Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:
Send automated responses to audit events (syslog entry creation).
Allow authorized managers to examine audit logs.
Send audit files to external servers.
Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the following events:
Changes to secret key data in the configuration.
Committed changes.
Login/logout of users.
System startup.
Failure to establish an SSH session.
Establishment/termination of an SSH session.
Changes to the (system) time.
Termination of a remote session by the session locking mechanism.
Termination of an interactive session.
Table 1 shows sample for syslog auditing for NDcPPv2.2e:
Requirement |
Auditable Events |
Additional Audit Record Contents |
How Event is Generated |
---|---|---|---|
FAU_GEN.1 |
None |
None |
|
FAU_GEN.2 |
None |
None |
|
FAU_STG_EXT.1 |
None |
None |
|
FAU_STG.1 |
None |
None |
|
FCS_CKM.1 |
None |
None |
|
FCS_CKM.2 |
None |
None |
|
FCS_CKM.4 |
None |
None |
|
FCS_COP.1/ DataEncryption |
None |
None |
|
FCS_COP.1/SigGen |
None |
None |
|
FCS_COP.1/Hash |
None |
None |
|
FCS_COP.1/KeyedHash |
None |
None |
|
FCS_RBG_EXT.1 |
None |
None |
|
FDP_RIP.2 |
None |
None |
|
FIA_AFL.1 |
Unsuccessful login attempts limit is met or exceeded. |
Origin of the attempt (e.g., IP address). |
sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user ' security-administrator' Login lockout configuration details: [edit] root@host:fips# run show system login lockout User Lockout start Lockout end security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST Log for the login lockout configuration: Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins Status of the session closed after the lockout period: ssh security-administrator@host Password: Connection closed by 10.209.21.170 port 22 Log for the closed session after lockout period: Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked. Establishes the session through the console as the root user during lockout period: login: security-administrator Password: Last login: Tue Jan 10 15:01:43 on ttyu0 --- JUNOS 22.3R1.12 Kernel 64-bit JNPR-12.1-20220930.fd75b9c_buil security-administrator@bm-a:fips> [edit] root@host:fips# run show system users 3:04PM up 4 days, 3:59, 2 users, load averages: 0.28, 0.21, 0.22 USER TTY FROM LOGIN@ IDLE WHAT security-a u0 - 3:03PM - -cli (cli) Log for the session established through the console as the root user during lockout period: Jan 10 15:03:52 host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0 |
FIA_PMG_EXT.1 |
None |
None |
|
FIA_UIA_EXT.1 |
All use of identification and authentication mechanism. |
Provided user identity, origin of the attempt (e.g., IP address). |
Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU_EXT.2 |
All use of identification and authentication mechanism. |
Origin of the attempt (e.g., IP address). |
Successful Remote Login mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user' mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli' Unsuccessful Remote Login sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' Successful Local Login login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0 login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0 |
FIA_UAU.7 |
None |
None |
|
FMT_MOF.1/ ManualUpdate |
Any attempt to initiate a manual update. |
None |
UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request system software add /var/tmp/junos-acx5448-22.3R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-acx5448-22.3R1.1.tgz no-validate ' |
FMT_MTD.1/CoreData |
All management activities of TSF data |
None |
Refer to the audit events listed in this table. |
FMT_SMF.1/IPS |
None |
None |
None |
FMT_SMF.1/ND |
None |
None |
None |
FMT_SMR.2 |
None |
None |
|
FPT_SKP_EXT.1 |
None |
None |
|
FPT_APW_EXT.1 |
None |
None |
|
FPT_TST_EXT.1 |
None |
None |
|
FPT_TUD_EXT.1 |
Initiation of update; result of the update attempt (success or failure) |
None |
UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request system software add /var/tmp/junos-acx5448-22.3R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-acx5448-22.3R1.1.tgz no-validate ' |
FPT_STM_EXT.1 |
Discontinuous changes to time - either Administrator actuated or changed through an automated process. |
For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (such as, IP address). |
mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 ' mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed |
FTA_SSL_EXT.1 (if terminate the session is selected) |
The termination of a local interactive session by the session locking mechanism. |
None |
cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.3 |
The termination of a remote session by the session locking mechanism. |
None |
cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.4 |
The termination of an interactive session. |
None |
mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout |
FTA_TAB.1 |
None |
None |
|
FCS_SSHS_EXT.1 |
Failure to establish an SSH session |
Reason for failure |
sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes256-cbc |
FTP_ITC.1 |
Initiation of the trusted channel.Termination of the trusted channel. Failure of the trusted channel functions |
Identification of the initiator and target of failed trusted channels establishment attempt |
Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FTP_TRP.1/Admin |
Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. |
None |
Initiation of the trusted path sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2 Termination of the trusted path sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482 Failure of the trusted path sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251' |
FCS_SSHS_EXT.1 |
Failure to establish an SSH session |
Reason for failure |
sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes256-cbc |
FIA_X509_EXT.1/Rev |
Unsuccessful attempt to validate a certificate |
Reason for failure |
verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProduction TestEc_2017_NO_DEFECTS/emailAddress =ca@juniper.net |
FIA_X509_EXT.2 |
None |
None |
|
FIA_X509_EXT.3 |
None |
None |
|
FMT_MOF.1/Functions |
Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full. |
None |
mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately init - - - network-security (PID 72907) terminated by signal number 9! init - - - network-security (PID 72929) started |
FMT_MOF.1/Services |
Starting and stopping of services. |
None |
|
FMT_MTD.1/ CryptoKeys |
Management of cryptographic keys. |
None |
SSH key ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg + YBLbFR3TdmJMpm6D1FSjRo6lVE4 ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/ sYv871hwWUzSG8hNqyMUe1cNc0 |
In addition, Juniper Networks recommends that logging also:
-
Capture all changes to the configuration.
-
Store logging information remotely.