Sample Code Audits of Configuration Changes

This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:

Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.

The new configuration changes the secret data configuration statements and adds a new user.

Table 1 shows sample audit records for syslog auditing:

Table 1: Auditable Events

| Requirement | Auditable Events | Additional Audit Record Contents | Sample Audit Record |
| --- | --- | --- | --- |
| FAU_GEN.1 | Start-up and shut-down of the audit functions | None | %SYSLOG-6: master-eventd: Evo Dependency State Monitoring Started and<br>%DAEMON-6: master-eventd.service: Deactivated successfully. |
| | Resetting passwords (name of related Administrator account shall be logged) | None | %AUTHPRIV-6: change user 'security-administrator' password |
| FAU_GEN.2 | None | None | - |
| FAU_STG_EXT.1 | Configuration of local audit settings | Identity of account making changes to the audit configuration | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-officer' set: [system syslog archive files] "5 -- 10" |
| FCS_CKM.1 | None | None | - |
| FCS_CKM.2 | None | None | - |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | - |
| FCS_COP.1/SigGen | None | None | - |
| FCS_COP.1/Hash | None | None | - |
| FCS_COP.1/KeyedHash | None | None | - |
| FCS_RBG_EXT.1 | None | None | - |
| FIA_PMG_EXT.1 | None | None | - |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | %INTERACT-6-UI_LOGIN_EVENT: User 'security-administrator' assigned to class 'security-administrator' [4819], ssh-connection '', client-mode 'cli' and<br>%INTERACT-6-UI_LOGIN_EVENT: User 'security-administrator' assigned to class 'security-administrator' [4819], ssh-connection '10.4.25.18 58278 10.4.146.41 22', client-mode 'cli' |
| FIA_UAU.7 | None | None | - |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | %INTERACT-6-UI_CMDLINE_READ_LINE: User 'security-administrator', command 'request system software add /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso and<br>%DAEMON-6-UI_SWUPDATE_EVENT: : re0: Starting upgrade: /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso |
| FMT_MTD.1/CoreData | None | None | - |
| FMT_SMF.1 | Ability to administer the TOE remotely | None | %INTERACT-6-UI_LOGIN_EVENT: User 'security-administrator' assigned to class 'security-administrator' [4819], ssh-connection '10.4.25.18 58278 10.4.146.41 22', client-mode 'cli' |
| | Ability to configure the access banner | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system login message] unconfigured -- "login-message-banner-text" |
| | Ability to configure the remote session inactivity time before session termination | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system login class security-admin idle-timeout] "1 -- "6" |
| | Ability to update the TOE and to verify the updates using digital signature capability prior to installing those updates | None | %INTERACT-6-UI_CMDLINE_READ_LINE: User 'security-administrator', command 'request system software add /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso and<br>%DAEMON-6-UI_SWUPDATE_EVENT: : re0: Starting upgrade: /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso |
| | Ability to configure local audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full; changes to local audit storage size) | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set [system syslog file syslog archive size] "10000000 -- "9000000" |
| | Ability to modify the behaviour of the transmission of audit data to an external IT entity | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system services ssh rekey time-limit] "59 -- "60" |
| | Ability to manage the cryptographic keys | None | %AUTH-6: Added SSH public key with fingerprint 3072 SHA256:HWKMBcpf1pz/SYtUWJV3V//Kn8/B48QXzGmoMscqrD0 root@re0 (RSA) for user syslog-mon and<br>%AUTH-6: Removed SSH public key with fingerprint 3072 SHA256:HWKMBcpf1pz/SYtUWJV3V//Kn8/B48QXzGmoMscqrD0 root@re0 (RSA) for user syslog-mon |
| | Ability to configure the cryptographic functionality | None | %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'security-administrator' set: [system services ssh ciphers aes256-cbc] and<br>%CHANGE-6-UI_CFG_AUDIT_OTHER: User 'security-administrator' delete: [system services ssh ciphers] "aes256-cbc |
| | Ability to configure thresholds for SSH rekeying | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system services ssh rekey time-limit] "59 -- "60" |
| | Ability to re-enable an Administrator account | None | %AUTH-5-LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'security-administrator' has been unlocked for logins |
| | Ability to set the time which is used for time-stamps | None | %INTERACT-6-UI_CMDLINE_READ_LINE: User 'security-administrator', command 'set date 202501010101.01' |
| | Ability to configure NTP: | None | %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'root' set: [groups global system ntp server 1.1.1.1] and<br>%CHANGE-6-UI_CFG_AUDIT_OTHER: User 'root' delete: [groups global system ntp server 1.1.1.1] |
| | Ability to administer the TOE locally: | None | %INTERACT-6-UI_LOGIN_EVENT: User 'security-administrator' assigned to class 'security-administrator' [4819], ssh-connection '', client-mode 'cli' |
| | Ability to configure the local session inactivity time before session termination or locking | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system login class security-admin idle-timeout] "1 -- "6" |
| | Ability to configure the authentication failure parameters for FIA_AFL.1 | None | %CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system login retry-options tries-before-disconnect] "3 -- "4" and<br>%CHANGE-6-UI_CFG_AUDIT_SET: User 'security-administrator' set: [system login retry-options lockout-period] "1 -- "2" |
| | Ability to manage the trusted public keys database | None | %AUTH-6: Added SSH public key with fingerprint 3072 SHA256:HWKMBcpf1pz/SYtUWJV3V//Kn8/B48QXzGmoMscqrD0 root@re0 (RSA) for user syslog-mon and<br>%AUTH-6: Removed SSH public key with fingerprint 3072 SHA256:HWKMBcpf1pz/SYtUWJV3V//Kn8/B48QXzGmoMscqrD0 root@re0 (RSA) for user syslog-mon |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TST_EXT.1 | None | None | |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | May 21 02:19:10  hostname mgd[32755]: UI_CMDLINE_READ_LINE: User 'root', command 'request system software add /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso '<br>May 21 02:19:11  hostname mgd[32755]: UI_SWUPDATE_EVENT: : Download and Validate in Progress<br>May 21 02:19:17  hostname mgd[32755]: UI_SWUPDATE_EVENT: : re0: Running pre-checks for 'junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO'<br>May 21 02:19:19  hostname mgd[32755]: UI_SWUPDATE_EVENT: : re0: Pre-checks pass successfully, copying files to software area<br>May 21 02:19:20  hostname mgd[32755]: UI_SWUPDATE_EVENT: : re0: Starting upgrade : /var/tmp/junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO.iso<br>May 21 02:19:21  hostname mgd[32755]: UI_SWUPDATE_EVENT: : re0: Upgrade version : junos-evo-install-acx-f-x86-64-24.4-202501290558.0-EVO<br>May 21 02:19:22  hostname mgd[32755]: UI_SWUPDATE_EVENT: : re0: Validating existing configs. See /var/log/validation_config.log for config validation logs.<br>May 21 02:31:24  hostname mgd[21958]: UI_CMDLINE_READ_LINE: User 'root', command 'request system software add negate-sign-byte-evo-test-package.new.tgz '<br>May 21 02:31:24  hostname mgd[21958]: UI_SWUPDATE_EVENT: : Download and Validate in Progress<br>May 21 02:31:29  hostname mgd[21958]: UI_SWUPDATE_EVENT: : re0: External Upgrade FAILED. See /var/log/extern_upgrade_master.log file for detailed errors<br>May 21 02:31:29  hostname mgd[21958]: UI_SWUPDATE_EVENT: : re0: Check whether the signing keys are installed on all REs<br>May 21 02:31:33  hostname mgd[21958]: UI_SWUPDATE_EVENT: : ERROR: Signing keys are not installed. Node:re0 Image: re0:/data/var/home/root/test/negate-sign-byte-evo-test-package.new.tgz<br>May 21 02:31:33  hostname mgd[21958]: UI_SWUPDATE_EVENT: : External software upgrade failed. |
| FPT_STM_EXT.1 | Discontinuous changes to time - either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1) | For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | %INTERACT-6-UI_CMDLINE_READ_LINE: User 'security-administrator', command 'set date 202501010101.01' and<br>%USER-6-NTP: System clock updated from 2025-06-06/14:35:21.158525 UTC to 2025-09-11/20:26:32.590352 UTC |
| FTA_SSL_EXT.1 | The termination of a local session by the session lock | None | %USER-6: [11281]UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'security-administrator' exceeded and session terminated |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | %USER-6: [11281]UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'security-administrator' exceeded and session terminated |
| FTA_SSL.4 | The termination of an interactive session. | None | %INTERACT-6-UI_LOGOUT_EVENT: User 'security-administrator' logout and<br>%AUTH-6: Received disconnect from 10.4.25.18 port 57596:11: disconnected by user |
| FTA_TAB.1 | None | None | |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Reason for failure | %AUTH-6: Accepted publickey for syslog-mon from 10.4.146.2 port 37342 ssh2: RSA SHA256:sGHTj4KyhAFv2Nh+HGcUL0NgJmpiq8YlEFIpxmQzPXk,<br>%AUTH-6: Disconnected from user syslog-mon 10.4.146.2 port 37342, and<br>%AUTH-6: Unable to negotiate with 10.4.146.2 port 37342: no matching cipher found. Their offer: aes128-cbc |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | Reason for failure | %AUTH-6: Accepted keyboard-interactive/pam for atsec from 10.4.25.18 port 50544 ssh2,<br>%AUTH-6: Disconnected from user atsec 10.4.25.18 port 50544, and<br>%AUTH-6: Unable to negotiate with 10.4.146.2 port 50544: no matching cipher found. Their offer: aes128-cbc |
| FMT_MOF.1/Functions | None | None | |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | |
| FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded | Origin of the attempt (e.g., IP address). | %AUTH-5: notice: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator' |
| FCS_NTP_EXT.1.1 | Configuration of new time server | Identity of new or removed time server | %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'root' set: [groups global system ntp server 1.1.1.1] |
| | Removal of configured time server | Identity of new or removed time server | %CHANGE-6-UI_CFG_AUDIT_OTHER: User 'root' delete: [groups global system ntp server 1.1.1.1] |
| FCS_SSH_EXT.1 | Failure to establish SSH connection | Reason for failure and Non-TOE endpoint of attempted connection (IP Address). | %AUTH-6: Unable to negotiate with 10.4.146.2 port 37342: no matching cipher found. Their offer: aes128-cbc |
| | Establishment of SSH connection | Non-TOE endpoint of connection (IP Address). | %AUTH-6: Accepted keyboard-interactive/pam for atsec from 10.4.25.18 port 50544 ssh2 |
| | Termination of SSH connection session | Non-TOE endpoint of connection (IP Address). | %AUTH-6: Disconnected from user atsec 10.4.25.18 port 50544 |
| | Dropping of packets outside defined size limits | Packet size | %AUTH-6: Bad packet length 262156 |
| FCS_SSHS_EXT.1 | None | None | |
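One way to consume the configuration-change records from Table 1 on a log collector, as an added example that is not Juniper's code: it parses the `%FACILITY-SEVERITY-TAG` header and the `User ... set/delete: [path]` body, then flags changes under hierarchies that govern audit storage, SSH, time and login settings. The function names and the watch list are assumptions; the sample lines are copied from the table.

```python
import re

# %FACILITY-SEVERITY[-EVENT_TAG]: message, the header used in Table 1.
HEADER = re.compile(r"^%(?P<facility>[A-Z]+)-(?P<severity>\d)(?:-(?P<tag>[A-Z_]+))?:\s*(?P<msg>.*)$")
# Body of UI_CFG_AUDIT_SET / UI_CFG_AUDIT_OTHER: User 'x' set: [path] old -- new
# (the colon after the action is optional; one record in the table omits it).
CFG_CHANGE = re.compile(
    r"User '(?P<user>[^']+)' (?P<action>set|delete):? \[(?P<path>[^\]]+)\]\s*(?P<rest>.*)$")

# Assumed watch list (not from the page): hierarchy fragment -> review category.
WATCH = {
    "system syslog": "audit storage",
    "system services ssh": "ssh crypto",
    "system ntp": "time source",
    "system login": "login policy",
}

def parse_record(line):
    """Split one audit record into fields; None if it is not in %-header form."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["tag"] in ("UI_CFG_AUDIT_SET", "UI_CFG_AUDIT_OTHER"):
        c = CFG_CHANGE.search(rec["msg"])
        if c:
            rec.update(c.groupdict())
            old, sep, new = c["rest"].partition(" -- ")
            if sep:  # quoting in the records is uneven, so strip it
                rec["old"], rec["new"] = old.strip('" '), new.strip('" ')
    return rec

def sensitive_changes(lines):
    """Return (user, action, path, category) for changes under a watched path."""
    hits = []
    for line in lines:
        rec = parse_record(line) or {}
        path = rec.get("path", "")
        category = next((c for frag, c in WATCH.items() if frag in path), None)
        if category:
            hits.append((rec["user"], rec["action"], path, category))
    return hits

# Records copied from the Sample Audit Record column of Table 1.
SAMPLE = [
    "%CHANGE-6-UI_CFG_AUDIT_SET: User 'security-officer' set: [system syslog archive files] \"5 -- 10\"",
    "%CHANGE-6-UI_CFG_AUDIT_OTHER: User 'security-administrator' set: [system services ssh ciphers aes256-cbc]",
    "%CHANGE-6-UI_CFG_AUDIT_OTHER: User 'root' delete: [groups global system ntp server 1.1.1.1]",
    "%AUTH-6: Disconnected from user atsec 10.4.25.18 port 50544",
]
```

Calling `sensitive_changes(SAMPLE)` returns the three configuration changes and skips the SSH disconnect record, which has no configuration path.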