• No results found

SYSLOG

In document Juniper JUNOS 8.x / 9.x / 10.x (Page 160-165)

6. System

6.14 SYSLOG

SYSLOG is a standard protocol for forwarding and handling log information in an IP Network.

Options for system logging and the SYSLOG service are configured under the [edit system syslog] hierarchy.

6.14.1 Require external SYSLOG server (Level 1, Scorable)

Description:

Logging data must be sent to at least one external SYSLOG server.

Rationale:

Log information from a router can be vital to detecting an attack against the router or to analysis of faults or attacks after the fact. Because of this, one of the first tasks an attacker will attempt to accomplish after gaining access to a router is to alter or delete logs to cover their tracks.

161 | P a g e

To prevent an attacker or a fault denying you access to log data, it is vital to send it to at least one external server using the SYSLOG protocol.

Remediation:

SYSLOG data is recorded locally by default, you can configure external SYSLOG servers by issuing the following command from the[edit system] hierarchy;

[edit system]

user@host#set syslog host <SYSLOG_SERVER> <FACILITY> <SEVERITY>

Details of Facility and Severity are given in the next two sections.

In most cases the explicit-priority options should be set so that Priority data (the facility and severity of a message) is sent to the server, this is the default on most routers and may be required for compatibility with many SYSLOG servers.

Audit:

From the command prompt, execute the following command:

[edit]

user@host#show system syslog | match “host” | count

The above command should return an Integer value equal to or greater than 1.

Default Value:

SYSLOG information is not sent to remote hosts by default, but is kept locally.

References:

1. Router Security Configuration Guide, Version 1.1b, Page 130, National Security Agency (NSA)

2. Payment Card Industry Data Security Standard (PCI DSS), Version 1.2, Requirement 10

6.14.2 Require external SYSLOG with all Facilities (Level 1, Scorable)

Description:

Logging data must be sent to at least one external SYSLOG server from all SYSLOG Facilities.

Rationale:

SYSLOG entries are generated by a range of sources on a JUNOS router, such as Daemon for events from system processes or PFE for events encountered by the Packet Forwarding Engine. These sources are referred to as Facilities and, in order to ensure that you are

162 | P a g e

recording a full picture of the routers health and security events from all facilities should be logged to at least one external SYSLOG server.

Remediation:

SYSLOG data is recorded locally by default, you can configure external SYSLOG servers by issuing the following command from the[edit system] hierarchy;

[edit system]

user@host#set syslog host <SYSLOG_SERVER> any <SEVERITY>

The facility is set by the any keyword following the server’s hostname or IP address. Details of Severity settings are given in the next section.

In most cases the explicit-priority options should be set so that Priority data (the facility and severity of a message) is sent to the server, this is the default on most routers and may be required for compatibility with many SYSLOG servers.

Audit:

From the command prompt, execute the following command:

[edit]

user@host#show services | match „syslog host * any *‟ | count

The above command should return an Integer value equal to or greater than 1.

Default Value:

SYSLOG information is not sent to remote hosts by default, but is kept locally.

References:

1. Router Security Configuration Guide, Version 1.1b, Page 130, National Security Agency (NSA)

2. Payment Card Industry Data Security Standard (PCI DSS), Version 1.2, Requirement 10

6.14.3 Require external SYSLOG with at least Informational Severity Level

(Level 1, Scorable)

Description:

Logging data must be sent to at least one external SYSLOG server for all events from at least Informational (6) Severity.

163 | P a g e

SYSLOG entries are logged with an associated Severity Level indicating how serious the event is. There are eight possible levels, which are as follows:

0 – Emergency 1 – Alert 2 – Critical 3 – Error 4 – Warning 5 – Notice 6 – Informational 7 – Debug

To ensure that critical information is not missed Syslog Severity should be set to Informational (6) or Debug (7).

Remediation:

SYSLOG data is recorded locally by default, you can configure external SYSLOG servers by issuing the following command from the[edit system] hierarchy;

[edit system]

user@host#set syslog host <SYSLOG_SERVER> <FACILITY> 6

The facility is set by the any keyword following the server’s hostname or IP address (see previous requirements).

In most cases the explicit-priority options should be set so that Priority data (the facility and severity of a message) is sent to the server; this is the default on most routers and may be required for compatibility with many SYSLOG servers.

Audit:

From the command prompt, execute the following command:

[edit]

user@host#show system | match „syslog host * 6 *‟ | count

The above command should return an Integer value equal to or greater than 1.

Default Value:

SYSLOG information is not sent to remote hosts by default, but is kept locally.

References:

1. Router Security Configuration Guide, Version 1.1b, Page 130, National Security Agency (NSA)

164 | P a g e

2. Payment Card Industry Data Security Standard (PCI DSS), Version 1.2, Requirement 10

3. Cisco IOS Benchmark, Version 2.2, Requirement 1.2.3.5, Center for Internet Security

6.14.4 Require external SYSLOG with at least Informational Severity Level

(Level 1, Scorable)

Description:

Logging data must be sent to at least one external SYSLOG server for all events from at least Informational (6) Severity.

Rationale:

SYSLOG entries are logged with an associated Severity Level indicating how serious the event is. There are eight possible levels, which are as follows:

0 – Emergency 1 – Alert 2 – Critical 3 – Error 4 – Warning 5 – Notice 6 – Informational 7 – Debug

To ensure that critical information is not missed Syslog Severity should be set to Informational (6) or Debug (7).

Remediation:

SYSLOG data is recorded locally by default, you can configure external SYSLOG servers by issuing the following command from the[edit system] hierarchy;

[edit system]

user@host#set syslog host <SYSLOG_SERVER> <FACILITY> 6

The facility is set by the any keyword following the server’s hostname or IP address (see previous requirements).

In most cases the explicit-priority options should be set so that Priority data (the facility and severity of a message) is sent to the server, this is the default on most routers and may be required for compatibility with many SYSLOG servers.

Audit:

165 | P a g e

[edit]

user@host#show system | match „syslog host * 6|7 *‟ | count

The above command should return an Integer value equal to or greater than 1.

Default Value:

SYSLOG information is not sent to remote hosts by default, but is kept locally.

References:

1. Router Security Configuration Guide, Version 1.1b, Page 130, National Security Agency (NSA)

2. Payment Card Industry Data Security Standard (PCI DSS), Version 1.2, Requirement 10

3. Cisco IOS Benchmark, Version 2.2, Requirement 1.2.3.5, Center for Internet Security

In document Juniper JUNOS 8.x / 9.x / 10.x (Page 160-165)
Download now "Juniper JUNOS 8.x / 9...."

Outline

Related documents