Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named messages:
[edit system]
syslog {
file messages {
authorization info;
change-log info;
interactive-commands info;
}
}
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named messages:
[edit system]
syslog {
file messages {
any any;
authorization info;
change-log any;
interactive-commands info;
kernel info;
pfe info;
}
}
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data.
[edit system]
location {
country-code US;
building B1;
}
...
login {
message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password “$ABC123”;
# SECRET-DATA
}
}
password {
format sha512;
}
}
radius-server 192.0.2.15 {
secret “$ABC123” # SECRET-DATA
}
services {
ssh;
}
syslog {
user *{
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
...
...
The new configuration changes the secret data configuration statements and adds a new user.
user@host# show | compare
[edit system login user admin authentication]
– encrypted-password “$ABC123”; # SECRET-DATA
+ encrypted-password “$ABC123”; # SECRET-DATA
[edit system login]
+ user admin2 {
+ uid 2001;
+ class read-only;
+ authentication {
+ encrypted-password “$ABC123”;
# SECRET-DATA
+ }
+ }
[edit system radius-server 192.0.2.15]
– secret “$ABC123”; # SECRET-DATA
+ secret “$ABC123”; # SECRET-DATA
Table 1 shows sample for syslog auditing for NDcPPv2.2e:
Requirement |
Auditable Events |
Additional Audit Record Contents |
How event generated |
|---|---|---|---|
FAU_GEN.1 |
None |
None |
|
FAU_GEN.2 |
None |
None |
|
FAU_STG_EXT.1 |
None |
None |
|
FAU_STG.1 |
None |
None |
|
FCS_CKM.1 |
None |
None |
|
FCS_CKM.2 |
None |
None |
|
FCS_CKM.4 |
None |
None |
|
FCS_COP.1/DataEncryption |
None |
None |
|
FCS_COP.1/SigGen |
None |
None |
|
FCS_COP.1/Hash |
None |
None |
|
FCS_COP.1/KeyedHash |
None |
None |
|
FCS_COP.1(1)/KeyedHashCMAC |
None |
None |
|
FCS_RBG_EXT.1 |
None |
None |
|
FIA_PMG_EXT.1 |
None |
None |
|
FIA_UIA_EXT.1 |
All use of identification and authentication mechanism. |
Origin of the attempt (e.g., IP address) |
Successful Local Login Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0 Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0 Successful Remote Login Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only' Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli' Unsuccessful Remote Login Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
FIA_UAU_EXT.2 |
All use of identification and authentication mechanism. |
Origin of the attempt (e.g., IP address) |
Successful Local Login Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0 Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0 Unsuccessful Local Login Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0 Successful Remote Login Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only' Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli' Unsuccessful Remote Login Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
FIA_UAU.7 |
None |
None |
|
FMT_MOF.1/ManualUpdate |
Any attempt to initiate a manual update |
None |
|
FMT_MTD.1/CoreData |
None |
None |
|
FMT_SMF.1 |
All management activities of TSF data |
None |
Refer to the audit events listed in this table. |
FMT_SMR.2 |
None |
None |
|
FPT_SKP_EXT.1 |
None |
None |
|
FPT_APW_EXT.1 |
None |
None |
|
FPT_TUD_EXT.1 |
Initiation of update; result of the update attempt (success or failure) |
None |
mgd[23878]: UI_CMDLINE_READ_LINE: User 'root', command 'request
system software add
/var/tmp/junos-install-ex-x86-64-22.3R1.tgz |
FPT_STM_EXT.1 FTA_SSL_EXT.1 (if “terminate the session is selected) |
The termination of a local interactive session by the session locking mechanism. |
None |
Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.3 |
The termination of a remote session by the session locking mechanism. |
None |
Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.4 |
The termination of an interactive session. |
None |
Local Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout Remote Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user |
FTA_TAB.1 |
None |
None |
|
FTP_ITC.1 |
Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. |
Identification of the initiator and target of failed trusted channels establishment attempt. |
Initiation of the trusted path Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2 Termination of the trusted path Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user Jan 3 12:09:36 sshd: Failure of the trusted path SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
FTP_TRP.1/Admin |
Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. |
None |
Initiation of the trusted path Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2 Termination of the trusted path Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user Jan 3 12:09:36 sshd: Failure of the trusted path SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
FCS_SSHS_EXT.1 |
Failure to establish an SSH session |
Reason for failure |
sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com, aes128-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes256-cbc |
FIA_X509_EXT.1/Rev |
Unsuccessful attempt to validate a certificate Any addition, replacement or removal of trust anchors in the TOE's trust store |
Reason for failure of certificate validation Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store |
Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
FIA_X509_EXT.2 |
None |
None |
|
FPT_TUD_EXT.2 |
Failure of update |
Reason for failure (including identifier of invalid certificate) |
Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
FMT_MOF.1/Functions |
None |
None |
|
FMT_MOF.1/Services |
None |
None |
|
FMT_MTD.1/CryptoKeys |
None |
None |
|
FCS_MACSEC_EXT.1 |
Session establishment |
Secure Channel Identifier (SCI) |
Apr 10 20:43:35 dot1xd[6622]: DOT1XD_MKA_SECURE_CHANNEL_CREATED: Macsec receive secure channel created for 64:87:88:5a :19:30 on interface xe-0/0/0 |
FCS_MACSEC_EXT.1.7 |
Creation of Connectivity Association |
Connectivity Association Key Names |
Apr 10 20:43:38 dot1xd[6622]: DOT1XD_MKA_SECURE_ASSOCIATION_ESTABLISHED: Macsec secure association established with an :2 on interface xe-0/0/0 |
FCS_MACSEC_EXT.3.1 |
Creation and update of Secure Association Key |
Creation and update times |
Apr 29 16:01:49 fpc0 vsc8584_macsec_rx_sa_create: ifd 148 (ge-0/0/0), port_no 0, vsc8584_handle 0x1543be98, an 3, key 0x18ccb058, lowest_pn 1, sci 0x18ccb044 |
FIA_AFL.1 |
Administrator lockout due to excessive authentication failures |
None |
sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user ' security-administrator' Login lockout configuration details: [edit] root@host:fips# run show system login lockout User Lockout start Lockout end security-administrator 2023-01-10 15:03:26 IST 2023-01-10 15:04:26 IST Log for the login lockout configuration: Jan 10 15:03:26 host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins Status of the session closed after the lockout period: ssh security-administrator@host Password: Connection closed by 10.209.21.170 port 22 Log for the closed session after lockout period: Jan 10 15:04:10 host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked. Establishes the session through the console as the root user during lockout period: login: security-administrator Password: Last login: Tue Jan 10 15:01:43 on ttyu0 --- JUNOS 22.3R1-S1.3 Kernel 64-bit JNPR-12.1-20221021.ecb908b2_bui security-administrator@bm-a:fips> [edit] root@host:fips# run show system users 3:04PM up 4 days, 3:59, 2 users, load averages: 0.28, 0.21, 0.22 USER TTY FROM LOGIN@ IDLE WHAT security-a u0 - 3:03PM - -cli (cli) Log for the session established through the console as the root user during lockout period: Jan 10 15:03:52 host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0 |
FPT_RPL.1 |
Detected replay attempt |
None |
Apr 15 10:05:16.142910 MKA actor #0 received duplicate or delayed PDU Apr 15 10:05:16.142932 MKA actor #0 received MKPDU, SCI 3C:94:D5:A0:A0:07/1, MI 27:D7:9F:97:53:CF:EF:86:00:52:C1:78, MN 1530 |
|
FPT_STM_EXT.1 |
Discontinuous changes to time - either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1) |
For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). |
mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00' mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed |
|
Note:
We are not claiming NTP as part of FPT_STM_EXT.1 SFR. However, in our configuration guide we have leveraged activate/deactivate NTP services to validate MACsec tolerance and MACsec key-chain. |
|||
|
FPT_TST_EXT.1 |
None |
None |
Enter |
|
Note:
If there is a self-test error, you can recover the device via USB recovery. If USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/). |
|||