Check: JUEX-NM-000670
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000670
(in version v2 r2)
Title
The Juniper EX switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). (Cat I impact)
Discussion
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Check Content
1. Verify that the network device is configured to send log data to a redundant central log servers. 2. Verify the external syslog server is configured. The lowest severity level, "any", is debug and will generate a significant number of messages. [edit system syslog] host <external syslog address> { any info; structured-format; << Only if structured formatting is required, otherwise events are recorded in standard format. } time-format year; If the network device is not configured to send log data to redundant log servers, this is a finding.
Fix Text
Add the following stanzas to the configuration. set system syslog host <external syslog host1 IPv4 or IPv6 address> any info set system syslog host <external syslog host2 IPv4 or IPv6 address> any info Note: The time-format command supports including the year and/or the time in milliseconds. The default format does not include the year and time is recorded in seconds.
Additional Identifiers
Rule ID: SV-253944r1028872_rule
Vulnerability ID: V-253944
Group Title: SRG-APP-000516-NDM-000350
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
| CCI-002605 |
Install security-relevant software updates within an organization-defined time period of the release of the updates. |