Check: JUEX-NM-000570
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000570
(in versions v2 r2 through v1 r1)
Title
The Juniper EX switch must be configured to generate audit records for privileged activities or other system-level access. (Cat II impact)
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).
Check Content
Determine if the network device generates audit records for privileged activities or other system-level access. Junos logs all completed commands via the "interactive-commands" syslog facility and all configuration changes via "change-log". Successful and unsuccessful login attempts are logged using the "authorization" facility. Verify syslog is configured to capture these facilities using the logging level "info" or above. The lowest logging level, "any", is debug and will generate significant numbers of messages. The "any" logging facility (not to be confused with the severity level "any") includes authorization, change-log, and interactive-commands. Example configuration to generate audit records for privileged activities or other system-level access. [edit system syslog] file <file name> { authorization info; change-log info; interactive-commands info; } host <syslog address> { any info; explicit-priority; } time-format year millisecond; Note: The time-format command supports including the year and/or the time in milliseconds (both shown for clarity). The default format does not include the year and time is recorded in seconds. Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host <syslog address> { authorization info; change-log info; interactive-commands info; structured-data; } file <file name> { any info; structured-data; } If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.
Fix Text
Configure the network device to generate audit records for privileged activities or other system-level access. set system syslog host <syslog address> any info set system syslog host <syslog address> explicit-priority set system syslog file <file name> any info set system syslog time-format year
Additional Identifiers
Rule ID: SV-253934r961827_rule
Vulnerability ID: V-253934
Group Title: SRG-APP-000504-NDM-000321
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |