Check: JUEX-NM-000600
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000600
(in versions v2 r2 through v1 r5)
Title
The Juniper EX switch must be configured to offload audit records onto a different system or media than the system being audited. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Archiving is not required unless space is limited in the audit server.
Check Content
Mark as not a finding if the site has a solution in place to prevent the device from running out of audit storage. Verify the device is configured to send system events to external syslog. If the organization has a centralized repository (or repositories) for secure transfer of audit log files, verify each log file is configured to transfer files to the appropriate repository. Each log file must be configured separately. [edit system syslog] file <file name> { any info; archive size <65536..1073741824 bytes> files <1..1000> transfer-interval <5..2880 minutes> start-time "<yyyy-mm-dd.hh:mm>" archive-sites { "URL" password "hashed PSK" } ## SECRET-DATA } Note: The URL format is: <scp|sftp>://<username>@<address>/<path>. The trailing slash is omitted because Junos automatically adds that when it appends the filename. host <external syslog address> { any info; } Note: If using secure file transfer to offload log files, the Juniper device will immediately attempt to connect with the configured protocol, address, and credentials. If successful, Junos will prompt to accept an untrusted public key. If the administrator accepts that key, Junos adds it to [edit security ssh-known-hosts]. Alternately, configure the trusted public key at [edit security ssh-known-hosts] before configuring automatic file offload. If the device does not offload audit records onto a different system or media, this is a finding.
Fix Text
Archiving is not required unless space is limited in the audit server. Configure the network device to offload audit records onto a different system or media than the system being audited. set file <file name> any info set system syslog file <file name> any info set system syslog file <file name> archive size <65536..1073741824 bytes> set system syslog file <file name> archive files <1..1000> set system syslog file <file name> archive transfer-interval <5..2880 minutes> set system syslog file <file name> archive start-time "<yyyy-mm-dd.hh:mm>" set system syslog file <file name> archive archive-sites "<scp|sftp>://<username>@<repository address>/<path without trailing slash (/)>" password "<PSK>" set system syslog host <external syslog address> any info
Additional Identifiers
Rule ID: SV-253937r961860_rule
Vulnerability ID: V-253937
Group Title: SRG-APP-000515-NDM-000325
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) |
Transfer to Alternate Storage |