Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:
- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the events listed below. Table 1 shows sample syslog audit entries for NDcPPv2.2e and MOD_MACSECv1.0:
| Requirement | Auditable Events | Additional Audit Record Contents | How Event is Generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | |
| FAU_GEN.2 | None | None | |
| FAU_STG_EXT.1 | None | None | |
| FAU_STG.1 | None | None | |
| FCS_CKM.1 | None | None | |
| FCS_CKM.2 | None | None | |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | |
| FCS_COP.1/SigGen | None | None | |
| FCS_COP.1/Hash | None | None | |
| FCS_COP.1/KeyedHash | None | None | |
| FCS_RBG_EXT.1 | None | None | |
| FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address). | sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator' Login lockout configuration details: [edit] root@host:fips# run show system login lockout User Lockout start Lockout end security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST Log for the login lockout configuration: Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins Status of the session closed after the lockout period: ssh security-administrator@host Password: Connection closed by 10.209.21.170 port 22 Log for the closed session after lockout period: Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked. Establishes the session through the console as the root user during lockout period: login: security-administrator Password: Last login: Tue Jan 10 15:01:43 on ttyu0 --- JUNOS 22.3R1.8 Kernel 64-bit JNPR-12.1-20220816.a81ed05_buil security-administrator@bm-a:fips> [edit] root@host:fips# run show system users 3:04PM up 4 days, 3:59, 2 users, load averages: 0.28, 0.21, 0.22 USER TTY FROM LOGIN@ IDLE WHAT security-a u0 - 3:03PM - -cli (cli) Log for the session established through the console as the root user during lockout period: Jan 10 15:03:52 host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0 Security Administrator may unlock an account that is locked from remote access (for example, SSH): Thu May 09 15:09:46 [user@ttbg-shell011:~]ssh test@nms-mx304-a Password: Password: Password: Received disconnect from 10.209.4.145 port 22:2: Too many password failures for test Disconnected from 10.209.4.145 port 22 Thu May 09 20:01:19 [user@ttbg-shell011:~] [edit] root@host# run show system login lockout User Lockout start Lockout end test 2024-05-09 20:01:04 IST 2024-05-09 20:05:04 IST [edit] root@host# sshd: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'test' has been locked out from logins sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied sshd: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user test is locked. [edit] root@host# run clear system login lockout user test [edit] root@host# run show system login lockout User accounts not locked [edit] root@host# run show system uptime Current time: 2024-05-09 20:03:10 IST Time Source: LOCAL CLOCK System booted: 2024-05-07 19:19:44 IST (2d 00:43 ago) Protocols started: 2024-05-07 19:22:16 IST (2d 00:40 ago) Last configured: 2024-05-09 20:00:29 IST (00:02:41 ago) by root 8:03PM up 2 days, 43 mins, 1 users, load averages: 0.21, 0.15, 0.10 [edit] root@host# mgd[78360]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'test' has been unlocked for logins |
| FIA_PMG_EXT.1 | None | None | |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address). | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). | Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
| FIA_UAU.7 | None | None | |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate' |
| FMT_MTD.1/CoreData | All management activities of TSF data | None | Refer to the audit events listed in this table. |
| FMT_SMF.1 | Ability to start and stop services | None | Login as security-officer security-officer@host:fips> request system reboot Reboot the system ? [yes,no] (no) yes |
| | Ability to configure audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full) | None | security-officer@host:fips#set system syslog archive files |
| | Ability to modify the behaviour of the transmission of audit data to an external IT entity | None | Generate an RSA public key on the remote syslog server ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor [edit system login] security-officer@host:fips# set class monitor permissions trace [edit system login] security-officer@host:fips# set user syslog-mon class monitor authentication ssh-rsa "public-key" [edit system services] security-administrator@host:fips# set netconf ssh [edit system] security-officer@host:fips# set syslog file messages any any commit on the remote syslog server $ eval `ssh-agent -s` $ ssh-add ~/.ssh/syslog-monitor |
| | Ability to configure the cryptographic functionality | None | security-officer@host:fips#set system services ssh security-officer@host:fips#set system services ssh ciphers aes128-ctr |
| | Ability to configure thresholds for SSH rekeying | None | security-officer@host:fips#set system services ssh security-officer@host:fips#set system services ssh rekey data-limit 51200 security-officer@host:fips#set system services ssh rekey time-limit 1 |
| | Ability to re-enable an Administrator account | None | root@fips#set system login user security-officer authentication plain-text-password New password: Retype new password: root@fips#set system login user security-officer class super-user |
| | Reset the password for security-officer | None | root@fips#set system login user security-officer authentication plain-text-password New password: Retype new password: |
| | Syslog check | None | Verify resetting passwords behavior through audit logs root@fips>show log /var/log/messages1 \|grep "UI_CFG_AUDIT_SET: User 'security-officer' set: \[system login user security-officer authentication\].*unconfigured" \|except regress\|count Count: 2 lines |
| | Ability to set the time which is used for time-stamps | None | Login as security-officer and modify the time stamp security-officer@fips-mx-b:fips>set date 202901010101.01 Mon Jan 1 01:01:01 PST 2029 |
| | Ability to manage the cryptographic keys | None | Ability to manage the trusted public keys database Host_machine#ssh-keygen -t rsa -f $HOME/.ssh/id_ssh_rsa_2048 -N -b 2048 Generating public/private rsa key pair. /root/.ssh/id_ssh_toby_rsa_2048 already exists. Overwrite (y/n)? Your identification has been saved in /root/.ssh/id_ssh_toby_rsa_2048. Your public key has been saved in /root/.ssh/id_ssh_toby_rsa_2048.pub. The key fingerprint is: SHA256:m8ToMFz77/3rLDCK2rNFv9MaXpB0qmZUqAJMAEIX6X0 root@fips-qnc-lnx1.englab.juniper.net The key's randomart image is: +---[RSA 2048]----+ \|*o.oo \| \|.o.. . \| \| + . . . o . \| \| + o E o + \| \| = = S + \| \| = = =o. \| \| ..O.o+. \| \| .o+.o.=o. \| \| ..oo .*o.+=. \| +----[SHA256]-----+ Toby-1960280-10.48.155.181% cat $HOME/.ssh/id_ssh_rsa_2048.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net security-officer@host:fips#set system login user syslog-mon authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net" security-officer@host:fips#set system login user syslog-mon class super-user Security Administrator may unlock an account that is locked from remote access (for example, SSH): Thu May 09 15:09:46 [user@ttbg-shell011:~]ssh test@nms-mx304-a Password: Password: Password: Received disconnect from 10.209.4.145 port 22:2: Too many password failures for test Disconnected from 10.209.4.145 port 22 Thu May 09 20:01:19 [user@ttbg-shell011:~] [edit] root@host# run show system login lockout User Lockout start Lockout end test 2024-05-09 20:01:04 IST 2024-05-09 20:05:04 IST [edit] root@host# sshd: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'test' has been locked out from logins sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied sshd: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user test is locked. [edit] root@host# run clear system login lockout user test [edit] root@host# run show system login lockout User accounts not locked [edit] root@host# run show system uptime Current time: 2024-05-09 20:03:10 IST Time Source: LOCAL CLOCK System booted: 2024-05-07 19:19:44 IST (2d 00:43 ago) Protocols started: 2024-05-07 19:22:16 IST (2d 00:40 ago) Last configured: 2024-05-09 20:00:29 IST (00:02:41 ago) by root 8:03PM up 2 days, 43 mins, 1 users, load averages: 0.21, 0.15, 0.10 [edit] root@host# mgd[78360]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'test' has been unlocked for logins |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TST_EXT.1 | None | None | Enter Note: If there is a self-test error, you can recover the device via USB recovery. If USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/). |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate ' |
| FPT_STM_EXT.1 | Discontinuous changes to time - either Administrator actuated or changed through an automated process. | For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (such as, IP address). | mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 ' mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed Note: We are not claiming NTP as part of FPT_STM_EXT.1 SFR. However, in our configuration we synchronize both MACsec endpoint devices to validate MACsec tolerance and MACsec key-chain. |
| FTA_SSL_EXT.1 (if terminate the session is selected) | The termination of a local interactive session by the session locking mechanism. | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.4 | The termination of an interactive session. | None | mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout |
| FTA_TAB.1 | None | None | |
| FCS_MACSEC_EXT.1 | Session establishment | Secure Channel Identifier (SCI) | DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 00:90:69:0b:a4:99 on interface xe-0/0/1:0 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:2 on interface xe-0/0/1:0 DOT1XD_MACSEC_SC_CAK_ACTIVATED: ifd: xe-0/0/1:0 sci-out:D4996C8C97150001 sci-in:0090690BA4990001 cak: 17C9C2C45DDD012AA5BC8EF284AA23FF6729EE2E4ACB66E91FE34BA2CD9FE311 Jun 16 11:49:12.277321 MKA PRIMARY actor #0 created with MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA Jun 16 11:49:12.277435 MKA PRIMARY actor #0 sending MKPDU, SCI 18:2A:D3:E9:2B:87/1, MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA, MN 1 Jun 16 11:49:12.277473 SCI: 18:2A:D3:E9:2B:87/1 Jun 16 11:49:12.681174 MKA PRIMARY actor #0 received MKPDU, SCI 3C:94:D5:A0:A5:A2/1, MI 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0, MN 4 Jun 16 11:49:12.681210 SCI: 3C:94:D5:A0:A5:A2/1 Jun 16 11:49:12.681290 MKA PRIMARY peer #0/#0 created with MI 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0 Jun 16 11:49:12.681298 xe-1/1/2:0 peer #0 created with MAC address 3C:94:D5:A0:A5:A2 Jun 16 11:49:12.681421 MKA PRIMARY peer #0/#0 has SCI 3C:94:D5:A0:A5:A2/1 Jun 16 11:49:12.786331 xe-1/1/2:0(principal: PRIMARY) port 1 PRIMARY MKA.secured = TRUE Jun 16 11:49:12.786347 xe-1/1/2:0(principal: PRIMARY) port 1 connect = SECURE Jun 16 11:49:12.786361 xe-1/1/2:0(principal: PRIMARY) port 1 CP state = SECURED Jun 16 11:49:12.786373 xe-1/1/2:0(principal: PRIMARY) port 1 ifSecure(TRUE, authData) Jun 16 11:49:12.786401 MKA PRIMARY actor #0 sending MKPDU, SCI 18:2A:D3:E9:2B:87/1, MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA, MN 2 Jun 16 11:49:12.786448 SCI: 18:2A:D3:E9:2B:87/1 Jun 16 11:49:11.764288 Include SCI : enabled Jun 16 11:49:11.764345 macsec_diff_configs: 1 cas are created Jun 16 11:49:11.766573 macsec_evaluate_new_cas: 1 cas are created Jun 16 11:49:11.766701 Include SCI : enabled Jun 16 11:49:11.898782 task_job_create_foreground: created job job to run completion_queue_next for task MACSEC Jun 16 11:49:11.899193 task_job_create_foreground: created job job to run completion_queue_next for task MACSEC Jun 16 11:49:12.681344 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 3c:94:d5:a0:a5:a2 on interface xe-1/1/2:0 Jun 16 11:49:13.825460 macsec_rt_sa_msg_insert: MACSEC_MSG_ADD - if:xe-1/1/2:0 ifdx:264 iflx:0 is_ifl:0 sc_id:18:2a:d3:e9:2b:87/0100 next_pn:1 ssci:00:00:00:02 salt:00:00:00:00:00:00:00:00:00:00:00:00 an:0 Jun 16 11:49:13.825471 macsec_rt_msg_send: MACSEC_MSG_ADD: MACSEC_SA_MSG - ifd: xe-1/1/2:0(idx: 264), sc_id: 18:2a:d3:e9:2b:87/0100, next_pn: 1, an: 0, ssci: 00:00:00:02 Jun 16 11:49:13.825575 macsec_rt_sa_msg_insert: MACSEC_MSG_ADD - if:xe-1/1/2:0 ifdx:264 iflx:0 is_ifl:0 sc_id:3c:94:d5:a0:a5:a2/0100 next_pn:1 ssci:00:00:00:01 salt:00:00:00:00:00:00:00:00:00:00:00:00 an:0 Jun 16 11:49:13.825584 macsec_rt_msg_send: MACSEC_MSG_ADD: MACSEC_SA_MSG - ifd: xe-1/1/2:0(idx: 264), sc_id: 3c:94:d5:a0:a5:a2/0100, next_pn: 1, an: 0, ssci: 00:00:00:01 Jun 16 11:49:13.825938 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface xe-1/1/2:0 Jun 16 11:49:22.006396 DOT1XD_MACSEC_SC_CAK_ACTIVATED: ifd: xe-1/1/2:0 sci-out:182AD3E92B870001 sci-in:3C94D5A0A5A20001 cak: 2345678922334455667788992223334445556667778889992222333344445551 |
| FCS_MACSEC_EXT.3 | Creation and update of SAK | Creation and update of SAK | sending EAPOL-MKA packet to 01:80:C2:00:00:03 received EAPOL-MKA from A8:D0:E5:F6:CF:17 MKA decode: truncated parameter set cannot decode MKA PDU Jun 16 11:49:13.198521 SAK use parameter set: Jun 16 11:49:13.198592 Distributed SAK parameter set: Jun 16 11:49:13.198623 AES key wrap of SAK: A5:38:56:DE:A0:CD:DB:B7:9D:39:1D:61:B6:33:1B:68:3E:42:2A:65:B1:23:A1:66:B4:37:C5:00:84:56:DB:68: Jun 16 11:49:13.201028 xe-1/1/2:0(principal: PRIMARY) port 1 MKA peer #0/#0 received new 256-bit SAK cp_state SECURED transmit_when 0 Jun 16 11:49:13.201358 xe-1/1/2:0(principal: PRIMARY) port 1 newSAK = TRUE Jun 16 11:49:13.276372 xe-1/1/2:0(principal: PRIMARY) port 1 installKey(sak, 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0-1) Jun 16 11:49:13.277752 xe-1/1/2:0(principal: PRIMARY) port 1 newSAK = FALSE Jun 16 11:49:13.277910 SAK use parameter set: Jun 16 11:49:13.719189 SAK use parameter set: Jun 16 11:49:13.276380 macsec_is_sak_has_128bit_forced: ca context : CA1 found for ifd xe-1/1/2:0 Jun 16 11:49:13.276387 macsec_util_generate_sak_hash: sak_key_bits value 256 Jun 16 11:49:13.825180 macsec_enable_transmit ifd:xe-1/1/2:0(ifd:264 ifl:0) ks:0 type:PRIMARY key-num:1 an:0 rx-sak-ack:0 Jun 16 11:49:13.825492 macsec_set_sa_msg_gencfg_data: ifdx:264 iflx:0 is_ifl:0 key:xe-1/1/2:0-SA-TX-AN-0 len:164 an:0 sak-hash:10:cc:a2:cc:94:e7:ce:fb:58:40:4a:d2:23:cb:5c:1d Jun 16 11:49:13.825594 macsec_set_sa_msg_gencfg_data: ifdx:264 iflx:0 is_ifl:0 key:xe-1/1/2:0-SA-RX-AN-0 len:164 an:0 sak-hash:10:cc:a2:cc:94:e7:ce:fb:58:40:4a:d2:23:cb:5c:1d |
| FCS_MACSEC_EXT.4 | Creation of CA | Connectivity Association Key Names (CKNs) | macsec_update_psk_keychain(692) ifd:xe-11/0/0 Dump Old CAK Info macsec_update_psk_keychain(695) ifd:xe-11/0/0 Install New CAK DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface xe-11/0/0 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 28:8a:1c:a5:39:4a on interface xe-11/0/0 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface xe-11/0/0 Jun 16 11:49:11.766530 ifd:xe-1/1/2:0 primary ckn:2345678922334455667788992223334445556667778889992222333344445551 cak:0x04E54960 being activated Jun 16 11:49:11.766717 Primary CKN : 2345678922334455667788992223334445556667778889992222333344445551 Jun 16 11:49:19.928712 CKN: 23:45:67:89:22:33:44:55:66:77:88:99:22:23:33:44:45:55:66:67:77:88:89:99:22:22:33:33:44:44:55:51 Jun 16 11:49:22.006355 xe-1/1/2:0 CAK PRIMARY #0 (pre-shared pairwise) CAK activity: CKN 23:45:67:89:22:33:44:55:66:77:88:99:22:23:33:44:45:55:66:67:77:88:89:99:22:22:33:33:44:44:55:51 -> ACTIVATED |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. |
| FPT_RPL.1 | Detected replay attempt | None | [edit] root@homer:fips# run show security mka statistics \| match "Duplicate address\|Old Replayed message" Duplicate address packets: 89516 Old Replayed message number packets: 89192 [edit] root@homer:fips# run show security mka statistics \| match "Duplicate address\|Old Replayed message" Apr 11 05:28:58 Interface name: xe-0/0/7 Received packets: 179707 Transmitted packets: 1000 Version mismatch packets: 0 CAK mismatch packets: 0 ICV mismatch packets: 0 Duplicate message identifier packets: 0 Duplicate message number packets: 0 Duplicate address packets: 89516 Invalid destination address packets: 0 Formatting error packets: 0 Old Replayed message number packets: 89192 |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Note: If the MACsec connection is broken unintentionally, deactivate and activate the security MACsec or restart dot1x-protocol. |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
| FMT_MOF.1/Functions | None | None | mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately init - - - network-security (PID 72907) terminated by signal number 9! init - - - network-security (PID 72929) started |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | SSH key ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4 ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0 IPSEC keys pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1 pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2 |
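As an added example that is not part of the Juniper documentation, the following Python parses syslog lines in the structured-data format shown in the table (`<app> <pid> <TAG> [junos@<sd-id> key="value" ...] <message>`, optionally behind an RFC 5424 header), maps each event tag to the SFR it evidences, and reports sources whose failed SSH logins reached the lockout threshold of 3 quoted for FIA_AFL.1. The tag-to-SFR map, the `audit_summary` helper and the `SAMPLE` lines are this example's own; the sample lines are constructed to mirror the table's entries and were not captured from a device.

```python
"""Parse Junos structured-data syslog lines and map each event to the NDcPP SFR it
evidences in Table 1.  Added example; SAMPLE is constructed, not captured from a device."""
import re
from collections import Counter

# Optional RFC 5424 header (<pri>1 timestamp host), then
# "<app> <pid|-> <TAG|-> [junos@<sd-id> k="v" ...] <message>"; a bare "-" means no SD element.
SD_LINE = re.compile(
    r'^(?:<\d+>1\s+\S+\s+\S+\s+)?(?P<app>\S+)\s+(?P<pid>\S+)\s+(?P<tag>\S+)\s+'
    r'(?:\[junos@(?P<sdid>[\d.]+)(?P<params>(?:\s+[\w-]+="(?:[^"\\]|\\.)*")*)\s*\]|-)'
    r'\s*(?P<msg>.*)$')
PARAM = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

# Event tag -> SFR, as listed in Table 1.
TAG_TO_SFR = {
    'SSHD_LOGIN_ATTEMPTS_THRESHOLD': 'FIA_AFL.1', 'LIBJNX_LOGIN_ACCOUNT_LOCKED': 'FIA_AFL.1',
    'LIBJNX_LOGIN_ACCOUNT_UNLOCKED': 'FIA_AFL.1', 'UI_AUTH_EVENT': 'FIA_UIA_EXT.1',
    'UI_LOGIN_EVENT': 'FIA_UIA_EXT.1', 'SSHD_LOGIN_FAILED': 'FIA_UIA_EXT.1',
    'LOGIN_INFORMATION': 'FIA_UIA_EXT.1', 'LOGIN_ROOT': 'FIA_UIA_EXT.1',
    'LOGIN_PAM_ERROR': 'FIA_UIA_EXT.1', 'LOGIN_FAILED': 'FIA_UIA_EXT.1',
    'UI_CLI_IDLE_TIMEOUT': 'FTA_SSL.3', 'UI_LOGOUT_EVENT': 'FTA_SSL.4',
    'NSD_SYS_TIME_CHANGE': 'FPT_STM_EXT.1', 'UI_RESTART_EVENT': 'FMT_MOF.1/Functions',
    'PKID_PV_KEYPAIR_GEN': 'FMT_MTD.1/CryptoKeys',
}
# sshd lines that carry no event tag are classified on their message prefix.
UNTAGGED = (('Unable to negotiate', 'FCS_SSHS_EXT.1'), ('Accepted ', 'FTP_TRP.1/Admin'),
            ('Disconnected from user', 'FTP_TRP.1/Admin'))

def parse(line):
    """Return {'app','pid','tag','fields','msg'}, or None when the line is not a Junos event."""
    m = SD_LINE.match(line.strip())
    if not m:
        return None
    return {'app': m['app'], 'pid': m['pid'], 'tag': m['tag'],
            'fields': dict(PARAM.findall(m['params'] or '')), 'msg': m['msg']}

def sfr_for(event):
    """SFR evidenced by one parsed event; UI_CMDLINE_READ_LINE depends on the command run."""
    if event['tag'] == 'UI_CMDLINE_READ_LINE':
        cmd = event['fields'].get('command', '').strip()
        if cmd.startswith('set date'):
            return 'FPT_STM_EXT.1'
        return 'FPT_TUD_EXT.1' if 'software add' in cmd else None
    if event['tag'] == '-':
        return next((s for prefix, s in UNTAGGED if event['msg'].startswith(prefix)), None)
    return TAG_TO_SFR.get(event['tag'])

def failed_logins_by_source(events, threshold=3):
    """Sources whose SSHD_LOGIN_FAILED count reached the lockout threshold (3 in Table 1)."""
    hits = Counter(e['fields'].get('source-address', '?')
                   for e in events if e['tag'] == 'SSHD_LOGIN_FAILED')
    return {src: n for src, n in hits.items() if n >= threshold}

def audit_summary(lines):
    """Per-SFR event counts and the sources that hit the lockout threshold."""
    events = [e for e in map(parse, lines) if e]
    return dict(Counter(s for s in map(sfr_for, events) if s)), failed_logins_by_source(events)

LOGIN_FAILED = """sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'"""
SAMPLE = [  # constructed sample lines in the formats shown in Table 1
    """mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652]""",
    LOGIN_FAILED, LOGIN_FAILED, LOGIN_FAILED,
    """<38>1 2023-01-10T15:03:26.000+05:30 host sshd 63687 LIBJNX_LOGIN_ACCOUNT_LOCKED - Account for user 'security-administrator' has been locked out from logins""",
    """login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0""",
    """mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '""",
    "nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed",
    "sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found.",
    """cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated""",
    """mgd 70900 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate "] User 'sec-officer', command 'request vmhost software add ...'""",
    "this line is not a Junos event",
]

if __name__ == '__main__':
    print(audit_summary(SAMPLE))
```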
In addition, Juniper Networks recommends:
- To capture all changes to the configuration.
- To store logging information remotely.
For more information on log details, see Specifying Log File Size, Number, and Archiving Properties.