Event Logging Overview

The evaluated configuration requires the auditing of configuration changes through the system log.

In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).

  • Allow authorized managers to examine audit logs.

  • Send audit files to external servers.

  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the events listed in Table 1, which shows sample syslog entries for auditing under NDcPPv2.2e and MOD_MACSECv1.0:

Table 1: Auditable Events

Columns: Requirement; Auditable Events; Additional Audit Record Contents; How Event is Generated

Requirement: FAU_GEN.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FAU_GEN.2
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FAU_STG_EXT.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FAU_STG.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_CKM.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_CKM.2
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_CKM.4
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_COP.1/DataEncryption
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_COP.1/SigGen
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_COP.1/Hash
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_COP.1/KeyedHash
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_RBG_EXT.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FIA_AFL.1
Auditable Events: Unsuccessful login attempts limit is met or exceeded.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
How Event is Generated:

sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator'

Login lockout configuration details:

[edit]
root@host:fips# run show system login lockout
User                                 Lockout start                        Lockout end
security-administrator   2023-01-10 15:03:26 IST    2023-01-10 15:04:26 IST

Log for the login lockout configuration:

Jan 10 15:03:26  host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins

Status of the session closed after the lockout period:

ssh security-administrator@host
Password:
Connection closed by 10.209.21.170 port 22

Log for the closed session after lockout period:

Jan 10 15:04:10  host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked.

Establishing a session through the console as the root user during the lockout period:

login: security-administrator
Password:
Last login: Tue Jan 10 15:01:43 on ttyu0

--- JUNOS 22.3R1.8 Kernel 64-bit  JNPR-12.1-20220816.a81ed05_buil
security-administrator@bm-a:fips>

[edit]
root@host:fips# run show system users
 3:04PM  up 4 days,  3:59, 2 users, load averages: 0.28, 0.21, 0.22
USER     TTY      FROM                              LOGIN@  IDLE WHAT
security-a u0     -                                3:03PM      - -cli (cli)

Log for the session established through the console as the root user during the lockout period:

Jan 10 15:03:52  host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0

The Security Administrator can unlock an account that has been locked out of remote access (for example, SSH):

Thu May 09 15:09:46 [user@ttbg-shell011:~]ssh test@nms-mx304-a
Password:
Password:
Password:
Received disconnect from 10.209.4.145 port 22:2: Too many password failures for test
Disconnected from 10.209.4.145 port 22
Thu May 09 20:01:19 [user@ttbg-shell011:~]

[edit]
root@host# run show system login lockout
User                 Lockout start           Lockout end
test                 2024-05-09 20:01:04 IST 2024-05-09 20:05:04 IST

[edit]
root@host#

sshd: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'test' has been locked out from logins
sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied
sshd: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user test is locked.

[edit]
root@host# run clear system login lockout user test

[edit]
root@host# run show system login lockout
User accounts not locked

[edit]
root@host# run show system uptime
Current time: 2024-05-09 20:03:10 IST
Time Source:  LOCAL CLOCK
System booted: 2024-05-07 19:19:44 IST (2d 00:43 ago)
Protocols started: 2024-05-07 19:22:16 IST (2d 00:40 ago)
Last configured: 2024-05-09 20:00:29 IST (00:02:41 ago) by root
 8:03PM  up 2 days, 43 mins, 1 users, load averages: 0.21, 0.15, 0.10

[edit]
root@host#

mgd[78360]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'test' has been unlocked for logins

Requirement: FIA_PMG_EXT.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FIA_UIA_EXT.1
Auditable Events: All use of identification and authentication mechanism.
Additional Audit Record Contents: Provided user identity, origin of the attempt (e.g., IP address).
How Event is Generated:

Successful Remote Login

mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user'

mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'

Unsuccessful Remote Login

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Successful Local Login

login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0

login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0

Unsuccessful Local Login

login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module

login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0

Requirement: FIA_UAU_EXT.2
Auditable Events: All use of identification and authentication mechanism.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
How Event is Generated: the same sample messages as FIA_UIA_EXT.1 above (successful and unsuccessful remote login, successful and unsuccessful local login).
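
The login and lockout messages in the rows above come in two shapes: the structured-data form (process, pid, TAG, then a bracketed junos@... block of key="value" pairs, where a "]" inside a value is escaped as "\]" as in hostname="[unknown\]"), and the traditional process[pid]: TAG: text form used by the lockout messages. The following Python script is an added example, not Juniper code: it parses both shapes, checks that each login record carries the user identity and origin fields that the Additional Audit Record Contents column calls for, and counts SSHD_LOGIN_FAILED events per source against the threshold of 3 shown under FIA_AFL.1. The sample lines and the per-tag required-field map are constructed for the example and are assumptions, not values from a device.

```python
"""Added example (not Juniper code): parse the two syslog line shapes shown in
Table 1 and check them against the audit-record requirements of FIA_AFL.1 and
FIA_UIA_EXT.1. All sample lines below are constructed, modelled on the table."""
import re
from collections import Counter

# Structured-data form used in Table 1:
#   <process> <pid|-> <TAG> [junos@<oid> key="value" ...] <free text>
# Parameter values use RFC 5424 escaping inside the quotes: \] \" and \\.
SD_LINE = re.compile(
    r'^(?P<proc>\S+)\s+(?P<pid>\d+|-)\s+(?P<tag>[A-Z][A-Z0-9_]+)\s+'
    r'\[(?P<sdid>[^\s\]]+)(?P<params>(?:\s+[\w-]+="(?:[^"\\]|\\.)*")*)\]\s*(?P<msg>.*)$'
)
PARAM = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

# Traditional form also used in Table 1 (lockout messages), timestamp optional:
#   [Mon DD HH:MM:SS <host>] <process>[<pid>]: <TAG>: <free text>
BSD_LINE = re.compile(
    r'^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+)?'
    r'(?P<proc>[\w-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<tag>[A-Z][A-Z0-9_]+):\s*(?P<msg>.*)$'
)

# Fields the "Additional Audit Record Contents" column requires per login tag
# (user identity and origin of the attempt). Assumption made for this example.
REQUIRED_FIELDS = {
    "SSHD_LOGIN_FAILED": ("username", "source-address"),
    "LOGIN_FAILED": ("username", "source-address"),
    "UI_LOGIN_EVENT": ("username", "ssh-connection"),
    "LOGIN_INFORMATION": ("username", "hostname", "tty-name"),
}


def _unescape(value):
    """Reverse RFC 5424 PARAM-VALUE escaping, e.g. '[unknown\\]' -> '[unknown]'."""
    return re.sub(r'\\([\]"\\])', r'\1', value)


def parse_line(line):
    """Return a dict with tag, proc, pid, params and msg, or None if unrecognised."""
    m = SD_LINE.match(line)
    if m:
        params = {k: _unescape(v) for k, v in PARAM.findall(m.group("params"))}
        return {"tag": m.group("tag"), "proc": m.group("proc"),
                "pid": m.group("pid"), "params": params, "msg": m.group("msg")}
    m = BSD_LINE.match(line)
    if m:
        return {"tag": m.group("tag"), "proc": m.group("proc"),
                "pid": m.group("pid"), "params": {}, "msg": m.group("msg")}
    return None


def missing_fields(event):
    """Required audit fields that are absent from a parsed event."""
    return [f for f in REQUIRED_FIELDS.get(event["tag"], ()) if f not in event["params"]]


def failed_login_sources(events, threshold=3):
    """Sources whose SSHD_LOGIN_FAILED count reached the lockout threshold
    (3 in the configuration shown under FIA_AFL.1)."""
    counts = Counter(e["params"].get("source-address", "?")
                     for e in events if e["tag"] == "SSHD_LOGIN_FAILED")
    return {src: n for src, n in counts.items() if n >= threshold}


def audit_report(lines, threshold=3):
    """Parse all lines and summarise: counts, incomplete records, lockout candidates."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev:
            events.append(ev)
        else:
            unparsed.append(line)
    return {
        "events": len(events),
        "unparsed": len(unparsed),
        "incomplete": [(e["tag"], missing_fields(e)) for e in events if missing_fields(e)],
        "lockout_candidates": failed_login_sources(events, threshold),
    }


# Constructed sample lines modelled on Table 1 (not captured from a device).
FAILED = r"""sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'"""
SAMPLE_LINES = [
    FAILED, FAILED, FAILED,   # the third failure reaches the threshold of 3
    "sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'root'",  # matches neither shape
    "Jan 10 15:03:26  host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'root' has been locked out from logins",
    r"""login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0""",
    r"""mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652]""",
    # Constructed defective record: the origin of the attempt is missing.
    r"""sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root"] Login failed for user 'root'""",
]

if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The "unparsed" count is worth watching in practice: a line that matches neither shape (here the SSHD_LOGIN_ATTEMPTS_THRESHOLD message, which uses "process - TAG:" with no structured-data block) would otherwise silently drop out of any threshold or completeness check.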

Requirement: FIA_UAU.7
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FMT_MOF.1/ManualUpdate
Auditable Events: Any attempt to initiate a manual update.
Additional Audit Record Contents: None
How Event is Generated:

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate'

Requirement: FMT_MTD.1/CoreData
Auditable Events: All management activities of TSF data
Additional Audit Record Contents: None
How Event is Generated: refer to the audit events listed in this table.

Requirement: FMT_SMF.1
Auditable Events: the management functions listed below, each followed by its Additional Audit Record Contents and how the event is generated.

Ability to start and stop services (Additional Audit Record Contents: None):

Login as security-officer:

security-officer@host:fips> request system reboot
Reboot the system ? [yes,no] (no) yes

Ability to configure audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full) (Additional Audit Record Contents: None):

security-officer@host:fips# set system syslog archive files

Ability to modify the behaviour of the transmission of audit data to an external IT entity (Additional Audit Record Contents: None):

Generate an RSA public key on the remote syslog server:

ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor

On the device:

[edit system login]
security-officer@host:fips# set class monitor permissions trace
[edit system login]
security-officer@host:fips# set user syslog-mon class monitor authentication ssh-rsa "public-key"
[edit system services]
security-administrator@host:fips# set netconf ssh
[edit system]
security-officer@host:fips# set syslog file messages any any commit

On the remote syslog server:

$ eval `ssh-agent -s`
$ ssh-add ~/.ssh/syslog-monitor

Ability to configure the cryptographic functionality (Additional Audit Record Contents: None):

security-officer@host:fips# set system services ssh
security-officer@host:fips# set system services ssh ciphers aes128-ctr

Ability to configure thresholds for SSH rekeying (Additional Audit Record Contents: None):

security-officer@host:fips# set system services ssh
security-officer@host:fips# set system services ssh rekey data-limit 51200
security-officer@host:fips# set system services ssh rekey time-limit 1

Ability to re-enable an Administrator account (Additional Audit Record Contents: None):

root@fips# set system login user security-officer authentication plain-text-password
New password:
Retype new password:
root@fips# set system login user security-officer class super-user

Reset the password for security-officer (Additional Audit Record Contents: None):

root@fips# set system login user security-officer authentication plain-text-password
New password:
Retype new password:

Syslog check (Additional Audit Record Contents: None):

Verify the password reset behavior through the audit logs:

root@fips> show log /var/log/messages1 |grep "UI_CFG_AUDIT_SET: User 'security-officer' set: \[system login user security-officer authentication\].*unconfigured" |except regress|count
Count: 2 lines

Ability to set the time which is used for time-stamps (Additional Audit Record Contents: None):

Login as security-officer and modify the time stamp:

security-officer@fips-mx-b:fips> set date 202901010101.01
Mon Jan  1 01:01:01 PST 2029

Ability to manage the cryptographic keys (Additional Audit Record Contents: None):

Ability to manage the trusted public keys database:

Host_machine# ssh-keygen -t rsa -f $HOME/.ssh/id_ssh_rsa_2048 -N '' -b 2048
Generating public/private rsa key pair.
/root/.ssh/id_ssh_toby_rsa_2048 already exists.
Overwrite (y/n)? Your identification has been saved in /root/.ssh/id_ssh_toby_rsa_2048.
Your public key has been saved in /root/.ssh/id_ssh_toby_rsa_2048.pub.
The key fingerprint is:
SHA256:m8ToMFz77/3rLDCK2rNFv9MaXpB0qmZUqAJMAEIX6X0 root@fips-qnc-lnx1.englab.juniper.net
The key's randomart image is:
+---[RSA 2048]----+
|*o.oo            |
|.o..     .       |
|  + . . . o .    |
|   + o E o +     |
|    = = S +      |
|     = = =o.     |
|      ..O.o+.    |
|     .o+.o.=o.   |
|    ..oo .*o.+=. |
+----[SHA256]-----+
Toby-1960280-10.48.155.181% 
 
cat $HOME/.ssh/id_ssh_rsa_2048.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net
 
security-officer@host:fips#set system login user syslog-mon authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net"
security-officer@host:fips#set system login user syslog-mon class super-user

The Security Administrator can unlock an account that has been locked out of remote access (for example, SSH); the unlock sequence (show system login lockout, clear system login lockout user, and the resulting LIBJNX_LOGIN_ACCOUNT_UNLOCKED log message) is shown under FIA_AFL.1 above.

Requirement: FMT_SMR.2
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FPT_SKP_EXT.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FPT_APW_EXT.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FPT_TST_EXT.1
Auditable Events: None
Additional Audit Record Contents: None
How Event is Generated:

Enter request system fips self-test at the command line for an on-demand self-test, or reboot the device to view the self-test during start-up.

Note:

If there is a self-test error, you can recover the device via USB recovery.

If USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/).

Requirement: FPT_TUD_EXT.1
Auditable Events: Initiation of update; result of the update attempt (success or failure)
Additional Audit Record Contents: None
How Event is Generated:

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.3R1.8.tgz no-validate'

Requirement: FPT_STM_EXT.1
Auditable Events: Discontinuous changes to time, either Administrator actuated or changed through an automated process.
Additional Audit Record Contents: For discontinuous changes to time: the old and new values for the time, and the origin of the attempt to change the time for success and failure (such as an IP address).
How Event is Generated:

mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '

mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled

nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed

Note:

We are not claiming NTP as part of the FPT_STM_EXT.1 SFR. However, in our configuration we synchronize both MACsec endpoint devices to validate MACsec tolerance and the MACsec key chain.

Requirement: FTA_SSL_EXT.1 (if "terminate the session" is selected)
Auditable Events: The termination of a local interactive session by the session locking mechanism.
Additional Audit Record Contents: None
How Event is Generated:

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

Requirement: FTA_SSL.3
Auditable Events: The termination of a remote session by the session locking mechanism.
Additional Audit Record Contents: None
How Event is Generated:

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

Requirement: FTA_SSL.4
Auditable Events: The termination of an interactive session.
Additional Audit Record Contents: None
How Event is Generated:

mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout

Requirement: FTA_TAB.1
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FCS_MACSEC_EXT.1
Auditable Events: Session establishment
Additional Audit Record Contents: Secure Channel Identifier (SCI)
How Event is Generated:

DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 00:90:69:0b:a4:99 on interface xe-0/0/1:0
DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:2 on interface xe-0/0/1:0
DOT1XD_MACSEC_SC_CAK_ACTIVATED: ifd: xe-0/0/1:0 sci-out:D4996C8C97150001 sci-in:0090690BA4990001 cak: 17C9C2C45DDD012AA5BC8EF284AA23FF6729EE2E4ACB66E91FE34BA2CD9FE311
Jun 16 11:49:12.277321 MKA PRIMARY  actor #0 created with MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA
Jun 16 11:49:12.277435 MKA PRIMARY  actor #0 sending MKPDU, SCI 18:2A:D3:E9:2B:87/1, MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA, MN 1
Jun 16 11:49:12.277473     SCI: 18:2A:D3:E9:2B:87/1
Jun 16 11:49:12.681174 MKA PRIMARY  actor #0 received MKPDU, SCI 3C:94:D5:A0:A5:A2/1, MI 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0, MN 4
Jun 16 11:49:12.681210     SCI: 3C:94:D5:A0:A5:A2/1
Jun 16 11:49:12.681290 MKA PRIMARY  peer #0/#0 created with MI 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0
Jun 16 11:49:12.681298 xe-1/1/2:0 peer #0 created with MAC address 3C:94:D5:A0:A5:A2
Jun 16 11:49:12.681421 MKA PRIMARY  peer #0/#0 has SCI 3C:94:D5:A0:A5:A2/1
Jun 16 11:49:12.786331 xe-1/1/2:0(principal: PRIMARY) port 1 PRIMARY MKA.secured = TRUE
Jun 16 11:49:12.786347 xe-1/1/2:0(principal: PRIMARY) port 1 connect = SECURE
Jun 16 11:49:12.786361 xe-1/1/2:0(principal: PRIMARY) port 1 CP state = SECURED
Jun 16 11:49:12.786373 xe-1/1/2:0(principal: PRIMARY) port 1 ifSecure(TRUE, authData)
Jun 16 11:49:12.786401 MKA PRIMARY  actor #0 sending MKPDU, SCI 18:2A:D3:E9:2B:87/1, MI C9:0E:3C:AE:30:ED:C9:47:F6:AB:53:DA, MN 2
Jun 16 11:49:12.786448     SCI: 18:2A:D3:E9:2B:87/1
Jun 16 11:49:11.764288    Include SCI : enabled
Jun 16 11:49:11.764345 macsec_diff_configs: 1 cas are created
Jun 16 11:49:11.766573 macsec_evaluate_new_cas: 1 cas are created
Jun 16 11:49:11.766701    Include SCI : enabled
Jun 16 11:49:11.898782 task_job_create_foreground: created  job job to run completion_queue_next for task MACSEC
Jun 16 11:49:11.899193 task_job_create_foreground: created  job job to run completion_queue_next for task MACSEC
Jun 16 11:49:12.681344 DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 3c:94:d5:a0:a5:a2 on interface xe-1/1/2:0
Jun 16 11:49:13.825460 macsec_rt_sa_msg_insert: MACSEC_MSG_ADD - if:xe-1/1/2:0 ifdx:264 iflx:0 is_ifl:0 sc_id:18:2a:d3:e9:2b:87/0100 next_pn:1 ssci:00:00:00:02 salt:00:00:00:00:00:00:00:00:00:00:00:00 an:0
Jun 16 11:49:13.825471 macsec_rt_msg_send: MACSEC_MSG_ADD: MACSEC_SA_MSG - ifd: xe-1/1/2:0(idx: 264),  sc_id: 18:2a:d3:e9:2b:87/0100, next_pn: 1, an: 0, ssci: 00:00:00:02
Jun 16 11:49:13.825575 macsec_rt_sa_msg_insert: MACSEC_MSG_ADD - if:xe-1/1/2:0 ifdx:264 iflx:0 is_ifl:0 sc_id:3c:94:d5:a0:a5:a2/0100 next_pn:1 ssci:00:00:00:01 salt:00:00:00:00:00:00:00:00:00:00:00:00 an:0
Jun 16 11:49:13.825584 macsec_rt_msg_send: MACSEC_MSG_ADD: MACSEC_SA_MSG - ifd: xe-1/1/2:0(idx: 264),  sc_id: 3c:94:d5:a0:a5:a2/0100, next_pn: 1, an: 0, ssci: 00:00:00:01
Jun 16 11:49:13.825938 DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface xe-1/1/2:0
Jun 16 11:49:22.006396 DOT1XD_MACSEC_SC_CAK_ACTIVATED: ifd: xe-1/1/2:0 sci-out:182AD3E92B870001 sci-in:3C94D5A0A5A20001 cak: 2345678922334455667788992223334445556667778889992222333344445551

Requirement: FCS_MACSEC_EXT.3
Auditable Events: Creation and update of SAK
Additional Audit Record Contents: Creation and update of SAK
How Event is Generated:

sending EAPOL-MKA packet to 01:80:C2:00:00:03
received EAPOL-MKA from A8:D0:E5:F6:CF:17
MKA decode: truncated parameter set
cannot decode MKA PDU
Jun 16 11:49:13.198521   SAK use parameter set:
Jun 16 11:49:13.198592   Distributed SAK parameter set:
Jun 16 11:49:13.198623     AES key wrap of SAK: A5:38:56:DE:A0:CD:DB:B7:9D:39:1D:61:B6:33:1B:68:3E:42:2A:65:B1:23:A1:66:B4:37:C5:00:84:56:DB:68:
Jun 16 11:49:13.201028 xe-1/1/2:0(principal: PRIMARY) port 1 MKA peer #0/#0 received new 256-bit SAK cp_state SECURED transmit_when 0
Jun 16 11:49:13.201358 xe-1/1/2:0(principal: PRIMARY) port 1 newSAK = TRUE
Jun 16 11:49:13.276372 xe-1/1/2:0(principal: PRIMARY) port 1 installKey(sak, 05:12:CC:DB:E2:E9:69:07:BE:5D:7D:F0-1)
Jun 16 11:49:13.277752 xe-1/1/2:0(principal: PRIMARY) port 1 newSAK = FALSE
Jun 16 11:49:13.277910   SAK use parameter set:
Jun 16 11:49:13.719189   SAK use parameter set:
Jun 16 11:49:13.276380 macsec_is_sak_has_128bit_forced: ca context : CA1 found for ifd xe-1/1/2:0
Jun 16 11:49:13.276387 macsec_util_generate_sak_hash: sak_key_bits value 256
Jun 16 11:49:13.825180 macsec_enable_transmit ifd:xe-1/1/2:0(ifd:264 ifl:0) ks:0 type:PRIMARY key-num:1 an:0 rx-sak-ack:0
Jun 16 11:49:13.825492 macsec_set_sa_msg_gencfg_data: ifdx:264 iflx:0 is_ifl:0 key:xe-1/1/2:0-SA-TX-AN-0 len:164 an:0 sak-hash:10:cc:a2:cc:94:e7:ce:fb:58:40:4a:d2:23:cb:5c:1d
Jun 16 11:49:13.825594 macsec_set_sa_msg_gencfg_data: ifdx:264 iflx:0 is_ifl:0 key:xe-1/1/2:0-SA-RX-AN-0 len:164 an:0 sak-hash:10:cc:a2:cc:94:e7:ce:fb:58:40:4a:d2:23:cb:5c:1d

Requirement: FCS_MACSEC_EXT.4
Auditable Events: Creation of CA
Additional Audit Record Contents: Connectivity Association Key Names (CKNs)
How Event is Generated:

macsec_update_psk_keychain(692) ifd:xe-11/0/0 Dump Old CAK Info
macsec_update_psk_keychain(695) ifd:xe-11/0/0 Install New CAK
DOT1XD_MKA_SA_KEY_ROLLOVER: Macsec secure association key rolled over on interface xe-11/0/0
DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 28:8a:1c:a5:39:4a on interface xe-11/0/0
DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an:0 on interface xe-11/0/0
Jun 16 11:49:11.766530 ifd:xe-1/1/2:0 primary ckn:2345678922334455667788992223334445556667778889992222333344445551 cak:0x04E54960 being activated
Jun 16 11:49:11.766717    Primary CKN : 2345678922334455667788992223334445556667778889992222333344445551
Jun 16 11:49:19.928712     CKN: 23:45:67:89:22:33:44:55:66:77:88:99:22:23:33:44:45:55:66:67:77:88:89:99:22:22:33:33:44:44:55:51
Jun 16 11:49:22.006355 xe-1/1/2:0 CAK PRIMARY #0 (pre-shared pairwise) CAK activity: CKN 23:45:67:89:22:33:44:55:66:77:88:99:22:23:33:44:45:55:66:67:77:88:89:99:22:22:33:33:44:44:55:51 -> ACTIVATED

Requirement: FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH session
Additional Audit Record Contents: Reason for failure
How Event is Generated:

sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found.

Requirement: FPT_RPL.1
Auditable Events: Detected replay attempt
Additional Audit Record Contents: None
How Event is Generated:

[edit]
root@homer:fips# run show security mka statistics | match "Duplicate address|Old Replayed message"
        Duplicate address packets:            89516
        Old Replayed message number packets:  89192

[edit]
root@homer:fips# run show security mka statistics | match "Duplicate address|Old Replayed message"
Apr 11 05:28:58
    Interface name: xe-0/0/7
        Received packets:                     179707
        Transmitted packets:                  1000
        Version mismatch packets:             0
        CAK mismatch packets:                 0
        ICV mismatch packets:                 0
        Duplicate message identifier packets: 0
        Duplicate message number packets:     0
        Duplicate address packets:            89516
        Invalid destination address packets:  0
        Formatting error packets:             0
        Old Replayed message number packets:  89192
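
A replay attempt under FPT_RPL.1 is visible only as growth in the MKA statistics counters, so detecting it means comparing two readings of the output shown above rather than waiting for a single log message. The following Python script is an added example, not Juniper code: it parses "show security mka statistics" output in the shape shown above into per-interface counters and reports interfaces whose "Duplicate address packets" or "Old Replayed message number packets" counters increased between two snapshots. Both snapshots are constructed for the example; the second interface and the second reading's values are assumptions.

```python
"""Added example (not Juniper code): parse 'show security mka statistics'
output in the shape shown under FPT_RPL.1 and flag interfaces whose replay
counters grew between two snapshots. Both snapshots below are constructed."""
import re

# Counters that indicate replayed or duplicated MKPDUs (names as printed by the CLI).
REPLAY_COUNTERS = ("Duplicate address packets", "Old Replayed message number packets")

IFACE = re.compile(r'^\s*Interface name:\s*(\S+)\s*$')
COUNTER = re.compile(r'^\s*(?P<name>[A-Za-z][^:]*?):\s+(?P<value>\d+)\s*$')


def parse_mka_statistics(text):
    """Map each interface name to {counter name: value}; header lines are skipped."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = stats.setdefault(m.group(1), {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m.group("name")] = int(m.group("value"))
    return stats


def replay_deltas(before, after):
    """Interfaces whose replay counters increased, with the increase per counter."""
    alerts = {}
    for ifname, counters in after.items():
        prev = before.get(ifname, {})
        grown = {c: counters.get(c, 0) - prev.get(c, 0)
                 for c in REPLAY_COUNTERS if counters.get(c, 0) > prev.get(c, 0)}
        if grown:
            alerts[ifname] = grown
    return alerts


# Constructed snapshots, modelled on the output shown under FPT_RPL.1.
SNAPSHOT_T0 = """\
Apr 11 05:28:58
    Interface name: xe-0/0/7
        Received packets:                     179707
        Transmitted packets:                  1000
        Version mismatch packets:             0
        CAK mismatch packets:                 0
        ICV mismatch packets:                 0
        Duplicate message identifier packets: 0
        Duplicate message number packets:     0
        Duplicate address packets:            89516
        Invalid destination address packets:  0
        Formatting error packets:             0
        Old Replayed message number packets:  89192
    Interface name: xe-0/0/8
        Received packets:                     1200
        Transmitted packets:                  1200
        Duplicate address packets:            0
        Old Replayed message number packets:  0
"""
SNAPSHOT_T1 = """\
Apr 11 05:29:58
    Interface name: xe-0/0/7
        Received packets:                     179780
        Transmitted packets:                  1030
        Duplicate address packets:            89530
        Old Replayed message number packets:  89210
    Interface name: xe-0/0/8
        Received packets:                     1230
        Transmitted packets:                  1230
        Duplicate address packets:            0
        Old Replayed message number packets:  0
"""


def check_snapshots(t0=SNAPSHOT_T0, t1=SNAPSHOT_T1):
    """Return the replay alerts between two captured outputs."""
    return replay_deltas(parse_mka_statistics(t0), parse_mka_statistics(t1))


if __name__ == "__main__":
    for ifname, grown in check_snapshots().items():
        print(f"{ifname}: replay counters increased {grown}")
```

The comparison is per interface and per counter, so an interface whose counters are unchanged (xe-0/0/8 in the constructed data) produces no alert, and a counter reset after a reboot shows as no growth rather than as a false alarm.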

Requirement: FTP_ITC.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Audit Record Contents: Identification of the initiator and target of failed trusted channels establishment attempt
How Event is Generated:

Initiation of the trusted path

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482

Failure of the trusted path

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Note:

If the MACsec connection is broken unintentionally, deactivate and then reactivate security macsec, or restart dot1x-protocol.

Requirement: FTP_TRP.1/Admin
Auditable Events: Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.
Additional Audit Record Contents: None
How Event is Generated:

Initiation of the trusted path

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482

Failure of the trusted path

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Requirement: FMT_MOF.1/Functions
Auditable Events: None
Additional Audit Record Contents: None
How Event is Generated:

mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately
init - - - network-security (PID 72907) terminated by signal number 9!
init - - - network-security (PID 72929) started

Requirement: FMT_MOF.1/Services
Auditable Events: None
Additional Audit Record Contents: None

Requirement: FMT_MTD.1/CryptoKeys
Auditable Events: None
Additional Audit Record Contents: None
How Event is Generated:

SSH key

ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4
ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0

IPSEC keys

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2

In addition, Juniper Networks recommends:

  • To capture all changes to the configuration.

  • To store logging information remotely.

For more information on log details, see Specifying Log File Size, Number, and Archiving Properties.