Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:
Send automated responses to audit events (syslog entry creation).
Allow authorized managers to examine audit logs.
Send audit files to external servers.
Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the events. The logging events are listed below:
Table 1 shows sample for syslog auditing for NDcPPv2.2e, MOD_VPNGWv1.3, MOD_FWv1.4e, and MOD_IPSv1.0
|
Requirement |
Auditable Events |
Additional Audit Record Contents |
|---|---|---|
|
FAU_GEN.1 |
None |
None |
|
FAU_GEN.2 |
None |
None |
|
FAU_STG_EXT.1 |
None |
None |
|
FCS_CKM.1 |
None |
None |
|
FCS_CKM.2 |
None |
None |
|
FCS_CKM.4 |
None |
None |
|
FCS_COP.1/DataEncryption |
None |
None |
|
FCS_COP.1/SigGen |
None |
None |
|
FCS_COP.1/Hash |
None |
None |
|
FCS_COP.1/KeyedHash |
None |
None |
|
FCS_RBG_EXT.1 |
None |
None |
|
FDP_RIP.2 |
None |
None |
|
FIA_AFL.1 |
Unsuccessful login attempts limit is met or exceeded. |
Origin of the attempt (e.g., IP address). |
|
FIA_PMG_EXT.1 |
None |
None |
|
FIA_UIA_EXT.1 |
All use of identification and authentication mechanism. |
Origin of the attempt (e.g., IP address). |
|
FIA_UAU_EXT.2 |
All use of identification and authentication mechanism. |
Origin of the attempt (e.g., IP address). |
|
FIA_UAU.7 |
None |
None |
|
FMT_MOF.1/ManualUpdate |
Any attempt to initiate a manual update. |
None |
|
FMT_MTD.1/CoreData |
None |
None |
|
FMT_SMF.1 |
All management activities of TSF data |
None |
|
FMT_SMR.2 |
None |
None |
|
FPT_SKP_EXT.1 |
None |
None |
|
FPT_APW_EXT.1 |
None |
None |
|
FPT_TST_EXT.1 |
None |
None |
|
FPT_TUD_EXT.1 |
Initiation of update; result of the update attempt (success or failure) |
None |
|
FPT_STM_EXT.1 |
Discontinuous changes to time - either Administrator actuated or changed through an automated process. |
For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (such as, IP address). |
|
FTA_SSL_EXT.1 |
The termination of a local interactive session by the session locking mechanism. |
None |
|
FTA_SSL.3 |
The termination of a remote session by the session locking mechanism. |
None |
|
FTA_SSL.4 |
The termination of an interactive session. |
None |
|
FTA_TAB.1 |
None |
None |
|
FCS_SSHS_EXT.1 |
Failure to establish an SSH session |
Reason for failure |
|
FTP_ITC.1 |
Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. |
Identification of the initiator and target of failed trusted channels establishment attempt. |
|
FTP_TRP.1/Admin |
Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. |
None |
|
FIA_X509_EXT.1/Rev |
Any addition, replacement or removal of trust anchors in the TOE's trust store |
Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store |
|
FIA_X509_EXT.2 |
None |
None |
|
FIA_X509_EXT.3 |
None |
None |
|
FMT_MOF.1/Functions |
None |
None |
|
FMT_MOF.1/Services |
None |
None |
|
FMT_MTD.1/CryptoKeys |
None |
None |
|
FFW_RUL_EXT.1 |
Application of rules configured with the ‘log’ operation |
|
|
FMT_SMF.1/FFW |
All management activities of TSF data (including creation, modification and deletion of firewall rules) | None |
|
FCS_IPSEC_EXT.1 |
Failure to establish an IPsec SA |
Reason for failure |
|
FCS_NTP_EXT.1 |
|
Identity if new/removed time server |
|
FCS_SSHC_EXT.1 |
Failure to establish an SSH session | Reason for failure |
|
FAU_GEN.1/VPN |
No events specified | N/A |
|
FCS_CKM.1/IKE |
No events specified | N/A |
|
FMT_SMF.1/VPN |
All administrative actions | No additional information |
|
FPT_FLS.1/SelfTest |
No events specified | N/A |
|
FPT_TST_EXT.3 |
No events specified | N/A |
|
FPF_RUL_EXT.1 |
Application of rules configured with the ‘log’ operation |
|
|
FTP_ITC.1/VPN |
Initiation of the trusted channel | No additional information |
| Termination of the trusted channel | No additional information | |
| Failure of the trusted channel functions | Identification of the initiator and target of failed trusted channel establishment attempt | |
|
FIA_PSK_EXT.1 |
No events specified | N/A |
|
FIA_PSK_EXT.2 |
No events specified | N/A |
| IPS_ABD_EXT.1 | Inspected traffic matches an anomaly-based IPS policy. | Source and destination IP addresses. |
| The content of the header fields that were determined to match the policy. | ||
| TOE interface that received the packet. | ||
| Aspect of the anomaly-based IPS policy rule that triggered the event (e.g. throughput, time of day, frequency, etc.) | ||
| Network-based action by the TOE (e.g. allowed, blocked, sent reset to source IP, sent blocking notification to firewall). | ||
| IPS_IPB_EXT.1 | Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy. | Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list). |
| TOE interface that received the packet. | ||
| Network-based action by the TOE (e.g. allowed, blocked, sent reset). | ||
| IPS_NTA_EXT.1 | Modification of which IPS policies
are active on a TOE interface Enabling/disabling a TOE interface with IPS policies applied Modification of which mode(s) is/are active on a TOE interface |
Identification of the TOE interface. |
| The IPS policy and interface mode (if applicable). | ||
| IPS_SBD_EXT.1 | Inspected traffic matches a signature-based IPS rule with logging enabled | Name or identifier of the matched signature |
| Source and destination IP addresses | ||
| The content of the header fields that were determined to match the signature | ||
| TOE interface that received the packet | ||
| Network-based action by the TOE (e.g. allowed, blocked, sent reset) |
In addition, Juniper Networks recommends that logging also:
Capture all changes to the configuration.
Store logging information remotely.