6.12.6 Ensure Local Logging is Set to Messages File

Information

Logging data should be saved locally to the default messages file.

Rationale:

As part of the factory-default configuration, all JUNOS devices are configured to log SYSLOG events from several Facilities to a standard /var/log/messages file.

The exact logging for this file may vary slightly by platform, but will always include critical messages from any facility and authorization messages at info level.

When responding to a Security Incident, it is not uncommon for additional external resources or JTAC support to be engaged. Removing logging to this standard location may slow down and hamper Incident Responders, particularly those who may not be familiar with organization-specific standards, as they look for expected logs in this file, either manually or using automated/scripting tools.

The fact that the /var/log/messages file is missing may also be interpreted by Incident Responders as being a part of the intrusion or incident, resulting in further time being lost investigating something which is not, in this case, related to the incident.

For these reasons, the default logging to the /var/log/messages file should always be left in place on all JUNOS Devices, with any additional details or levels logged to other files as required.

Impact:

The default local logging to the /var/log/messages file will be used.

Solution

To configure a local SYSLOG messages file, issue the following commands from the [edit system syslog] hierarchy:

[edit system syslog]
user@host# set file messages any critical

[edit system syslog]
user@host# set file messages authorization info

On some JUNOS platforms, the factory-default configuration may include additional elements to be logged to the /var/log/messages file.
You can confirm the factory-default SYSLOG settings for your JUNOS Device by issuing the following commands from a new configuration mode session that has no outstanding changes.
First, confirm that there are no pending changes:

[edit]
user@host# show | compare

If any differences were highlighted, do not proceed with the next set of commands until you have either rolled back or committed the outstanding changes.
Next, load the factory-default configuration (do not commit this configuration):

[edit]
user@host# load factory-default

Now we can compare the factory-default configuration to your current Active Configuration (rollback 0):

[edit]
user@host# edit system syslog file messages

[edit system syslog file messages]
user@host# show | compare

Finally, roll the Candidate Configuration back to the current Active Configuration and quit from Configuration Mode:

[edit system syslog file messages]
user@host# top

[edit]
user@host# rollback 0
load complete

[edit]
user@host# quit

Any logging which was missing from the current Active Configuration should be added to restore the original configuration.
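
The same baseline can be checked offline against saved output of "show configuration system syslog | display set". The script below is an added example, not part of the benchmark or of any Juniper tooling. It assumes that a severity threshold more verbose than the required one (for example "any notice") satisfies the requirement, and that an explicit facility entry takes precedence over "any"; the function names and the sample input are constructed for illustration.

```python
import re

# Junos syslog severities, most to least severe; "any" matches every level.
SEVERITY_RANK = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                 "warning": 4, "notice": 5, "info": 6, "any": 7}
# Baseline from this recommendation: facility -> least verbose acceptable level.
REQUIRED = {"any": "critical", "authorization": "info"}
SET_LINE = re.compile(r"^set system syslog file messages (\S+) (\S+)$")
INACTIVE = {"deactivate system syslog", "deactivate system syslog file messages"}


def parse_messages_file(display_set_text):
    """Return {facility: severity} configured for 'file messages'."""
    entries = {}
    for line in display_set_text.splitlines():
        line = line.strip()
        if line in INACTIVE:
            return {}  # a deactivated stanza does not log anything
        m = SET_LINE.match(line)
        # Skip non-facility statements such as 'match "..."'.
        if m and (m.group(2) in SEVERITY_RANK or m.group(2) == "none"):
            entries[m.group(1)] = m.group(2)
    return entries


def audit(display_set_text):
    """Return the set commands needed to restore the baseline ([] = compliant)."""
    entries = parse_messages_file(display_set_text)
    findings = []
    for facility, minimum in REQUIRED.items():
        # Assumption: an explicit facility entry overrides the 'any' entry.
        have = entries.get(facility, entries.get("any"))
        if have in (None, "none") or SEVERITY_RANK[have] < SEVERITY_RANK[minimum]:
            findings.append(f"set system syslog file messages {facility} {minimum}")
    return findings


# Constructed sample: 'any notice' still covers critical, but authorization
# has been reduced to 'error', so info-level authorization events are lost.
SAMPLE = """\
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization error
set system syslog file interactive-commands interactive-commands any
"""

if __name__ == "__main__":
    for fix in audit(SAMPLE):
        print("baseline not met, restore with:", fix)
```

The returned commands are written for the top-level [edit] hierarchy.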

Default Value:

Messages from any Facility at critical Severity and from the authorization Facility at info Severity are logged to the /var/log/messages file on all JUNOS Devices. Some devices may have additional logging to this file by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2

Plugin: Juniper

Control ID: 5450cfcdc253f1959e22af9ee339a578fa79105950193c93b86e08ea3032d600