Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:

- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the events listed below. Table 1 shows sample syslog audit records for NDcPPv2.2e:
Requirement | Auditable Events | Additional Audit Record Contents | How Event is Generated |
---|---|---|---|
FAU_GEN.1 | None | None | |
FAU_GEN.2 | None | None | |
FAU_STG_EXT.1 | None | None | |
FAU_STG.1 | None | None | |
FCS_CKM.1 | None | None | |
FCS_CKM.2 | None | None | |
FCS_CKM.4 | None | None | |
FCS_COP.1/DataEncryption | None | None | |
FCS_COP.1/SigGen | None | None | |
FCS_COP.1/Hash | None | None | |
FCS_COP.1/KeyedHash | None | None | |
FCS_RBG_EXT.1 | None | None | |
FDP_RIP.2 | None | None | |
FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address). | sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator' Login lockout configuration details: [edit] root@host:fips# run show system login lockout User Lockout start Lockout end security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST Log for the login lockout configuration: Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins Status of the session closed after the lockout period: ssh security-administrator@host Password: Connection closed by 10.209.21.170 port 22 Log for the closed session after lockout period: Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked. Establishes the session through the console as the root user during lockout period: login: security-administrator Password: Last login: Tue Jan 10 15:01:43 on ttyu0 --- JUNOS 22.4R2.8 Kernel 64-bit JNPR-12.1-20230321.be5f9c0_buil security-administrator@bm-a:fips> [edit] root@host:fips# run show system users 3:04PM up 4 days, 3:59, 2 users, load averages: 0.28, 0.21, 0.22 USER TTY FROM LOGIN@ IDLE WHAT security-a u0 - 3:03PM - -cli (cli) Log for the session established through the console as the root user during lockout period: Jan 10 15:03:52 host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0 |
FIA_PMG_EXT.1 | None | None | |
FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address). | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU.7 | None | None | |
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate' |
FMT_MTD.1/CoreData | All management activities of TSF data. | None | Refer to the audit events listed in this table. |
FMT_SMF.1/IPS | None | None | None |
FMT_SMF.1/ND | None | None | None |
FMT_SMR.2 | None | None | |
FPT_SKP_EXT.1 | None | None | |
FPT_APW_EXT.1 | None | None | |
FPT_TST_EXT.1 | None | None | Enter Note: If there is a self-test error, you can recover the device via USB recovery. If USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/). |
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure). | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate' |
FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed through an automated process. | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (such as IP address). | mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 ' mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed Note: NTP is not claimed as part of the FPT_STM_EXT.1 SFR. However, the configuration guide uses activating and deactivating NTP services to validate MACsec tolerance and the MACsec key-chain. |
FTA_SSL_EXT.1 (if terminate the session is selected) | The termination of a local interactive session by the session locking mechanism. | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.4 | The termination of an interactive session. | None | mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout |
FTA_TAB.1 | None | None | |
FCS_SSHS_EXT.1 | Failure to establish an SSH session. | Reason for failure. | sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc |
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempts. | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FCS_SSHS_EXT.1 | Failure to establish an SSH session. | Reason for failure. | sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc |
FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. | Reason for failure. | verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProduction TestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
FIA_X509_EXT.2 | None | None | |
FIA_X509_EXT.3 | None | None | |
FMT_MOF.1/Functions | Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, and the audit functionality when Local Audit Storage Space is full. | None | mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately init - - - network-security (PID 72907) terminated by signal number 9! init - - - network-security (PID 72929) started |
FMT_MOF.1/Services | Starting and stopping of services. | None | |
FMT_MTD.1/CryptoKeys | Management of cryptographic keys. | None | SSH key ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4 ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0 IPSEC keys pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1 pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2 |
FCS_IPSEC_EXT.1 | Session establishment with peer. | Entire packet contents of packets transmitted/received during session establishment. | user@host:fips# run show log iked \| no-more \| grep vpn Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) user@host:fips# run show log iked \| no-more \| grep success Jun 14 10:40:49.278061 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45109,local-ip=none,remote-ip=none Jun 14 10:40:49.290742 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] atec-validate-migrate for ed (0x2c09028) success in remote id validation Jun 14 10:40:49.291392 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255) Jun 14 10:40:49.291656 [EXT] [TUNL] [20.1.1.1 <-> 20.1.1.2] ike_tunnel_anchor_node_tunnel_add: Anchor tunnel add for tunnel 500009: success total tunnel adds:9 Jun 14 10:40:49.291682 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x8a45e874) Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) Jun 14 10:40:49.292404 [TER] [PEER] [20.1.1.1 <-> 20.1.1.2] IKE: Gateway N:IKE_GW L:20.1.1.1:500 R:20.1.1.2:500 Successful ike-id:20.1.1.2 U:N/A IKE:IKEv2 Role:R Jun 14 10:40:49.294256 [DET] [DIST] [20.1.1.1 <-> 20.1.1.2] ike_dist_ipsec_tunnel_info_add: IPsec distribution tunnel info add to db successful Tunnel Id:500009 Client Id:20 Instance:0 Jun 14 10:40:49.295072 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 Jun 14 10:40:49.295292 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.21 Jun 14 10:40:49.296004 [DET] [STER] [20.1.1.1 <-> 20.1.1.2] Successfully modified st0 next hop meta data for tunnel 500009 Jun 14 10:40:49.297336 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 Jun 14 10:42:24.328902 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45111,local-ip=none,remote-ip=none Jun 14 10:42:24.332381 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0 Jun 14 10:42:24.333295 [DET] [PUBL] [20.1.1.1 <-> 20.1.1.2] publish-ike-sa successful for ike-sa-index 11282 ike-sa 0x21dec24 Jun 14 10:42:29.316880 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255) Jun 14 10:42:29.316889 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSr: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(30.1.1.0-30.1.1.255) N:ipv4(30.1.1.0-30.1.1.255) Jun 14 10:42:29.317147 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x80eeab18) Jun 14 10:42:29.317178 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x80eeab18) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN) Jun 14 10:42:29.320369 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45113,local-ip=none,remote-ip=none Jun 14 10:42:29.323800 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0 Jun 14 10:42:29.325513 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20 |
FIA_X509_EXT.1 | Session establishment with CA. | Entire packet contents of packets transmitted/received during session establishment. | kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" argument1="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static |
FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation. | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. | [edit] root@host:fips# run show firewall Filter: __default_bpdu_filter__ Filter: fw_filter1 Counters: Name Bytes Packets inc1 0 0 inc2 840 10 [edit] root@host:fips# [edit] root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 11:05:31 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:30 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:29 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 11:05:28 pfe R st0.1 ICMP 30.1.1.1 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 11:19:59 pfe R st0.1 TCP 30.1.1.1 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 13:00:18 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:17 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:16 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 13:00:15 pfe A ge-0/0/4.0 ICMP 30.1.1.5 10.1.1.1 root@host:fips# run show firewall log Log : Time Filter Action Interface Protocol Src Addr Dest Addr 13:00:45 pfe A ge-0/0/4.0 TCP 30.1.1.5 10.1.1.1 |
 | Indication of packets dropped due to too much network traffic. | TOE interface that is unable to process packets. | RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-name="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="Denied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A |
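As an added example (not Juniper's code and not part of this guide), the following Python parses Junos structured-syslog records of the kind shown in the table, maps each event tag to the NDcPP requirement it evidences, and applies the FIA_AFL.1 lockout threshold over a batch of log lines. The TAG_TO_SFR mapping is an editorial summary of the table and the sample lines are constructed, modelled on the records above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# A Junos event tag is upper-case with underscores and is followed either by a
# structured-data element [junos@<enterprise-oid> key="value" ...] or by ":".
_TAG_RE = re.compile(r"\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)(?::|\s+\[junos@)")
_SD_RE = re.compile(r'\[junos@[\d.]+\s*((?:[\w-]+="[^"]*"\s*)*)\]')
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Event tag -> NDcPP requirement it evidences. Editorial summary of the table
# above, not a Juniper-supplied mapping; extend it for the events you monitor.
TAG_TO_SFR = {
    "SSHD_LOGIN_ATTEMPTS_THRESHOLD": "FIA_AFL.1",
    "LIBJNX_LOGIN_ACCOUNT_LOCKED": "FIA_AFL.1",
    "UI_LOGIN_EVENT": "FIA_UIA_EXT.1",
    "LOGIN_INFORMATION": "FIA_UIA_EXT.1",
    "SSHD_LOGIN_FAILED": "FIA_UIA_EXT.1",
    "UI_CLI_IDLE_TIMEOUT": "FTA_SSL.3",
    "UI_LOGOUT_EVENT": "FTA_SSL.4",
    "NSD_SYS_TIME_CHANGE": "FPT_STM_EXT.1",
    "PKID_PV_KEYPAIR_GEN": "FMT_MTD.1/CryptoKeys",
    "RT_FLOW_SESSION_DENY": "FPF_RUL_EXT.1",
}

def parse_event(line: str) -> Optional[Dict]:
    """Return {'tag', 'sfr', 'params'} for one syslog line, or None if untagged."""
    m = _TAG_RE.search(line)
    if not m:
        return None
    sd = _SD_RE.search(line)  # quoted values may contain ']' (e.g. "[unknown]")
    params = dict(_KV_RE.findall(sd.group(1))) if sd else {}
    return {"tag": m.group(1), "sfr": TAG_TO_SFR.get(m.group(1)), "params": params}

def failed_logins_by_source(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Sources whose SSHD_LOGIN_FAILED count reached the FIA_AFL.1 lockout threshold."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["tag"] == "SSHD_LOGIN_FAILED":
            hits[ev["params"].get("source-address", "unknown")] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample lines, modelled on the records shown in the table above.
_FAIL = ('sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" '
         'source-address="10.223.5.251"] Login failed for user \'root\' from host \'10.223.5.251\'')
SAMPLE = [_FAIL] * 3 + [
    "sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'",
    'mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" '
    'ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User \'root\' login',
    'login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" '
    'tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0',
    'cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout exceeded',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_event(line))
    print("FIA_AFL.1 threshold reached from:", failed_logins_by_source(SAMPLE))
```

Lines without a recognised tag return None rather than raising, so the parser can be run over a full syslog file and unmapped tags (sfr is None) reviewed for gaps in audit coverage.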
In addition, Juniper Networks recommends:

- Capturing all changes to the configuration.
- Storing logging information remotely.

For more information on log details, see Specifying Log File Size, Number, and Archiving Properties.