Event Logging Overview

The evaluated configuration requires the auditing of configuration changes through the system log.

In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).

  • Allow authorized managers to examine audit logs.

  • Send audit files to external servers.

  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the events listed below.

Table 1 shows sample syslog audit events for NDcPPv2.2e:

Table 1: Auditable Events

Columns: Requirement | Auditable Events | Additional Audit Record Contents | How Event is Generated

FAU_GEN.1 | None | None
FAU_GEN.2 | None | None
FAU_STG_EXT.1 | None | None
FAU_STG.1 | None | None
FCS_CKM.1 | None | None
FCS_CKM.2 | None | None
FCS_CKM.4 | None | None
FCS_COP.1/DataEncryption | None | None
FCS_COP.1/SigGen | None | None
FCS_COP.1/Hash | None | None
FCS_COP.1/KeyedHash | None | None
FCS_RBG_EXT.1 | None | None
FDP_RIP.2 | None | None

FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address).
How event is generated:

sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'security-administrator'

Login lockout configuration details:

[edit]
root@host:fips# run show system login lockout
User                      Lockout start              Lockout end
security-administrator    2023-01-10 15:03:26 IST    2023-01-10 15:04:26 IST

Log for the login lockout:

Jan 10 15:03:26  host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins

Status of the session closed after the lockout period:

ssh security-administrator@host
Password:
Connection closed by 10.209.21.170 port 22

Log for the session closed after the lockout period:

Jan 10 15:04:10  host sshd[63694]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user security-administrator is locked.

Session established through the console as the root user during the lockout period:

login: security-administrator
Password:
Last login: Tue Jan 10 15:01:43 on ttyu0

--- JUNOS 22.4R2.8 Kernel 64-bit  JNPR-12.1-20230321.be5f9c0_buil
security-administrator@bm-a:fips>

[edit]
root@host:fips# run show system users
 3:04PM  up 4 days,  3:59, 2 users, load averages: 0.28, 0.21, 0.22
USER       TTY   FROM                              LOGIN@  IDLE WHAT
security-a u0    -                                 3:03PM     - -cli (cli)

Log for the session established through the console as the root user during the lockout period:

Jan 10 15:03:52  host login[63625]: LOGIN_INFORMATION: User security-administrator logged in from host [unknown] on device ttyu0

FIA_PMG_EXT.1 | None | None

FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address).
How event is generated:

Successful remote login:

mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user'

mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'

Unsuccessful remote login:

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Successful local login:

login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0

login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0

Unsuccessful local login:

login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module

login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0

FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address).
How event is generated:

Successful remote login:

mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' assigned to class 'super-user'

mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'

Unsuccessful remote login:

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

Successful local login:

login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0

login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0

Unsuccessful local login:

login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module

login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0

FIA_UAU.7 | None | None

FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None
How event is generated:

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate'

FMT_MTD.1/CoreData | All management activities of TSF data. | None
How event is generated: refer to the audit events listed in this table.

FMT_SMF.1/IPS | None | None | None
FMT_SMF.1/ND | None | None | None
FMT_SMR.2 | None | None
FPT_SKP_EXT.1 | None | None
FPT_APW_EXT.1 | None | None
FPT_TST_EXT.1 | None | None
How event is generated: enter request system fips self-test at the command line for an on-demand self-test, or reboot the device to view the self-test during start-up.

Note:

If there is a self-test error, you can recover the device via USB recovery.

If USB recovery fails, contact JTAC for support (https://support.juniper.net/support/).

FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure). | None
How event is generated:

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate'

FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed through an automated process. | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (such as IP address).
How event is generated:

mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '

mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled

nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed

Note:

NTP is not claimed as part of the FPT_STM_EXT.1 SFR. However, the configuration guide activates and deactivates NTP services to validate MACsec tolerance and the MACsec key chain.

FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None
How event is generated:

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None
How event is generated:

cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

FTA_SSL.4 | The termination of an interactive session. | None
How event is generated:

mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout

FTA_TAB.1 | None | None

FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure
How event is generated:

sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt.
How event is generated:

Initiation of the trusted path:

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path:

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482

Failure of the trusted path:

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None
How event is generated:

Initiation of the trusted path:

sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2

Termination of the trusted path:

sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482

Failure of the trusted path:

sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate | Reason for failure
How event is generated:

verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProduction TestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net

FIA_X509_EXT.2 | None | None
FIA_X509_EXT.3 | None | None

FMT_MOF.1/Functions | Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full. | None
How event is generated:

mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately
init - - - network-security (PID 72907) terminated by signal number 9!
init - - - network-security (PID 72929) started

FMT_MOF.1/Services | Starting and stopping of services. | None

FMT_MTD.1/CryptoKeys | Management of cryptographic keys. | None
How event is generated:

SSH keys:

ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4
ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0

IPsec keys:

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1

pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2

FCS_IPSEC_EXT.1 | Session establishment with peer | Entire packet contents of packets transmitted/received during session establishment
How event is generated:

user@host:fips# run show log iked | no-more | grep vpn

Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)

user@host:fips# run show log iked | no-more | grep success

Jun 14 10:40:49.278061 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45109,local-ip=none,remote-ip=none

Jun 14 10:40:49.290742 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] atec-validate-migrate for ed (0x2c09028) success in remote id validation

Jun 14 10:40:49.291392 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255)

Jun 14 10:40:49.291656 [EXT] [TUNL] [20.1.1.1 <-> 20.1.1.2] ike_tunnel_anchor_node_tunnel_add: Anchor tunnel add for tunnel 500009: success total tunnel adds:9

Jun 14 10:40:49.291682 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x8a45e874)

Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)

Jun 14 10:40:49.292404 [TER] [PEER] [20.1.1.1 <-> 20.1.1.2] IKE: Gateway N:IKE_GW L:20.1.1.1:500 R:20.1.1.2:500 Successful ike-id:20.1.1.2 U:N/A IKE:IKEv2 Role:R

Jun 14 10:40:49.294256 [DET] [DIST] [20.1.1.1 <-> 20.1.1.2] ike_dist_ipsec_tunnel_info_add: IPsec distribution tunnel info add to db successful Tunnel Id:500009 Client Id:20 Instance:0

Jun 14 10:40:49.295072 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20

Jun 14 10:40:49.295292 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.21

Jun 14 10:40:49.296004 [DET] [STER] [20.1.1.1 <-> 20.1.1.2] Successfully modified st0 next hop meta data for tunnel 500009

Jun 14 10:40:49.297336 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20

Jun 14 10:42:24.328902 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45111,local-ip=none,remote-ip=none

Jun 14 10:42:24.332381 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0

Jun 14 10:42:24.333295 [DET] [PUBL] [20.1.1.1 <-> 20.1.1.2] publish-ike-sa successful for ike-sa-index 11282 ike-sa 0x21dec24

Jun 14 10:42:29.316880 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255)

Jun 14 10:42:29.316889 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSr: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(30.1.1.0-30.1.1.255) N:ipv4(30.1.1.0-30.1.1.255)

Jun 14 10:42:29.317147 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x80eeab18)

Jun 14 10:42:29.317178 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x80eeab18) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)

Jun 14 10:42:29.320369 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45113,local-ip=none,remote-ip=none

Jun 14 10:42:29.323800 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0

Jun 14 10:42:29.325513 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20

FIA_X509_EXT.1 | Session establishment with CA | Entire packet contents of packets transmitted/received during session establishment
How event is generated:

kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argument1="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static

FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | Source and destination addresses. Source and destination ports. Transport layer protocol. TOE interface.
How event is generated:

[edit]
root@host:fips# run show firewall

Filter: __default_bpdu_filter__

Filter: fw_filter1
Counters:
Name                                                Bytes              Packets
inc1                                                    0                    0
inc2                                                  840                   10

[edit]
root@host:fips#

[edit]
root@host:fips# run show firewall log
Log :
Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
11:05:31  pfe       R      st0.1               ICMP            30.1.1.1                         10.1.1.1
11:05:30  pfe       R      st0.1               ICMP            30.1.1.1                         10.1.1.1
11:05:29  pfe       R      st0.1               ICMP            30.1.1.1                         10.1.1.1
11:05:28  pfe       R      st0.1               ICMP            30.1.1.1                         10.1.1.1

root@host:fips# run show firewall log
Log :
Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
11:19:59  pfe       R      st0.1               TCP             30.1.1.1                         10.1.1.1

root@host:fips# run show firewall log
Log :
Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
13:00:18  pfe       A      ge-0/0/4.0          ICMP            30.1.1.5                         10.1.1.1
13:00:17  pfe       A      ge-0/0/4.0          ICMP            30.1.1.5                         10.1.1.1
13:00:16  pfe       A      ge-0/0/4.0          ICMP            30.1.1.5                         10.1.1.1
13:00:15  pfe       A      ge-0/0/4.0          ICMP            30.1.1.5                         10.1.1.1

root@host:fips# run show firewall log
Log :
Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
13:00:45  pfe       A      ge-0/0/4.0          TCP             30.1.1.5                         10.1.1.1

FPF_RUL_EXT.1 (continued) | Indication of packets dropped due to too much network traffic | TOE interface that is unable to process packets
How event is generated:

RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-name="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="Denied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A
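As an added example (not code from this page or from Juniper), the following Python parses the structured-syslog lines shown in Table 1 and maps each event to the requirement it evidences, which is what a collector receiving these logs from a remote syslog server would need to do. The regexes, the tag-to-SFR map and the sample lines (copied from the rows above) are assumptions of this example, not a Junos API.

```python
"""Parse Junos audit syslog lines and map each event to its NDcPP requirement.

Assumptions (not from the page): event lines carry the RFC 5424 structured-data
element `TAG [junos@2636.1.1.1.2.164 key="value" ...] text`, with backslash
escapes such as `\\]` inside values; older `TAG: text` lines are also accepted.
"""
import re

SD_RE = re.compile(r'(?P<tag>[A-Z][A-Z0-9_]+) \[junos@[\d.]+ (?P<sd>(?:[^\]\\]|\\.)*)\]')
PLAIN_RE = re.compile(r'(?P<tag>[A-Z][A-Z0-9_]{3,}): ')
PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>(?:[^"\\]|\\.)*)"')
USER_RE = re.compile(r"user '?([A-Za-z0-9_.-]+)'?")

# Fixed-tag rows of Table 1 (subset); UI_CMDLINE_READ_LINE depends on the command, see sfr_for.
TAG_TO_SFR = {
    'SSHD_LOGIN_ATTEMPTS_THRESHOLD': 'FIA_AFL.1', 'LIBJNX_LOGIN_ACCOUNT_LOCKED': 'FIA_AFL.1',
    'UI_AUTH_EVENT': 'FIA_UIA_EXT.1', 'UI_LOGIN_EVENT': 'FIA_UIA_EXT.1',
    'SSHD_LOGIN_FAILED': 'FIA_UIA_EXT.1', 'LOGIN_INFORMATION': 'FIA_UIA_EXT.1', 'LOGIN_FAILED': 'FIA_UIA_EXT.1',
    'UI_CLI_IDLE_TIMEOUT': 'FTA_SSL.3', 'UI_LOGOUT_EVENT': 'FTA_SSL.4', 'NSD_SYS_TIME_CHANGE': 'FPT_STM_EXT.1',
}

def parse_event(line):
    """Return (tag, {param: value}) with SD escapes removed, or None for non-event lines."""
    m = SD_RE.search(line)
    if m:
        params = {k: re.sub(r'\\(.)', r'\1', v) for k, v in PARAM_RE.findall(m.group('sd'))}
        return m.group('tag'), params
    m = PLAIN_RE.search(line)
    return (m.group('tag'), {}) if m else None

def sfr_for(tag, params):
    """Requirement of Table 1 the event evidences, or None if the table lists none."""
    if tag != 'UI_CMDLINE_READ_LINE':
        return TAG_TO_SFR.get(tag)
    cmd = params.get('command', '').strip()          # Junos logs the command with a trailing space
    if cmd.startswith('request') and ' software add ' in cmd:
        return 'FPT_TUD_EXT.1'                       # manual update initiated (also FMT_MOF.1/ManualUpdate)
    return 'FPT_STM_EXT.1' if cmd.startswith('set date') else None   # discontinuous time change

def audit_events(log_text):
    """[(sfr, tag, username)] for each line Table 1 covers; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_event(line)
        sfr = sfr_for(*parsed) if parsed else None
        if sfr is None:
            continue
        tag, params = parsed
        m = USER_RE.search(line)                      # fallback for `TAG: text` lines without params
        events.append((sfr, tag, params.get('username') or (m.group(1) if m else None)))
    return events

# Constructed sample: six lines copied from the rows of Table 1 on this page.
SAMPLE_LOG = """\
sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown\\]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0
Jan 10 15:03:26  host sshd[63687]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'security-administrator' has been locked out from logins
UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate "] User 'sec-officer', command 'request vmhost software add junos-vmhost-install-mx-x86-64-22.4R1.10.tgz no-validate'
mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '
cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated
"""
```

Calling audit_events(SAMPLE_LOG) yields six (SFR, tag, user) tuples, one per sample line; the escaped `\]` in the LOGIN_INFORMATION hostname is unescaped to `[unknown]` by parse_event.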

In addition, Juniper Networks recommends:

  • Capturing all changes to the configuration.

  • Storing logging information remotely.

For more information on log details, see Specifying Log File Size, Number, and Archiving Properties.