6.1.4 Recommend Accounting of Interactive Commands (where External AAA is used)

Information

Where External AAA is used, Interactive Command Accounting Events should be sent to either TACACS+ or RADIUS.

Rationale:

To protect any asset, including a Juniper router, you have to have a record of who logged in or attempted to login as well as who made changes to the configuration and when. For additional security you should also keep records of all commands issued, who issued them and when.

This is not possible in all deployments due to the additional load, network traffic and storage requirements. For most scenarios the high resource use is outweighed by the benefits that the command history provides, particularly in responding to an incident or fault.

JUNOS can log these events to RADIUS and/or TACACS+ servers to allow reliable, centralized records to be kept for all of the devices in your network.

Solution

Configure Accounting of Logins and Configuration Changes by entering the following commands under the [edit system accounting] hierarchy;

[edit system accounting]
user@host#set events [change-log interactive-commands login]

The interactive-commands should be selected at a minimum, although in many cases you may also wish to add change-log and login accounting.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Juniper

Control ID: aa91536116facb3f2f3629a7c20eb72c6f683790b06e2006ae8d6fdb9909aca9