The Juniper EX switch must be configured to generate audit records for privileged activities or other system-level access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253934	JUEX-NM-000570	SV-253934r843835_rule		Medium

Description
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

STIG	Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide	2022-08-31

Details

Check Text ( C-57386r843833_chk )
Determine if the network device generates audit records for privileged activities or other system-level access. Junos logs all completed commands via the "interactive-commands" syslog facility and all configuration changes via "change-log". Successful and unsuccessful login attempts are logged using the "authorization" facility. Verify syslog is configured to capture these facilities using the logging level "info" or above. The lowest logging level, "any", is debug and will generate significant numbers of messages. The "any" logging facility (not to be confused with the severity level "any") includes authorization, change-log, and interactive-commands. Example configuration to generate audit records for privileged activities or other system-level access. [edit system syslog] file { authorization info; change-log info; interactive-commands info; } host { any info; explicit-priority; } time-format year millisecond; Note: The time-format command supports including the year and/or the time in milliseconds (both shown for clarity). The default format does not include the year and time is recorded in seconds. Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host { authorization info; change-log info; interactive-commands info; structured-data; } file { any info; structured-data; } If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.

Check Text ( C-57386r843833_chk )

Determine if the network device generates audit records for privileged activities or other system-level access.

Junos logs all completed commands via the "interactive-commands" syslog facility and all configuration changes via "change-log". Successful and unsuccessful login attempts are logged using the "authorization" facility. Verify syslog is configured to capture these facilities using the logging level "info" or above. The lowest logging level, "any", is debug and will generate significant numbers of messages. The "any" logging facility (not to be confused with the severity level "any") includes authorization, change-log, and interactive-commands.

Example configuration to generate audit records for privileged activities or other system-level access.

[edit system syslog]
file {
authorization info;
change-log info;
interactive-commands info;
}
host {
any info;
explicit-priority;
}
time-format year millisecond;
Note: The time-format command supports including the year and/or the time in milliseconds (both shown for clarity). The default format does not include the year and time is recorded in seconds.

Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example:

[edit system syslog]
host {
authorization info;
change-log info;
interactive-commands info;
structured-data;
}
file {
any info;
structured-data;
}

If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.

Fix Text (F-57337r843834_fix)
Configure the network device to generate audit records for privileged activities or other system-level access. set system syslog host any info set system syslog host explicit-priority set system syslog file any info set system syslog time-format year