The Juniper EX switch must be configured to offload audit records onto a different system or media than the system being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253937	JUEX-NM-000600	SV-253937r879886_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

STIG	Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide	2023-03-23

Details

Check Text ( C-57389r846818_chk )
Check the network device configuration to determine if the device offloads audit records onto a different system or media than the system being audited. Verify the device is configured to send system events to external syslog. If the organization has a centralized repository (or repositories) for secure transfer of audit log files, verify each log file is configured to transfer files to the appropriate repository. Each log file must be configured separately. [edit system syslog] file { any info; archive size <65536..1073741824 bytes> files <1..1000> transfer-interval <5..2880 minutes> start-time "" archive-sites { "URL" password "hashed PSK" } ## SECRET-DATA } Note: The URL format is: ://@ /. The trailing slash is omitted because Junos automatically adds that when it appends the filename. host { any info; } Note: If using secure file transfer to offload log files, the Juniper device will immediately attempt to connect with the configured protocol, address, and credentials. If successful, Junos will prompt to accept an untrusted public key. If the administrator accepts that key, Junos adds it to [edit security ssh-known-hosts]. Alternately, configure the trusted public key at [edit security ssh-known-hosts] before configuring automatic file offload. If the device does not offload audit records onto a different system or media, this is a finding.

Check Text ( C-57389r846818_chk )

Check the network device configuration to determine if the device offloads audit records onto a different system or media than the system being audited.

Verify the device is configured to send system events to external syslog. If the organization has a centralized repository (or repositories) for secure transfer of audit log files, verify each log file is configured to transfer files to the appropriate repository. Each log file must be configured separately.

[edit system syslog]
file {
any info;
archive size <65536..1073741824 bytes> files <1..1000> transfer-interval <5..2880 minutes> start-time "" archive-sites {
"URL" password "hashed PSK" } ## SECRET-DATA
}
Note: The URL format is: ://@

/. The trailing slash is omitted because Junos automatically adds that when it appends the filename.
host {
any info;
}
Note: If using secure file transfer to offload log files, the Juniper device will immediately attempt to connect with the configured protocol, address, and credentials. If successful, Junos will prompt to accept an untrusted public key. If the administrator accepts that key, Junos adds it to [edit security ssh-known-hosts]. Alternately, configure the trusted public key at [edit security ssh-known-hosts] before configuring automatic file offload.

If the device does not offload audit records onto a different system or media, this is a finding.

Fix Text (F-57340r846820_fix)
Configure the network device to offload audit records onto a different system or media than the system being audited. set file any info set system syslog file any info set system syslog file archive size <65536..1073741824 bytes> set system syslog file archive files <1..1000> set system syslog file archive transfer-interval <5..2880 minutes> set system syslog file archive start-time "" set system syslog file archive archive-sites "://@/" password "" set system syslog host any info

Fix Text (F-57340r846820_fix)

Configure the network device to offload audit records onto a different system or media than the system being audited.

set file any info
set system syslog file any info
set system syslog file archive size <65536..1073741824 bytes>
set system syslog file archive files <1..1000>
set system syslog file archive transfer-interval <5..2880 minutes>
set system syslog file archive start-time ""
set system syslog file archive archive-sites "://@/" password ""
set system syslog host any info