The Juniper router must be configured to automatically audit account removal actions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91101	JUNI-ND-000120	SV-101201r1_rule		Medium

Description
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

Description

Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

STIG	Date
Juniper Router NDM Security Technical Implementation Guide	2019-12-10

Details

Check Text ( C-90255r2_chk )
Review the router configuration to determine if it audits the deletion of accounts. This requirement can be met by ensuring that configuration changes are logged as shown in the following example: system { syslog { file LOG_FILE { change-log info; } } } Note: The parameter “any” can be in place of “change-log” as this will log everything. Also, a syslog server can be configured in addition to or in lieu of logging to a file as shown in the example below. system { syslog { host 10.1.58.2 { any info; } file LOG_FILE { change-log info; } console { any error; } } } If the deletion of accounts is not audited, this is a finding.

Check Text ( C-90255r2_chk )

Review the router configuration to determine if it audits the deletion of accounts. This requirement can be met by ensuring that configuration changes are logged as shown in the following example:

system {
syslog {
file LOG_FILE {
change-log info;
}
}
}

Note: The parameter “any” can be in place of “change-log” as this will log everything. Also, a syslog server can be configured in addition to or in lieu of logging to a file as shown in the example below.

system {
syslog {
host 10.1.58.2 {
any info;
}
file LOG_FILE {
change-log info;
}
console {
any error;
}
}
}

If the deletion of accounts is not audited, this is a finding.

Fix Text (F-97299r2_fix)
Configure the router to audit the deletion of accounts. This requirement can be met by ensuring that configuration changes are logged as shown in the following example: [edit system] set syslog file LOG_FILE change-log info Note: The parameter “any” can be in place of “change-log” as this will log everything. Also, a syslog server can be configured in addition to or in lieu of logging to a file as shown in the example below. set syslog host 10.1.58.2 any info

Fix Text (F-97299r2_fix)

Configure the router to audit the deletion of accounts. This requirement can be met by ensuring that configuration changes are logged as shown in the following example:

[edit system]
set syslog file LOG_FILE change-log info

Note: The parameter “any” can be in place of “change-log” as this will log everything. Also, a syslog server can be configured in addition to or in lieu of logging to a file as shown in the example below.

set syslog host 10.1.58.2 any info