Juniper SRX SG NDM Security Technical Implementation Guide

  • Version/Release: V3R2
  • Published: 2024-09-04
  • Released: 2024-10-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
a
The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH.
AC-10 - Low - CCI-000054 - V-223180 - SV-223180r960735_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
JUSX-DM-000001
Vuln IDs
  • V-223180
  • V-66549
Rule IDs
  • SV-223180r960735_rule
  • SV-81039
The connection-limit command limits the total number of concurrent SSH sessions. To help thwart brute force authentication attacks, the connection limit should be as restrictive as operationally practical Juniper Networks recommends the best practice of setting 10 (or less) for the connection-limit. This configuration will permit up to 10 users to log in to the device simultaneously, but an attempt to log an 11th user into the device will fail. The attempt will remain in a waiting state until a session is terminated and made available.
Checks: C-24853r513233_chk

Verify the Juniper SRX sets a connection-limit for the SSH protocol. Show system services ssh If the SSH connection-limit is not set to 10 or less, this is a finding.

Fix: F-24841r513234_fix

Configure the SSH protocol to limit connection and sessions per connection. [edit] set system services ssh connection-limit 10 set system services ssh max-sessions-per-connection 1

b
For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.
AC-2 - Medium - CCI-000018 - V-223181 - SV-223181r960777_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
JUSX-DM-000015
Vuln IDs
  • V-223181
  • V-66459
Rule IDs
  • SV-223181r960777_rule
  • SV-80949
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. An AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events. To log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.
Checks: C-24854r513236_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host <syslog server address> { any <info | any>; source-address <device address>; } -OR- host <syslog server address> { change-log <info | any>; source-address <device address>; } If an external syslog host is not configured to log facility change-log severity <info | any>, or configured for facility any severity <info | any>, this is a finding.

Fix: F-24842r513237_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

b
For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events.
AC-2 - Medium - CCI-001403 - V-223182 - SV-223182r960780_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
JUSX-DM-000016
Vuln IDs
  • V-223182
  • V-66461
Rule IDs
  • SV-223182r960780_rule
  • SV-80951
Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events help to mitigate this risk. Auditing account modification events provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. An AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events. To log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.
Checks: C-24855r513239_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } -OR- host &lt;syslog server address&gt; { change-log &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log facility change-log severity &lt;info | any&gt;, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24843r513240_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

b
For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.
AC-2 - Medium - CCI-001404 - V-223183 - SV-223183r960783_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
JUSX-DM-000017
Vuln IDs
  • V-223183
  • V-66463
Rule IDs
  • SV-223183r960783_rule
  • SV-80953
When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. An AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events. To log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.
Checks: C-24856r513242_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } -OR- host &lt;syslog server address&gt; { change-log &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log facility change-log severity &lt;info | any&gt;, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24844r513243_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

b
For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events.
AC-2 - Medium - CCI-001405 - V-223184 - SV-223184r960786_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
JUSX-DM-000018
Vuln IDs
  • V-223184
  • V-66465
Rule IDs
  • SV-223184r960786_rule
  • SV-80955
Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. An AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events. To log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.
Checks: C-24857r513245_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } -OR- host &lt;syslog server address&gt; { change-log &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log facility change-log severity &lt;info | any&gt;, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24845r513246_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

b
The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.
AC-2 - Medium - CCI-002130 - V-223185 - SV-223185r961290_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
JUSX-DM-000023
Vuln IDs
  • V-223185
  • V-66469
Rule IDs
  • SV-223185r961290_rule
  • SV-80959
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. Accounts can be disabled by configuring the account with the build-in login class "unauthorized". When the command is reissued with a different login class, the account is enabled.
Checks: C-24858r513248_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to generate a log record when account enabling actions occur, this is a finding.

Fix: F-24846r513249_fix

The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. [edit] set system syslog host <IP-syslog-server> any any set system syslog file account-actions change-log any any

b
The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.
AC-3 - Medium - CCI-000213 - V-223186 - SV-223186r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
JUSX-DM-000025
Vuln IDs
  • V-223186
  • V-66473
Rule IDs
  • SV-223186r960792_rule
  • SV-80963
To mitigate the risk of unauthorized privileged access to the device, administrators must be assigned only the privileges needed to perform the tasked assigned to their roles. Although use of an AAA server is required for non-local access for device management, the SRX must also be configured to implement the corresponding privileges upon user login. Each externally authenticated user is assigned a template that maps to a configured login class. AAA servers are usually configured to send a Vendor Specific Attribute (VSA) to the Juniper SRX. The device uses this information to determine the login class to assign to the authenticated user. Unless a VSA is returned from the AAA server, externally-authenticated users are mapped to the “remote” user by default. Remote user is a special default account in Junos OS. If this default account, or another designated remote user account, is not configured, then only externally-authenticated users with a returned VSA of a local template account are permitted login. If the remote user is configured, all externally-authenticated users without a returned VSA default to the remote user account's configured login class. All externally-authenticated users with a returned VSA inherit the login class configured for each respective template account. Junos OS provides four built-in login classes: super-user (all permissions), operator (limited permissions), read-only (no change permissions), and unauthorized (prohibits login). Because these classes are not configurable by the system administrator, they should not be used except for the unauthorized class which may be used for the remote user to deterministically prohibit logins from externally-authenticated users without a returned VSA. Therefore, all template user accounts, and the local account of last resort, should use custom, user-defined, login classes. Externally-authenticated users maintain two account names in Junos OS: the user and login names. The user name is the local template account name and the login name is the authenticated user’s external account name. Junos OS links the names to determine permissions, based upon login class, but uses the external account name for logging. Doing so permits multiple, individually-authenticated users, to be mapped to the same template account, and therefore enforce uniform permissions for each group of administrators, while also attributing any logged changes to the appropriate individual user. Template accounts are differentiated from local accounts by the presence of an authentication stanza; only the local account of last resort should have an authentication stanza.
Checks: C-24859r513251_chk

Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have a user-defined, or the built-in unauthorized login class. [edit] show system login Junos OS supports groups, which are centrally located snippets of code. This allows common configuration to be applied at one or more hierarchy levels without requiring duplicated stanzas. If there are no login-classes defined at [edit system login], then check for an apply-groups statement and verify appropriate configuration at the [edit groups] level. [edit] show groups If one or more account templates are not defined with an appropriate login class, this is a finding. If more than one local account has an authentication stanza and is not documented, this is a finding. Note: Template accounts are differentiated from local accounts by the presence of an authentication stanza.

Fix: F-24847r513252_fix

User accounts, including the account of last resort must be assigned to a login class. Configure the class parameters and privileges. [edit] Set system login class <class name> idle-timeout 10 set system login class <class name> permissions <appropriate permissions> Commit for the changes to take effect. Create and configure template user (s). [edit] set system login user <template account name> login-class <appropriate class> Note: Junos does not permit account creation without login-class assignment. Note: There are 4 pre-defined classes which should not be uses used for <class name>: Super-user, Operator, Read-only, and unauthorized. However, the Unauthorized class may be used for the remote user account to prevent logins from externally-authenticated users when a VSA is not returned from the AAA server.

a
The Juniper SRX Services Gateway must generate a log event when privileged commands are executed.
AC-6 - Low - CCI-002234 - V-223187 - SV-223187r961362_rule
RMF Control
AC-6
Severity
Low
CCI
CCI-002234
Version
JUSX-DM-000029
Vuln IDs
  • V-223187
  • V-66551
Rule IDs
  • SV-223187r961362_rule
  • SV-81041
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. All commands executed on the Juniper SRX are privileged commands. Thus, this requirement is configured using the same syslog command as CCI-000172.
Checks: C-24860r513254_chk

Verify the device generates a log event when privileged commands are executed. [edit] show system syslog If a valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.

Fix: F-24848r513255_fix

Along with the other commands that constitute a complete DoD syslog configuration, the following command must be ensure privileged commands are sent to the Syslog Server. [edit] set system syslog host <IP-syslog-server> any any

a
For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Low - CCI-000044 - V-223188 - SV-223188r1018645_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-000044
Version
JUSX-DM-000030
Vuln IDs
  • V-223188
  • V-66553
Rule IDs
  • SV-223188r1018645_rule
  • SV-81043
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Juniper SRX is unable to comply with the 15-minute time period part of this control.
Checks: C-24861r1018644_chk

Verify the number of unsuccessful logon attempts is set to 3. [edit] show system login retry-options If the number of unsuccessful logon attempts is not set to 3, this is a finding.

Fix: F-24849r513258_fix

Configure the number of unsuccessful logon attempts for all login account, globally. [edit] set system login retry-options tries-before-disconnect 3

a
The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access.
AC-8 - Low - CCI-000048 - V-223189 - SV-223189r960843_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
JUSX-DM-000032
Vuln IDs
  • V-223189
  • V-66555
Rule IDs
  • SV-223189r960843_rule
  • SV-81045
Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. The Standard Mandatory DoD Notice and Consent Banner must be displayed before the user has been authenticated.
Checks: C-24862r513260_chk

Verify the Standard Mandatory DoD Notice and Consent Banner is displayed before the user has been authenticated either locally or by the AAA server by typing the following command at the [edit system login] hierarchy level. [edit] show system login message If the Standard Mandatory DoD Notice and Consent Banner is not displayed before the user has been authenticated, this is a finding.

Fix: F-24850r513261_fix

To configure a system login message, include the message statement at the [edit] hierarchy level. This is the approved verbiage for applications that can accommodate banners of 1300 characters: [edit] set system login message "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\by using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\n" OR [edit] Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: set system login message "I've read & consent to terms in IS user agreem't>\n\n" Note: Use \n to insert a line between paragraphs where needed.

a
The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur.
AU-12 - Low - CCI-000172 - V-223191 - SV-223191r960885_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000040
Vuln IDs
  • V-223191
  • V-66559
Rule IDs
  • SV-223191r960885_rule
  • SV-81049
Without generating log records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. While the Juniper SRX inherently has the capability to generate log records, by default only the high facility levels are captured by default to local files. Ensure at least one Syslog server and local files are configured to support requirements. However, the Syslog itself must also be configured to filter event records so it is not overwhelmed. A best practice when configuring the external Syslog server is to add similar log-prefixes to the log file names to help and researching of central Syslog server. Another best practice is to add a match condition to limit the recorded events to those containing the regular expression (REGEX).
Checks: C-24864r513263_chk

Verify logging has been enabled and configured. [edit] show system syslog If a valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.

Fix: F-24852r513264_fix

The following example commands configure Syslog and local backup files to capture DoD-defined auditable events. [edit] set system syslog user * any emergency set system syslog host <IP-syslog-server> any any set system syslog host <IP-syslog-server> source-address <MGT-IP-Address> set system syslog host <IP-syslog-server> log-prefix <host-name> set system syslog file messages any info set system syslog file messages authorization none set system syslog file messages interactive-commands none set system syslog file messages daemon none set system syslog file User-Auth authorization any set system syslog file interactive-commands interactive-commands any set system syslog file processes daemon any set system syslog file account-actions change-log any any set file account-actions match “system login user” set system syslog console any any

a
The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges.
AU-12 - Low - CCI-000172 - V-223192 - SV-223192r961800_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000041
Vuln IDs
  • V-223192
  • V-66561
Rule IDs
  • SV-223192r961800_rule
  • SV-81051
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-24865r513266_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } -OR- host &lt;syslog server address&gt; { change-log &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log facility change-log severity &lt;info | any&gt;, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24853r513267_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

a
The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted.
AU-12 - Low - CCI-000172 - V-223193 - SV-223193r961812_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000042
Vuln IDs
  • V-223193
  • V-66563
Rule IDs
  • SV-223193r961812_rule
  • SV-81053
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-24866r513269_chk

Verify the device logs change-log events of severity info or any to an external syslog server. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } -OR- host &lt;syslog server address&gt; { change-log &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log facility change-log severity &lt;info | any&gt;, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24854r513270_fix

Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. [edit system syslog] set host <syslog server address> any <info | any> -OR- [edit] set host <syslog server address> change-log <info | any>

a
The Juniper SRX Services Gateway must generate log records when logon events occur.
AU-12 - Low - CCI-000172 - V-223194 - SV-223194r961824_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000043
Vuln IDs
  • V-223194
  • V-66565
Rule IDs
  • SV-223194r961824_rule
  • SV-81055
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-24867r513272_chk

Verify the device generates a log when login events occur. [edit] show system syslog host &lt;syslog server address&gt; { any &lt;info | any&gt;; source-address &lt;device address&gt;; } If an external syslog host is not configured to log, or configured for facility any severity &lt;info | any&gt;, this is a finding.

Fix: F-24855r513273_fix

Configure at least one external syslog host to log facility any and severity info or any. [edit system syslog] set host <syslog server address> any <info | any>

a
The Juniper SRX Services Gateway must generate log records when privileged commands are executed.
AU-12 - Low - CCI-000172 - V-223195 - SV-223195r961827_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000044
Vuln IDs
  • V-223195
  • V-66567
Rule IDs
  • SV-223195r961827_rule
  • SV-81057
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-24868r513275_chk

Verify the device generates a log when login events occur. [edit] show system syslog host &lt;syslog server address&gt; { any any; source-address &lt;device address&gt;; } If an external syslog host is not configured to log, or configured for facility any severity any, this is a finding.

Fix: F-24856r513276_fix

Configure at least one external syslog host to log facility any and severity info or any. There are multiple ways to accomplish this, the following is an example. [edit system syslog] set host <syslog server address> any any

a
The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur.
AU-12 - Low - CCI-000172 - V-223196 - SV-223196r961833_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
JUSX-DM-000046
Vuln IDs
  • V-223196
  • V-66569
Rule IDs
  • SV-223196r961833_rule
  • SV-81059
Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-24869r513278_chk

Verify the device generates a log when login events occur. [edit] show system syslog host &lt;syslog server address&gt; { any any; source-address &lt;device address&gt;; } If an external syslog host is not configured to log, or configured for facility any severity any, this is a finding.

Fix: F-24857r513279_fix

Configure at least one external syslog host to log facility any and severity info or any. There are multiple ways to accomplish this, the following is an example. [edit system syslog] set host <syslog server address> any any

a
The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands.
AU-3 - Low - CCI-000135 - V-223197 - SV-223197r960909_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000135
Version
JUSX-DM-000055
Vuln IDs
  • V-223197
  • V-66571
Rule IDs
  • SV-223197r960909_rule
  • SV-81061
Reconstruction of harmful events or forensic analysis is not possible if log records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. While the Juniper SRX inherently has the capability to generate log records, by default only the high facility levels are captured and only to local files. Ensure at least one Syslog server and local files are configured to support requirements. However, the Syslog itself must also be configured to filter event records so it is not overwhelmed. A best practice when configuring the external Syslog server is to add similar log-prefixes to the log file names to help and researching of central Syslog server. Another best practice is to add a match condition to limit the recorded events to those containing the regular expression (REGEX).
Checks: C-24870r513281_chk

Verify logging has been enabled and configured. [edit] show system syslog If at least one valid syslog host server and the syslog file names are not configured to capture "any" facility and "any" event, this is a finding.

Fix: F-24858r513282_fix

The following commands configure syslog to record any use of any command, including privileged commands. Configure Syslog and local backup files to capture DoD-defined auditable events. [edit] set system syslog user * any emergency set system syslog host <IP-syslog-server> any any set system syslog host <IP-syslog-server> source-address <MGT-IP-Address> set system syslog host <IP-syslog-server> log-prefix <host-name> set system syslog file messages any info set system syslog file messages authorization none set system syslog file messages interactive-commands none set system syslog file messages daemon none set system syslog file User-Auth authorization any set system syslog file interactive-commands interactive-commands any set system syslog file processes daemon any set system syslog file account-actions change-log any any set file account-actions match “system login user” set system syslog console any any

b
For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues.
AU-4 - Medium - CCI-001849 - V-223198 - SV-223198r961392_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
JUSX-DM-000056
Vuln IDs
  • V-223198
  • V-66477
Rule IDs
  • SV-223198r961392_rule
  • SV-80967
In order to ensure network devices have a sufficient storage capacity in which to write the logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The amount allocated for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, and how long the logs are kept on the device. Since the Syslog is the primary audit log, the local log is not essential to keep archived for lengthy periods, thus the allocated space on the device should be low.
Checks: C-24871r513284_chk

To verify the file size for the local system log is set. [edit] show system syslog View the archive size setting of the local log files. If all local log files are not set to an organizational-defined size, this is a finding.

Fix: F-24859r513285_fix

Enter the following commands in the [edit system syslog] hierarchy. [edit system syslog] set file <log filename> any any archive size <file size> file <number of archives>

b
The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected.
AU-5 - Medium - CCI-001858 - V-223199 - SV-223199r961401_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
JUSX-DM-000059
Vuln IDs
  • V-223199
  • V-66479
Rule IDs
  • SV-223199r961401_rule
  • SV-80969
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without an immediate alert for critical system issues, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. While this requirement also applies to the configuration of the event monitoring system (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers), the Juniper SRX can also be configured to generate a message to the administrator console or send via email for immediate messages. Syslog and SNMP trap events with a facility of "daemon" pertaining to errors encountered by system processes.
Checks: C-24872r513287_chk

Verify the system Syslog has been configured to display an alert on the console for the emergency and critical levels of the daemon facility. [edit] show system syslog If the system is not configured to generate a system alert message when a component failure is detected, this is a finding.

Fix: F-24860r513288_fix

The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog user * any emergency set system syslog user * daemon alert set system syslog user * daemon critical

b
The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC).
AU-8 - Medium - CCI-001890 - V-223201 - SV-223201r961443_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
JUSX-DM-000065
Vuln IDs
  • V-223201
  • V-66483
Rule IDs
  • SV-223201r961443_rule
  • SV-80973
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. UTC is normally used in DoD; however, Greenwich Mean Time (GMT) may be used if needed for mission requirements.
Checks: C-24874r513290_chk

Verify the time zone is set to UTC. [edit] show system time-zone If the time zone is not set to UTC, this is a finding.

Fix: F-24862r513291_fix

The following command sets the time zone to UTC. [edit] set system time-zone UTC

b
The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.
- Medium - CCI-003980 - V-223202 - SV-223202r1015750_rule
RMF Control
Severity
Medium
CCI
CCI-003980
Version
JUSX-DM-000077
Vuln IDs
  • V-223202
  • V-66485
Rule IDs
  • SV-223202r1015750_rule
  • SV-80975
Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices. For example audit admins and the account of last resort are not allowed to perform this task.
Checks: C-24875r513293_chk

To verify role-based access control has been configured, view the settings for each login class defined. [edit] show system login View all login classes to see which roles are assigned the "Maintenance" or "request system software add" permissions. If login classes for user roles that are not authorized to install and update software are configured, this is a finding.

Fix: F-24863r997563_fix

Configure the Juniper SRX to allow only the information system security manager (ISSM) user account (or administrators/roles appointed by the ISSM) to select which auditable events are to be audited. To ensure this is the case, each ISSM-appointed role on the AAA must be configured for least privilege using the following stanzas for each role. [edit] show system login Use the delete command or retype the command to remove the permission "Maintenance" or "request system software add" from any class that is not authorized to upgrade software on the device. An explicitly Deny for the command "request system software add" can also be used if some Maintenance commands are permitted.

b
If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.
CM-6 - Medium - CCI-000366 - V-223203 - SV-223203r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000084
Vuln IDs
  • V-223203
  • V-66015
Rule IDs
  • SV-223203r961863_rule
  • SV-80505
The loopback interface is a logical interface and has no physical port. Since the interface and addresses ranges are well-known, this port must be filtered to protect the Juniper SRX from attacks.
Checks: C-24876r513296_chk

If the loopback interface is not used, this is not applicable. Verify the loopback interface is protected by firewall filters. [edit] show interfaces lo0 If the loopback interface is not configured with IPv6 and IPv4 firewall filters, this is a finding.

Fix: F-24864r513297_fix

If the loopback interface is used, configure firewall filters. The following is an example of configuring a loopback address with filters on the device. It shows the format of both IPv4 and IPv6 addresses being applied to the interface. The first two commands show firewall filters being applied to the interface. [edit] set interfaces lo0 unit 0 family inet filter input protect_re set interfaces lo0 unit 0 family inet6 filter input protect_re-v6 set interfaces lo0 unit 0 family inet address 1.1.1.250/32 set interfaces lo0 unit 0 family inet6 address 2100::250/128

a
The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more.
CM-6 - Low - CCI-000366 - V-223204 - SV-223204r961863_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
JUSX-DM-000087
Vuln IDs
  • V-223204
  • V-66595
Rule IDs
  • SV-223204r961863_rule
  • SV-81085
Backup of the configuration files allows recovery in case of corruption, misconfiguration, or catastrophic failure. The maximum number of rollbacks for the SRX is 50 while the default is 5 which is recommended as a best practice. Increasing this backup configuration number will result in increased disk usage and increase the number of files to manage. Organizations should not set the value to zero.
Checks: C-24877r513299_chk

To view the current setting for maximum number of rollbacks enter the following command. [edit] show system max-configuration-rollbacks If the number of back up configurations is not set to an organization-defined value which is 5 or more, this is a finding.

Fix: F-24865r513300_fix

To configure number of backup configurations to be stored in the configuration partition enter the following command at the configuration hierarchy. [edit] set system max-configuration-rollbacks <organization-defined number>

b
The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network.
CM-6 - Medium - CCI-000366 - V-223205 - SV-223205r1015751_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000094
Vuln IDs
  • V-223205
  • V-66487
Rule IDs
  • SV-223205r1015751_rule
  • SV-80977
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on log events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources.
Checks: C-24878r513302_chk

Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources. [edit] show system ntp If the Juniper SRX is not configured to synchronize internal information system clocks with an NTP server, this is a finding.

Fix: F-24866r513303_fix

The following commands allow the device to keep time synchronized with the network. To designate a primary NTP server, add the “prefer” keyword to the server statement. [edit] set system ntp server <NTP-server1-IP> prefer set system ntp source-address <MGT-IP-Address> set system ntp server <NTP-server2-IP> set system ntp source-address <MGT-IP-Address>

b
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
CM-6 - Medium - CCI-000366 - V-223206 - SV-223206r997567_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000095
Vuln IDs
  • V-223206
  • V-66489
Rule IDs
  • SV-223206r997567_rule
  • SV-80979
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. The Juniper SRX supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+). RADIUS and TACACS+ are remote access methods used for management of the Juniper SRX. The local password method will be configured for use only for the account of last resort. To completely set up AAA authentication, create a user template account (the default name is remote) and specify a system authentication server and an authentication order. See CCI-000213 for more details. The remote user template is not a logon account. Once the AAA server option is configured, any remote or nonlocal access attempts are redirected to the AAA server. Since individual user accounts are not defined on the SRX, the authentication server must be used to manage individual account settings.
Checks: C-24879r513305_chk

Verify the Juniper SRX is configured to support the use of AAA services to centrally manage user authentication and logon settings. From the CLI operational mode enter: show system radius-server or show system tacplus-server If the Juniper SRX has not been configured to support the use RADIUS and/or TACACS+ servers to centrally manage authentication and logon settings for remote and nonlocal access, this is a finding.

Fix: F-24867r997566_fix

Configure the Juniper SRX to support the use of AAA services to centrally manage user authentication and logon settings. To completely set up AAA authentication, use a user template account (the default name is remote) and specify a system authentication server and an authentication order. [edit] set system tacplus-server address <server ipaddress> port 1812 secret <shared secret> or [edit] set system radius-server address <server ipaddress> port 1812 secret <shared secret> Note: DOD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device. Also see CCI-000213 for further details.

b
The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.
CM-6 - Medium - CCI-000366 - V-223207 - SV-223207r997572_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000105
Vuln IDs
  • V-223207
  • V-66493
Rule IDs
  • SV-223207r997572_rule
  • SV-80983
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs. The SRX generates a key-pair and a CSR. The CSR is sent to the approved Certification Authority (CA), who signs it and returns it as a certificate. That certificate is then installed. The process to obtain a device PKI certificate requires the generation of a Certificate Signing Request (CSR), submission of the CSR to a CA, approval of the request by an RA, and retrieval of the issued certificate from the CA.
Checks: C-24880r997570_chk

To validate that the certificate was loaded, type the following command: show security pki local-certificate View the installed device certificates. If any of the certificates have the name or identifier of a nonapproved source in the Issuer field, this is a finding.

Fix: F-24868r997571_fix

Generate a new key-pair from a DOD-approved certificate issuer. Sites must consult the PKI/PKI pages on the https://cyber.mil/ website for procedures for NIPRNet and SIPRNet. RSA: request security pki generate-key-pair certificate-id <cert name> type rsa size <512 | 1024 | 2048 | 4096> ECDSA: request security pki generate-key-pair certificate-id <cert_name> type ecdsa size <256 | 384> Generate a CSR from RSA key-pair using the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha1 | sha256> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> Generate a CSR from ECDSA key-pair use the following command and options. request security generate-certificate-request certificate-id <cert_name_from_key_file> digest <sha256 | sha384> domain <FQDN> email <admin_email> ip-address <ip_address> subject “CN=<hostname>,DC=<domain_part>,DC=<TLD_domain>,O=<organization>,OU=<organization_dept>, L=<city>,ST=<state>,C=<us>” filename <path/filename> If no filename is specified, the CSR is displayed on the standard out (terminal) After receiving the approved certificate from the CA, enter the following command and options to upload the certificate. request security pki local-certificate certificate-id <cert_name_from_key_file> filename <path/filename_of_uploaded_certificate> From the operational mode of the hierarchy: set security certificates local new load-key-file /var/tmp/new.pem Type the following command to load the X.509 certificate into the certificate store in operations mode. >request security pki local-certificate load certificate-id <ID> filename <PATH TO CERTIFICATE FILE> For this example, assume the transferred the X.509 certificate called "device-cert.crt" to the /var/tmp directory on the SRXD. The following command will load the device-cert.crt certificate file and associate it with the public/private keypair named “device-keypair” generated in a previous step. >request security pki local-certificate load certificate-id device-keypair filename /var/tmp/device-cert.crt

b
The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-223208 - SV-223208r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000108
Vuln IDs
  • V-223208
  • V-66497
Rule IDs
  • SV-223208r960966_rule
  • SV-80987
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. The control plane is responsible for operating most of the system services on the SRX. The control plane is responsible not only for acting as the interface for the administrator operating the device, but also for controlling the operation of the chassis, pushing the configuration to the data plane, and operating the daemons that provide functionality to the system. The control plane operates the Junos OS, which is a FreeBSD variant. The Juniper SRX control plane services include, but are not limited to, the following: Management Daemon (MGD), Routing Protocol Daemon (RPD) (e.g., RIP, OSPF, IS-IS, BGP, PIM, IPv6 counterparts), User interfaces (SSH, J-Web, NetConf), File system interfaces (SCP), Syslogd (DNS, DHCP, NTP, ICMP, ARP/ND, SNMP), Chassisd, JSRPD (HA clustering).
Checks: C-24881r513311_chk

Entering the following commands from the configuration level of the hierarchy. [edit] show system services If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.

Fix: F-24869r513312_fix

Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration. [edit] show system services Compare the services that are enabled, including the port, services, protocols, and functions. Consult the Juniper knowledge base and configuration guides to determine the commands for disabling each port, protocol, service, or function that is not in compliance with the PPSM CAL and vulnerability assessments.

b
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.
CM-7 - Medium - CCI-000382 - V-223209 - SV-223209r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000109
Vuln IDs
  • V-223209
  • V-66499
Rule IDs
  • SV-223209r960966_rule
  • SV-80989
If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Tools used for nonlocal management and diagnostics with the Juniper SRX include SSH but may also include compatible enterprise maintenance and diagnostics servers. Regardless of the tool used, the Juniper SRX must permit only the use of protocols with the capability to be configured securely with integrity protections. Specifically, use SSH instead of Telnet, SCP instead of FTP, and SNMPv3 rather than other versions SNMP.
Checks: C-24882r513314_chk

Verify nonsecure protocols are not enabled for management access by viewing the enabled system services. From the operational hierarchy: &gt; show config | match "set system services" | display set From the configuration hierarchy: [edit] show snmp show system services telnet show system services ftp show system services ssh If nonsecure protocols and protocol versions such as Telnet, FTP, SNMPv1, SNMPv2c, or SSHv1 are enabled, this is a finding.

Fix: F-24870r513315_fix

Remove or deny nonsecure protocols to prevent their usage for nonlocal management and diagnostic communications. Use the delete command to disable services that should not be enabled. Example deletion commands: [edit] delete system services telnet delete system services ftp delete snmp v1 delete snmp v2c delete set system services ssh protocol-version v1

b
The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-223210 - SV-223210r961506_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
JUSX-DM-000110
Vuln IDs
  • V-223210
  • V-66501
Rule IDs
  • SV-223210r961506_rule
  • SV-80991
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; thus, a CAT 1 finding is allocated in CCI-000803. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The Juniper SRX supports multiple keys, multiple NTP servers, and different keys for each server; add the “key ” parameter to the server statement to associate a key with a specific server.
Checks: C-24883r513317_chk

Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources. [edit] show system ntp If the NTP configuration is not configured to use authentication, this is a finding.

Fix: F-24871r513318_fix

The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT 1. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys. set system ntp authentication-key 1 type md5 set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87" set system ntp authentication-key 2 type md5 set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50" set system ntp server <NTP_server_IP> key 1 set system ntp server <NTP_server_IP> prefer set system ntp server <NTP_server_IP> key 2 set system ntp trusted-key 1 set system ntp trusted-key 2

c
If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.
CM-7 - High - CCI-000382 - V-223211 - SV-223211r960966_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
JUSX-DM-000111
Vuln IDs
  • V-223211
  • V-66451
Rule IDs
  • SV-223211r960966_rule
  • SV-80941
To prevent non-secure protocol communications with the organization's local SNMPv3 services, the SNMP client on the Juniper SRX must be configured for proper identification and strong cryptographically-based protocol for authentication. SNMPv3 defines a user-based security model (USM), and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. The Junos operating system allows the use of SNMPv3 to monitor or query the device for management purposes. Junos does not allow SNMPv3, of any type, to be used to make configuration changes to the device. SNMPv3 is disabled by default and must be enabled for use. SNMPv3 is the DoD-preferred method for monitoring the device securely. If SNMPv3 is not being used, it must be disabled. The following commands will configure SNMPv3. The Junos operating system allows the use of FIPS approved protocols for both authentication (SHA1) and for privacy (AES128). These protocols should be used to ensure secure management connections.
Checks: C-24884r513320_chk

Verify SNMPv3 is enabled and configured. [edit] show snmp If an SNMP stanza does not exist, this is not a finding. If SNMPv3 is not configured to meet DoD requirements, this is a finding. If versions earlier than SNMPv3 are enabled, this is a finding.

Fix: F-24872r513321_fix

Enable and configure SNMPv3 and configure a trap and community string. [edit] set snmp location <LOCATION-NAME> set snmp v3 usm local-engine user <USER-NAME> privacy-AES128 set snmp v3 vacm security-to-group security-model usm security-name <SECURITY-NAME> group <GROUP-NAME> set snmp v3 vacm access group <GROUP-NAME> default-context-prefix security-model usm security-level privacy read-view all set snmp v3 vacm access group <GROUP-NAME> default-context-prefix security-model usm security-level privacy notify-view all set snmp v3 target-address <target-address-name> tag-list <SNMP-trap-receiver> set snmp v3 target-address <TARGER-ADDRESS-NAME> target-parameters <PARMS-NAME> set snmp v3 target-parameters <PARMS-NAME> parameters message-processing-model v3 set snmp v3 target-parameters <PARMS-NAME> parameters security-model usm set snmp v3 target-parameters <PARMS-NAME> parameters security-level privacy set snmp v3 target-parameters <PARMS-NAME> parameters security-name <SECURITY-NAME> set snmp v3 target-parameters <PARMS-NAME> notify-filter device-traps set snmp v3 notify <SNMP-TRAPS> type trap set snmp v3 notify <SNMP-TRAPS> tag <SNMP-TRAP-RECEIVER> set snmp v3 notify-filter device-traps oid jnxChassisTraps include set snmp v3 notify-filter device-traps oid jnxChassisOKTraps include set snmp v3 notify-filter device-traps oid system include set snmp v3 notify-filter device-traps oid .1 include set snmp v3 notify-filter device-traps oid snmpMIBObjects include set snmp engine-id use-mac-address set snmp view all oid .1 include set snmp view all oid system include set snmp view all oid jnxBoxAnatomy include set snmp view all oid snmpMIBObjects include

b
The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.
CM-7 - Medium - CCI-000382 - V-223212 - SV-223212r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000112
Vuln IDs
  • V-223212
  • V-66503
Rule IDs
  • SV-223212r960966_rule
  • SV-80993
Since the identity of the root account is well-known for systems based upon Linux or UNIX and this account does not have a setting to limit access attempts, there is risk of a brute force attack on the password. Root access would give superuser access to an attacker. Preventing attackers from remotely accessing management functions using root account mitigates the risk that unauthorized individuals or processes may gain superuser access to information or privileges. A separate account should be used for access and then the administrator can sudo to root when necessary.
Checks: C-24885r513323_chk

Use the CLI to view this setting for disabled for SSH. [edit] show system services ssh root-login If SSH is not disabled for the root user, this is a finding.

Fix: F-24873r513324_fix

From the configuration mode, enter the following commands to disable root-login using SSH. [edit] set system services ssh root-login deny

b
The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.
CM-7 - Medium - CCI-000382 - V-223213 - SV-223213r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000113
Vuln IDs
  • V-223213
  • V-66507
Rule IDs
  • SV-223213r960966_rule
  • SV-80997
Restricting the privilege to create a UNIX-level shell limits access to this powerful function. System administrators, regardless of their other permissions, will need to also know the root password for this access, thus limiting the possibility of malicious or accidental circumvention of security controls.
Checks: C-24886r513326_chk

Verify each login class is configured to deny access to the UNIX shell. [edit] show system login If each configured login class is not configured to deny access to the UNIX shell, this is a finding.

Fix: F-24874r513327_fix

For each login class, add the following command to the stanza. [edit] set system login class <class name> deny-commands "(start shell)"

b
The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.
CM-7 - Medium - CCI-000382 - V-223214 - SV-223214r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000114
Vuln IDs
  • V-223214
  • V-66509
Rule IDs
  • SV-223214r960966_rule
  • SV-80999
Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing unauthorized access.
Checks: C-24887r513329_chk

Use the CLI to view this setting for disabled for SSH. [edit] show system services ssh If TCP forwarding is not disabled for the root user, this is a finding.

Fix: F-24875r513330_fix

From the configuration mode, enter the following commands to disable TCP forwarding for the SSH protocol. [edit] set system services ssh no-tcp-forwarding

b
The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.
CM-7 - Medium - CCI-000382 - V-223215 - SV-223215r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
JUSX-DM-000115
Vuln IDs
  • V-223215
  • V-66511
Rule IDs
  • SV-223215r960966_rule
  • SV-81001
Without centralized management, credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Local accounts are configured using the local password authentication method which does not meet the multifactor authentication criteria. The account of last resort is a group authenticator which does not provide nonrepudiation, thus must be used only rare cases where the device must be accessed using the local console and an individual authenticator is not possible, including when network access is not available.
Checks: C-24888r513332_chk

Verify only a single local account has an authentication stanza and that the name is the account of last resort. [edit] show system login user &lt;account of last resort&gt; { uid 2001; class &lt;appropriate class name&gt;; authentication { &lt;--- This stanza permits local login encrypted-password "$sha2$22895$aVBPaRVa$o6xIqNSYg9D7yt8pI47etAjZV9uuwHrhAFT6R021HNsy"; ## SECRET-DATA } } OR user &lt;template account&gt; { uid 2001; class &lt;appropriate class name&gt;; } If accounts other than the account of last resort contain an authentication stanza, and that account is not documented, this is a finding.

Fix: F-24876r513333_fix

If more than one account has an authentication stanza, and it is not documented, delete the authentication stanza (if the account is a template account) or the entire account (if the account is unauthorized or no longer needed). To delete a template account: [edit] delete system login user <account name> authentication commit To delete an unneeded or unauthorized account: [edit] delete system login user <account name>

b
The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-223216 - SV-223216r960993_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
JUSX-DM-000124
Vuln IDs
  • V-223216
  • V-66513
Rule IDs
  • SV-223216r960993_rule
  • SV-81003
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. There are 2 approved methods for accessing the Juniper SRX which are, in order of preference, the SSH protocol and the console port.
Checks: C-24889r513335_chk

Verify SSH is configured to use a replay-resistant authentication mechanism. [edit] show system services ssh If SSH is not configured to use the MAC authentication protocol, this is a finding.

Fix: F-24877r513336_fix

Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza. [edit] set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh macs hmac-sha1 set system services ssh macs hmac-sha1-96

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length.
- Medium - CCI-004066 - V-223217 - SV-223217r1015752_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000128
Vuln IDs
  • V-223217
  • V-66515
Rule IDs
  • SV-223217r1015752_rule
  • SV-81005
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Compliance with this requirement also prevents the system from being configured with default or no passwords.
Checks: C-24890r513338_chk

Verify the SRX password enforces this complexity requirement. In configuration mode, enter the following command. [edit] show system login password If the minimum password length for local accounts is not set to at least a 15-character length, this is a finding.

Fix: F-24878r997573_fix

Set the global password option for all accounts created on the Juniper SRX. [edit] set system login password minimum-length 15 Note: This setting only enforces the minimum character password length for newly created passwords. The password of the existing account must be changed if it is not already complaint. To set or change the root user password, in configuration mode enter the following command. [edit] set system root-authentication plain-text-password When prompted, enter the password for the root user. Retype new password to confirm To set or change the account of last resort, in configuration mode enter the following command. [edit] set system login user <name of the account of last resort> plain-text-password When prompted, enter the password for the root user. Retype new password to confirm.

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets.
- Medium - CCI-004066 - V-223218 - SV-223218r1015753_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000129
Vuln IDs
  • V-223218
  • V-66517
Rule IDs
  • SV-223218r1015753_rule
  • SV-81007
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The password change-type command specifies whether a minimum number of character-sets or a minimum number of character-set transitions are enforced. The DOD requires this setting be set to character-sets.
Checks: C-24891r997575_chk

Verify the default local password enforces password complexity by setting the password change type to character sets. [edit] show system login password If the password change-type is not set to character-sets, this is a finding.

Fix: F-24879r997576_fix

Configure the default local password to enforce password complexity by setting the password change type to character sets. [edit] set system login password change-type character-sets

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one uppercase character be used.
- Medium - CCI-004066 - V-223219 - SV-223219r1015754_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000130
Vuln IDs
  • V-223219
  • V-66519
Rule IDs
  • SV-223219r1015754_rule
  • SV-81009
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-24892r997578_chk

Verify the default local password enforces password complexity by requiring at least one uppercase character be used. [edit] show system login password If the minimum-upper-cases is not set to at least 1, this is a finding.

Fix: F-24880r997579_fix

Configure the default local password to enforce password complexity by requiring at least one uppercase character be used. [edit] set system login password minimum-upper-cases 1

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lowercase character be used.
- Medium - CCI-004066 - V-223220 - SV-223220r1015755_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000131
Vuln IDs
  • V-223220
  • V-66521
Rule IDs
  • SV-223220r1015755_rule
  • SV-81011
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-24893r997581_chk

Verify the default local password enforces password complexity by requiring at least one lowercase character be used. [edit] show system login password If the minimum-lower-cases is not set to at least 1, this is a finding.

Fix: F-24881r997582_fix

Configure the default local password to enforce password complexity by requiring at least one lowercase character be used. [edit] set system login password minimum-lower-cases 1

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used.
- Medium - CCI-004066 - V-223221 - SV-223221r1015756_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000132
Vuln IDs
  • V-223221
  • V-66523
Rule IDs
  • SV-223221r1015756_rule
  • SV-81013
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-24894r513350_chk

Verify the default local password enforces password complexity by requiring at least one numeric character be used. [edit] show system login password If the minimum numerics are not set to at least 1, this is a finding.

Fix: F-24882r997584_fix

Configure the default local password to enforce password complexity by requiring at least one numeric character be used. [edit] set system login password minimum -numerics to 1

b
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used.
- Medium - CCI-004066 - V-223222 - SV-223222r1015757_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
JUSX-DM-000133
Vuln IDs
  • V-223222
  • V-66525
Rule IDs
  • SV-223222r1015757_rule
  • SV-81015
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-24895r513353_chk

Verify the default local password enforces password complexity by requiring at least one special character be used. [edit] show system login password If the minimum-punctuation is not set to at least 1, this is a finding.

Fix: F-24883r513354_fix

Configure the default local password to enforce password complexity by requiring at least one special character be used. [edit] set system login password minimum-punctuations 1

b
For local accounts using password authentication (i.e., the root account and the account of last resort) the Juniper SRX Services Gateway must use the SHA1 or later protocol for password authentication.
IA-5 - Medium - CCI-000197 - V-223223 - SV-223223r961029_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
JUSX-DM-000136
Vuln IDs
  • V-223223
  • V-66527
Rule IDs
  • SV-223223r961029_rule
  • SV-81017
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The password format command is an optional command that specifies the hash algorithm used for authenticating passwords. The options are MD5, SHA1, or DES. SHA1 is recommended because it is a FIPS-approved algorithm and provides stronger security.
Checks: C-24896r513356_chk

Verify the default local password enforces this requirement by entering the following in configuration mode. [edit] show system login password If the password format is not set to SHA-1, this is a finding.

Fix: F-24884r513357_fix

Enter the configuration mode on the Juniper SRX, set the password option for the local user account of last resort using the following command. [edit] set system login password format sha1

c
For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.
MA-4 - High - CCI-002890 - V-223224 - SV-223224r961554_rule
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
JUSX-DM-000146
Vuln IDs
  • V-223224
  • V-66453
Rule IDs
  • SV-223224r961554_rule
  • SV-80943
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The Juniper SRX allows the use of SNMP to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.
Checks: C-24897r513359_chk

Verify SNMP is configured for version 3. [edit] show snmp v3 If SNMPv3 is not configured for version 3 using SHA, this is a finding.

Fix: F-24885r513360_fix

Configure snmp to use version 3 with SHA authentication. [edit] set snmp v3 usm local-engine user <NAME> authentication-sha

b
For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications.
MA-4 - Medium - CCI-002890 - V-223225 - SV-223225r961554_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002890
Version
JUSX-DM-000147
Vuln IDs
  • V-223225
  • V-66529
Rule IDs
  • SV-223225r961554_rule
  • SV-81019
To protect the integrity of nonlocal maintenance sessions, SSHv2 with MAC algorithms for integrity checking must be configured. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The SSHv2 protocol suite includes Layer 7 protocols such as SCP and SFTP which can be used for secure file transfers.
Checks: C-24898r513362_chk

Verify SSHv2 and MAC algorithms for integrity checking. [edit] show system services ssh If SSHv2 and integrity options are not configured in compliance with DoD requirements, this is a finding.

Fix: F-24886r513363_fix

Configure SSH integrity options to comply with DoD requirements. [edit] set system services ssh protocol-version v2 set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh macs hmac-sha1 set system services ssh macs hmac-sha1-96

c
For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
MA-4 - High - CCI-003123 - V-223226 - SV-223226r961557_rule
RMF Control
MA-4
Severity
High
CCI
CCI-003123
Version
JUSX-DM-000149
Vuln IDs
  • V-223226
  • V-66455
Rule IDs
  • SV-223226r961557_rule
  • SV-80945
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption to must be configured to provide confidentiality. The Juniper SRX allows the use of SNMPv3 to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.
Checks: C-24899r513365_chk

Verify SNMPv3 is configured with privacy options. [edit] show snmp v3 If SNMPv3, AES encryption, and other privacy options are not configured, this is a finding.

Fix: F-24887r513366_fix

Configure SNMP to use version 3 with privacy options. The following is an example. [edit] set snmp location <NAME> set snmp v3 usm local-engine user <NAME> privacy-AES128 set snmp v3 vacm security-to-group security-model usm security-name <NAME> group <NAMEGROUP> set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy read-view all set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy notify-view all

b
For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configured SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
MA-4 - Medium - CCI-003123 - V-223227 - SV-223227r961557_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-003123
Version
JUSX-DM-000150
Vuln IDs
  • V-223227
  • V-66531
Rule IDs
  • SV-223227r961557_rule
  • SV-81021
To protect the confidentiality of nonlocal maintenance sessions when using SSH communications, SSHv2, AES ciphers, and key-exchange commands are configured. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The SSHv2 protocol suite includes Layer 7 protocols such as SCP and SFTP which can be used for secure file transfers. The key-exchange commands limit the key exchanges to FIPS and DoD-approved methods.
Checks: C-24900r513368_chk

Verify SSHv2, AES ciphers, and key-exchange commands are configured to protect confidentiality. [edit] show system services ssh If SSHv2, AES ciphers, and key-exchange commands are not configured to protect confidentiality, this is a finding.

Fix: F-24888r513369_fix

Configure SSH confidentiality options to comply with DoD requirements. [edit] set system services ssh protocol-version v2 set system services ssh ciphers aes256-ctr set system services ssh ciphers aes256-cbc set system services ssh ciphers aes192-ctr set system services ssh ciphers aes192-cbc set system services ssh ciphers aes128-ctr set system services ssh ciphers aes128-cbc set system services ssh key-exchange dh-group14-sha1 set system services ssh key-exchange group-exchange-sha2 set system services ssh key-exchange ecdh-sha2-nistp256 set system services ssh key-exchange ecdh-sha2-nistp384 set system services ssh key-exchange ecdh-sha2-nistp521

b
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.
MA-4 - Medium - CCI-003123 - V-223228 - SV-223228r961557_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-003123
Version
JUSX-DM-000152
Vuln IDs
  • V-223228
  • V-66533
Rule IDs
  • SV-223228r961557_rule
  • SV-81023
Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in routing network traffic. It will only support device management traffic. The host-inbound-traffic feature of the SRX is an additional layer of security for system services. This function can be configured on either a per zone or a per interface basis within each individual security zone. By default, a security zone has all system services disabled, which means that it will not accept any inbound management or protocol requests on the control plane without explicitly enabling the service at either the interface or zone in the security zone stanzas.
Checks: C-24901r513371_chk

Verify only those zones where management functionality is allowed have host-inbound-traffic system-services configured and that protocols such as HTTP and HTTPS are not assigned to these zones. [edit] show security zones functional-zone management If zones configured for host-inbound-traffic system-services have protocols other than SSH configured, this is a finding.

Fix: F-24889r513372_fix

Remove host-inbound-traffic systems-services option from zones not authorized for management traffic. Remove unauthorized protocols (e.g., HTTP, HTTPS) from management zones that are configured to allow host-inbound-traffic system-services.

b
The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-223231 - SV-223231r961068_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
JUSX-DM-000156
Vuln IDs
  • V-223231
  • V-66537
Rule IDs
  • SV-223231r961068_rule
  • SV-81027
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session. Quickly terminating an idle session also frees up resources. This requirement does not mean that the device terminates all sessions or network access; it only ends the inactive session. User accounts, including the account of last resort must be assigned to a login class. Configure all login classes with an idle timeout value. Pre-defined classes do not support configurations, therefore should not be used for DoD implementations. The root account cannot be assigned to a login-class which is why it is critical that this account be secured in accordance with DoD policy.
Checks: C-24904r513380_chk

Verify idle-timeout is set for 10 minutes. [edit] show system login If a timeout value of 10 or less is not set for each class, this is a finding.

Fix: F-24892r513381_fix

Configure all login classes with an idle timeout value. [edit] set system login-class <class name> idle-timeout 10 All users must be set to a login-class; however, to ensure that the CLI is set to a default timeout value, enter the following in operational mode: set cli idle-timeout 10

b
The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded.
SC-10 - Medium - CCI-001133 - V-223232 - SV-223232r961068_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
JUSX-DM-000157
Vuln IDs
  • V-223232
  • V-66539
Rule IDs
  • SV-223232r961068_rule
  • SV-81029
Configuring the keep-alive for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between each message are used to force the system to disconnect a user that has lost network connectivity to the device. This differs from inactivity timeouts because the device does not wait the 10 minutes to log the user out but, instead, immediately logs the user out if the number of keep-alive messages are exceeded. The interval between messages should also be configured. These values should be set to an organization-defined value based on mission requirements and network performance.
Checks: C-24905r513383_chk

Verify this setting by entering the following commands in configuration mode. [edit] show system services ssh If the keep-alive count and keep-alive interval is not set to an organization-defined value, this is a finding.

Fix: F-24893r513384_fix

Configure this setting by entering the following commands in configuration mode. [edit] set system services ssh client-alive-count-max <organization-defined value> set system services ssh client-alive-interval <organization-defined value>

b
The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
SC-5 - Medium - CCI-002385 - V-223233 - SV-223233r961620_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
JUSX-DM-000162
Vuln IDs
  • V-223233
  • V-66541
Rule IDs
  • SV-223233r961620_rule
  • SV-81031
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Juniper SRX uses the system commands, system internet-options, and screens to mitigate the impact of DoS attacks on device availability.
Checks: C-24906r513386_chk

Verify the system options are configured to protect against DoS attacks. [edit] show system show system internet-options If the system and system-options which limit the effects of common types of DoS attacks are not configured in compliance with DoD requirements, this is a finding.

Fix: F-24894r513387_fix

Configure the system and system-options to protect against DoS attacks. [edit] set system no-redirects set system no-ping-record-route set system no-ping-time-stamp set system internet-options icmpv4-rate-limit packet-rate 50 set system internet-options icmpv6-rate-limit packet-rate 50 set system internet-options no-ipip-path-mtu-discovery set system internet-options no-source-quench set system internet-options tcp-drop-synfin-set set system internet-options no-ipv6-path-mtu-discovery set system internet-options no-tcp-reset drop-all-tcp

b
The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access.
SC-5 - Medium - CCI-002385 - V-223234 - SV-223234r961620_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
JUSX-DM-000163
Vuln IDs
  • V-223234
  • V-66543
Rule IDs
  • SV-223234r961620_rule
  • SV-81033
The rate-limit command limits the number of SSH session attempts allowed per minute which helps limit an attacker's ability to perform DoS attacks. The rate limit should be as restrictive as operationally practical. Juniper Networks recommends a best practice of 4 for the rate limit, however the limit should be as restrictive as operationally practical. User connections that exceed the rate-limit will be closed immediately after the connection is initiated. They will not be in a waiting state.
Checks: C-24907r513389_chk

Verify the Juniper SRX sets a connection-limit for the SSH protocol. Show system services ssh If the SSH connection-limit is not set to 4 or an organization-defined value, this is a finding.

Fix: F-24895r513390_fix

Configure the SSH protocol with a rate limit. [edit] set system services ssh rate-limit 4 Note: Juniper Networks recommends a best practice of 4 for the rate limit; however, the limit should be as restrictive as operationally practical.

a
The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself.
SC-5 - Low - CCI-002385 - V-223235 - SV-223235r961620_rule
RMF Control
SC-5
Severity
Low
CCI
CCI-002385
Version
JUSX-DM-000164
Vuln IDs
  • V-223235
  • V-66603
Rule IDs
  • SV-223235r961620_rule
  • SV-81093
Service redundancy, may reduce the susceptibility to some DoS attacks. Organizations must consider the need for service redundancy in accordance with DoD policy. If service redundancy is required then this technical control is applicable. The Juniper SRX can configure your system to monitor the health of the interfaces belonging to a redundancy group.
Checks: C-24908r513392_chk

If service redundancy is not required by the organization's policy, this is not a finding. Verify the configuration is working properly: [edit] show chassis cluster interfaces command. If service redundancy is not configured, this is a finding.

Fix: F-24896r513393_fix

Interfaces can be monitored by a redundancy group for automatic failover to another node. Assign a weight to the interface to be monitored. This configuration is an extremely complex configuration. Consult the vendor documentation. Set the chassis cluster node ID and cluster ID. Configure the chassis cluster management interface. Configure the chassis cluster fabric. Configure the chassis cluster redundancy group Specify the interface to be monitored by a redundancy group. Specify the interface to be monitored by a redundancy group. Example: [edit] set chassis cluster redundancy-group 1 interface-monitor ge-6/0/2 weight 255

b
The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD.
CM-6 - Medium - CCI-000366 - V-223236 - SV-223236r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000166
Vuln IDs
  • V-223236
  • V-66547
Rule IDs
  • SV-223236r961863_rule
  • SV-81037
Earlier versions of Junos may have reached the end of life cycle support by the vendor. Junos 12.1X46 is not a UC APL certified version, while 12.1X46 is UC APL Certified. The SRX with Junos 12.1X46 has been NIAP certified as a firewall and VPN. Junos 12.1X46 contains a number of enhancements, particularly related to IPv6, that are relevant to the STIG.
Checks: C-24909r513395_chk

Verify the version installed is Junos 12.1 X46 or later. In operational mode, type the following: show version If the Junos version installed is not 12.1 X46 or later, this is a finding.

Fix: F-24897r513396_fix

Follow the manufacturer's instructions for upgrading the Junos version. Software updates must be from an approved site and follow approved DoD procedures and verification processes in accordance with site testing procedures.

c
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.
CM-7 - High - CCI-000382 - V-223237 - SV-223237r960966_rule
RMF Control
CM-7
Severity
High
CCI
CCI-000382
Version
JUSX-DM-000167
Vuln IDs
  • V-223237
  • V-66605
Rule IDs
  • SV-223237r960966_rule
  • SV-81095
If unsecured functions (lacking FIPS-validated cryptographic mechanisms) are used for management sessions, the contents of those sessions are susceptible to manipulation, potentially allowing alteration and hijacking. J-Web (configured using the system services web-management option) does not meet the DoD requirement for management tools. It also does not work with all Juniper SRX hardware. By default, the web interface is disabled; however, it is easily enabled.
Checks: C-24910r513398_chk

Verify web-management is not enabled. [edit] show system services web-management If a stanza exists that configures web-management service options, this is a finding.

Fix: F-24898r513399_fix

Remove the web-management service. [edit] delete system services web-management

b
The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
AU-12 - Medium - CCI-000169 - V-229014 - SV-229014r961863_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
JUSX-DM-000007
Vuln IDs
  • V-229014
  • V-66457
Rule IDs
  • SV-229014r961863_rule
  • SV-80947
Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types. The Juniper SRX can be configured to limit login times or to logout users after a certain time period if desired by the organization. These setting are configured as options on the login class to which they apply.
Checks: C-31329r518218_chk

If the organization does not have a requirement for triggered, automated logout, this is not a finding. Obtain a list of organization-defined triggered, automated requirements that are required for the Juniper SRX. To verify configuration of special user access controls. [edit] show system login View time-based or other triggers which are configured to control automated logout. If the organization has documented requirements for triggered, automated termination and they are not configured, this is a finding.

Fix: F-31306r518219_fix

To configure user access on specific days of the week for a specified duration, include the allowed-days, access-start, and access-end statements. The following is an example of a configuration for a class which would automatically log out users. Consult the Juniper SRX documentation for other options. [edit system login] class class-name allowed-days [ days-of-the-week ]; class class-name access-start HH:MM; class class-name access-end HH:MM;

b
For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.
AU-12 - Medium - CCI-000171 - V-229015 - SV-229015r961863_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
JUSX-DM-000019
Vuln IDs
  • V-229015
  • V-66443
Rule IDs
  • SV-229015r961863_rule
  • SV-80933
An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously created. Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. Alerts must be sent immediately to designated individuals. Alerts may be sent via NMS, SIEM, Syslog configuration, SNMP trap or notice, or manned console message. Although, based on policy, administrator accounts must be created on the AAA server, thus this requirement addresses the creation of unauthorized accounts on the Juniper SRX itself. This does not negate the need to address this requirement on the AAA server and the event monitoring server (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers).
Checks: C-31330r518221_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account creation actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.

Fix: F-31307r518222_fix

Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog users * change-log <info | any> set system syslog host <IP-syslog-server> any any set system syslog file account-actions change-log any any

b
The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.
AU-5 - Medium - CCI-000139 - V-229016 - SV-229016r961863_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
JUSX-DM-000020
Vuln IDs
  • V-229016
  • V-66445
Rule IDs
  • SV-229016r961863_rule
  • SV-80935
An authorized insider or individual who maliciously modifies a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously modified. Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. Alerts must be sent immediately to designated individuals. Alerts may be sent via NMS, SIEM, Syslog configuration, SNMP trap or notice, or manned console message. Although, based on policy, administrator accounts must be modified on the AAA server, thus this requirement addresses the modification of unauthorized accounts on the Juniper SRX itself. This does not negate the need to address this requirement on the AAA server and the event monitoring server (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers).
Checks: C-31331r518224_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system does not display account modification actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.

Fix: F-31308r518225_fix

Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog users * change-log <info | any> set system syslog host <IP-syslog-server> any any set system syslog file account-actions change-log any any

b
The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.
AU-5 - Medium - CCI-000140 - V-229017 - SV-229017r961863_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
JUSX-DM-000021
Vuln IDs
  • V-229017
  • V-66467
Rule IDs
  • SV-229017r961863_rule
  • SV-80957
An authorized insider or individual who maliciously disables a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously disabled. Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. Alerts must be sent immediately to designated individuals. Alerts may be sent via NMS, SIEM, Syslog configuration, SNMP trap or notice, or manned console message. Although, based on policy, administrator accounts must be disabled on the AAA server, this requirement addresses the disabling of unauthorized accounts on the Juniper SRX itself. This does not negate the need to address this requirement on the AAA server and the event monitoring server (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers).
Checks: C-31332r518227_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system does not display account disabling actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.

Fix: F-31309r518228_fix

Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog users * change-log <info | any> set system syslog host <IP-syslog-server> any any set system syslog file account-actions change-log any any

b
The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.
CM-6 - Medium - CCI-000366 - V-229018 - SV-229018r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000022
Vuln IDs
  • V-229018
  • V-66447
Rule IDs
  • SV-229018r961863_rule
  • SV-80937
An authorized insider or individual who maliciously delete a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously deleted. Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. Alerts must be sent immediately to designated individuals. Alerts may be sent via NMS, SIEM, Syslog configuration, SNMP trap or notice, or manned console message. Although, based on policy, administrator accounts must be deleted on the AAA server, this requirement addresses the deletion of unauthorized accounts on the Juniper SRX itself. This does not negate the need to address this requirement on the AAA server and the event monitoring server (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers). Accounts can be disabled by configuring the account with the built-in login class "unauthorized". When the command is reissued with a different login class, the account is enabled.
Checks: C-31333r518230_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account deletion actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.

Fix: F-31310r518231_fix

The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog users * change-log <info | any> set system syslog host <IP-syslog-server> any any set system syslog file account-actions change-log any any

b
The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.
CM-6 - Medium - CCI-000366 - V-229019 - SV-229019r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000024
Vuln IDs
  • V-229019
  • V-66471
Rule IDs
  • SV-229019r961863_rule
  • SV-80961
In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). Accounts can be disabled by configuring the account with the built-in login class "unauthorized". When the command is reissued with a different login class, the account is enabled.
Checks: C-31334r518233_chk

Verify the device is configured to display change-log events of severity info. [edit] show system syslog If the system is not configured to display account enabling actions on the management console, this is a finding.

Fix: F-31311r518234_fix

The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). [edit] set system syslog users * change-log <info | any>

a
The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
CM-6 - Low - CCI-000366 - V-229021 - SV-229021r1015758_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
JUSX-DM-000039
Vuln IDs
  • V-229021
  • V-66557
Rule IDs
  • SV-229021r1015758_rule
  • SV-81047
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The primary audit log permissions are set on the Syslog server, not the Juniper SRX. However, it is a best practice to also keep local logs for troubleshooting and backup. These logs are subject to access control requirements. This configuration is a two-step process. Part of the configuration must be performed on the AAA server. After a user successfully logs on, the AAA sever passes the template or role of the user to the Juniper SRX. Each AAA template or role is mapped to a login class on the Juniper SRX. On the Juniper SRX, the class name, audit-admin, is recommended as a best practice because it follows the naming convention used in NIAP testing and is self-documenting.
Checks: C-31336r518239_chk

Verify only the ISSM (or administrators or roles appointed by the ISSM) have permission to configure and control audit events. [edit] show system login class show system login View permissions for the audit-admin class (audit-admin is an example class name; local policy may dictate another name). View class assignment for all users and template users configured on the Juniper SRX. If user templates or users are other than the ISSM (or administrators or roles appointed by the ISSM) have permission to select which auditable events are to be audited, this is a finding.

Fix: F-31313r518240_fix

Configure the Juniper SRX to allow only the ISSM user account (or administrators/roles appointed by the ISSM) to select which auditable events are to be audited. To ensure this is the case, each ISSM-appointed role on the AAA must be configured for least privilege using the following stanzas for each role. For audit-admin role: [edit] set system login class audit-admin permissions [ security trace maintenance ] set system login class audit-admin allow-commands "^clear (log|security log)" set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" set system login class audit-admin security-role audit-administrator set system login user audit-officer class audit-admin For the crypto admin role: [edit] set system login class crypto-admin permissions [ admin-control configure maintenance security-control system-control trace ] set system login class crypto-admin allow-commands "^request system set-encryption-key" set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" set system login class crypto-admin allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation" set system login class crypto-admin security-role crypto-administrator For the security-admin role: [edit] set system login class security-admin permissions all set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell" set system login class security-admin deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication| encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key- generation" set system login class security-admin security-role security-administrator For the ids-admin role: [edit] set system login class ids-admin permissions [ configure maintenance security-control trace ] set system login class ids-admin allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older- than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures| ike-phase1-failures|ike-phase2-failures|key-generation-self-test| non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" set system login class ids-admin deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)" set system login class ids-admin security-role ids-admin For the crypto-officer class: [edit] set system login user crypto-officer class crypto-admin set system login user security-officer class security-admin set system login user ids-officer class ids-admin

a
For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.
CM-6 - Low - CCI-000366 - V-229022 - SV-229022r1015759_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
JUSX-DM-000060
Vuln IDs
  • V-229022
  • V-66573
Rule IDs
  • SV-229022r1015759_rule
  • SV-81063
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without this alert, the security personnel may be unaware of an impending failure of the log capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. While this requirement also applies to the event monitoring system (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers), the Juniper SRX must also be configured to generate a message to the administrator console. Syslog and SNMP trap events with a facility of "daemon" pertain to errors encountered by system processes.
Checks: C-31337r518242_chk

Verify the system Syslog has been configured to display an alert on the console for the emergency and alert levels of the daemon facility. [edit] show system syslog If the system is not configured to generate a message to the system management console when a log processing failure occurs, this is a finding.

Fix: F-31314r518243_fix

The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console. [edit] set system syslog user * any emergency set system syslog user * daemon alert set system syslog user * daemon critical

b
In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally.
CM-6 - Medium - CCI-000366 - V-229023 - SV-229023r1015760_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000061
Vuln IDs
  • V-229023
  • V-66481
Rule IDs
  • SV-229023r1015760_rule
  • SV-80971
It is critical that when the network device is at risk of failing to process logs as required, it take action to mitigate the failure. Log processing failures include: software/hardware errors; failures in the log capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to log failure depend upon the nature of the failure mode. Since availability is an overriding concern given the role of the Juniper SRX in the enterprise, the system must not be configured to shut down in the event of a log processing failure. The system will be configured to log events to local files, which will provide a log backup. If communication with the Syslog server is lost or the server fails, the network device must continue to queue log records locally. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local log data with the collection server. A best practice is to add log-prefixes to the log file names to help in researching the events and filters to prevent log overload. Another best practice is to add a match condition to limit the recorded events to those containing the regular expression (REGEX). Thus, the Juniper SRX will inherently and continuously capture events to local files to guard against the loss of connectivity to the primary and secondary events server.
Checks: C-31338r518245_chk

Verify logging has been enabled and configured to capture to local log files in case connection with the primary and secondary log servers is lost. [edit] show system syslog If local log files are not configured to capture events, this is a finding.

Fix: F-31315r997561_fix

The following example commands configure local backup files to capture DOD-defined auditable events. [edit] set system syslog file messages any info set system syslog file messages authorization none set system syslog file messages interactive-commands none set system syslog file messages daemon none set system syslog file User-Auth authorization any set system syslog file interactive-commands interactive-commands any set system syslog file processes daemon any set system syslog file account-actions change-log any any set file account-actions match "system login user" set system syslog console any any

b
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management.
CM-6 - Medium - CCI-000366 - V-229024 - SV-229024r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000096
Vuln IDs
  • V-229024
  • V-66491
Rule IDs
  • SV-229024r961863_rule
  • SV-80981
Centralized application (e.g., TACACS+, RADIUS) of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. This requirement references identification and authentication and does not prevent the configuration of privileges using the remote template account (CCI-000213).
Checks: C-31339r518248_chk

Verify the Juniper SRX is configured to support the use of AAA services to centrally apply user authentication and logon settings. From the CLI operational mode enter: show system radius-server or show system tacplus-server If the Juniper SRX has not been configured to support the use of RADIUS and/or TACACS+ servers to centrally apply authentication and logon settings for remote and nonlocal access, this is a finding.

Fix: F-31316r518249_fix

Configure the Juniper SRX to support the use of AAA services to centrally apply user authentication and logon settings. [edit] set system tacplus-server address <server ipaddress> port 1812 secret <shared secret> or [edit] set system radius-server address <server ipaddress> port 1812 secret <shared secret>

c
The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
CM-6 - High - CCI-000366 - V-229025 - SV-229025r1015761_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
JUSX-DM-000097
Vuln IDs
  • V-229025
  • V-66449
Rule IDs
  • SV-229025r1015761_rule
  • SV-80939
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. The Juniper SRX supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+). RADIUS and TACACS+ are remote access methods used for management of the Juniper SRX. The local password method will be configured for use only for the account of last resort; however, it will not be used for remote and nonlocal access or this will result in a CAT 1 finding (CCI-000765). This requirement references identification and authentication and does not prevent the configuration of privileges using the remote template account (CCI-000213).
Checks: C-31340r518251_chk

Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+. From the CLI operational mode enter: show system radius-server or show system tacplus-server If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.

Fix: F-31317r997568_fix

Configure the Juniper SRX to forward logon requests to a RADIUS or TACACS+. Remove local users configured on the device (CCI-000213) so the AAA server cannot default to using a local account. [edit] set system tacplus-server address <server ipaddress> port 1812 secret <shared secret> or [edit] set system radius-server address <server ipaddress> port 1812 secret <shared secret> Note: DOD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

a
The Juniper SRX Services Gateway must specify the order in which authentication servers are used.
CM-6 - Low - CCI-000366 - V-229026 - SV-229026r961863_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
JUSX-DM-000098
Vuln IDs
  • V-229026
  • V-66597
Rule IDs
  • SV-229026r961863_rule
  • SV-81087
Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These commands also ensure that a default method or order will not be used by the device (e.g., local passwords). The Juniper SRX must specify the order in which authentication is attempted by including the authentication-order statement in the authentication server configuration. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.
Checks: C-31341r518254_chk

Verify a RADIUS or TACACS+ server order has been configured. From operational mode enter the command: show system authentication-order If the authentication-order for either or both RADIUS or TACACS+ server order has not been configured, this is a finding. If the authentication-order includes the password method, this is a finding.

Fix: F-31318r518255_fix

Add an external RADIUS or TACACS+ server, and specify the port number and shared secret of the server. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device. [edit] set system authentication-order tacplus or [edit] set system authentication-order radius From operational mode enter the command: show system authentication-order If password is set as an option, remove this command from the configuration. [edit] delete system authentication-order password

a
The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum.
CM-6 - Low - CCI-000366 - V-229027 - SV-229027r961863_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
JUSX-DM-000099
Vuln IDs
  • V-229027
  • V-66599
Rule IDs
  • SV-229027r961863_rule
  • SV-81089
The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network device and/or in another separate information system or device. If the addition of unauthorized components or devices is not automatically detected, then such components or devices could be used for malicious purposes, such as transferring sensitive data to removable media for compromise. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).
Checks: C-31342r518257_chk

Verify SNMP is configured to capture chassis and device traps. If Syslog or a console method is used, verify that method instead. [edit] show snmp v3 If an immediate alert is not sent via SNMPv3 or another method, this is a finding.

Fix: F-31319r518258_fix

Update the SNMP configuration with the following device trap settings. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). set snmp v3 notify-filter device-traps oid jnxChassisTraps include set snmp v3 notify-filter device-traps oid jnxChassisOKTraps include set snmp v3 notify-filter device-traps oid system include set snmp v3 notify-filter device-traps oid .1 include set snmp v3 notify-filter device-traps oid

b
The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected.
CM-6 - Medium - CCI-000366 - V-229028 - SV-229028r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000106
Vuln IDs
  • V-229028
  • V-66495
Rule IDs
  • SV-229028r961863_rule
  • SV-80985
Component (e.g., chassis, file storage, file corruption) failure may cause the system to become unavailable, which could result in mission failure since the network would be operating without a critical security traffic inspection or access function. Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). Automated alerts can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites. While this requirement also applies to the event monitoring system (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers), the Juniper SRX must also be configured to generate a message to the administrator console. Syslog and SNMP trap events with a facility of "daemon" pertain to errors encountered by system processes.
Checks: C-31343r518260_chk

Verify the system Syslog has been configured to display an alert on the console for the emergency and critical levels of the daemon facility. [edit] show system syslog If the system is not configured to generate a system alert message when a component failure is detected, this is a finding.

Fix: F-31320r518261_fix

The following commands configure syslog to immediately display any emergency level or daemon alert events to the management console. The message will display on any currently logged on administrator's console. [edit] set system syslog user * any emergency set system syslog user * daemon critical set system syslog user * daemon alert

b
The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles).
CM-6 - Medium - CCI-000366 - V-229029 - SV-229029r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
JUSX-DM-000165
Vuln IDs
  • V-229029
  • V-66545
Rule IDs
  • SV-229029r961863_rule
  • SV-81035
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthorized personnel or their designated representatives. Although, based on policy, administrator accounts must be created on the AAA server, thus this requirement addresses the creation of unauthorized accounts on the Juniper SRX itself. This does not negate the need to address this requirement on the AAA server and the event monitoring server (e.g., Syslog, Security Information and Event Management [SIEM], or SNMP servers).
Checks: C-31344r518263_chk

Obtain a list of authorized user names that are authorized to view the audit log and console notification messages. Verify classes are created that separate administrator roles based on authorization. View user classes and class members by typing the following commands. [edit] show system login View class assignment for all users and template users configured on the Juniper SRX. Users with login classes audit-admin, security-admin, and system-admin have permission to view error message in logs and/or notifications. If classes or users that are not authorized to have access to the logs (e.g., crypto-admin) have permissions to view or access error message in logs and/or notifications, this is a finding.

Fix: F-31321r518264_fix

Configure login classes and permissions and assign only authorized users to each class. [edit] show system login If any classes are mapped to the audit-admin, security-admin, or system-admin login templates, delete the command from the class by typing delete in front of the command or retyping the command with the permission removed from the list. Example configuration: set system login class audit-admin allow-commands "(show log *)|(clear log *)|(monitor log *)" set system login class audit-admin allow-configuration "(system syslog)" set system login class emergency permissions all set system login class emergency login-alarms set system login class security-admin login-alarms set system login class system-admin login-alarms