6.12.4 Ensure Local Logging is Set for Authentication and Authorization Events

Information

Logging data for Authentication and Authorization events should be saved to a local file.

Rationale:

Authentication and Authorization events are generated whenever a user logs in to the router or performs an action which requires Authorization, such as making a change.

This information can provide a record of activity on the JUNOS Device when responding to both Security Incidents and Operational Issues.

A local SYSLOG file should be configured to record all Authentication and Authorization related events, which are both generated by the authorization facility.

Impact:

Authentication and Authorization events will be logged to the configured file in the JUNOS Device's /var/log/ folder. You may wish to specify the size of files to be recorded, the number of zipped older files the JUNOS Devices should keep and automatic archiving settings to appropriate values for the device and environment you are using. Details of the related commands are linked in the References section.

Solution

To configure a local SYSLOG file for Auth events, issue the following command from the [edit system syslog] hierarchy;

[edit system syslog]
user@host#set file <filename> authorization any

Default Value:

Authorization events at Info level are logged to the /var/log/messages file by default on most JUNOS systems, but the additional events from the any level are not recorded by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2

Plugin: Juniper

Control ID: 47e05a930def867c5434e63681aedd4dc90970248f501ed7abc848d949ac804d