Sample Code Audits of Configuration Changes
This sample code audits all changes to the secret data in the configuration and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
```
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
```
Example: System Logging of Configuration Changes
This example shows a sample configuration and then changes users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.
```
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
```
The new configuration changes the secret data configuration statements and adds a new user.
```
security-administrator@host:fips# show | compare
[edit system login user admin authentication]
-   encrypted-password "$ABC123"; # SECRET-DATA
+   encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 2001;
+       class operator;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA
```
Table 1 shows sample syslog audit records for NDcPPv2.1:
| Requirement | Auditable Events | Additional Audit Record Contents | How event generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | - |
| FAU_GEN.2 | None | None | - |
| FAU_STG_EXT.1 | None | None | - |
| FAU_STG.1 | None | None | - |
| FCS_CKM.1 | None | None | - |
| FCS_CKM.2 | None | None | - |
| FCS_CKM.4 | None | None | - |
| FCS_COP.1/DataEncryption | None | None | - |
| FCS_COP.1/SigGen | None | None | - |
| FCS_COP.1/Hash | None | None | - |
| FCS_COP.1/KeyedHash | None | None | - |
| FCS_COP.1(1) | None | None | - |
| FCS_COP.1 | None | None | - |
| FCS_RBG_EXT.1 | None | None | - |
| FIA_PMG_EXT.1 | None | None | - |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | **Successful local login**<br>login[27004]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)<br>login[27325]: ROOT LOGIN on '/dev/ttyS0'<br>**Unsuccessful local login**<br>May 20 02:42:49 evoptx10k-b login[1342]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost= user=root<br>May 20 02:42:51 evoptx10k-b login[1342]: FAILED LOGIN (1) on '/dev/ttyS0' FOR 'root', Authentication failure<br>**Successful remote login**<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>**Unsuccessful remote login**<br>sshd[7352]: notice: Login failed for user 'root' from host |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | **Successful local login**<br>login[27004]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)<br>login[27325]: ROOT LOGIN on '/dev/ttyS0'<br>**Unsuccessful local login**<br>May 20 02:42:49 evoptx10k-b login[1342]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost= user=root<br>May 20 02:42:51 evoptx10k-b login[1342]: FAILED LOGIN (1) on '/dev/ttyS0' FOR 'root', Authentication failure<br>**Successful remote login**<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>**Unsuccessful remote login**<br>sshd[7352]: notice: Login failed for user 'root' from host |
| FIA_UAU.7 | None | None | - |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | May 21 02:19:10 evoptx10k-b mgd[32755]: UI_CMDLINE_READ_LINE: User 'root', command 'request system software add /var/tmp/junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO.iso '<br>May 21 02:19:11 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : Download and Validate in Progress<br>May 21 02:19:17 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Running pre-checks for 'junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO'<br>May 21 02:19:19 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Pre-checks pass successfully, copying files to software area<br>May 21 02:19:20 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Starting upgrade : /var/tmp/junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO.iso<br>May 21 02:19:21 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Upgrade version : junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO<br>May 21 02:19:22 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Validating existing configs. See /var/log/validation_config.log for config validation logs. |
| FMT_MTD.1/CoreData | None | None | - |
| FMT_SMF.1 | Ability to start and stop services | None | Login as security-officer:<br>security-officer@host:fips> request system reboot<br>Reboot the system ? [yes,no] (no) yes |
| FMT_SMF.1 | Ability to configure audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full) | None | security-officer@host:fips# set system syslog archive files |
| FMT_SMF.1 | Ability to modify the behaviour of the transmission of audit data to an external IT entity | None | Generate an RSA key pair on the remote syslog server:<br>ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor<br>[edit system login]<br>security-officer@host:fips# set class monitor permissions trace<br>[edit system login]<br>security-officer@host:fips# set user syslog-mon class monitor authentication ssh-rsa "public-key"<br>[edit system services]<br>security-administrator@host:fips# set netconf ssh<br>[edit system]<br>security-officer@host:fips# set syslog file messages any any<br>commit<br>On the remote syslog server:<br>$ eval \`ssh-agent -s\`<br>$ ssh-add ~/.ssh/syslog-monitor |
| FMT_SMF.1 | Ability to configure the cryptographic functionality | None | security-officer@host:fips# set system services ssh<br>security-officer@host:fips# set system services ssh ciphers aes128-ctr |
| FMT_SMF.1 | Ability to configure thresholds for SSH rekeying | None | security-officer@host:fips# set system services ssh<br>security-officer@host:fips# set system services ssh rekey data-limit 51200<br>security-officer@host:fips# set system services ssh rekey time-limit 1 |
| FMT_SMF.1 | Ability to re-enable an Administrator account | None | root@fips# set system login user security-officer authentication plain-text-password<br>New password:<br>Retype new password:<br>root@fips# set system login user security-officer class super-user |
| FMT_SMF.1 | Reset the password for security-officer | None | root@fips# set system login user security-officer authentication plain-text-password<br>New password:<br>Retype new password: |
| FMT_SMF.1 | Syslog check | None | Verify the password-reset behavior through the audit logs:<br>root@fips> show log /var/log/messages1 \| grep "UI_CFG_AUDIT_SET: User 'security-officer' set: \[system login user security-officer authentication\].*unconfigured" \| except regress \| count<br>Count: 2 lines |
| FMT_SMF.1 | Ability to set the time which is used for time-stamps | None | Login as security-officer and modify the time stamp:<br>security-officer@fips-mx-b:fips> set date 202901010101.01<br>Mon Jan 1 01:01:01 PST 2029 |
| FMT_SMF.1 | Ability to manage the cryptographic keys | None | **Ability to manage the trusted public keys database**<br>Host_machine# ssh-keygen -t rsa -f $HOME/.ssh/id_ssh_rsa_2048 -N '' -b 2048<br>Generating public/private rsa key pair.<br>/root/.ssh/id_ssh_toby_rsa_2048 already exists.<br>Overwrite (y/n)?<br>Your identification has been saved in /root/.ssh/id_ssh_toby_rsa_2048.<br>Your public key has been saved in /root/.ssh/id_ssh_toby_rsa_2048.pub.<br>The key fingerprint is:<br>SHA256:m8ToMFz77/3rLDCK2rNFv9MaXpB0qmZUqAJMAEIX6X0 root@fips-qnc-lnx1.englab.juniper.net<br>The key's randomart image is:<br>+---[RSA 2048]----+<br>\|\*o.oo \|<br>\|.o.. . \|<br>\| + . . . o . \|<br>\| + o E o + \|<br>\| = = S + \|<br>\| = = =o. \|<br>\| ..O.o+. \|<br>\| .o+.o.=o. \|<br>\| ..oo .\*o.+=. \|<br>+----[SHA256]-----+<br>Toby-1960280-10.48.155.181% cat $HOME/.ssh/id_ssh_rsa_2048.pub<br>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net<br>security-officer@host:fips# set system login user syslog-mon authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMACOnJHF0UU+3fLO5ji7y9yBBQqolFjgGZ4PZsxOBW44NTYw1yp3cddih9XLEo5rGctThJfth6qIwLTkLdmw8FUIKvqU3szRztEuO/OKgchhi3E0YoPLBZI5M++Qth5e+hA65M/8Rub4CH2xkt2IIMZRDi51SLYecY0eIpGYs77o+u93x/rAe5BjooAfKe8UCwJRr2yxuZU/Xd2U0d6fFVASYIE8dvYI83chrLCC/WbaB3jUZk7tRumPlyq05vT0RXxzbzpffonRYsaaRnxPoc8xDr9uyDsiIQnA8cMM7H6ZxNHTfPOWSds1fraLEZsrsTOMrMBln5RNBZTc8sgbB root@fips-qnc-lnx1.englab.juniper.net"<br>security-officer@host:fips# set system login user syslog-mon class super-user<br>**Security Administrator may unlock an account that is locked from remote access (for example, SSH):**<br>Thu May 09 15:09:46 [user@ttbg-shell011:~] ssh test@nms-mx304-a<br>Password:<br>Password:<br>Password:<br>Received disconnect from 10.209.4.145 port 22:2: Too many password failures for test<br>Disconnected from 10.209.4.145 port 22<br>Thu May 09 20:01:19 [user@ttbg-shell011:~]<br>[edit]<br>root@host# run show system login lockout<br>User Lockout start Lockout end<br>test 2024-05-09 20:01:04 IST 2024-05-09 20:05:04 IST<br>[edit]<br>root@host#<br>sshd: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'test' has been locked out from logins<br>sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied<br>sshd: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user test is locked.<br>[edit]<br>root@host# run clear system login lockout user test<br>[edit]<br>root@host# run show system login lockout<br>User accounts not locked<br>[edit]<br>root@host# run show system uptime<br>Current time: 2024-05-09 20:03:10 IST<br>Time Source: LOCAL CLOCK<br>System booted: 2024-05-07 19:19:44 IST (2d 00:43 ago)<br>Protocols started: 2024-05-07 19:22:16 IST (2d 00:40 ago)<br>Last configured: 2024-05-09 20:00:29 IST (00:02:41 ago) by root<br>8:03PM up 2 days, 43 mins, 1 users, load averages: 0.21, 0.15, 0.10<br>[edit]<br>root@host#<br>mgd[78360]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'test' has been unlocked for logins |
| FMT_SMR.2 | None | None | - |
| FPT_SKP_EXT.1 | None | None | - |
| FPT_APW_EXT.1 | None | None | - |
| FPT_TST_EXT.1 | None | None | Reboot the device to view the self-test during startup. |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | May 21 02:19:10 evoptx10k-b mgd[32755]: UI_CMDLINE_READ_LINE: User 'root', command 'request system software add /var/tmp/junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO.iso '<br>May 21 02:19:11 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : Download and Validate in Progress<br>May 21 02:19:17 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Running pre-checks for 'junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO'<br>May 21 02:19:19 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Pre-checks pass successfully, copying files to software area<br>May 21 02:19:20 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Starting upgrade : /var/tmp/junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO.iso<br>May 21 02:19:21 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Upgrade version : junos-evo-install-ptx-fixed-x86-64-23.4R2.6-EVO<br>May 21 02:19:22 evoptx10k-b mgd[32755]: UI_SWUPDATE_EVENT: : re0: Validating existing configs. See /var/log/validation_config.log for config validation logs.<br><br>May 21 02:31:24 evoptx10k-b mgd[21958]: UI_CMDLINE_READ_LINE: User 'root', command 'request system software add negate-sign-byte-evo-test-package.new.tgz '<br>May 21 02:31:24 evoptx10k-b mgd[21958]: UI_SWUPDATE_EVENT: : Download and Validate in Progress<br>May 21 02:31:29 evoptx10k-b mgd[21958]: UI_SWUPDATE_EVENT: : re0: External Upgrade FAILED. See /var/log/extern_upgrade_master.log file for detailed errors<br>May 21 02:31:29 evoptx10k-b mgd[21958]: UI_SWUPDATE_EVENT: : re0: Check whether the signing keys are installed on all REs<br>May 21 02:31:33 evoptx10k-b mgd[21958]: UI_SWUPDATE_EVENT: : ERROR: Signing keys are not installed. Node:re0 Image: re0:/data/var/home/root/test/negate-sign-byte-evo-test-package.new.tgz<br>May 21 02:31:33 evoptx10k-b mgd[21958]: UI_SWUPDATE_EVENT: : External software upgrade failed. |
| FPT_STM_EXT.1 | Discontinuous changes to time - either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00'<br>Apr 22 15:32:05 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime'<br>May 21 02:51:18 evoptx10k-b ntpdate[10914]: NTP: System clock updated from 2024-05-21/09:48:48.473679 UTC to 2024-05-21/09:51:18.780343 UTC<br>May 21 02:51:18 evoptx10k-b systemd[1]: Started "NTP(Network Time Protocol) Daemon". |
| FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None | Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.4 | The termination of an interactive session. | None | **Local**<br>Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout<br>**Remote**<br>Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user |
| FTA_TAB.1 | None | None | - |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt. | **Initiation of the trusted path**<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>**Termination of the trusted path**<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>**Failure of the trusted path**<br>Jan 3 12:09:36 sshd[3790]: notice: Login failed for user 'root' from host '10.32.196.40' |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | **Initiation of the trusted path**<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>**Termination of the trusted path**<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>**Failure of the trusted path**<br>Jan 3 12:09:36 sshd[3790]: notice: Login failed for user 'root' from host '10.32.196.40' |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c |
| FIA_X509_EXT.2 | None | None | - |
| FMT_MOF.1/Functions | None | None | - |
| FMT_MOF.1/Services | None | None | - |
| FMT_MTD.1/CryptoKeys | None | None | - |
| FIA_AFL.1 | Administrator lockout due to excessive authentication failures | Origin of the attempt (e.g., IP address). | sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user ' security-administrator'<br>**Login lockout configuration details:**<br>[edit]<br>root@host:fips# run show system login lockout<br>User Lockout start Lockout end<br>security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST<br>**Log for the login lockout configuration:**<br>Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins<br>**Status of the session closed after the lockout period:**<br>ssh security-administrator@host<br>Password:<br>Connection closed by 10.209.21.170 port 22<br>**Log for the closed session after lockout period:**<br>Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked.<br>**Security Administrator may unlock an account that is locked from remote access (for example, SSH):**<br>Thu May 09 15:09:46 [user@ttbg-shell011:~] ssh test@host<br>Password:<br>Password:<br>Password:<br>Received disconnect from 10.209.4.145 port 22:2: Too many password failures for test<br>Disconnected from 10.209.4.145 port 22<br>Thu May 09 20:01:19 [user@ttbg-shell011:~]<br>[edit]<br>root@host# run show system login lockout<br>User Lockout start Lockout end<br>test 2024-05-09 20:01:04 IST 2024-05-09 20:05:04 IST<br>[edit]<br>root@host#<br>sshd: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'test' has been locked out from logins<br>sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied<br>sshd: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user test is locked.<br>[edit]<br>root@host# run clear system login lockout user test<br>[edit]<br>root@host# run show system login lockout<br>User accounts not locked<br>[edit]<br>root@host# run show system uptime<br>Current time: 2024-05-09 20:03:10 IST<br>Time Source: LOCAL CLOCK<br>System booted: 2024-05-07 19:19:44 IST (2d 00:43 ago)<br>Protocols started: 2024-05-07 19:22:16 IST (2d 00:40 ago)<br>Last configured: 2024-05-09 20:00:29 IST (00:02:41 ago) by root<br>8:03PM up 2 days, 43 mins, 1 users, load averages: 0.21, 0.15, 0.10<br>[edit]<br>root@host#<br>mgd[78360]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'test' has been unlocked for logins |
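The records in Table 1 reach the remote syslog server as plain text lines. The following added example (not Juniper code) classifies a batch of such lines by the NDcPP requirement they evidence, using the event tags quoted in the table, and then checks that each requirement whose "Additional Audit Record Contents" column asks for the origin of the attempt has an origin somewhere in the batch. The tag-to-requirement mapping and the sample lines are constructed from the table's own records; a real deployment would extend the mapping to every tag it collects.

```python
# Added example (not Juniper code): map Junos syslog audit records to the NDcPP
# v2.1 requirement in Table 1 and check the "origin of the attempt" is present.
import re
from collections import Counter, defaultdict

TAG_TO_REQ = {  # Junos event tag (UPPER_CASE token after the process) -> requirement
    "UI_AUTH_EVENT": "FIA_UIA_EXT.1", "UI_LOGIN_EVENT": "FIA_UIA_EXT.1",
    "UI_CFG_AUDIT_SET": "FMT_SMF.1", "UI_SWUPDATE_EVENT": "FPT_TUD_EXT.1",
    "UI_CLI_IDLE_TIMEOUT": "FTA_SSL.3", "UI_LOGOUT_EVENT": "FTA_SSL.4",
    "SSHD_LOGIN_ATTEMPTS_THRESHOLD": "FIA_AFL.1", "LIBJNX_LOGIN_ACCOUNT_LOCKED": "FIA_AFL.1",
    "PAM_USER_LOCK_LOGIN_REQUESTS_DENIED": "FIA_AFL.1"}
MSG_RULES = [  # OpenSSH and login(1) records carry no tag: classify by message text
    (re.compile(r"^Accepted \S+ for \S+ from "), "FTP_TRP.1/Admin"),
    (re.compile(r"^Unable to negotiate with "), "FCS_SSHS_EXT.1"),
    (re.compile(r"Login failed for user |LOGIN(?: \(\d+\))? on '/dev/"), "FIA_UIA_EXT.1")]
NEEDS_ORIGIN = {"FIA_UIA_EXT.1", "FIA_AFL.1"}  # "Origin of the attempt" column
LINE_RE = re.compile(r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d )?(?:(?P<host>\S+) )?"
                     r"(?P<proc>[a-z]+)(?:\[\d+\])?(?: -|:) (?P<msg>.+)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z][A-Z0-9_]+): (?P<rest>.*)$")
USER_RES = [re.compile(r"\buser '?\s*([\w-]+)'?", re.I),
            re.compile(r"\bfor ([\w-]+) from "), re.compile(r"\bFOR '([\w-]+)'")]
ORIGIN_RES = [re.compile(r"ssh-connection '([\d.]+) "), re.compile(r"from host '?([\d.]+)"),
              re.compile(r"\b(?:from|with) ([\d.]+) port"), re.compile(r"on '(/dev/[\w/]+)'")]

def first_match(patterns, text):
    """Group 1 of the first pattern that matches, else None."""
    return next((m.group(1) for m in map(lambda rx: rx.search(text), patterns) if m), None)

def classify(line):
    """One record -> {'req', 'tag', 'user', 'origin'}; None if not a syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = TAG_RE.match(m.group("msg"))  # Junos-style "TAG: message"?
    tag, msg = (t.group("tag"), t.group("rest")) if t else (None, m.group("msg"))
    req = TAG_TO_REQ.get(tag) if t else next((r for rx, r in MSG_RULES if rx.search(msg)), None)
    return {"req": req, "tag": tag, "user": first_match(USER_RES, msg),
            "origin": first_match(ORIGIN_RES, msg)}

def audit(lines):
    """Count records per requirement, pool origins per requirement (the lockout origin
    sits in the PAM_USER_LOCK_* record, not the LOCKED one), and list NEEDS_ORIGIN
    requirements that have records but no origin at all."""
    counts, origins = Counter(), defaultdict(set)
    for rec in filter(None, map(classify, lines)):
        if rec["req"]:
            counts[rec["req"]] += 1
            if rec["origin"]:
                origins[rec["req"]].add(rec["origin"])
    missing = [r for r in sorted(NEEDS_ORIGIN) if counts[r] and not origins.get(r)]
    return counts, {r: sorted(o) for r, o in origins.items()}, missing

SAMPLE = """\
Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'
May 20 02:42:51 evoptx10k-b login[1342]: FAILED LOGIN (1) on '/dev/ttyS0' FOR 'root', Authentication failure
sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user ' security-administrator'
Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins
sshd: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.220.196.34' are denied
Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout
"""  # constructed sample: records copied from Table 1
```

Running `audit(SAMPLE.splitlines())` yields two FIA_UIA_EXT.1 records with origins `/dev/ttyS0` and `10.1.5.153`, three FIA_AFL.1 records whose only origin comes from the PAM_USER_LOCK_LOGIN_REQUESTS_DENIED line, and an empty missing list; feeding only the LIBJNX_LOGIN_ACCOUNT_LOCKED line reports FIA_AFL.1 as lacking an origin.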