Monitoring Security Policy Violations
Security policy violations are monitored by an audit administrator, who takes action against possible security breaches. An audit administrator analyzes the audit trail, reviews the audit records, and deletes the audit trail for maintenance purposes. The search and sort capability gives the audit administrator an efficient way to view pertinent audit information. For more information, see the following topics:
Understanding Searching and Sorting Audit Log
An audit administrator analyzes the audit trail, reviews the audit records, and deletes the audit trail for maintenance purposes. The search and sort capability gives the audit administrator an efficient way to view pertinent audit information. This helps the audit administrator identify potential security violations and take action against possible security breaches. The audit log can be viewed by all administrators (such as Audit, Cryptographic, Security, and IDS administrators). An IDS audit log can be viewed only by an IDS audit administrator.
The security administrator can configure audit events and set thresholds that could indicate a potential security violation. The device monitors the occurrences of these events and notifies the administrator after an event has occurred or a set threshold has been met.
The audit administrator can search or group the audit log data based on the following:
- Destination subject identity
- Source subject identity
- Range of date, time, user identities, subject service identifiers, or Transport Layer protocol
- Rule identity
- User identity
- Network interface
- Success of auditable security events
- Failure of auditable security events
Example: Generating a Security Alarm in Response to Policy Violations
This example shows how to configure the device to generate a system alarm when a policy violation occurs. By default, no alarm is raised when a policy violation occurs.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you configure an alarm to be raised when:
The application size is 10240 units.
The source IP violation exceeds 1000 within 20 seconds.
The destination IP violations exceed 1000 within 10 seconds.
The policy match violation exceeds 100, with a size of 100 units.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure policy violation alarms:
- Enable security alarms.
  [edit]
  user@host# edit security alarms
- Specify that an alarm should be raised when an application violation occurs.
  [edit security alarms potential-violation policy]
  user@host# set application size 10240
- Specify that an alarm should be raised when a source IP violation occurs.
  [edit security alarms potential-violation policy]
  user@host# set source-ip threshold 1000 duration 20
- Specify that an alarm should be raised when a destination IP violation occurs.
  [edit security alarms potential-violation policy]
  user@host# set destination-ip threshold 1000 duration 10
- Specify that an alarm should be raised when a policy match violation occurs.
  [edit security alarms potential-violation policy]
  user@host# set policy-match threshold 100 size 100
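The following Python script is an added illustration, not part of the original page or of Junos OS. It serves two purposes: it renders the four set commands from the step-by-step procedure above from a single policy definition (so the full-path form of each step can be compared against what you type), and it models what a threshold-plus-duration setting from the Overview means for alarm generation by replaying a constructed stream of violation events through a sliding-window counter. The sliding-window interpretation is an assumption made for illustration; the page does not state exactly how the device counts violations against the duration, and the `size` parameters of the application and policy-match stanzas are not modelled because the page does not define their units.

```python
from collections import deque

# Hierarchy level shown in the prompts of the step-by-step procedure.
HIERARCHY = "security alarms potential-violation policy"

# The thresholds from the example above, copied into a dictionary (constructed).
POLICY = {
    "application": {"size": 10240},
    "source-ip": {"threshold": 1000, "duration": 20},
    "destination-ip": {"threshold": 1000, "duration": 10},
    "policy-match": {"threshold": 100, "size": 100},
}


def render_set_commands(policy: dict) -> list:
    """Render each stanza as a full-path Junos 'set' command.

    This is only a string template over the values in POLICY; it does not
    talk to a device or validate the commands.
    """
    cmds = []
    for stanza, params in policy.items():
        args = " ".join(f"{k} {v}" for k, v in params.items())
        cmds.append(f"set {HIERARCHY} {stanza} {args}")
    return cmds


class SlidingWindowAlarm:
    """Fire once `threshold` violations fall within the last `duration` seconds.

    Assumption for illustration: a sliding window that drops events older than
    `duration` seconds before each count.
    """

    def __init__(self, threshold: int, duration: int):
        self.threshold = threshold
        self.duration = duration
        self.events = deque()  # timestamps of retained violations

    def observe(self, ts: float) -> bool:
        """Record a violation at time ts (seconds); return True if an alarm fires."""
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.duration:
            self.events.popleft()
        return len(self.events) >= self.threshold


def first_alarm_time(threshold: int, duration: int, timestamps):
    """Replay a stream of violation timestamps; return when the alarm first fires, or None."""
    alarm = SlidingWindowAlarm(threshold, duration)
    for ts in timestamps:
        if alarm.observe(ts):
            return ts
    return None


def evaluate_scenarios() -> dict:
    """Constructed scenarios showing how duration changes the outcome for identical bursts."""
    # 1000 violations at 50 per second, spread over 20 seconds (timestamps 0..19).
    burst_over_20s = [i // 50 for i in range(1000)]
    # One violation per second for 3000 seconds: a slow drip that never bunches up.
    slow_drip = list(range(3000))
    return {
        # source-ip: threshold 1000 within 20 s -> the whole burst fits, alarm at t=19.
        "source-ip burst": first_alarm_time(1000, 20, burst_over_20s),
        # destination-ip: threshold 1000 within 10 s -> at most 550 fit, no alarm.
        "destination-ip burst": first_alarm_time(1000, 10, burst_over_20s),
        # source-ip against the slow drip: at most 21 events in any window, no alarm.
        "source-ip slow drip": first_alarm_time(1000, 20, slow_drip),
    }


if __name__ == "__main__":
    for cmd in render_set_commands(POLICY):
        print(cmd)
    for name, when in evaluate_scenarios().items():
        print(f"{name}: {'alarm at t=' + str(when) if when is not None else 'no alarm'}")
```

The two burst scenarios use the same 1000 violations; only the configured duration differs, which is why the source-ip rule (20 seconds) fires and the destination-ip rule (10 seconds) does not. When choosing thresholds, replaying representative event rates this way helps confirm that a rule catches the burst you care about without firing on normal traffic.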
Results
From configuration mode, confirm your configuration by entering the show security alarms command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, from operational mode, enter the show security alarms command.