Verify the Juniper SRX sets a connection-limit for the SSH protocol.
[edit]
show system services ssh
If the SSH connection-limit is not set to 10 or less, this is a finding.
Configure the SSH protocol to limit connections and sessions per connection.
[edit]
set system services ssh connection-limit 10
set system services ssh max-sessions-per-connection 1
Verify the device logs change-log events of severity info or any to an external syslog server.
[edit]
show system syslog
host <syslog server address> {
    any <info | any>;
    source-address <device address>;
}
-OR-
host <syslog server address> {
    change-log <info | any>;
    source-address <device address>;
}
If an external syslog host is not configured to log facility change-log severity <info | any>, or configured for facility any severity <info | any>, this is a finding.
Configure at least one external syslog host to log facility change-log or any, and severity info or any.
[edit system syslog]
set host <syslog server address> any <info | any>
-OR-
[edit system syslog]
set host <syslog server address> change-log <info | any>
Verify the device is configured to display change-log events of severity info.
[edit]
show system syslog
If the system is not configured to generate a log record when account enabling actions occur, this is a finding.
The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration.
[edit]
set system syslog host <IP-syslog-server> any any
set system syslog file account-actions change-log any
Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have a user-defined or the built-in unauthorized login class.
[edit]
show system login
Junos OS supports groups, which are centrally located snippets of configuration. This allows common configuration to be applied at one or more hierarchy levels without requiring duplicated stanzas. If there are no login classes defined at [edit system login], check for an apply-groups statement and verify the appropriate configuration at the [edit groups] level.
[edit]
show groups
If one or more account templates are not defined with an appropriate login class, this is a finding.
If more than one local account has an authentication stanza and is not documented, this is a finding.
Note: Template accounts are differentiated from local accounts by the absence of an authentication stanza; local accounts have one.
User accounts, including the account of last resort, must be assigned to a login class. Configure the class parameters and privileges.
[edit]
set system login class <class name> idle-timeout 10
set system login class <class name> permissions <appropriate permissions>
Commit for the changes to take effect.
Create and configure template user(s).
[edit]
set system login user <template account name> class <appropriate class>
Note: Junos does not permit account creation without a login class assignment.
Note: There are 4 predefined classes which should not be used for <class name>: super-user, operator, read-only, and unauthorized. However, the unauthorized class may be used for the remote user account to prevent logins from externally authenticated users when a VSA is not returned from the AAA server.
Verify the device generates a log event when privileged commands are executed.
[edit]
show system syslog
If a valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.
Along with the other commands that constitute a complete DoD syslog configuration, the following command must be used to ensure privileged commands are sent to the syslog server.
[edit]
set system syslog host <IP-syslog-server> any any
Verify the number of unsuccessful logon attempts is set to 3.
[edit]
show system login retry-options
If the number of unsuccessful logon attempts is not set to 3, this is a finding.
Configure the number of unsuccessful logon attempts for all login accounts, globally.
[edit]
set system login retry-options tries-before-disconnect 3
Verify the Standard Mandatory DoD Notice and Consent Banner is displayed before the user has been authenticated, either locally or by the AAA server, by typing the following command at the [edit system login] hierarchy level.
[edit]
show system login message
If the Standard Mandatory DoD Notice and Consent Banner is not displayed before the user has been authenticated, this is a finding.
To configure a system login message, include the message statement at the [edit] hierarchy level. This is the approved verbiage for applications that can accommodate banners of 1300 characters:
[edit]
set system login message "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\n"
OR
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
[edit]
set system login message "I've read & consent to terms in IS user agreem't.\n\n"
Note: Use \n to insert a line break between paragraphs where needed.
Verify logging has been enabled and configured.
[edit]
show system syslog
If a valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.
The following example commands configure syslog and local backup files to capture DoD-defined auditable events.
[edit]
set system syslog user * any emergency
set system syslog host <IP-syslog-server> any any
set system syslog host <IP-syslog-server> source-address <MGT-IP-Address>
set system syslog host <IP-syslog-server> log-prefix <host-name>
set system syslog file messages any info
set system syslog file messages authorization none
set system syslog file messages interactive-commands none
set system syslog file messages daemon none
set system syslog file User-Auth authorization any
set system syslog file interactive-commands interactive-commands any
set system syslog file processes daemon any
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog console any any
Verify the device generates a log when login events occur.
[edit]
show system syslog
host <syslog server address> {
    any <info | any>;
    source-address <device address>;
}
If no external syslog host is configured, or the external syslog host is not configured for facility any severity <info | any>, this is a finding.
Configure at least one external syslog host to log facility any and severity info or any.
[edit system syslog]
set host <syslog server address> any <info | any>
Verify the device generates a log when login events occur.
[edit]
show system syslog
host <syslog server address> {
    any any;
    source-address <device address>;
}
If no external syslog host is configured, or the external syslog host is not configured for facility any severity any, this is a finding.
Configure at least one external syslog host to log facility any and severity info or any. There are multiple ways to accomplish this; the following is an example.
[edit system syslog]
set host <syslog server address> any any
Verify logging has been enabled and configured.
[edit]
show system syslog
If at least one valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.
The following commands configure syslog to record any use of any command, including privileged commands. Configure syslog and local backup files to capture DoD-defined auditable events.
[edit]
set system syslog user * any emergency
set system syslog host <IP-syslog-server> any any
set system syslog host <IP-syslog-server> source-address <MGT-IP-Address>
set system syslog host <IP-syslog-server> log-prefix <host-name>
set system syslog file messages any info
set system syslog file messages authorization none
set system syslog file messages interactive-commands none
set system syslog file messages daemon none
set system syslog file User-Auth authorization any
set system syslog file interactive-commands interactive-commands any
set system syslog file processes daemon any
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
set system syslog console any any
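As an added example that is not part of this STIG, the Python below evaluates the external syslog host rule that the change-log and login-event checks above share (facility any or change-log, severity info or any) against Junos "display set" output; the sample configurations are constructed, and treating a loopback address as not external is this checker's own assumption.

```python
"""Added example (not part of the STIG): evaluate the external syslog host rule from
the check text above against Junos 'display set' output (constructed sample input)."""
import ipaddress
import shlex

# Junos syslog severities from least to most verbose; 'any' selects every level.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "any"]
ACCEPTED_FACILITIES = {"any", "change-log"}   # facilities the check text accepts
MINIMUM_SEVERITY = "info"                      # the check text requires info or any


def parse_set_lines(config_text):
    """Yield the token list (without the leading 'set') of every 'set ...' line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps quoted values such as match "system login user" together
        if tokens and tokens[0] == "set":
            yield tokens[1:]


def is_external(host):
    """Assumption of this checker: a loopback address is not an external collector;
    anything else (a remote IP address or a hostname) is treated as external."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def severity_ok(severity):
    """True if the configured severity logs at least as much as MINIMUM_SEVERITY."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(MINIMUM_SEVERITY)


def syslog_hosts(config_text):
    """Map each 'system syslog host <addr>' to the (facility, severity) pairs it logs.
    Sibling leaves such as source-address and log-prefix are skipped because their
    value is not a severity keyword."""
    hosts = {}
    for tokens in parse_set_lines(config_text):
        if tokens[:3] == ["system", "syslog", "host"] and len(tokens) >= 6:
            host, facility, severity = tokens[3], tokens[4], tokens[5]
            if severity in SEVERITY_ORDER:
                hosts.setdefault(host, []).append((facility, severity))
    return hosts


def check_change_log_export(config_text):
    """Return (compliant, reasons): compliant when at least one external host logs
    facility any or change-log at severity info or any, as the check text requires."""
    reasons = []
    for host, pairs in syslog_hosts(config_text).items():
        if not is_external(host):
            reasons.append(f"{host}: loopback address, not an external collector")
            continue
        if any(f in ACCEPTED_FACILITIES and severity_ok(s) for f, s in pairs):
            return True, []
        reasons.append(f"{host}: {pairs} does not cover change-log events at severity info")
    if not reasons:
        reasons.append("no 'system syslog host' statement found")
    return False, reasons


# Constructed sample output, modelled on the fix text above.
COMPLIANT_SYSLOG = """\
set system syslog user * any emergency
set system syslog host 10.10.10.5 any any
set system syslog host 10.10.10.5 source-address 10.10.10.1
set system syslog host 10.10.10.5 log-prefix srx-edge-01
set system syslog file account-actions change-log any
set system syslog file account-actions match "system login user"
"""

# Constructed: only a loopback collector, a too-quiet severity, and the wrong facility.
NONCOMPLIANT_SYSLOG = """\
set system syslog host 127.0.0.1 any any
set system syslog host 10.10.10.6 change-log critical
set system syslog host 10.10.10.7 authorization info
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_SYSLOG), ("noncompliant", NONCOMPLIANT_SYSLOG)):
        ok, why = check_change_log_export(cfg)
        print(label, "PASS" if ok else "FINDING", why)
```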
Verify the file size for the local system log files is set.
[edit]
show system syslog
View the archive size setting of the local log files. If all local log files are not set to an organization-defined size, this is a finding.
Enter the following commands at the [edit system syslog] hierarchy level.
[edit system syslog]
set file <log filename> any any
set file <log filename> archive size <file size> files <number of archives>
Verify the system syslog has been configured to display an alert on the console for the emergency and critical levels of the daemon facility.
[edit]
show system syslog
If the system is not configured to generate a system alert message when a component failure is detected, this is a finding.
The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via syslog configuration, SNMP trap, manned console message, or other event monitoring system).
[edit]
set system syslog user * any emergency
set system syslog user * daemon alert
set system syslog user * daemon critical
Verify the time zone is set to UTC.
[edit]
show system time-zone
If the time zone is not set to UTC, this is a finding.
The following command sets the time zone to UTC.
[edit]
set system time-zone UTC
To verify role-based access control has been configured, view the settings for each login class defined.
[edit]
show system login
View all login classes to see which roles are assigned the "maintenance" permission or the "request system software add" command. If login classes for user roles that are not authorized to install and update software are configured with these, this is a finding.
Configure the Juniper SRX to allow only the information system security manager (ISSM) user account (or administrators/roles appointed by the ISSM) to select which auditable events are to be audited. To ensure this is the case, each ISSM-appointed role on the AAA must be configured for least privilege using the following stanzas for each role.
[edit]
show system login
Use the delete command, or retype the command, to remove the "maintenance" permission or the "request system software add" command from any class that is not authorized to upgrade software on the device. An explicit deny of the command "request system software add" can also be used if some maintenance commands are permitted.
If the loopback interface is not used, this is not applicable.
Verify the loopback interface is protected by firewall filters.
[edit]
show interfaces lo0
If the loopback interface is not configured with IPv6 and IPv4 firewall filters, this is a finding.
If the loopback interface is used, configure firewall filters. The following is an example of configuring a loopback address with filters on the device. It shows the format of both IPv4 and IPv6 addresses being applied to the interface. The first two commands show firewall filters being applied to the interface.
[edit]
set interfaces lo0 unit 0 family inet filter input protect_re
set interfaces lo0 unit 0 family inet6 filter input protect_re-v6
set interfaces lo0 unit 0 family inet address 1.1.1.250/32
set interfaces lo0 unit 0 family inet6 address 2100::250/128
To view the current setting for the maximum number of rollbacks, enter the following command.
[edit]
show system max-configuration-rollbacks
If the number of backup configurations is not set to an organization-defined value which is 5 or more, this is a finding.
To configure the number of backup configurations to be stored in the configuration partition, enter the following command at the configuration hierarchy.
[edit]
set system max-configuration-rollbacks <organization-defined number>
Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources.
[edit]
show system ntp
If the Juniper SRX is not configured to synchronize internal information system clocks with an NTP server, this is a finding.
The following commands allow the device to keep time synchronized with the network. To designate a primary NTP server, add the "prefer" keyword to the server statement.
[edit]
set system ntp server <NTP-server1-IP> prefer
set system ntp source-address <MGT-IP-Address>
set system ntp server <NTP-server2-IP>
set system ntp source-address <MGT-IP-Address>
Verify the Juniper SRX is configured to support the use of AAA services to centrally manage user authentication and logon settings. From the CLI operational mode enter:
show system radius-server
or
show system tacplus-server
If the Juniper SRX has not been configured to support the use of RADIUS and/or TACACS+ servers to centrally manage authentication and logon settings for remote and nonlocal access, this is a finding.
Configure the Juniper SRX to support the use of AAA services to centrally manage user authentication and logon settings. To completely set up AAA authentication, use a user template account (the default name is remote) and specify a system authentication server and an authentication order.
[edit]
set system tacplus-server <server address> port 49 secret <shared secret>
or
[edit]
set system radius-server <server address> port 1812 secret <shared secret>
Note: DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device. Also see CCI-000213 for further details.
To validate that the certificate was loaded, type the following command:
show security pki local-certificate
View the installed device certificates. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding.
Generate a new key-pair from a DoD-approved certificate issuer. Sites must consult the PKI/PKE pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet.
RSA:
request security pki generate-key-pair certificate-id <cert_name> type rsa size <512 | 1024 | 2048 | 4096>
ECDSA:
request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384>
Generate a CSR from the RSA key-pair using the following command and options.
request security pki generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain-name <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,L=<city>,ST=<state>,C=<us>" filename <path/filename>
Generate a CSR from the ECDSA key-pair using the following command and options.
request security pki generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain-name <FQDN> email <admin_email> ip-address <ip_address> subject "CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>,L=<city>,ST=<state>,C=<us>" filename <path/filename>
If no filename is specified, the CSR is displayed on standard output (the terminal).
After receiving the approved certificate from the CA, enter the following command and options in operational mode to load the X.509 certificate into the certificate store.
>request security pki local-certificate load certificate-id <cert_name_from_key_file> filename <path/filename_of_uploaded_certificate>
Alternatively, from the configuration mode of the hierarchy (legacy syntax):
[edit]
set security certificates local new load-key-file /var/tmp/new.pem
For this example, assume the X.509 certificate called "device-cert.crt" has been transferred to the /var/tmp directory on the SRX.
The following command will load the device-cert.crt certificate file and associate it with the public/private key pair named "device-keypair" generated in a previous step.
>request security pki local-certificate load certificate-id device-keypair filename /var/tmp/device-cert.crt
Enter the following command from the configuration level of the hierarchy.
[edit]
show system services
If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.
Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration.
[edit]
show system services
Compare the services that are enabled, including the port, services, protocols, and functions. Consult the Juniper knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance with the PPSM CAL and vulnerability assessments.
Verify nonsecure protocols are not enabled for management access by viewing the enabled system services.
From the operational hierarchy:
> show configuration | display set | match "set system services"
From the configuration hierarchy:
[edit]
show snmp
show system services telnet
show system services ftp
show system services ssh
If nonsecure protocols and protocol versions such as Telnet, FTP, SNMPv1, SNMPv2c, or SSHv1 are enabled, this is a finding.
Remove or deny nonsecure protocols to prevent their use for nonlocal management and diagnostic communications. Use the delete command to disable services that should not be enabled. Example deletion commands:
[edit]
delete system services telnet
delete system services ftp
delete snmp v1
delete snmp v2c
delete system services ssh protocol-version v1
Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources.
[edit]
show system ntp
If the NTP configuration is not configured to use authentication, this is a finding.
The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT I. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys.
[edit]
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87"
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50"
set system ntp server <NTP_server_IP> key 1
set system ntp server <NTP_server_IP> prefer
set system ntp server <NTP_server_IP> key 2
set system ntp trusted-key 1
set system ntp trusted-key 2
Verify SNMPv3 is enabled and configured.
[edit]
show snmp
If an SNMP stanza does not exist, this is not a finding.
If SNMPv3 is not configured to meet DoD requirements, this is a finding.
If versions earlier than SNMPv3 are enabled, this is a finding.
Enable and configure SNMPv3, and configure a trap receiver.
[edit]
set snmp location <LOCATION-NAME>
set snmp v3 usm local-engine user <USER-NAME> privacy-aes128
set snmp v3 vacm security-to-group security-model usm security-name <SECURITY-NAME> group <GROUP-NAME>
set snmp v3 vacm access group <GROUP-NAME> default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group <GROUP-NAME> default-context-prefix security-model usm security-level privacy notify-view all
set snmp v3 target-address <TARGET-ADDRESS-NAME> tag-list <SNMP-TRAP-RECEIVER>
set snmp v3 target-address <TARGET-ADDRESS-NAME> target-parameters <PARMS-NAME>
set snmp v3 target-parameters <PARMS-NAME> parameters message-processing-model v3
set snmp v3 target-parameters <PARMS-NAME> parameters security-model usm
set snmp v3 target-parameters <PARMS-NAME> parameters security-level privacy
set snmp v3 target-parameters <PARMS-NAME> parameters security-name <SECURITY-NAME>
set snmp v3 target-parameters <PARMS-NAME> notify-filter device-traps
set snmp v3 notify <SNMP-TRAPS> type trap
set snmp v3 notify <SNMP-TRAPS> tag <SNMP-TRAP-RECEIVER>
set snmp v3 notify-filter device-traps oid jnxChassisTraps include
set snmp v3 notify-filter device-traps oid jnxChassisOKTraps include
set snmp v3 notify-filter device-traps oid system include
set snmp v3 notify-filter device-traps oid .1 include
set snmp v3 notify-filter device-traps oid snmpMIBObjects include
set snmp engine-id use-mac-address
set snmp view all oid .1 include
set snmp view all oid system include
set snmp view all oid jnxBoxAnatomy include
set snmp view all oid snmpMIBObjects include
Use the CLI to verify root login is disabled for SSH.
[edit]
show system services ssh root-login
If SSH is not disabled for the root user, this is a finding.
From configuration mode, enter the following command to disable root login using SSH.
[edit]
set system services ssh root-login deny
Verify each login class is configured to deny access to the UNIX shell.
[edit]
show system login
If each configured login class is not configured to deny access to the UNIX shell, this is a finding.
For each login class, add the following command to the stanza.
[edit]
set system login class <class name> deny-commands "(start shell)"
Use the CLI to verify TCP forwarding is disabled for SSH.
[edit]
show system services ssh
If TCP forwarding is not disabled for the SSH service, this is a finding.
From configuration mode, enter the following command to disable TCP forwarding for the SSH protocol.
[edit]
set system services ssh no-tcp-forwarding
Verify only a single local account has an authentication stanza and that the name is the account of last resort.
[edit]
show system login
user <account of last resort> {
    uid 2001;
    class <appropriate class name>;
    authentication { <--- This stanza permits local login
        encrypted-password "$sha2$22895$aVBPaRVa$o6xIqNSYg9D7yt8pI47etAjZV9uuwHrhAFT6R021HNsy"; ## SECRET-DATA
    }
}
OR
user <template account> {
    uid 2001;
    class <appropriate class name>;
}
If accounts other than the account of last resort contain an authentication stanza, and that account is not documented, this is a finding.
If more than one account has an authentication stanza, and it is not documented, delete the authentication stanza (if the account is a template account) or the entire account (if the account is unauthorized or no longer needed).
To delete the authentication stanza from a template account:
[edit]
delete system login user <account name> authentication
commit
To delete an unneeded or unauthorized account:
[edit]
delete system login user <account name>
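As an added example that is not part of this STIG, the Python below parses the curly-brace output of "show system login" (a constructed sample with placeholder hashes, annotated the way the check text above is) and reports which accounts carry an authentication stanza, so that any account other than the account of last resort can be compared against the site's documentation.

```python
"""Added example (not part of the STIG): parse the curly-brace output of
'show system login' and report which accounts carry an authentication stanza."""


def parse_junos_braces(text):
    """Build nested dicts from Junos brace-format configuration. Leaves become
    key -> value (or True for bare keywords); '##' annotations such as SECRET-DATA
    and the '<---' notes used in the check text are ignored."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("##")[0].split("<---")[0].strip()
        if not line:
            continue
        if line == "}":
            current = stack.pop()
        elif line.endswith("{"):
            child = {}
            current[line[:-1].strip()] = child
            stack.append(current)
            current = child
        else:
            parts = line.rstrip(";").split(None, 1)
            current[parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def _users(node):
    """Yield (name, stanza) for every 'user <name>' block, at any nesting depth."""
    for key, body in node.items():
        if not isinstance(body, dict):
            continue
        if key.startswith("user "):
            yield key.split(None, 1)[1], body
        else:
            yield from _users(body)


def local_accounts(login_text):
    """Names of accounts that permit local login, i.e. that have an authentication
    stanza. Template accounts (no authentication stanza) are left out."""
    return sorted(name for name, body in _users(parse_junos_braces(login_text))
                  if "authentication" in body)


def check_account_of_last_resort(login_text, last_resort, documented=()):
    """Return the accounts that would be a finding: locally authenticating accounts
    other than the account of last resort that are not documented."""
    return [name for name in local_accounts(login_text)
            if name != last_resort and name not in documented]


# Constructed sample output; the hashes are placeholders, not real credentials.
SAMPLE_LOGIN = """\
user lastresort-admin {
    uid 2001;
    class local-admin;
    authentication { <--- This stanza permits local login
        encrypted-password "$6$CONSTRUCTED$PLACEHOLDERHASH"; ## SECRET-DATA
    }
}
user remote {
    uid 2002;
    class remote-template;
}
user jdoe {
    uid 2003;
    class local-admin;
    authentication {
        encrypted-password "$6$CONSTRUCTED$ANOTHERPLACEHOLDER"; ## SECRET-DATA
    }
}
"""

if __name__ == "__main__":
    print("accounts with an authentication stanza:", local_accounts(SAMPLE_LOGIN))
    print("undocumented extra local accounts:",
          check_account_of_last_resort(SAMPLE_LOGIN, "lastresort-admin"))
```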
Verify SSH is configured to use a replay-resistant authentication mechanism.
[edit]
show system services ssh
If SSH is not configured to use the MAC authentication protocol, this is a finding.
Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza.
[edit]
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha1-96
Verify the SRX password enforces this complexity requirement. In configuration mode, enter the following command.
[edit]
show system login password
If the minimum password length for local accounts is not set to at least 15 characters, this is a finding.
Set the global password option for all accounts created on the Juniper SRX.
[edit]
set system login password minimum-length 15
Note: This setting only enforces the minimum password length for newly created passwords. The password of an existing account must be changed if it is not already compliant.
To set or change the root user password, in configuration mode enter the following command.
[edit]
set system root-authentication plain-text-password
When prompted, enter the password for the root user, then retype the new password to confirm.
To set or change the password of the account of last resort, in configuration mode enter the following command.
[edit]
set system login user <name of the account of last resort> authentication plain-text-password
When prompted, enter the password for the account of last resort, then retype the new password to confirm.
Verify the default local password enforces password complexity by setting the password change type to character sets.
[edit]
show system login password
If the password change-type is not set to character-sets, this is a finding.
Configure the default local password to enforce password complexity by setting the password change type to character sets.
[edit]
set system login password change-type character-sets
Verify the default local password enforces password complexity by requiring at least one uppercase character be used.
[edit]
show system login password
If minimum-upper-cases is not set to at least 1, this is a finding.
Configure the default local password to enforce password complexity by requiring at least one uppercase character be used.
[edit]
set system login password minimum-upper-cases 1
Verify the default local password enforces password complexity by requiring at least one lowercase character be used.
[edit]
show system login password
If minimum-lower-cases is not set to at least 1, this is a finding.
Configure the default local password to enforce password complexity by requiring at least one lowercase character be used.
[edit]
set system login password minimum-lower-cases 1
Verify the default local password enforces password complexity by requiring at least one numeric character be used.
[edit]
show system login password
If minimum-numerics is not set to at least 1, this is a finding.
Configure the default local password to enforce password complexity by requiring at least one numeric character be used.
[edit]
set system login password minimum-numerics 1
Verify the default local password enforces password complexity by requiring at least one special character be used.
[edit]
show system login password
If minimum-punctuations is not set to at least 1, this is a finding.
Configure the default local password to enforce password complexity by requiring at least one special character be used.
[edit]
set system login password minimum-punctuations 1
Verify the default local password enforces this requirement by entering the following in configuration mode.
[edit]
show system login password
If the password format is not set to SHA-1, this is a finding.
Enter configuration mode on the Juniper SRX and set the password option for the local user account of last resort using the following command.
[edit]
set system login password format sha1
Verify SNMP is configured for version 3. [edit] show snmp v3 If SNMP is not configured for version 3 using SHA authentication, this is a finding.
Configure SNMP to use version 3 with SHA authentication. [edit] set snmp v3 usm local-engine user <NAME> authentication-sha
Verify SSHv2 and MAC algorithms for integrity checking. [edit] show system services ssh If SSHv2 and integrity options are not configured in compliance with DoD requirements, this is a finding.
Configure SSH integrity options to comply with DoD requirements.
[edit]
set system services ssh protocol-version v2
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha1-96
Verify SNMPv3 is configured with privacy options. [edit] show snmp v3 If SNMPv3, AES encryption, and other privacy options are not configured, this is a finding.
Configure SNMP to use version 3 with privacy options. The following is an example.
[edit]
set snmp location <NAME>
set snmp v3 usm local-engine user <NAME> privacy-AES128
set snmp v3 vacm security-to-group security-model usm security-name <NAME> group <NAME-GROUP>
set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy notify-view all
Verify SSHv2, AES ciphers, and key-exchange commands are configured to protect confidentiality. [edit] show system services ssh If SSHv2, AES ciphers, and key-exchange commands are not configured to protect confidentiality, this is a finding.
Configure SSH confidentiality options to comply with DoD requirements.
[edit]
set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes128-cbc
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange group-exchange-sha2
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
Verify only those zones where management functionality is allowed have host-inbound-traffic system-services configured and that protocols such as HTTP and HTTPS are not assigned to these zones. [edit] show security zones functional-zone management If zones configured for host-inbound-traffic system-services have protocols other than SSH configured, this is a finding.
Remove the host-inbound-traffic system-services option from zones not authorized for management traffic. Remove unauthorized protocols (e.g., HTTP, HTTPS) from management zones that are configured to allow host-inbound-traffic system-services.
Verify idle-timeout is set for 10 minutes. [edit] show system login If a timeout value of 10 or less is not set for each class, this is a finding.
Configure all login classes with an idle timeout value. [edit] set system login class <class-name> idle-timeout 10 All users must be assigned to a login class; however, to ensure that the CLI is set to a default timeout value, enter the following in operational mode: set cli idle-timeout 10
Verify this setting by entering the following commands in configuration mode. [edit] show system services ssh If the keep-alive count and keep-alive interval is not set to an organization-defined value, this is a finding.
Configure this setting by entering the following commands in configuration mode. [edit] set system services ssh client-alive-count-max <organization-defined value> set system services ssh client-alive-interval <organization-defined value>
Verify the system options are configured to protect against DoS attacks. [edit] show system show system internet-options If the system and system-options which limit the effects of common types of DoS attacks are not configured in compliance with DoD requirements, this is a finding.
Configure the system and system-options to protect against DoS attacks.
[edit]
set system no-redirects
set system no-ping-record-route
set system no-ping-time-stamp
set system internet-options icmpv4-rate-limit packet-rate 50
set system internet-options icmpv6-rate-limit packet-rate 50
set system internet-options no-ipip-path-mtu-discovery
set system internet-options no-source-quench
set system internet-options tcp-drop-synfin-set
set system internet-options no-ipv6-path-mtu-discovery
set system internet-options no-tcp-reset drop-all-tcp
Verify the Juniper SRX sets a connection-limit for the SSH protocol. show system services ssh If the SSH connection-limit is not set to 4 or an organization-defined value, this is a finding.
Configure the SSH protocol with a rate limit. [edit] set system services ssh rate-limit 4 Note: Juniper Networks recommends a best practice of 4 for the rate limit; however, the limit should be as restrictive as operationally practical.
If service redundancy is not required by the organization's policy, this is not a finding. Verify the configuration is working properly with the command: show chassis cluster interfaces If service redundancy is not configured, this is a finding.
Interfaces can be monitored by a redundancy group for automatic failover to another node. Assign a weight to the interface to be monitored. This is an extremely complex configuration; consult the vendor documentation. Set the chassis cluster node ID and cluster ID. Configure the chassis cluster management interface. Configure the chassis cluster fabric. Configure the chassis cluster redundancy group. Specify the interface to be monitored by a redundancy group. Example: [edit] set chassis cluster redundancy-group 1 interface-monitor ge-6/0/2 weight 255
Verify the version installed is Junos 12.1X46 or later. In operational mode, type the following: show version If the Junos version installed is not 12.1X46 or later, this is a finding.
Follow the manufacturer's instructions for upgrading the Junos version. Software updates must be from an approved site and follow approved DoD procedures and verification processes in accordance with site testing procedures.
Verify web-management is not enabled. [edit] show system services web-management If a stanza exists that configures web-management service options, this is a finding.
Remove the web-management service. [edit] delete system services web-management
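The password-complexity, SSH algorithm and rate-limit, login-class idle-timeout and web-management checks above can be run offline against a saved "show configuration | display set" capture. The following Python auditor is an added example, not part of the STIG or of any Juniper tool; the sample configuration it reads is constructed for the illustration, and the approved algorithm lists and thresholds are taken from the fix texts above.

```python
"""Offline audit of a Junos 'display set' configuration against the
password-complexity, SSH, idle-timeout and web-management checks."""

# Approved algorithm sets and thresholds, copied from the fix texts above.
ALLOWED_MACS = {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"}
ALLOWED_CIPHERS = {"aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
                   "aes128-ctr", "aes128-cbc"}
ALLOWED_KEX = {"dh-group14-sha1", "group-exchange-sha2", "ecdh-sha2-nistp256",
               "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}
MAX_SSH_RATE_LIMIT = 4
MAX_IDLE_TIMEOUT = 10
PASSWORD_MINIMUMS = ("minimum-upper-cases", "minimum-lower-cases",
                     "minimum-numerics", "minimum-punctuations")

# Constructed sample capture (not from a real device); it deliberately
# violates four of the checks so the auditor has something to report.
SAMPLE_CONFIG = """\
set system login password change-type character-sets
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-numerics 1
set system login password format sha1
set system login class operator idle-timeout 10
set system login class super-ops idle-timeout 30
set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers 3des-cbc
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh rate-limit 4
set system services web-management https system-generated-certificate
"""


def parse_set_config(text):
    """Turn 'set a b c' lines into tuples ('a', 'b', 'c'); other lines are ignored."""
    stmts = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) > 1 and parts[0] == "set":
            stmts.append(tuple(parts[1:]))
    return stmts


def values_after(stmts, *prefix):
    """All tokens that directly follow `prefix` in any statement."""
    n = len(prefix)
    return [s[n] for s in stmts if len(s) > n and s[:n] == prefix]


def check_algorithms(stmts, keyword, allowed, findings):
    """Flag an empty list (Junos defaults apply) or any unapproved algorithm."""
    configured = values_after(stmts, "system", "services", "ssh", keyword)
    if not configured:
        findings.append(f"ssh: no {keyword} configured, Junos defaults apply")
    for alg in configured:
        if alg not in allowed:
            findings.append(f"ssh: {keyword} {alg} is not an approved algorithm")


def audit(text):
    """Return a list of finding strings; an empty list means all checks passed."""
    stmts = parse_set_config(text)
    findings = []
    pw = ("system", "login", "password")
    if values_after(stmts, *pw, "change-type") != ["character-sets"]:
        findings.append("password: change-type is not character-sets")
    for key in PASSWORD_MINIMUMS:
        vals = values_after(stmts, *pw, key)
        if not vals or int(vals[0]) < 1:
            findings.append(f"password: {key} is not set to at least 1")
    if values_after(stmts, *pw, "format") != ["sha1"]:
        findings.append("password: format is not sha1")
    if "v2" not in values_after(stmts, "system", "services", "ssh", "protocol-version"):
        findings.append("ssh: protocol-version v2 is not configured")
    check_algorithms(stmts, "ciphers", ALLOWED_CIPHERS, findings)
    check_algorithms(stmts, "macs", ALLOWED_MACS, findings)
    check_algorithms(stmts, "key-exchange", ALLOWED_KEX, findings)
    rate = values_after(stmts, "system", "services", "ssh", "rate-limit")
    if not rate or int(rate[0]) > MAX_SSH_RATE_LIMIT:
        findings.append(f"ssh: rate-limit is not set to {MAX_SSH_RATE_LIMIT} or less")
    if any(s[:3] == ("system", "services", "web-management") for s in stmts):
        findings.append("web-management: service is configured and must be deleted")
    # Every login class must carry its own idle-timeout of 10 minutes or less.
    for cls in sorted(set(values_after(stmts, "system", "login", "class"))):
        timeout = values_after(stmts, "system", "login", "class", cls, "idle-timeout")
        if not timeout or int(timeout[0]) > MAX_IDLE_TIMEOUT:
            findings.append(f"login class {cls}: idle-timeout is not {MAX_IDLE_TIMEOUT} or less")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of "show configuration | display set" saved to a file to audit a real device; the four findings it reports on the constructed sample are the missing minimum-punctuations setting, the unapproved 3des-cbc cipher, the web-management stanza, and the super-ops class whose idle-timeout exceeds 10 minutes.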
If the organization does not have a requirement for triggered, automated logout, this is not a finding. Obtain a list of organization-defined triggered, automated requirements that are required for the Juniper SRX. To verify configuration of special user access controls, enter: [edit] show system login View time-based or other triggers which are configured to control automated logout. If the organization has documented requirements for triggered, automated termination and they are not configured, this is a finding.
To configure user access on specific days of the week for a specified duration, include the allowed-days, access-start, and access-end statements. The following is an example of a configuration for a class which would automatically log out users. Consult the Juniper SRX documentation for other options. [edit system login] class class-name allowed-days [ days-of-the-week ]; class class-name access-start HH:MM; class class-name access-end HH:MM;
Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account creation actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.
Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
[edit]
set system syslog users * change-log <info | any>
set system syslog host <IP-syslog-server> any any
set system syslog file account-actions change-log any any
Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system does not display account modification actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.
Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
[edit]
set system syslog users * change-log <info | any>
set system syslog host <IP-syslog-server> any any
set system syslog file account-actions change-log any any
Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system does not display account disabling actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.
Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
[edit]
set system syslog users * change-log <info | any>
set system syslog host <IP-syslog-server> any any
set system syslog file account-actions change-log any any
Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account deletion actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.
The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
[edit]
set system syslog users * change-log <info | any>
set system syslog host <IP-syslog-server> any any
set system syslog file account-actions change-log any any
Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account enabling actions on the management console, this is a finding.
The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
[edit]
set system syslog users * change-log <info | any>
Verify only the ISSM (or administrators or roles appointed by the ISSM) have permission to configure and control audit events. [edit] show system login class show system login View permissions for the audit-admin class (audit-admin is an example class name; local policy may dictate another name). View class assignment for all users and template users configured on the Juniper SRX. If user templates or users other than the ISSM (or administrators or roles appointed by the ISSM) have permission to select which auditable events are to be audited, this is a finding.
Configure the Juniper SRX to allow only the ISSM user account (or administrators/roles appointed by the ISSM) to select which auditable events are to be audited. To ensure this is the case, each ISSM-appointed role on the AAA must be configured for least privilege using the following stanzas for each role.
For the audit-admin role:
[edit]
set system login class audit-admin permissions [ security trace maintenance ]
set system login class audit-admin allow-commands "^clear (log|security log)"
set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class audit-admin security-role audit-administrator
set system login user audit-officer class audit-admin
For the crypto-admin role:
[edit]
set system login class crypto-admin permissions [ admin-control configure maintenance security-control system-control trace ]
set system login class crypto-admin allow-commands "^request system set-encryption-key"
set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class crypto-admin allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"
set system login class crypto-admin security-role crypto-administrator
For the security-admin role:
[edit]
set system login class security-admin permissions all
set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
set system login class security-admin deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
set system login class security-admin security-role security-administrator
For the ids-admin role:
[edit]
set system login class ids-admin permissions [ configure maintenance security-control trace ]
set system login class ids-admin allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"
set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
set system login class ids-admin deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
set system login class ids-admin security-role ids-admin
Assign the crypto-officer, security-officer, and ids-officer users to their classes:
[edit]
set system login user crypto-officer class crypto-admin
set system login user security-officer class security-admin
set system login user ids-officer class ids-admin
Verify the system Syslog has been configured to display an alert on the console for the emergency and alert levels of the daemon facility. [edit] show system syslog If the system is not configured to generate a message to the system management console when a log processing failure occurs, this is a finding.
The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console.
[edit]
set system syslog user * any emergency
set system syslog user * daemon alert
set system syslog user * daemon critical
Verify logging has been enabled and configured to capture to local log files in case connection with the primary and secondary log servers is lost. [edit] show system syslog If local log files are not configured to capture events, this is a finding.
The following example commands configure local backup files to capture DOD-defined auditable events.
[edit]
set system syslog file messages any info
set system syslog file messages authorization none
set system syslog file messages interactive-commands none
set system syslog file messages daemon none
set system syslog file User-Auth authorization any
set system syslog file interactive-commands interactive-commands any
set system syslog file processes daemon any
set system syslog file account-actions change-log any any
set system syslog file account-actions match "system login user"
set system syslog console any any
Verify the Juniper SRX is configured to support the use of AAA services to centrally apply user authentication and logon settings. From the CLI operational mode enter: show system radius-server or show system tacplus-server If the Juniper SRX has not been configured to support the use of RADIUS and/or TACACS+ servers to centrally apply authentication and logon settings for remote and nonlocal access, this is a finding.
Configure the Juniper SRX to support the use of AAA services to centrally apply user authentication and logon settings. [edit] set system tacplus-server address <server ipaddress> port 49 secret <shared secret> or [edit] set system radius-server address <server ipaddress> port 1812 secret <shared secret>
Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+. From the CLI operational mode enter: show system radius-server or show system tacplus-server If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.
Configure the Juniper SRX to forward logon requests to a RADIUS or TACACS+ server. Remove local users configured on the device (CCI-000213) so the AAA server cannot default to using a local account. [edit] set system tacplus-server address <server ipaddress> port 49 secret <shared secret> or [edit] set system radius-server address <server ipaddress> port 1812 secret <shared secret> Note: DOD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.
Verify a RADIUS or TACACS+ authentication order has been configured. From operational mode enter the command: show system authentication-order If the authentication-order does not include RADIUS or TACACS+, this is a finding. If the authentication-order includes the password method, this is a finding.
Add an external RADIUS or TACACS+ server, and specify the port number and shared secret of the server. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.
[edit]
set system authentication-order tacplus
or
[edit]
set system authentication-order radius
From operational mode enter the command: show system authentication-order If password is set as an option, remove this command from the configuration.
[edit]
delete system authentication-order password
Verify SNMP is configured to capture chassis and device traps. If Syslog or a console method is used, verify that method instead. [edit] show snmp v3 If an immediate alert is not sent via SNMPv3 or another method, this is a finding.
Update the SNMP configuration with the following device trap settings. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
set snmp v3 notify-filter device-traps oid jnxChassisTraps include
set snmp v3 notify-filter device-traps oid jnxChassisOKTraps include
set snmp v3 notify-filter device-traps oid system include
set snmp v3 notify-filter device-traps oid .1 include
set snmp v3 notify-filter device-traps oid
Verify the system Syslog has been configured to display an alert on the console for the emergency and critical levels of the daemon facility. [edit] show system syslog If the system is not configured to generate a system alert message when a component failure is detected, this is a finding.
The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console.
[edit]
set system syslog user * any emergency
set system syslog user * daemon critical
set system syslog user * daemon alert
Obtain a list of user names that are authorized to view the audit log and console notification messages. Verify classes are created that separate administrator roles based on authorization. View user classes and class members by typing the following commands. [edit] show system login View class assignment for all users and template users configured on the Juniper SRX. Users with login classes audit-admin, security-admin, and system-admin have permission to view error messages in logs and/or notifications. If classes or users that are not authorized to have access to the logs (e.g., crypto-admin) have permissions to view or access error messages in logs and/or notifications, this is a finding.
Configure login classes and permissions and assign only authorized users to each class. [edit] show system login If any classes are mapped to the audit-admin, security-admin, or system-admin login templates, delete the command from the class by typing delete in front of the command or retyping the command with the permission removed from the list. Example configuration:
set system login class audit-admin allow-commands "(show log *)|(clear log *)|(monitor log *)"
set system login class audit-admin allow-configuration "(system syslog)"
set system login class emergency permissions all
set system login class emergency login-alarms
set system login class security-admin login-alarms
set system login class system-admin login-alarms