Review the network device configuration and verify the device limits the number of concurrent management sessions to an organization-defined number for all authorized access methods.

SSH example:

[edit system services ssh]
connection-limit <1..10>;
rate-limit <1..4>;

Note: The SSH connection-limit and rate-limit directives also affect secure file transfer protocols like SCP and SFTP.

NETCONF over SSH example:

[edit system services netconf]
ssh {
    connection-limit <1..10>;
    rate-limit <1..4>;
}

Note: Rate limiting is the permissible number of connections per one-minute interval.

If the network device does not limit the number of concurrent management sessions to an organization-defined number, this is a finding.
Limit the number of concurrent management sessions to 10.

SSH example:

set system services ssh connection-limit 10
set system services ssh rate-limit <1..4>

NETCONF over SSH example:

set system services netconf ssh connection-limit <1..10>
set system services netconf ssh rate-limit <1..4>
Review the network device configuration to determine if it automatically audits account creation or is configured to use an authentication server that would perform this function.

Verify the system logs the facility "any", or minimally "change-log" and "interactive-commands", and the logging level is appropriate. Generally, the "all" (debug) logging level should be avoided because the number of logged messages is significant.

[edit system syslog]
host <IPv4 or IPv6 syslog address> {
    any info;
}
file <file name> {
    change-log info;
    interactive-commands info;
}

Note: If minimally logging only configuration changes, there will be other files receiving the events from the other logging facilities (e.g., "authorizations" or "firewall").

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host <IPv4 or IPv6 syslog address> {
    change-log info;
    interactive-commands info;
    structured-data;
}
file <file name> {
    any info;
    structured-data;
}

If account creation is not automatically audited, this is a finding.
Configure the network device or its associated authentication server to automatically audit the creation of accounts.

set system syslog host <IPv4 or IPv6 syslog address> change-log info
set system syslog host <IPv4 or IPv6 syslog address> interactive-commands info

-or-

set system syslog host <IPv4 or IPv6 syslog address> any info

Also set the syslog file configuration as follows:

set system syslog file <file name> change-log info
set system syslog file <file name> interactive-commands info

-or-

set system syslog file <file name> any info
If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this objective. Because the responsibility for meeting this objective is transferred to the AAA broker, this requirement is not applicable for the local network device.

This requirement may be verified by demonstration or configuration review.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support external or local authentication, depending upon the authentication order. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives, or no directives at all.
[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

Verify the network device is configured to assign appropriate user roles or access levels to authenticated users.
This requirement may be verified by demonstration or configuration review. If the network device does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.
Configure the network device to assign appropriate user roles or access levels to authenticated users, or configure the network device to leverage an AAA solution that will satisfy this objective.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Review the network device configuration to determine if it enforces approved authorizations for controlling the flow of management information within the network device based on information flow control policies.

Verify the switch permits administrative access only from the authorized management network(s). Verify filters and terms account for all authorized management traffic.

Example prefix-list defining the management networks. Prefix lists are not required because IP addresses can be directly embedded into terms, but they define a set of IP addresses once that permits use across multiple terms.

[edit policy-options]
prefix-list ipv4-management {
    <IPv4 MGT subnet/mask>;
}
prefix-list ipv6-management {
    <IPv6 MGT subnet/prefix>;
}

Example firewall filter for SSH traffic:

[edit firewall]
family inet {
    filter permit-management-ipv4 {
        term 1 {
            from {
                destination-address {
                    <OOBM IPv4 address>;
                }
                source-address {            << Example embedded addresses using the 'source-address' match criterion
                    <IPv4 MGT subnet/mask>;
                }
                --or--
                source-prefix-list {        << Example inherited addresses using the 'source-prefix-list' match criterion
                    ipv4-management;
                }
                protocol tcp;
                destination-port 22;
            }
            then {
                syslog;
                accept;
            }
        }
        term 2 {
            then {
                syslog;
                discard;
            }
        }
    }
}
family inet6 {
    filter permit-management-ipv6 {
        term 1 {
            from {
                destination-address {
                    <OOBM IPv6 address>;
                }
                source-address {            << Example embedded addresses using the 'source-address' match criterion
                    <IPv6 MGT subnet/prefix>;
                }
                --or--
                source-prefix-list {        << Example inherited addresses using the 'source-prefix-list' match criterion
                    ipv6-management;
                }
                next-header tcp;
                destination-port 22;
            }
            then {
                syslog;
                accept;
            }
        }
        term 2 {
            then {
                syslog;
                discard;
            }
        }
    }
}

Note: Additional terms will be required for other services like SNMP, RADIUS, or syslog.

Example firewall filter applied to the OOBM interface.
Juniper devices use different OOBM interface names depending upon platform (fxp0 is used in the example):

[edit interfaces]
fxp0 {
    unit 0 {
        family inet {
            filter {
                input permit-management-ipv4;
            }
            address <OOBM IPv4 address>/<mask>;
        }
        family inet6 {
            filter {
                input permit-management-ipv6;
            }
            address <OOBM IPv6 address>/<prefix>;
        }
    }
}

Note: Although the example filter is shown applied to the management interface, the filter can also be applied to the loopback interface (lo0). If applying to loopback, ensure the filter terms account for all traffic, services, and protocols that must reach the routing engine (e.g., OSPF, BGP, SNMP, etc.).

If the switch does not enforce approved authorizations for controlling the flow of management information within the device based on information flow control policies, this is a finding.
Configure the network device to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.

Example MGT networks:

set policy-options prefix-list ipv4-management <IPv4 MGT subnet/mask>
set policy-options prefix-list ipv6-management <IPv6 MGT subnet/prefix>

Example firewall filters:

set firewall family inet filter permit-management-ipv4 term 1 from destination-address <OOBM IPv4 address>
set firewall family inet filter permit-management-ipv4 term 1 from source-prefix-list ipv4-management
set firewall family inet filter permit-management-ipv4 term 1 from protocol tcp
set firewall family inet filter permit-management-ipv4 term 1 from destination-port 22
set firewall family inet filter permit-management-ipv4 term 1 then syslog
set firewall family inet filter permit-management-ipv4 term 1 then accept
set firewall family inet filter permit-management-ipv4 term 2 then syslog
set firewall family inet filter permit-management-ipv4 term 2 then discard
set firewall family inet6 filter permit-management-ipv6 term 1 from destination-address <OOBM IPv6 address>
set firewall family inet6 filter permit-management-ipv6 term 1 from source-prefix-list ipv6-management
set firewall family inet6 filter permit-management-ipv6 term 1 from next-header tcp
set firewall family inet6 filter permit-management-ipv6 term 1 from destination-port 22
set firewall family inet6 filter permit-management-ipv6 term 1 then syslog
set firewall family inet6 filter permit-management-ipv6 term 1 then accept
set firewall family inet6 filter permit-management-ipv6 term 2 then syslog
set firewall family inet6 filter permit-management-ipv6 term 2 then discard

Example interface configuration:

set interfaces fxp0 unit 0 family inet filter input permit-management-ipv4
set interfaces fxp0 unit 0 family inet address <OOBM IPv4 address>/<mask>
set interfaces fxp0 unit 0 family inet6 filter input permit-management-ipv6
set interfaces fxp0 unit 0 family inet6 address <OOBM IPv6 address>/<prefix>
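To make the term-by-term behaviour of the permit-management-ipv4 filter above concrete, the following added example (written for this page, not Junos code or part of the STIG) models the filter's two terms and evaluates sample packets against them the way Junos does: terms are tried in order, the first match decides, and a packet matching no term is discarded. The management prefixes, the OOBM address and the packets are constructed stand-ins for the STIG's placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the STIG's <IPv4 MGT subnet/mask> and
# <OOBM IPv4 address> placeholders (documentation ranges, not real hosts).
PREFIX_LISTS = {"ipv4-management": ["192.0.2.0/24", "198.51.100.0/24"]}
OOBM_IPV4_ADDRESS = "203.0.113.5"


@dataclass
class Term:
    """One 'term' of a Junos family inet filter: match criteria plus action."""
    name: str
    source_prefix_list: Optional[str] = None   # from source-prefix-list { ... }
    destination_address: Optional[str] = None  # from destination-address { ... }
    protocol: Optional[str] = None             # from protocol tcp
    destination_port: Optional[int] = None     # from destination-port 22
    action: str = "discard"                    # then accept | discard


# Mirrors the STIG's permit-management-ipv4 filter: term 1 accepts SSH from the
# management prefix-list to the OOBM address, term 2 discards everything else.
PERMIT_MANAGEMENT_IPV4 = [
    Term("1", source_prefix_list="ipv4-management",
         destination_address=OOBM_IPV4_ADDRESS, protocol="tcp",
         destination_port=22, action="accept"),
    Term("2", action="discard"),
]


def term_matches(term: Term, pkt: dict) -> bool:
    """Every configured 'from' criterion must match; a term with no 'from' matches all."""
    if term.source_prefix_list is not None:
        src = ipaddress.ip_address(pkt["src"])
        nets = (ipaddress.ip_network(n) for n in PREFIX_LISTS[term.source_prefix_list])
        if not any(src in net for net in nets):
            return False
    if term.destination_address is not None:
        dst_net = ipaddress.ip_network(term.destination_address, strict=False)
        if ipaddress.ip_address(pkt["dst"]) not in dst_net:
            return False
    if term.protocol is not None and pkt.get("proto") != term.protocol:
        return False
    if term.destination_port is not None and pkt.get("dport") != term.destination_port:
        return False
    return True


def evaluate(terms, pkt: dict):
    """Return (term name, action) of the first matching term.

    Junos evaluates terms in order and discards a packet that matches none,
    so the explicit 'term 2 ... discard' mainly exists to syslog the rejection.
    """
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return None, "discard"


# Constructed sample packets arriving on the OOBM interface.
SAMPLE_PACKETS = {
    "ssh_from_mgmt": {"src": "192.0.2.77", "dst": "203.0.113.5", "proto": "tcp", "dport": 22},
    "ssh_from_elsewhere": {"src": "10.9.9.9", "dst": "203.0.113.5", "proto": "tcp", "dport": 22},
    "telnet_from_mgmt": {"src": "192.0.2.77", "dst": "203.0.113.5", "proto": "tcp", "dport": 23},
    "snmp_from_mgmt": {"src": "198.51.100.4", "dst": "203.0.113.5", "proto": "udp", "dport": 161},
}
```

The snmp_from_mgmt case lands on term 2 and is discarded, which is exactly why the STIG notes that additional terms are required for SNMP, RADIUS and syslog.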
Juniper switches maintain the number of failed login attempts per user until the session is restarted or, if lockout-period is configured, until the next successful login. If the permissible number of failed login attempts is reached, the switch prevents logging in for the duration of the lockout-period (1..43200 minutes), regardless of whether the account is locally or externally authenticated and across all management access methods (e.g., local console and SSH).

Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts before introducing a 15-minute lockout period.

[edit system login]
retry-options {
    tries-before-disconnect 3;
    lockout-period 15;
}

If the device is not configured to enforce the limit of three consecutive invalid logon attempts before introducing a 15-minute block on subsequent login attempts, this is a finding.
Configure the network device to enforce the limit of three consecutive invalid logon attempts and to block subsequent login attempts for 15 minutes.

set system login retry-options tries-before-disconnect 3
set system login retry-options lockout-period 15
Determine if the network device is configured to present a DOD-approved banner that is formatted in accordance with DTM-08-060.

Use the following verbiage for applications that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I've read & consent to terms in IS user agreem't."

Verify the appropriate banner is configured.

[edit system login]
message "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.-This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n";

If such a banner is not presented, this is a finding.
Configure the network device to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the device.

set system login message "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.-This IS includes security measures (e.g., authentication and access controls) to protect USG interests-not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n"
Determine if the network device produces audit log records containing sufficient information to establish what type of event occurred.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not produce audit log records containing sufficient information to establish what type of event occurred, this is a finding.
Configure the network device to produce audit log records containing sufficient information to establish what type of event occurred.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
Determine if the network device is configured to produce audit records containing information to establish when (date and time) the events occurred.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not produce audit records containing information to establish when the events occurred, this is a finding.
Configure the network device to produce audit records containing information to establish when (date and time) the events occurred.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
Determine if the network device is configured to produce audit records containing information to establish where the events occurred.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not produce audit records containing information to establish where the events occurred, this is a finding.
Configure the network device to produce audit records containing information to establish where the events occurred.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
Determine if the network device is configured to produce audit records containing information to establish the source (apparent cause) of the event.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not produce audit records containing information to establish the source of the event, this is a finding.
Configure the network device to produce audit records containing information to establish the source of the event.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
Determine if the network device is configured to produce audit records that contain information to establish the outcome of the event.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not produce audit records that contain information to establish the outcome of the event, this is a finding.
Configure the network device to produce audit records that contain information to establish the outcome of the event.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
Determine if the network device generates audit records containing information that establishes the identity of any individual or process associated with the event.

This requirement may be verified by demonstration or validated test results.

Junos standard event log messages are configurable for time format, inclusion of logging facility and severity levels, and format. Setting "structured-data" automatically includes "explicit-priority" and "time-format year millisecond".

Verify logging is enabled.

[edit system]
syslog {
    host <syslog IPv4 or IPv6 address> {
        any info;
        structured-data;     <<< Includes 'explicit-priority' and 'time-format'
    }
    host <syslog IPv4 or IPv6 address> {
        any info;
        explicit-priority;   <<< Includes logging facility and severity in standard format
    }
    file <file name> {
        any info;            <<< Uses only standard format
    }
    time-format year;        <<< Applied only to standard format
}

Note: In the example, events sent to the first external syslog server include the year and time is expressed in milliseconds. The second syslog server and the file both include the year, but time is expressed in seconds.

If the network device does not generate audit records containing information that establishes the identity of any individual or process associated with the event, this is a finding.
Configure the network device to generate audit records containing information that establishes the identity of any individual or process associated with the event.

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives
set system syslog file <file name> any info
set system syslog file <file name> structured-data   <<< Includes the 'explicit-priority' and 'time-format year millisecond' directives

-or-

set system syslog host <syslog IPv4 or IPv6 address> any info
set system syslog host <syslog IPv4 or IPv6 address> explicit-priority   <<< Only if log level and severity are required
set system syslog file <file name> any info
set system syslog file <file name> explicit-priority   <<< Only if log level and severity are required
set system syslog time-format year
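Several of the checks above (SSH connection and rate limits, the three-attempt/15-minute lockout, login class assignment for every account, and the syslog facility, level and timestamp requirements) can be read straight out of a 'show configuration | display set' dump. The following added example (written for this page, not Juniper's or DISA's code) parses such a dump and reports each deviation as a finding; the sample configuration, its addresses, user names and file names are constructed, and the rule thresholds are the ones stated on this page.

```python
# Spot-check a Junos 'display set' dump against requirements from this page.
import re
from collections import defaultdict

# Constructed sample of 'show configuration | display set' from a hypothetical
# switch; the address, user names and file name are made up.
COMPLIANT_CONFIG = """\
set system services ssh connection-limit 10
set system services ssh rate-limit 4
set system login retry-options tries-before-disconnect 3
set system login retry-options lockout-period 15
set system login user admin-lr uid 2000
set system login user admin-lr class super-user
set system login user netops uid 2015
set system login user netops class audit-admin
set system syslog host 192.0.2.10 any info
set system syslog host 192.0.2.10 structured-data
set system syslog file messages change-log info
set system syslog file messages interactive-commands info
set system syslog time-format year
"""

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Severities more restrictive than 'info' would drop configuration-change events.
_TOO_QUIET = {"notice", "warning", "error", "critical", "alert", "emergency"}


def parse_set_lines(text):
    """Turn each 'set ...' line into a token list, keeping quoted strings whole."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append([t.strip('"') for t in _TOKEN_RE.findall(line)][1:])
    return stmts


def _value(stmts, *path):
    """Return the token that follows 'path' in the config, or None if absent."""
    n = len(path)
    for s in stmts:
        if s[:n] == list(path) and len(s) > n:
            return s[n]
    return None


def check_sessions(stmts):
    """SSH connection-limit (10 per this page's fix text) and rate-limit must be set."""
    findings = []
    limit = _value(stmts, "system", "services", "ssh", "connection-limit")
    if limit is None or int(limit) > 10:
        findings.append("ssh connection-limit missing or greater than 10")
    if _value(stmts, "system", "services", "ssh", "rate-limit") is None:
        findings.append("ssh rate-limit not configured")
    return findings


def check_lockout(stmts):
    """Three failed attempts, then a 15-minute lockout."""
    findings = []
    if _value(stmts, "system", "login", "retry-options", "tries-before-disconnect") != "3":
        findings.append("tries-before-disconnect is not 3")
    if _value(stmts, "system", "login", "retry-options", "lockout-period") != "15":
        findings.append("lockout-period is not 15 minutes")
    return findings


def check_login_classes(stmts):
    """Every local or template account must be assigned a login class."""
    users = {s[3] for s in stmts if len(s) > 3 and s[:3] == ["system", "login", "user"]}
    classed = {s[3] for s in stmts
               if len(s) > 5 and s[:3] == ["system", "login", "user"] and s[4] == "class"}
    return [f"user {u} has no login class" for u in sorted(users - classed)]


def check_syslog(stmts):
    """Each host/file logs 'any' or change-log+interactive-commands at info with a year."""
    findings = []
    dests = defaultdict(set)   # (host|file, name) -> directives configured under it
    for s in stmts:
        if s[:2] == ["system", "syslog"] and len(s) > 4 and s[2] in ("host", "file"):
            dests[(s[2], s[3])].add(" ".join(s[4:]))
    year_globally = ["system", "syslog", "time-format", "year"] in stmts
    if not dests:
        findings.append("no syslog host or file configured")
    for (kind, name), directives in sorted(dests.items()):
        levels = {d.split()[0]: d.split()[1] for d in directives if len(d.split()) == 2}
        if "any" not in levels and not {"change-log", "interactive-commands"} <= set(levels):
            findings.append(f"{kind} {name}: account changes are not audited")
        quiet = sorted(f for f, lvl in levels.items() if lvl in _TOO_QUIET)
        if quiet:
            findings.append(f"{kind} {name}: facilities {quiet} logged above info")
        # structured-data implies 'time-format year millisecond'; otherwise the
        # global 'time-format year' is needed for the standard format.
        if "structured-data" not in directives and not year_globally:
            findings.append(f"{kind} {name}: timestamps lack the year")
    return findings


def audit(text):
    """Run every check and return the list of findings (empty means compliant)."""
    stmts = parse_set_lines(text)
    findings = []
    for check in (check_sessions, check_lockout, check_login_classes, check_syslog):
        findings.extend(check(stmts))
    return findings
```

Running audit() over a live dump is a quick pre-check only; the STIG's own check text still governs, and the AAA and loopback-filter cases it describes are outside what this script examines.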
Determine if the network device protects audit information from any type of unauthorized modification with such methods as ensuring log files receive the proper file system permissions, limiting log data locations, and leveraging user permissions and roles to identify the user accessing the data and the corresponding rights that the user enjoys. This requirement may be verified by demonstration, configuration, or validated test results. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Audit logs are configured in the [edit system] hierarchy and require the "system" permission to view and the "system-control" permission to configure (or permissions set "all"). However, using the allow or deny statements permits adding, or removing, specific commands or configuration hierarchy levels. Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. 
[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If the network device does not protect audit information from unauthorized modification, this is a finding.
Configure the network device to protect audit information from unauthorized modification.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Determine if the network device protects audit information from any type of unauthorized deletion with such methods as ensuring log files receive the proper file system permissions utilizing file system protections, restricting access to log data and backing up log data to ensure log data is retained, and leveraging user permissions and roles to identify the user accessing the data and the corresponding rights the user enjoys. This requirement may be verified by demonstration, configuration, or validated test results.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", distinguished by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Audit logs are configured in the [edit system] hierarchy and require the "system" permission to view and the "system-control" permission to configure (or permissions set "all"). However, the allow and deny statements permit adding, or removing, specific commands or configuration hierarchy levels.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If the network device does not protect audit information from unauthorized deletion, this is a finding.
Configure the network device to protect audit information from unauthorized deletion.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Junos provides the operational mode commands "show" (to display the contents of a log file) and "clear" (to delete all of the contents of a log file); there is no text editor or other "audit tool" provided in the CLI. Operational and configuration mode commands require assignment of the required permission bit to execute. For example, audit logs are configured in the [edit system] hierarchy and require the "system" permission to view and the "system-control" permission to configure (or permissions set "all"). However, the allow and deny statements permit adding, or removing, specific commands or configuration hierarchy levels. Adding the directive deny-commands "^clear log" to a login class prevents any user assigned to that class from clearing any log file.

Verify the permissions assigned to each login class are appropriate. In addition to limiting permissions, Junos supports limiting commands and hierarchy levels that would otherwise be permitted. For example, to remove the ability to modify auditing from a login class with the "system-control" or "all" permissions assigned, use the directive deny-configuration-regexps [ "system syslog" ]. To prevent administrative users assigned to that same login class from viewing and/or deleting the audit file contents, add the directive deny-commands "^(show|clear) log".

Example login-class definitions:

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If the network device does not protect its audit tools from unauthorized access, this is a finding.
Configure the network device to protect audit tools from unauthorized access.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
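The interplay of permission bits, allow-commands and deny-commands in the login classes above is easy to misread during a review. The following Python model is an added example, not part of the STIG and not Juniper code: it loads the two classes from the listing (regexes copied verbatim) and decides whether a given operational command is authorized. Two things are assumptions of the model rather than facts from the page: the small COMMAND_PERMISSIONS map (a constructed stand-in for Junos' much larger command-to-permission table) and the precedence rule that an allow-commands match wins over a deny-commands match, which is how Junos documents the two directives.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified map from operational command prefix to the Junos
# permission bit it needs. Junos' real table is far larger; this is only
# enough to exercise the two classes quoted in the STIG listing.
COMMAND_PERMISSIONS = {
    "show log": "trace",
    "clear log": "trace",
    "show configuration": "view-configuration",
    "show cli authorization": "view",
    "request system software": "maintenance",
    "request system reboot": "maintenance",
    "file show": "maintenance",
    "start shell": "shell",
}


@dataclass
class LoginClass:
    """One [edit system login class] stanza reduced to the fields this check uses."""
    name: str
    permissions: set
    allow_commands: Optional[str] = None  # regex, exactly as written in the directive
    deny_commands: Optional[str] = None   # regex, exactly as written in the directive

    def permitted_by_bits(self, command: str) -> bool:
        if "all" in self.permissions:
            return True
        for prefix, bit in COMMAND_PERMISSIONS.items():
            if command == prefix or command.startswith(prefix + " "):
                return bit in self.permissions
        return False  # command not in the constructed map: treat as denied

    def authorizes(self, command: str) -> bool:
        """Assumption: allow-commands wins when both regexes match (Junos' documented
        precedence); otherwise a deny-commands match blocks the command even when
        the permission bits alone would permit it."""
        if self.allow_commands and re.search(self.allow_commands, command):
            return True
        if self.deny_commands and re.search(self.deny_commands, command):
            return False
        return self.permitted_by_bits(command)


# The two classes from the STIG listing, regexes copied verbatim.
SUPERUSER = LoginClass(
    name="<name>",
    permissions={"all"},
    deny_commands=r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
                  r"|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback",
)
AUDIT_ADMIN = LoginClass(
    name="<name-1>",
    permissions={"configure", "maintenance", "security", "system-control", "trace", "view-configuration"},
    allow_commands=r"^clear (log|security log)|^show cli authorization",
    deny_commands=r"^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)"
                  r"|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date"
                  r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
                  r"|^request system (decrypt|halt|reboot|software|zeroize)",
)


def authorization_matrix(classes, commands):
    """Map each class name to {command: authorized?} for a side-by-side review."""
    return {cls.name: {cmd: cls.authorizes(cmd) for cmd in commands} for cls in classes}


if __name__ == "__main__":
    probe = ["show log messages", "clear log messages", "request system software add /var/tmp/junos.tgz",
             "show cli authorization", "file show /var/log/messages", "start shell"]
    for name, results in authorization_matrix([SUPERUSER, AUDIT_ADMIN], probe).items():
        print(name, results)
```

Running the probe shows the split the listing intends: the "all" class can install software but cannot clear logs, while the audit-administrator class can clear logs (explicitly allowed) but cannot install software, read files with "file show", or start a shell. Adding the deny-commands "^(show|clear) log" directive from the check text to a class makes both "show log" and "clear log" return False for it.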
Determine if the network device limits privileges to change the software resident within software libraries.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", distinguished by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Installation of firmware requires the maintenance permission bit. However, even with that bit set, software installation can be limited by the "deny-commands" statement (e.g., deny-commands "^request system software"). The command takes a regular expression (REGEX) enclosed in double quotes (").

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If it does not limit privileges to change the software resident within software libraries, this is a finding.
Configure the network device to limit privileges to change the software resident within software libraries.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Determine if the network device prohibits the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. Verify unnecessary or nonsecure functions are not configured or are explicitly disabled. For example, FTP and Telnet are nonsecure. Verify these services are not enabled as in the example below:

[edit system services]
ftp;
telnet;

If any unnecessary or nonsecure functions are permitted, this is a finding.
Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

delete system services ftp
delete system services telnet
delete system services web-management

Note: Delete other configured but unnecessary system services.
Review the network device configuration to determine if an account of last resort is configured. Verify default admin and other vendor-provided accounts are disabled, removed, or renamed where possible. Verify the username and password for the account of last resort are contained within a sealed envelope and kept in a safe.

There are no default passwords in Junos, and the root account cannot be renamed or disabled. The root account password should be saved in the same manner as the account of last resort. Verify direct root login is disabled.

[edit system services ssh]
root-login deny;

[edit system ports]
console {
    log-out-on-disconnect;
    insecure;
}

Note: Setting the console port "insecure" prevents direct root login but also prevents password recovery without knowledge of the root password.

Verify only a single local account has an authentication stanza. Local accounts without an authentication stanza are "template accounts" and must be externally authenticated. Template accounts must match the logging-in username or a returned Vendor Specific Attribute (VSA) and are used to map permissions (assigned in the login class) to the user. This example assumes a working external authentication server and appropriate authentication order.

[edit system login]
:
:
user <account of last resort name> {
    uid 2004;
    class <class name>;
    authentication {
        encrypted-password "$6$0/BgZc6n$BIY..<snip>..vLzjWpYq2D/"; ## SECRET-DATA
    }
}
user auditor {
    uid 2010;
    class <class name>;
}

If one local account does not exist for use as the account of last resort, this is a finding.
Configure the device to only allow one local account for use as the account of last resort.

Disable direct root login:

set system services ssh root-login deny
set system ports console insecure

Configure the account of last resort:

set system login user <account of last resort name> class <class name>
set system login user <account of last resort name> authentication plain-text-password
New password: <password - not echoed to the screen>
Retype new password: <password verification - not echoed to the screen>

Set all other template accounts:

set system login user <template account 1> class <class 1>
set system login user <template account 2> class <class 2>
Determine if the network device implements replay-resistant authentication mechanisms for network access to privileged accounts. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server.

Verify SSH version 2 is configured for network (remote) access to privileged accounts.

[edit system services ssh]
protocol-version v2;

If the network device does not implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Configure the network device to implement replay-resistant authentication mechanisms for network access to privileged accounts.

set system services ssh protocol-version v2
Determine if the network device or its associated authentication server enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review.

[edit system login password]
:
minimum-length 15;
:

If the network device or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.
Configure the network device or its associated authentication server to enforce a minimum 15-character password length.

set system login password minimum-length 15
Where passwords are used, confirm that the network device and associated authentication server enforce password complexity by requiring that at least one uppercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results.

[edit system login password]
:
minimum-uppercases 1;
:

If the network device and associated authentication server do not require that at least one uppercase character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used.

set system login password minimum-uppercases 1
Where passwords are used, confirm that the network device and associated authentication server enforce password complexity by requiring that at least one lowercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results.

[edit system login password]
:
minimum-lowercases 1;
:

If the network device and associated authentication server do not require that at least one lowercase character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used.

set system login password minimum-lowercases 1
Where passwords are used, confirm that the network device and associated authentication server enforce password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results.

[edit system login password]
:
minimum-numerics 1;
:

If the network device and associated authentication server do not require that at least one numeric character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one numeric character be used.

set system login password minimum-numerics 1
Where passwords are used, confirm that the network device and associated authentication server enforce password complexity by requiring that at least one punctuation (special) character be used. This requirement may be verified by demonstration, configuration review, or validated test results.

[edit system login password]
:
minimum-punctuations 1;
:

If the network device and associated authentication server do not require that at least one special character be used in each password, this is a finding.
Configure the network device and associated authentication server to enforce password complexity by requiring that at least one punctuation (special) character be used.

set system login password minimum-punctuations 1
For older Juniper EX versions, only four characters may be changed instead of the DOD-required eight characters. If so, four characters should be selected. This remains a finding when set to four characters, but is mitigated to a CAT 3.

Where passwords are used, confirm the characters are changed in at least eight of the positions within the password. This requirement may be verified by demonstration, configuration review, or validated test results.

[edit system login password]
:
minimum-changes 8;
:

If the network device and associated authentication server do not require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.
Configure the network device and associated authentication server to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

set system login password minimum-changes 8

Note: For older Juniper EX versions, only four characters may be changed instead of the DOD-required eight characters. If so, four characters should be selected. This remains a finding when set to four characters, but is mitigated to a CAT 3.
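To show what the [edit system login password] settings from the preceding rows actually demand of a password, here is an added Python checker. It is not part of the STIG and not Junos code: it applies the same thresholds (minimum-length 15, one uppercase, lowercase, numeric and punctuation character each, minimum-changes 8) to a candidate password, with minimum-changes modelled the way the row describes it, as the number of character positions that differ from the previous password. The PasswordPolicy class, the LEGACY_EX_POLICY variant for the four-character older-EX case, and the helper names are constructed for this example.

```python
import string
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordPolicy:
    """The [edit system login password] values required by the rows above."""
    minimum_length: int = 15
    minimum_uppercases: int = 1
    minimum_lowercases: int = 1
    minimum_numerics: int = 1
    minimum_punctuations: int = 1
    minimum_changes: int = 8


DEFAULT_POLICY = PasswordPolicy()
# Older EX releases only accept minimum-changes 4 (still a finding, mitigated to CAT 3).
LEGACY_EX_POLICY = replace(DEFAULT_POLICY, minimum_changes=4)


def changed_positions(old, new):
    """Positions where new differs from old; any length difference also counts as changed positions."""
    common = min(len(old), len(new))
    return sum(1 for i in range(common) if old[i] != new[i]) + abs(len(old) - len(new))


def evaluate_password(candidate, policy=DEFAULT_POLICY, previous=None):
    """Return the list of violated knobs (an empty list means the candidate satisfies the policy)."""
    observed = {
        "minimum-length": len(candidate),
        "minimum-uppercases": sum(c.isupper() for c in candidate),
        "minimum-lowercases": sum(c.islower() for c in candidate),
        "minimum-numerics": sum(c.isdigit() for c in candidate),
        "minimum-punctuations": sum(c in string.punctuation for c in candidate),
    }
    if previous is not None:  # minimum-changes as the STIG row words it: changed character positions
        observed["minimum-changes"] = changed_positions(previous, candidate)
    violations = []
    for knob, count in observed.items():
        required = getattr(policy, knob.replace("-", "_"))  # knob name maps onto the dataclass field
        if count < required:
            violations.append(f"{knob} {required} not met (found {count})")
    return violations


if __name__ == "__main__":
    print(evaluate_password("Correct-Horse-Battery9"))
    print(evaluate_password("Correct-Horse-Batt3ry!", previous="Correct-Horse-Battery9"))
```

A password that passes every complexity knob can still fail the change rule: "Correct-Horse-Batt3ry!" differs from "Correct-Horse-Battery9" in only two positions, so it is rejected under both the default policy and the four-character legacy policy.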
Review the network device's files using a text editor or a database tool that allows viewing data stored in database tables. Determine if password strings are readable/discernable.

Determine if the network device, and any associated authentication servers, enforce only storing cryptographic representations of passwords. Verify that databases, configuration files, and log files have encrypted representations of all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device related database table. Also identify if the network device uses the MD5 hashing algorithm to create password hashes.

By default, Junos uses SHA-512 as the password hashing algorithm to save only hashed representations of passwords. Verify the hashing algorithm at [edit system login password] format.

[edit system login password]
:
format sha512;

If the network device, or any associated authentication servers, stores unencrypted (clear text) representations of passwords, this is a finding.

If the network device uses the MD5 hashing algorithm to create password hashes, this is a finding.
Configure the network device, and any associated authentication servers, to store all passwords using cryptographic representations.

set system login password format <sha-256|sha-512>

Note: Although Junos supports the SHA-1 hashing algorithm, it is included only for backwards compatibility when restoring a previous configuration from an older version.

Configure all associated databases, configuration files, and log files to use only encrypted representations of passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device-related database table.
Determine if the network device uses FIPS 140-2 approved algorithms for authentication to a cryptographic module. Verify the password format and SSH use approved algorithms. Verify the random number generator (RNG) is hmac-drbg, a FIPS approved RNG.

[edit system]
login {
    password {
        :
        format <sha-256|sha-512>;
    }
}
services {
    ssh {
        :
        ciphers [ aes256-ctr aes192-ctr aes128-ctr ];
        macs [ hmac-sha2-512 hmac-sha2-256 ];
        key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 dh-group14-sha1 ];
        :
    }
}
rng {
    hmac-drbg;
}

If the network device is not configured to use a FIPS-approved authentication algorithm to a cryptographic module, this is a finding.
Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module.

set system login password format <sha-256|sha-512>
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes128-ctr
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange dh-group14-sha1
set system rng hmac-drbg
Determine if the network device terminates the connection associated with a device management session at the end of the session or after 10 minutes of inactivity. This requirement may be verified by demonstration or configuration review.

Junos permits the administrator to log out at the end of the session, which terminates the session and the network connection. Junos forcibly terminates the session and network connection upon exceeding the inactivity timeout threshold.

Verify the global idle-timeout is 10 minutes. Alternately, verify that each login class is configured for an idle-timeout of 10.

[edit system login]
idle-timeout 10;
class <name> {
    idle-timeout 10;    <<< Optional. If not configured, each login class inherits the global setting.
}

If the network device does not terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity, this is a finding.
Configure the network device to terminate the connection associated with a device management session at the end of the session or after 10 minutes of inactivity.

set system login idle-timeout 10
The Junos operating system maintains file permissions for all files on the device and cannot be configured otherwise. Because Juniper digitally signs system files and uses cryptographic hashes, modified system files (specifically binary files) will invalidate the signature/hash and will not be executed.

The Junos OS enforces the permissions assigned to each user to restrict access to system, configuration, and audit files via login classes. Every account must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based on organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Verify "no-world-readable" for archived log files.

[edit system syslog]
archive size <file size> files <number of files> no-world-readable;

If any files allow read or write access by accounts not specifically authorized access or by nonprivileged accounts, this is a finding.
Configure the device to enforce RBAC permissions so only authorized administrators can read or change file contents.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system syslog archive size <file size> files <number of files> no-world-readable
Determine if the network device enforces role-based access control policy over defined subjects and objects. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", distinguished by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [
        "security alarms potential-violation idp"
        "security (ike|ipsec) (policy|proposal)"
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)"
        "security log"
        "system fips self-test after-key-generation"
        "system (archival|syslog|root-authentication|authentication-order|master-password)"
        "system services ssh (protocol-version|root-login)"
        "system login password"
        "system login user [a-zA-Z0-9_-]+ (authentication|class)"
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)"
    ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)"
        "security services event-options"
    ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If role-based access control policy is not enforced over defined subjects and objects, this is a finding.
Configure the network device or its associated authentication server to enforce role-based access control policy over defined subjects and objects.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Determine if the network device allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. This requirement may be verified by configuration review or vendor-provided information. This requirement may be met through use of a properly configured syslog server if the device is configured to use the syslog server.

Junos does not permit configuring audit logging storage space. However, the majority of disk space is reserved for local audit log storage, and files are rotated using a first-in-first-out (FIFO) function.

Verify external syslog servers are configured.

[edit system syslog]
host <address 1> {
    any info;
}
host <address 2> {
    any info;
}

If audit record storage capacity is not allocated in accordance with organization-defined audit record storage requirements, or the device is not configured to use external syslog server(s), this is a finding.
Configure the network device to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

Configure external syslog server(s):

set system syslog host <address 1> any info
set system syslog host <address 2> any info
Determine if the network device generates an immediate alert of all audit failure events requiring real-time alerts.

Juniper network devices support monitoring the audit log storage partition (/var), monitoring the SNMP health status, or both.

On devices supporting disk partition monitoring, verify the audit log partition (/var) free space is configured appropriately for the environment. For example, to generate "high disk usage" alerts at 80 percent capacity (20 percent free), and "full disk usage" at 90 percent capacity (10 percent free):

[edit chassis]
disk-partition /var {
    level full {
        free-space 10 percent;
    }
    level high {
        free-space 20 percent;
    }
}

Note: The configurable parameter is a percentage of free space remaining, not percentage used. "High" usage percent of remaining free space must be equal to, or greater than, the "full" usage percent of remaining free space.

For network devices supporting SNMP health monitoring, verify the rising and falling threshold values for monitored objects (e.g., CPU, memory, and disk storage usage). In the example below, any monitored object exceeding 75 percent usage will generate an alert. Another alert is generated when the usage falls below 74 percent. As configured in the example, Junos samples every 300 seconds. The falling threshold value must be less than the rising threshold value. Verify the thresholds are appropriate for the target environment.

[edit snmp]
health-monitor {
    interval 300;
    rising-threshold 75;
    falling-threshold 74;
}

Note: Monitored objects generate an event the first time they cross a threshold, not at every sample interval.

This requirement may be verified by configuration review or validated test results.

If an immediate alert of all audit failure events requiring real-time alerts is not generated, this is a finding.
Configure the network device to generate an immediate real-time alert of all audit failure events requiring real-time alerts.

set chassis disk-partition /var level full free-space <0..100>
set chassis disk-partition /var level full free-space percent
set chassis disk-partition /var level high free-space <0..100>
set chassis disk-partition /var level high free-space percent

Note: The "high" disk free-space value must be equal to or greater than the "full" free-space value.

set snmp health-monitor interval <1..2147483647 seconds>
set snmp health-monitor rising-threshold <1..100 percent>
set snmp health-monitor falling-threshold <0..100 percent>

Note: The falling-threshold value must be less than the rising-threshold value or the commit fails.
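The two ordering rules in the check and fix above (the "high" free-space level must be at or above the "full" level, and falling-threshold must be below rising-threshold) are easy to get backwards when the values are read as "percent used". The following is an added example, not Juniper or DISA code: it parses a constructed "set"-style configuration in the one-line form shown in the check text and reports any violation of those rules before the change reaches a commit. The partition name and threshold values are sample inputs.

```python
"""Offline sanity check of the Junos alerting thresholds described above.

Added example (not Juniper or DISA code). Parses a constructed 'set'-style
configuration and enforces the ordering rules the check text states:
disk-partition 'high' free-space >= 'full' free-space, and health-monitor
falling-threshold < rising-threshold.
"""
import re

# Constructed sample configuration (placeholder values, not from a real device).
SAMPLE_CONFIG = """
set chassis disk-partition /var level full free-space 10 percent
set chassis disk-partition /var level high free-space 20 percent
set snmp health-monitor interval 300
set snmp health-monitor rising-threshold 75
set snmp health-monitor falling-threshold 74
"""

DISK_RE = re.compile(r"^set chassis disk-partition (\S+) level (full|high) free-space (\d+)(?: percent)?$")
HM_RE = re.compile(r"^set snmp health-monitor (interval|rising-threshold|falling-threshold) (\d+)$")


def parse_thresholds(config: str) -> dict:
    """Collect free-space levels per partition and the health-monitor values."""
    parsed = {"disk": {}, "health": {}}
    for raw in config.splitlines():
        line = raw.strip()
        m = DISK_RE.match(line)
        if m:
            partition, level, pct = m.groups()
            parsed["disk"].setdefault(partition, {})[level] = int(pct)
            continue
        m = HM_RE.match(line)
        if m:
            parsed["health"][m.group(1)] = int(m.group(2))
    return parsed


def audit_thresholds(config: str) -> list:
    """Return a list of findings; an empty list means both ordering rules hold."""
    parsed = parse_thresholds(config)
    findings = []
    if not parsed["disk"]:
        findings.append("no disk-partition monitoring configured")
    for partition, levels in parsed["disk"].items():
        if "full" not in levels or "high" not in levels:
            findings.append(f"{partition}: both 'full' and 'high' levels must be set")
            continue
        # Values are percent FREE, so the 'high' warning must trigger while more space remains.
        if levels["high"] < levels["full"]:
            findings.append(f"{partition}: high free-space {levels['high']}% is below "
                            f"full free-space {levels['full']}%")
    hm = parsed["health"]
    if not hm:
        findings.append("no snmp health-monitor configured")
    else:
        rising, falling = hm.get("rising-threshold"), hm.get("falling-threshold")
        if rising is None or falling is None:
            findings.append("health-monitor needs both rising-threshold and falling-threshold")
        elif falling >= rising:  # Junos rejects this at commit time
            findings.append(f"falling-threshold {falling} must be less than rising-threshold {rising}")
    return findings


if __name__ == "__main__":
    for finding in audit_thresholds(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of "show configuration | display set" saved to a file to validate a proposed change before committing it.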
Determine if the network device is configured to synchronize internal information system clocks with the primary and secondary time sources. Verify the Network Time Protocol (NTP) configuration.

[edit system ntp]
authentication-key 1 type sha256 value "PSK"; ## SECRET-DATA
authentication-key 2 type sha1 value "PSK"; ## SECRET-DATA
server <address 1> key 1 prefer; ## SECRET-DATA
server <address 2> key 2; ## SECRET-DATA
trusted-key [ 1 2 ];
source-address <lo0 or OOBM address>;

If the network device is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding.
Configure the network device to synchronize internal information system clocks with the primary and secondary time sources.

set system ntp authentication-key 1 type sha256
set system ntp authentication-key 1 value "PSK"
set system ntp authentication-key 2 type sha1
set system ntp authentication-key 2 value "PSK"
set system ntp server <address 1> key 1
set system ntp server <address 1> prefer
set system ntp server <address 2> key 2
set system ntp trusted-key 1
set system ntp trusted-key 2
set system ntp source-address <lo0 or OOBM address>
Determine if the network device records time stamps for audit records that can be mapped to UTC or GMT. This requirement may be verified by demonstration or configuration review. Verify the time zone is UTC.

[edit system]
time-zone UTC;

If the network device does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.
Configure the network device to record time stamps for audit records that can be mapped to UTC or GMT.

set system time-zone UTC
Determine if the network device prohibits installation of software without explicit privileged status. This requirement may be verified by demonstration or configuration review.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Installation of firmware requires the maintenance permission bit. However, even with that bit set, software installation can be limited by the "deny-commands" statement (e.g., deny-commands "^request system software"). The command takes a regular expression (REGEX) enclosed in double quotes (").

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If installation of software is not prohibited without explicit privileged status, this is a finding.
Configure the network device to prohibit installation of software without explicit privileged status.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Determine if the network device enforces access restrictions associated with changes to device configuration.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Configuration changes require permission sets appropriate for each stanza. For example, the "system" bit permits one to view [edit system] and the "system-control" bit permits editing (add, delete, modify).

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ];
    security-role audit-administrator;
}

Example local and template accounts:

user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If the network device does not enforce such access restrictions, this is a finding.
Configure the network device to enforce access restrictions associated with changes to device configuration.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
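Both login-class checks above (software installation and configuration changes) turn on how the "deny-commands" and "deny-configuration-regexps" expressions match. The block below is an added example, not Juniper or DISA code: it copies the deny-commands expression of class <name-1> and the deny-configuration-regexps list of class <name> from the check text and evaluates them with Python's re module, which accepts these extended regular expressions unchanged, so an administrator can confirm before commit that "request system software ..." and edits under "system login user ..." are actually caught. The sample commands and configuration paths are constructed, and the evaluation order and precedence between allow- and deny- directives is not modelled; only the deny expressions are tested here.

```python
"""Evaluate the example login-class restrictions offline.

Added example (not Juniper or DISA code). The two expressions below are copied
verbatim from the check text; the commands and paths fed to them are constructed.
"""
import re

# deny-commands of class <name-1> (audit-administrator), from the check text.
NAME1_DENY_COMMANDS = (
    r"^clear (security alarms|system login lockout)"
    r"|^file (copy|delete|list|rename|show)"
    r"|^request (security|system set-encryption-key|system firmware upgrade re)"
    r"|^rollback|^set date"
    r"|^show security (alarms|dynamic-policies|match-policies|policies)"
    r"|^start shell"
    r"|^request system (decrypt|halt|reboot|software|zeroize)"
)

# deny-configuration-regexps of class <name>, from the check text.
NAME_DENY_CONFIG = [
    r"security alarms potential-violation idp",
    r"security (ike|ipsec) (policy|proposal)",
    r"security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)",
    r"security log",
    r"system fips self-test after-key-generation",
    r"system (archival|syslog|root-authentication|authentication-order|master-password)",
    r"system services ssh (protocol-version|root-login)",
    r"system login password",
    r"system login user [a-zA-Z0-9_-]+ (authentication|class)",
    r"system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)",
]


def command_denied(command: str, deny_pattern: str = NAME1_DENY_COMMANDS) -> bool:
    """True when the full operational-mode command matches the deny-commands regex.

    The leading ^ on each alternative anchors it to the start of the command line,
    so the pattern blocks 'request system software ...' but not a 'show' command that
    merely contains the word 'software'.
    """
    return re.search(deny_pattern, command) is not None


def config_denied(path: str, deny_regexps: list = NAME_DENY_CONFIG):
    """Return the first deny-configuration-regexps entry that matches a configuration
    path written as space-separated hierarchy words, or None when editing is allowed."""
    for pattern in deny_regexps:
        if re.search(pattern, path):
            return pattern
    return None


def evaluate(commands: list, paths: list) -> dict:
    """Summarise which sample commands and configuration paths the classes would block."""
    return {
        "commands": {c: command_denied(c) for c in commands},
        "config": {p: config_denied(p) for p in paths},
    }


if __name__ == "__main__":
    # Constructed samples: an install attempt, a shell escape, and harmless show commands.
    result = evaluate(
        ["request system software add /var/tmp/junos-install.tgz", "start shell",
         "show configuration", "show cli authorization"],
        ["system login user auditor class super-user", "interfaces ge-0/0/0 unit 0 family inet",
         "system syslog file messages any info"],
    )
    for cmd, denied in result["commands"].items():
        print(f"{'DENIED ' if denied else 'allowed'}  {cmd}")
    for path, hit in result["config"].items():
        print(f"{'DENIED ' if hit else 'allowed'}  {path}  ({hit or 'no deny match'})")
```

When an organization changes either expression, re-running the same sample list shows immediately whether the software-installation and account-editing paths are still covered.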
Review the network device configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). By default, SNMP is disabled. If used, verify SNMPv3 is configured (minimally) for authentication-sha. Although HMAC-MD5-96 is supported as required by RFC, Junos also supports HMAC-SHA and HMAC-SHA224/256/384/512. Configure the strongest HMAC supported by both the Juniper device and the Network Management System (NMS).

[edit snmp v3]
usm {
    local-engine {
        user <SNMPv3 user> {
            authentication-sha {
                authentication-key "$8$aes256-gcm$hmac-sha2-256$100$2CM/LosUGF4$A...<snip>...rflBKxq/w+jaAVF55Bsc6PA"; ## SECRET-DATA
            }
        }
    }
}

If the network device is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.
Configure the network device to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

set snmp v3 usm local-engine user <SNMPv3 username> authentication-sha authentication-password "PSK"
Review the Juniper EX configuration to determine if it obtains time information from a trusted source.

[edit system ntp]
authentication-key 1 type sha256 value "PSK"; ## SECRET-DATA
authentication-key 2 type sha1 value "PSK"; ## SECRET-DATA
server <address 1> key 1 prefer; ## SECRET-DATA
server <address 2> key 2; ## SECRET-DATA
trusted-key [ 1 2 ];

If the network device does not support FIPS-validated algorithms, verify the network device configuration to determine NTP endpoints are authenticated before establishing the local, remote, or network connection using cryptographically based algorithms.

[edit system ntp]
authentication-key 3 type md5 value "PSK"; ## SECRET-DATA
server <address 3> key 3; ## SECRET-DATA
trusted-key [ 1 2 3 ];

If the Juniper EX switch is not configured to use an NTP service that is hosted by a trusted source or a DOD-compliant enterprise or local NTP server, this is a finding.
Configure the network device to authenticate Network Time Protocol sources using FIPS-validated algorithms.

set system ntp authentication-key 1 type sha256
set system ntp authentication-key 1 value "PSK"
set system ntp authentication-key 2 type sha1
set system ntp authentication-key 2 value "PSK"
set system ntp server <address 1> key 1
set system ntp server <address 1> prefer
set system ntp server <address 2> key 2
set system ntp trusted-key 1
set system ntp trusted-key 2

If the network device does not support FIPS-validated algorithms, configure NTP authentication using cryptographically based algorithms.

set system ntp authentication-key 3 type md5
set system ntp authentication-key 3 value "PSK"
set system ntp server <address 3> key 3
set system ntp trusted-key 3
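The clock-synchronization check earlier on this page and the NTP authentication check directly above share the same failure modes: a server configured without a key, a key id that is not listed under trusted-key (Junos will not use it for that server), and an md5 key left in place where FIPS-validated key types are required. The following is an added example, not Juniper or DISA code; it parses a constructed "set system ntp" configuration with placeholder addresses and key values and reports each of those conditions, with a switch for devices the page allows to fall back to md5.

```python
"""Offline audit of the NTP authentication settings in the checks above.

Added example (not Juniper or DISA code). Parses a constructed 'set'-style
configuration and reports: fewer than two servers, a server without a key, a
key that is undefined or missing from trusted-key, an md5 key where
FIPS-validated types are required, and a missing source-address.
"""
import shlex

# Key types the check text presents as FIPS-validated; md5 is the non-FIPS fallback.
FIPS_KEY_TYPES = {"sha256", "sha1"}

# Constructed sample: key 3 (md5) is used by the third server but is not trusted.
SAMPLE_NTP = """
set system ntp authentication-key 1 type sha256
set system ntp authentication-key 1 value "PLACEHOLDER-PSK-1"
set system ntp authentication-key 2 type sha1
set system ntp authentication-key 2 value "PLACEHOLDER-PSK-2"
set system ntp authentication-key 3 type md5
set system ntp authentication-key 3 value "PLACEHOLDER-PSK-3"
set system ntp server 192.0.2.10 key 1
set system ntp server 192.0.2.10 prefer
set system ntp server 192.0.2.11 key 2
set system ntp server 192.0.2.12 key 3
set system ntp trusted-key 1
set system ntp trusted-key 2
set system ntp source-address 192.0.2.1
"""


def parse_ntp(config: str):
    """Collect keys, servers, trusted-key ids and source-address from 'set system ntp' lines."""
    keys, servers, trusted = {}, {}, set()
    source = None
    for raw in config.splitlines():
        tok = shlex.split(raw.strip())
        if tok[:3] != ["set", "system", "ntp"]:
            continue
        rest = tok[3:]
        if rest[0] == "authentication-key" and len(rest) >= 4:
            key = keys.setdefault(rest[1], {"type": None, "has_value": False})
            if rest[2] == "type":
                key["type"] = rest[3]
            elif rest[2] == "value":
                key["has_value"] = True
        elif rest[0] == "server" and len(rest) >= 3:
            srv = servers.setdefault(rest[1], {"key": None, "prefer": False})
            if rest[2] == "key" and len(rest) >= 4:
                srv["key"] = rest[3]
            elif rest[2] == "prefer":
                srv["prefer"] = True
        elif rest[0] == "trusted-key" and len(rest) >= 2:
            trusted.add(rest[1])
        elif rest[0] == "source-address" and len(rest) >= 2:
            source = rest[1]
    return keys, servers, trusted, source


def audit_ntp(config: str, fips_required: bool = True) -> list:
    """Return a list of findings; an empty list means the configuration meets the checks."""
    keys, servers, trusted, source = parse_ntp(config)
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two NTP servers (primary and secondary required)")
    for addr, srv in servers.items():
        key_id = srv["key"]
        if key_id is None:
            findings.append(f"server {addr} is not authenticated (no key)")
            continue
        key = keys.get(key_id)
        if key is None or key["type"] is None or not key["has_value"]:
            findings.append(f"server {addr} references key {key_id}, which is not fully defined")
            continue
        if key_id not in trusted:
            findings.append(f"key {key_id} used by server {addr} is not listed under trusted-key")
        if fips_required and key["type"] not in FIPS_KEY_TYPES:
            findings.append(f"key {key_id} used by server {addr} is type {key['type']}, "
                            "not a FIPS-validated type")
    if source is None:
        findings.append("source-address not set (use the loopback or OOBM address)")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_NTP) or ["no findings"]:
        print(finding)
```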
Review the network device configuration to determine if the network device or its associated authentication server prohibits the use of cached authenticators after an organization-defined time period. Verify idle-timeouts, SSH keepalive messages, and SSH rekey are configured to meet the requirements of the target network.

[edit system]
login {
    idle-timeout 10;
}
services {
    ssh {
        protocol-version v2;
        client-alive-count-max (0..255);
        client-alive-interval (0..65535 seconds);
        rekey {
            data-limit (51200..4294967295 bytes);
            time-limit (1..1440 minutes);
        }
    }
}

For externally authenticated accounts, verify the external authentication server enforces appropriate authenticator timeouts.

If cached authenticators are used after an organization-defined time period, this is a finding.
Configure the network device or its associated authentication server to prohibit the use of cached authenticators after an organization-defined time period.

set system login idle-timeout 10
set system services ssh protocol-version v2
set system services ssh client-alive-count-max (0..255)
set system services ssh client-alive-interval (0..65535 seconds)
set system services ssh rekey data-limit (51200..4294967295 bytes)
set system services ssh rekey time-limit (1..1440 minutes)
Verify the network device uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. If using SNMPv3, verify (minimally) that authentication-sha is configured. Juniper devices also support authentication-sha224/256/384/512. Verify the strongest mutually supported HMAC between the network device and the Network Management Server (NMS) is configured.

[edit snmp]
v3 {
    usm {
        local-engine {
            user <SNMPv3 user> {
                authentication-sha {
                    authentication-key "PSK"; ## SECRET-DATA
                }
            }
        }
    }
}

Verify SSH is configured for protocol v2 only, ciphers [ aes256-ctr aes192-ctr aes128-ctr ], key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ], and macs [ hmac-sha2-512 hmac-sha2-256 ].

[edit system services ssh]
protocol-version v2;
ciphers [ aes256-ctr aes192-ctr aes128-ctr ];
macs [ hmac-sha2-512 hmac-sha2-256 ];
key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ];

If the network device does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.
Configure the network device to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

set snmp v3 usm local-engine user <SNMPv3 user> authentication-sha authentication-password "PSK"
set snmp v3 usm local-engine user <SNMPv3 user> privacy-aes128 privacy-password "PSK"

Note: Use the strongest HMAC mutually supported with the NMS (e.g., authentication-sha256, authentication-sha512).

set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes128-ctr
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp256
Review the network device configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. If using SNMPv3, verify (minimally) that authentication-sha is configured. Juniper devices also support authentication-sha224/256/384/512. Verify the strongest mutually supported HMAC between the network device and the Network Management Server (NMS) is configured.

[edit snmp]
v3 {
    usm {
        local-engine {
            user <SNMPv3 user> {
                authentication-sha {
                    authentication-key "PSK"; ## SECRET-DATA
                }
            }
        }
    }
}

Verify SSH is configured for protocol v2 only, ciphers [ aes256-ctr aes192-ctr aes128-ctr ], key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ], and macs [ hmac-sha2-512 hmac-sha2-256 ].

[edit system services ssh]
protocol-version v2;
ciphers [ aes256-ctr aes192-ctr aes128-ctr ];
macs [ hmac-sha2-512 hmac-sha2-256 ];
key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ];

If the network device is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.
Configure the network device to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm.

set snmp v3 usm local-engine user <SNMPv3 user> authentication-sha authentication-password "PSK"
set snmp v3 usm local-engine user <SNMPv3 user> privacy-aes128 privacy-password "PSK"

Note: Use the strongest HMAC mutually supported with the NMS (e.g., authentication-sha256, authentication-sha512).

set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes128-ctr
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp256
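The SNMPv3 HMAC check, the cached-authenticator (keepalive and rekey) check, and the two SSH integrity and confidentiality checks above all reduce to a handful of "set system services ssh" and "set snmp v3" values. The block below is an added example, not Juniper or DISA code: it parses a constructed configuration with placeholder user names and secrets and reports any SSH cipher, MAC or key-exchange method outside the lists the checks give, a protocol version other than v2, keepalive or rekey values outside the ranges the cached-authenticator check lists, and any SNMPv3 user whose authentication protocol is not a SHA variant. A configured list that is merely missing is also reported, since the checks call for the lists to be set explicitly.

```python
"""Offline check of the SSH and SNMPv3 settings required by the checks above.

Added example (not Juniper or DISA code). Approved lists and ranges are taken
from the check text; the configuration is a constructed sample.
"""
import shlex

APPROVED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}
APPROVED_MACS = {"hmac-sha2-512", "hmac-sha2-256"}
APPROVED_KEX = {"ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256"}
APPROVED_SNMP_AUTH = {"authentication-sha", "authentication-sha224", "authentication-sha256",
                      "authentication-sha384", "authentication-sha512"}
# (min, max) from the cached-authenticator check.
RANGES = {"client-alive-count-max": (0, 255), "client-alive-interval": (0, 65535),
          "rekey data-limit": (51200, 4294967295), "rekey time-limit": (1, 1440)}

# Constructed sample with three deliberate weaknesses: a CBC cipher, an SHA-1 MAC, and MD5 for SNMPv3.
SAMPLE_CONFIG = """
set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh client-alive-count-max 3
set system services ssh client-alive-interval 300
set system services ssh rekey data-limit 1073741824
set system services ssh rekey time-limit 60
set snmp v3 usm local-engine user nms-poller authentication-md5 authentication-password "PLACEHOLDER"
set snmp v3 usm local-engine user nms-poller privacy-aes128 privacy-password "PLACEHOLDER"
"""


def parse_set_lines(config: str):
    """Yield the token list of each 'set ...' line, keeping quoted values as one token."""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            yield shlex.split(line)[1:]


def collect(config: str):
    """Gather SSH algorithm lists, SSH scalar values and SNMPv3 authentication protocols."""
    ssh_lists = {"ciphers": set(), "macs": set(), "key-exchange": set()}
    ssh_values, snmp_auth = {}, {}
    for tok in parse_set_lines(config):
        if tok[:3] == ["system", "services", "ssh"] and len(tok) >= 5:
            if tok[3] in ssh_lists:
                ssh_lists[tok[3]].add(tok[4])
            elif tok[3] == "rekey" and len(tok) >= 6:
                ssh_values["rekey " + tok[4]] = tok[5]
            else:
                ssh_values[tok[3]] = tok[4]
        elif (tok[:5] == ["snmp", "v3", "usm", "local-engine", "user"] and len(tok) >= 7
              and tok[6].startswith("authentication-")):
            snmp_auth[tok[5]] = tok[6]
    return ssh_lists, ssh_values, snmp_auth


def audit_remote_management(config: str) -> list:
    """Return a list of findings; an empty list means every checked setting is compliant."""
    ssh_lists, ssh_values, snmp_auth = collect(config)
    findings = []
    if ssh_values.get("protocol-version") != "v2":
        findings.append("ssh protocol-version is not pinned to v2")
    for name, approved in (("ciphers", APPROVED_CIPHERS), ("macs", APPROVED_MACS),
                           ("key-exchange", APPROVED_KEX)):
        if not ssh_lists[name]:
            findings.append(f"ssh {name} not set explicitly (platform defaults apply)")
        for algo in sorted(ssh_lists[name] - approved):
            findings.append(f"ssh {name} {algo} is not in the approved list")
    for key, (lo, hi) in RANGES.items():
        if key in ssh_values and not lo <= int(ssh_values[key]) <= hi:
            findings.append(f"ssh {key} {ssh_values[key]} is outside {lo}..{hi}")
    for user, proto in snmp_auth.items():
        if proto not in APPROVED_SNMP_AUTH:
            findings.append(f"snmpv3 user {user} uses {proto}; configure a SHA authentication protocol")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_management(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```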
Determine if the network device protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Verify session and (if supported) rate limits for management connections.

SSH example:

[edit system services ssh]
connection-limit <1..250>;
rate-limit <1..250>;

Note: The SSH connection- and rate-limit directives affect secure file transfer protocols like SCP and SFTP.

NETCONF over SSH example:

[edit system services netconf]
ssh {
    connection-limit <1..250>;
    rate-limit <1..250>;
}

Note: Rate limiting is the permissible number of connections per one-minute interval.

Verify policers (rate limiters) are appropriately applied to limit traffic; for example, to limit SSH connection attempts:

[edit firewall]
family inet {
    filter <filter name> {
        term 1 {
            from {
                destination-address {
                    <device OOBM or loopback address>;
                }
                source-prefix-list {
                    <management address list name>;
                }
                protocol tcp;
                destination-port 22;
                tcp-initial;
            }
            then {
                policer policer-32k;
                syslog;
                accept;
            }
        }
        term 2 {
            from {
                destination-address {
                    <device OOBM or loopback address>;
                }
                source-prefix-list {
                    <management address list name>;
                }
                protocol tcp;
                destination-port 22;
            }
            then {
                syslog;
                accept;
            }
        }
        term default {
            then {
                syslog;
                discard;
            }
        }
    }
}
family inet6 {
    filter <filter name-1> {
        term 1 {
            from {
                destination-address {
                    <device OOBM or loopback address>;
                }
                source-prefix-list {
                    <management address list name-1>;
                }
                next-header tcp;
                destination-port 22;
                tcp-initial;
            }
            then {
                policer policer-32k;
                syslog;
                accept;
            }
        }
        term 2 {
            from {
                destination-address {
                    <device OOBM or loopback address>;
                }
                source-prefix-list {
                    <management address list name-1>;
                }
                next-header tcp;
                destination-port 22;
            }
            then {
                syslog;
                accept;
            }
        }
        term default {
            then {
                syslog;
                discard;
            }
        }
    }
}

Note: Additional terms will be required for other services like SNMP.

policer policer-32k {
    if-exceeding {
        bandwidth-limit 32k;
        burst-size-limit 1500;
    }
    then discard;
}

[edit interfaces]
<OOBM interface> {
    unit 0 {
        family inet {
            filter {
                input <filter name>;
            }
            address <IPv4 address>/<mask>;
        }
        family inet6 {
            filter {
                input <filter name-1>;
            }
            address <IPv6 address>/<prefix>;
        }
    }
}

Note: Although the example filter is shown applied to the management interface, the filter can also be applied to the loopback interface. If applying to loopback, ensure the filter terms account for all traffic, services, and protocols that must reach the routing engine (e.g., OSPF, BGP, SNMP, etc.).

If the network device does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.
Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

SSH example:

set system services ssh connection-limit <1..250>
set system services ssh rate-limit <1..250>

NETCONF over SSH example:

set system services netconf ssh connection-limit <1..250>
set system services netconf ssh rate-limit <1..250>

Example firewall filters:

set firewall family inet filter <filter name> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 1 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 1 from protocol tcp
set firewall family inet filter <filter name> term 1 from destination-port 22
set firewall family inet filter <filter name> term 1 from tcp-initial
set firewall family inet filter <filter name> term 1 then policer policer-32k
set firewall family inet filter <filter name> term 1 then syslog
set firewall family inet filter <filter name> term 1 then accept
set firewall family inet filter <filter name> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 2 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 2 from protocol tcp
set firewall family inet filter <filter name> term 2 from destination-port 22
set firewall family inet filter <filter name> term 2 then syslog
set firewall family inet filter <filter name> term 2 then accept
set firewall family inet filter <filter name> term default then syslog
set firewall family inet filter <filter name> term default then discard
set firewall family inet6 filter <filter name-1> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 1 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 1 from next-header tcp
set firewall family inet6 filter <filter name-1> term 1 from destination-port 22
set firewall family inet6 filter <filter name-1> term 1 from tcp-initial
set firewall family inet6 filter <filter name-1> term 1 then policer policer-32k
set firewall family inet6 filter <filter name-1> term 1 then syslog
set firewall family inet6 filter <filter name-1> term 1 then accept
set firewall family inet6 filter <filter name-1> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 2 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 2 from next-header tcp
set firewall family inet6 filter <filter name-1> term 2 from destination-port 22
set firewall family inet6 filter <filter name-1> term 2 then syslog
set firewall family inet6 filter <filter name-1> term 2 then accept
set firewall family inet6 filter <filter name-1> term default then syslog
set firewall family inet6 filter <filter name-1> term default then discard

Example interface configuration:

set interfaces <OOBM interface> unit 0 family inet filter input <filter name>
set interfaces <OOBM interface> unit 0 family inet address <IPv4 address>/<mask>
set interfaces <OOBM interface> unit 0 family inet6 filter input <filter name-1>
set interfaces <OOBM interface> unit 0 family inet6 address <IPv6 address>/<prefix>
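The filter above depends on two things that are easy to misread from the configuration alone: terms are evaluated in order with the first match winning (so term 1 only ever sees SYNs, term 2 the rest of the SSH session, and everything else falls to the default discard), and policer-32k only throttles the SYNs that reach term 1. The following is an added example, not Juniper or DISA code: a simplified model of the IPv4 filter with the policer as a token bucket (32 kbit/s refill, 1500-byte burst). The device address, management prefix and packet timings are constructed, and real Junos policer accounting differs in detail, so treat the numbers as illustrative of the mechanism rather than of a specific platform.

```python
"""Model of the management-plane filter and policer described above.

Added example (not Juniper or DISA code): a first-match evaluator for the two SSH
terms plus the default discard term, with policer-32k modelled as a token bucket.
Addresses, prefix list and packet timings are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

DEVICE_ADDRESS = "203.0.113.1"                                # <device OOBM or loopback address>
MGMT_PREFIX_LIST = [ipaddress.ip_network("198.51.100.0/24")]  # <management address list name>


@dataclass
class Packet:
    t: float            # arrival time in seconds
    src: str
    dst: str
    proto: str
    dport: int
    syn: bool = False
    ack: bool = False
    size: int = 60      # bytes; a typical TCP SYN


@dataclass
class Policer:
    """Single-rate token bucket: conforming packets pass, the excess is discarded."""
    bandwidth_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)

    def conforms(self, pkt: Packet) -> bool:
        refill = (pkt.t - self.last_t) * self.bandwidth_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = pkt.t
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return True
        return False


def from_management(pkt: Packet) -> bool:
    """The 'from' conditions shared by terms 1 and 2: to the device, from the
    management prefix list, TCP, destination port 22."""
    return (pkt.dst == DEVICE_ADDRESS
            and any(ipaddress.ip_address(pkt.src) in p for p in MGMT_PREFIX_LIST)
            and pkt.proto == "tcp" and pkt.dport == 22)


def evaluate(pkt: Packet, policer: Policer) -> tuple:
    """Return (term, action); terms are tried in order and the first match wins."""
    if from_management(pkt) and pkt.syn and not pkt.ack:     # term 1: tcp-initial
        return ("term 1", "accept" if policer.conforms(pkt) else "discard")
    if from_management(pkt):                                   # term 2: rest of the session
        return ("term 2", "accept")
    return ("default", "discard")


def simulate() -> dict:
    """Run a constructed burst: 30 SYNs at t=0 from a management host, one SYN from
    an address outside the prefix list, and one established segment.
    Returns counts per (term, action)."""
    policer = Policer(bandwidth_bps=32_000, burst_bytes=1500)
    packets = [Packet(0.0, "198.51.100.7", DEVICE_ADDRESS, "tcp", 22, syn=True) for _ in range(30)]
    packets.append(Packet(0.0, "192.0.2.9", DEVICE_ADDRESS, "tcp", 22, syn=True))
    packets.append(Packet(0.1, "198.51.100.7", DEVICE_ADDRESS, "tcp", 22, ack=True))
    counts = {}
    for pkt in packets:
        key = evaluate(pkt, policer)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (term, action), n in sorted(simulate().items()):
        print(f"{term:8} {action:8} {n}")
```

With a 1500-byte burst and 60-byte SYNs the bucket admits 25 connection attempts before the policer starts discarding, while the established segment is untouched by the policer and the outside-prefix SYN never reaches the SSH terms at all, which is the behaviour to confirm in the syslog entries the terms generate.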
Determine if the network device generates audit records when successful/unsuccessful logon attempts occur. Junos logs all logon attempts via the "authorization" syslog facility (or facility "any"). Verify logging level "any info" or "authorization info" is configured.

[edit system syslog]
file <file name> {
    authorization info;
}
host <external syslog address> {
    any info;
}
time-format year millisecond;

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host <syslog address> {
    authorization info;
    structured-data;
}
file <file name> {
    any info;
    structured-data;
}

If it does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Configure the network device to generate audit records when successful/unsuccessful logon attempts occur.

set system syslog file <file name> any info
set system syslog file <file name> structured-data << (Optional) Only if structured data format is required
set system syslog host <external syslog address> authorization info
set system syslog host <external syslog address> structured-data << (Optional) Only if structured data format is required
set system syslog time-format <(year|millisecond)>
Determine if the network device generates audit records for privileged activities or other system-level access. Junos logs all completed commands via the "interactive-commands" syslog facility and all configuration changes via "change-log". Successful and unsuccessful login attempts are logged using the "authorization" facility. Verify syslog is configured to capture these facilities using the logging level "info" or above. The lowest logging level, "any", is debug and will generate significant numbers of messages. The "any" logging facility (not to be confused with the severity level "any") includes authorization, change-log, and interactive-commands.

Example configuration to generate audit records for privileged activities or other system-level access:

[edit system syslog]
file <file name> {
    authorization info;
    change-log info;
    interactive-commands info;
}
host <syslog address> {
    any info;
    explicit-priority;
}
time-format year millisecond;

Note: The time-format command supports including the year and/or the time in milliseconds (both shown for clarity). The default format does not include the year, and time is recorded in seconds.

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host <syslog address> {
    authorization info;
    change-log info;
    interactive-commands info;
    structured-data;
}
file <file name> {
    any info;
    structured-data;
}

If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.
Configure the network device to generate audit records for privileged activities or other system-level access.

set system syslog host <syslog address> any info
set system syslog host <syslog address> explicit-priority
set system syslog file <file name> any info
set system syslog time-format year
Determine if the network device generates audit records showing starting and ending time for administrator access to the system. Junos logs all logon attempts via the "authorization" syslog facility. Verify logging level "any info" or "authorization info" is configured. Time stamps are created for every log entry, both successful and failed logon attempts, and logout.

[edit system syslog]
file <file name> {
    any info;
}
host <external syslog address> {
    any info;
}
time-format year millisecond;

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host <syslog address> {
    change-log info;
    interactive-commands info;
    structured-data;
}
file <file name> {
    any info;
    structured-data;
}

If the network device does not generate audit records showing starting and ending time for administrator access to the system, this is a finding.
Configure the network device to generate audit records showing starting and ending time for administrator access to the system.

set system syslog file <file name> any info
set system syslog host <external syslog address> any info
set system syslog time-format year
Determine if the network device generates audit records when concurrent logons from different workstations occur. Junos logs all logon attempts via the "authorization" syslog facility. Verify logging level "any info" or "authorization info" is configured. Time stamps are created for every log entry, both successful and failed logon attempts, and logout.

[edit system syslog]
file <file name> {
    any info;
}
host <external syslog address> {
    any info;
}
time-format year millisecond;

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host <syslog address> {
    change-log info;
    interactive-commands info;
    structured-data;
}
file <file name> {
    any info;
    structured-data;
}

If the network device does not generate audit records when concurrent logons from different workstations occur, this is a finding.
Configure the network device to generate audit records when concurrent logons from different workstations occur.

set system syslog file <file name> any info
set system syslog host <external syslog address> any info
set system syslog time-format year
Mark as not a finding if the site has a solution in place to prevent the device from running out of audit storage.

Verify the device is configured to send system events to external syslog. If the organization has a centralized repository (or repositories) for secure transfer of audit log files, verify each log file is configured to transfer files to the appropriate repository. Each log file must be configured separately.

[edit system syslog]
file <file name> {
    any info;
    archive size <65536..1073741824 bytes> files <1..1000> transfer-interval <5..2880 minutes> start-time "<yyyy-mm-dd.hh:mm>" archive-sites {
        "URL" password "hashed PSK"; ## SECRET-DATA
    }
}

Note: The URL format is: <scp|sftp>://<username>@<address>/<path>. The trailing slash is omitted because Junos automatically adds it when it appends the filename.

host <external syslog address> {
    any info;
}

Note: If using secure file transfer to offload log files, the Juniper device will immediately attempt to connect with the configured protocol, address, and credentials. If successful, Junos will prompt to accept an untrusted public key. If the administrator accepts that key, Junos adds it to [edit security ssh-known-hosts]. Alternately, configure the trusted public key at [edit security ssh-known-hosts] before configuring automatic file offload.

If the device does not offload audit records onto a different system or media, this is a finding.
Archiving is not required unless space is limited on the audit server. Configure the network device to offload audit records onto a different system or media than the system being audited.

set system syslog file <file name> any info
set system syslog file <file name> archive size <65536..1073741824 bytes>
set system syslog file <file name> archive files <1..1000>
set system syslog file <file name> archive transfer-interval <5..2880 minutes>
set system syslog file <file name> archive start-time "<yyyy-mm-dd.hh:mm>"
set system syslog file <file name> archive archive-sites "<scp|sftp>://<username>@<repository address>/<path without trailing slash (/)>" password "<PSK>"
set system syslog host <external syslog address> any info
Determine if the network device is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. Verify the configuration implements security configuration or implementation guidance using the "show" commands. For example, to review the entire configuration, use "show configuration" from operational mode. If in configuration mode, executing the "show" command will show the configuration of the current hierarchy level. If it is not configured in accordance with the designated security configuration settings, this is a finding.
Configure the network device in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

To enable a function or set its configurable parameters, use the "set" command. To disable a function or its configuration parameters, use the "deactivate" or "delete" commands. "deactivate" leaves the statement in the configuration but marks it inactive (it can be restored with "activate"), whereas "delete" removes it entirely.
Determine if the network device generates audit log events for a locally developed list of auditable events.

Verify audit logging is enabled.

[edit system syslog]
file <file name> {
    any info;
}
host <external syslog address> {
    any info;
}
time-format year;

Note: Without the "structured-data" directive (as shown), syslog outputs in standard format. Add the "structured-data" directive to all files and external syslog servers requiring that format. For example:

[edit system syslog]
file <file name> {
    any info;
    structured-data;
}

If the logging facility and level are too broad, Junos supports regular expression ("match") or string ("match-strings") conditions to filter events. If used, verify the match conditions capture every required event.

[edit system syslog]
file <file name> {
    any info;
    match <REGEX>;
}
-or-
file <file name> {
    any info;
    match-strings [ "string 1" "string 2" ];
}

Note: When using match conditions, it may be necessary to use the lowest severity level, "any", but this should not generate overwhelming numbers of messages because the filter discards every unmatched event.

If the network device is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.
Configure the network device to generate audit log events for a locally developed list of auditable events.

set system syslog file <file name> any info
set system syslog file <file name> structured-data << (Optional) Only if structured data format is required
set system syslog host <external syslog address> any info
set system syslog host <external syslog address> structured-data << (Optional) Only if structured data format is required
set system syslog time-format year

If using regular expression or string match conditions:

set system syslog file <file name> any <info|any>
set system syslog file <file name> match <REGEX>
-or-
set system syslog file <file name> match-strings [ "string 1" "string 2" ]
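As an added illustration of the verification step above (this script is not part of the STIG and is not Juniper code), the following checks whether a candidate "match" regular expression, or an equivalent "match-strings" list, would keep every event on a locally developed list of auditable events while dropping unrelated messages. The event lines are constructed for the example and only imitate the shape of Junos syslog output; the two candidate patterns are also assumptions of the example. Junos evaluates "match" as a POSIX extended regular expression, so the patterns are kept to plain alternation that Python's re module interprets the same way; "match-strings" is modelled here as keep-if-any-substring-is-present.

```python
import re

# Constructed sample events, modelled on the shape of Junos syslog lines; they are not captured from a
# real device. They stand in for the organization's locally developed list of auditable events.
REQUIRED_EVENTS = [
    "Jun  3 14:02:09 ex-sw1 mgd[4123]: UI_CFG_AUDIT_SET: User 'admin' set: [system login user ops class operator]",
    "Jun  3 14:02:11 ex-sw1 mgd[4123]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)",
    "Jun  3 14:05:40 ex-sw1 sshd[5011]: LOGIN_FAILED: Login failed for user 'root' from host '192.0.2.10'",
    "Jun  3 14:06:02 ex-sw1 mgd[4123]: UI_LOGIN_EVENT: User 'ops' login, class 'operator' [5120], ssh-connection '192.0.2.11 50222 10.0.0.1 22', client-mode 'cli'",
    "Jun  3 14:07:15 ex-sw1 mgd[4123]: UI_CMDLINE_READ_LINE: User 'ops', command 'request system reboot '",
]

# Constructed events that are not on the auditable list; a good filter drops these.
NOISE_EVENTS = [
    "Jun  3 14:03:00 ex-sw1 chassisd[2201]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Fan OK",
    "Jun  3 14:03:30 ex-sw1 rpd[2399]: RPD_OSPF_NBRUP: OSPF neighbor 10.0.0.2 (realm ospf-v2 ge-0/0/1.0 area 0.0.0.0) state changed from Loading to Full",
]

# Two candidate "match" patterns (assumptions of this example). The first is the kind of filter that
# looks complete but silently drops the command-audit events; the second adds the missing tag.
NARROW_MATCH = "UI_COMMIT|UI_CFG_AUDIT|LOGIN"
FULL_MATCH = "UI_COMMIT|UI_CFG_AUDIT|LOGIN|UI_CMDLINE_READ_LINE"


def matching_lines(pattern, lines):
    """Lines the syslog 'match' regex would keep (plain ERE alternation behaves identically in Python re)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def coverage_gaps(pattern, required):
    """Required events the 'match' regex would drop; an empty list means the filter is complete."""
    rx = re.compile(pattern)
    return [line for line in required if not rx.search(line)]


def coverage_gaps_strings(strings, required):
    """Same check for a 'match-strings' list, modelled as keep-if-any-substring-present (an assumption)."""
    return [line for line in required if not any(s in line for s in strings)]


if __name__ == "__main__":
    for name, pattern in (("narrow", NARROW_MATCH), ("full", FULL_MATCH)):
        gaps = coverage_gaps(pattern, REQUIRED_EVENTS)
        kept_noise = matching_lines(pattern, NOISE_EVENTS)
        print(f"{name}: {len(gaps)} required event(s) dropped, {len(kept_noise)} noise line(s) kept")
        for line in gaps:
            print("  DROPPED:", line.split(": ", 1)[1][:60])
```

Run the script against the organization's real event list and the exact string that will be committed under "match"; a non-empty gap list is the finding the check above describes, and a non-empty kept-noise list means the severity level or the pattern is still too broad.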
Check the network device to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", distinguished by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may call for different allow- and deny- directives, or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ];
    security-role audit-administrator;
}

Example local and template accounts:

[edit system login]
user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

If unauthorized users are allowed to change the hardware or software, this is a finding.
Configure the network device to enforce access restrictions associated with changes to the system components.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
Review the network device configuration to verify the device is configured to use an authentication server as the primary source for authentication.

Verify the RADIUS and/or TACACS+ server addresses.

[edit system]
radius-server {
    <RADIUS-1 address> secret "hashed PSK"; ## SECRET-DATA
    <RADIUS-2 address> secret "hashed PSK"; ## SECRET-DATA
}
tacplus-server {
    <TACPLUS-1 address> secret "hashed PSK"; ## SECRET-DATA
    <TACPLUS-2 address> secret "hashed PSK"; ## SECRET-DATA
}

Verify the authentication order places the external authentication server first.

[edit system]
authentication-order [ radius tacplus password ];

Note: Only the global authentication order is required; all administrative access methods honor the global setting unless configured separately.

If the network device is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.
Configure the network device to use an authentication server.

set system radius-server <RADIUS-1 address> secret "<PSK>"
set system tacplus-server <TACPLUS-1 address> secret "<PSK>"

Configure the authentication order to use the authentication server as the primary source for authentication. Each "set system authentication-order" statement appends to the ordered list, so enter them in the order the methods should be tried; "password" last keeps the local password as the fallback.

set system authentication-order radius
set system authentication-order tacplus
set system authentication-order password
Review the network device configuration to determine if the device is configured to conduct backups of system-level information contained in the information system when changes occur.

Verify the preferred centralized backup system is configured to retrieve the configuration file. There is no provision for backing up system binaries because Juniper provides signed installation packages rather than individual files. Therefore, verify the centralized backup solution has the appropriate installation packages for the deployed platforms.

When the configuration file is pulled by the centralized server, example retrieval methods are authenticated connections over NETCONF or manual retrieval using SSH. Junos supports authenticating external services via RADIUS or TACACS+, or via a local account.

[edit system services netconf]
ssh;
rfc-compliant;

Note: The "rfc-compliant" statement is recommended for compatibility in large enterprises, but can be omitted if there are overriding operational considerations.

If the network device will be saving system files to a centralized repository, verify the configuration file is automatically saved at each commit.

[edit system archival]
configuration {
    transfer-on-commit;
    archive-sites {
        "sftp://user@host/configuration_files" password "$9$w52...<snip>...mfzn/"; ## SECRET-DATA
    }
}

Note: The URL uses the <scp|sftp>://<username>@<repository address>/<path without trailing slash (/)> format because Junos appends the slash together with the system-generated filename. Junos supports file transfer either on commit or at configured intervals.

If the network device is not configured to conduct backups of system-level data when changes occur, this is a finding.
Configure the network device to conduct backups of system-level information contained in the information system when changes occur.

For NETCONF connections:

set system services netconf ssh
set system services netconf rfc-compliant

Note: The "rfc-compliant" statement is recommended for compatibility in large enterprises but can be omitted if there are overriding operational considerations.

For automated configuration offload by the device:

set system archival configuration transfer-on-commit
set system archival configuration archive-sites "<scp|sftp>://<username>@<address>/<path without trailing slash (/)>" password "<PSK>"
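The audit-offload, authentication-server and configuration-archival requirements above all reduce to a handful of statements that can be checked mechanically against "show configuration | display set" output. The script below is an added example, not part of the STIG and not Juniper tooling: it parses two constructed display-set excerpts (RFC 5737 documentation addresses, placeholder "$9$" obfuscated secrets, both assumptions of the example) and reports the findings a reviewer would raise for those three checks, including the easy-to-miss trailing slash in an archive-sites URL and an archive URL that is neither scp nor sftp.

```python
import shlex
from urllib.parse import urlsplit

# Constructed "show configuration | display set" excerpts; not captured from a real device.
COMPLIANT = """
set system syslog file messages any info
set system syslog file messages archive size 1048576
set system syslog file messages archive files 10
set system syslog file messages archive transfer-interval 60
set system syslog file messages archive archive-sites "sftp://logxfer@203.0.113.20/junos/messages" password "$9$abc"
set system syslog host 203.0.113.10 any info
set system syslog time-format year
set system radius-server 203.0.113.30 secret "$9$xyz"
set system authentication-order radius
set system authentication-order password
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://cfgbak@203.0.113.20/configs" password "$9$def"
"""

# Same shape with four deliberate defects: no external syslog host, an ftp archive URL,
# a trailing slash on the archival URL, and local password authentication first.
NONCOMPLIANT = """
set system syslog file messages any info
set system syslog file messages archive archive-sites "ftp://logxfer@203.0.113.20/junos/messages" password "$9$abc"
set system authentication-order password
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://cfgbak@203.0.113.20/configs/" password "$9$def"
"""


def parse_set_lines(text):
    """Turn display-set output into tuples of tokens with the leading 'set' removed; quotes are honoured."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.append(tuple(shlex.split(line)[1:]))
    return stmts


def archive_url_findings(url, where):
    """Checks an archive-sites URL against the <scp|sftp>://<user>@<host>/<path-without-trailing-slash> form."""
    findings = []
    u = urlsplit(url)
    if u.scheme not in ("scp", "sftp"):
        findings.append(f"{where}: archive-sites URL scheme '{u.scheme}' is not scp or sftp")
    if not u.username:
        findings.append(f"{where}: archive-sites URL has no username")
    if u.path.endswith("/"):
        findings.append(f"{where}: archive-sites path ends with '/', Junos appends the slash itself")
    return findings


def audit(text):
    """Returns the list of findings for the offload, archival and authentication-order checks."""
    stmts = parse_set_lines(text)
    findings = []
    # Audit offload: at least one external syslog host with a facility and severity.
    if not any(s[:3] == ("system", "syslog", "host") and len(s) >= 6 for s in stmts):
        findings.append("no external syslog host configured")
    # Per-file log transfer: every archive-sites URL must be well formed.
    for s in stmts:
        if s[:3] == ("system", "syslog", "file") and len(s) >= 7 and s[4:6] == ("archive", "archive-sites"):
            findings += archive_url_findings(s[6], f"syslog file {s[3]}")
    # Configuration backup on commit.
    archival = [s for s in stmts if s[:3] == ("system", "archival", "configuration")]
    if archival:
        if ("system", "archival", "configuration", "transfer-on-commit") not in stmts:
            findings.append("archival configuration has no transfer-on-commit")
        for s in archival:
            if len(s) >= 5 and s[3] == "archive-sites":
                findings += archive_url_findings(s[4], "archival configuration")
    # Authentication order: an external server must come first.
    order = [s[2] for s in stmts if s[:2] == ("system", "authentication-order") and len(s) == 3]
    if not order or order[0] not in ("radius", "tacplus"):
        findings.append(f"authentication-order {order or '(unset)'} does not place an external server first")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Feed the script the saved output of "show configuration | display set" from the device under review; each string it returns maps to one of the "this is a finding" conditions above.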
Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider.

Verify the certificate is signed by an approved CA via the "show security pki local-certificate" or "show security pki local-certificate detail" commands; the issuer shown in the detail output must be one of the approved CAs.

If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

To view installed certificates:

show security pki (ca-certificate | local-certificate)

Generate a public/private keypair:

request security pki generate-key-pair type <ecdsa|rsa> size <bit size> certificate-id <name>

Note: ECDSA keys support 256, 384, or 521 bits (the NIST P-256, P-384, and P-521 curves; there is no 512-bit curve) and RSA supports 1024, 2048, or 4096 bits. NIST SP 800-131A disallows 1024-bit RSA for generating digital signatures, so use 2048 bits or larger.

Generate a certificate signing request:

request security pki generate-certificate-request certificate-id <key name> digest <sha-1|sha-256|sha-384> domain-name <FQDN> ip-address <IPv4 address> ipv6-address <IPv6 address> subject <LDAP format>

Note: The subject is LDAP formatted. For example, "CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US". Not all key => value pairs are required, but those used must match organizational policy. SHA-1 is retained in the command syntax but should not be used for new requests; NIST SP 800-131A disallows it for digital signature generation, so choose sha-256 or sha-384.

After securely transferring the CSR to the certificate authority for signing, and securely transferring the signed certificate back to the device, add the certificate:

request security pki local-certificate load filename <path/filename of certificate> certificate-id <key name>

The certificate can also be generated externally, with separate public and private key files, or as a PKCS#12 package containing both certificate and private key. When importing an externally generated certificate and private key, use the "key" directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the "passphrase" directive and provide the correct value.
Verify that the network device is configured to send log data to a central log server.

Verify the external syslog server is configured. In the statement below, "any" is the facility (all facilities) and "info" is the severity. Avoid "any" as the severity except where match filters make it necessary; it is the lowest level (debug and above) and will generate a significant number of messages.

[edit system syslog]
host <external syslog address> {
    any info;
    structured-data; << Only if structured formatting is required, otherwise events are recorded in standard format.
}
time-format year;

Note: The "time-format" statement supports including the year and/or the time in milliseconds. The default format does not include the year, and the time is recorded in seconds.

If the network device is not configured to send log data to a central log server, this is a finding.
Configure the network device to send log data to a central log server. set system syslog host <external syslog IPv4 or IPv6 address> any info
Verify that the network device is in compliance with this requirement. The currently running version is displayed at login and can be displayed at any time by running the "show version" (or "show version local" depending upon platform) command. If the network device is not running an operating system release that is currently supported by the vendor, this is a finding.
Upgrade the network device to an operating system that is supported by the vendor. request system software add <supported installation package>
Review the site's SSP to verify the password for the account of last resort and the root account are changed when a system administrator with knowledge of the password leaves or no longer has a need to know/access. If the credentials for account of last resort are not changed when administrators who know the credential leave the organization, this is a finding.
Document this process in the SSP. Change the password of the account of last resort (and of the root account) whenever an administrator who knows the credential leaves the organization or no longer has a need to know or access.

Set the password for the account of last resort:

set system login user <account of last resort name> authentication plain-text-password
New password: <password - not echoed to the screen>
Retype new password: <password verification - not echoed to the screen>

The root password is changed the same way under the "root-authentication" hierarchy at [edit system].
If the network device is configured to use a AAA service account, and the AAA broker is configured to assign authorization levels based on centralized user account group memberships on behalf of the network device, that will satisfy this objective. Because the responsibility for meeting this objective is transferred to the AAA broker, this requirement is not applicable for the local network device.

This requirement may be verified by demonstration or configuration review.

Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", distinguished by the presence of an authentication stanza. Local accounts have an authentication stanza and support external or local authentication depending upon the authentication order. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator.

Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may call for different allow- and deny- directives, or no directives at all.

[edit system login]
class <name> {
    idle-timeout 10;
    permissions all;
    deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback";
    deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ];
}
class <name-1> {
    idle-timeout 10;
    permissions [ configure maintenance security system-control trace view-configuration ];
    allow-commands "^clear (log|security log)|^show cli authorization";
    deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)";
    deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ];
    security-role audit-administrator;
}

Example local and template accounts:

[edit system login]
user <account of last resort> {
    uid 2000;
    class <name>;
    authentication {
        encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA
    }
}
user <account name> {
    uid 2015;
    class <name-1>;
}

Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally.

Verify the network device is configured to assign appropriate user roles or access levels to authenticated users.
This requirement may be verified by demonstration or configuration review. If the Juniper EX switch does not prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures, this is a finding.
Configure the network device to assign appropriate user roles or access levels to authenticated users, or configure the network device to leverage an AAA solution that will satisfy this objective.

set system login class <name> permissions <permission sets or 'all'>
set system login class <name> deny-commands <appropriate commands to deny>
set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny>
set system login user <account name> class <name>
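Before committing a login class such as the two shown in the access-restriction and user-role requirements above, the allow-commands, deny-commands and deny-configuration-regexps strings should be exercised against concrete commands, because an unanchored pattern (for example "security log") also matches every longer hierarchy that begins with those characters. The script below is an added example, not from the STIG and not Juniper code: it transcribes the two classes from the example (SUPERUSER stands for <name> and AUDIT_ADMIN for <name-1>; both names are placeholders chosen here) and evaluates sample commands and configuration paths with Python's re module, which reads these plain ERE alternations the same way Junos does. Two assumptions are made for the example: a command matching allow-commands is treated as permitted even if it also matches deny-commands (the patterns above never overlap, so this does not change the results shown), and deny-configuration-regexps is applied to the hierarchy path as it appears after "set". The class's permission flags are not modelled.

```python
import re

# The two login classes from the STIG example, transcribed verbatim. SUPERUSER stands for <name>
# and AUDIT_ADMIN for <name-1>; both names are placeholders chosen for this example.
SUPERUSER = {
    "allow-commands": None,
    "deny-commands": (
        r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
        r"|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"
    ),
    "deny-configuration-regexps": [
        "security alarms potential-violation idp",
        "security (ike|ipsec) (policy|proposal)",
        "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)",
        "security log",
        "system fips self-test after-key-generation",
        "system (archival|syslog|root-authentication|authentication-order|master-password)",
        "system services ssh (protocol-version|root-login)",
        "system login password",
        "system login user [a-zA-Z0-9_-]+ (authentication|class)",
        "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)",
    ],
}
AUDIT_ADMIN = {
    "allow-commands": r"^clear (log|security log)|^show cli authorization",
    "deny-commands": (
        r"^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)"
        r"|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date"
        r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
        r"|^request system (decrypt|halt|reboot|software|zeroize)"
    ),
    "deny-configuration-regexps": [
        "system (login|internet-options|scripts|services|time-zone|^[a-r]+)",
        "security services event-options",
    ],
}
CLASSES = {"SUPERUSER": SUPERUSER, "AUDIT_ADMIN": AUDIT_ADMIN}


def _matches(pattern, text):
    return pattern is not None and re.search(pattern, text) is not None


def command_permitted(command, login_class):
    """True if the class's allow-/deny-commands regexps would let the command through.

    Assumption of this example (not stated in the STIG): a command matching allow-commands is
    permitted even if it also matches deny-commands. The permission flags are not modelled.
    """
    if _matches(login_class["allow-commands"], command):
        return True
    return not _matches(login_class["deny-commands"], command)


def config_permitted(statement_path, login_class):
    """True if no deny-configuration-regexps entry matches the hierarchy path (the text after 'set')."""
    return not any(re.search(p, statement_path) for p in login_class["deny-configuration-regexps"])


def permission_matrix(commands, classes=CLASSES):
    """{class name: {command: permitted}} for a batch of commands."""
    return {name: {c: command_permitted(c, cls) for c in commands} for name, cls in classes.items()}


if __name__ == "__main__":
    # Constructed commands and paths an auditor would want decided explicitly before commit.
    sample = ["clear log messages", "rollback 1", "request system zeroize", "start shell",
              "file show /var/log/messages", "show security alarms", "show configuration"]
    for name, results in permission_matrix(sample).items():
        print(name)
        for cmd, ok in results.items():
            print(f"  {'permit' if ok else 'DENY  '} {cmd}")
    for path in ["system login user ops class operator", "security log mode stream",
                 "interfaces ge-0/0/0 description uplink"]:
        print(f"SUPERUSER config {'permit' if config_permitted(path, SUPERUSER) else 'DENY  '} {path}")
```

The output makes the intended separation of duties visible: the superuser class can zeroize the device but cannot roll back or clear logs, while the audit-administrator class can clear logs but cannot zeroize, reboot, or open a shell. Paste the organization's own regexps into the two dictionaries and extend the sample lists with every command the policy is meant to block.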