16:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper SRX Services Gateway NDM Security Technical Implementation Guide"}],false,["$","$L20",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","3","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 20, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Juniper_SRX_SG_NDM_STIG","children":"Juniper_SRX_SG_NDM_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":68}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",8]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",43]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",17]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20NDM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20NDM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20NDM%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y25M01_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L21",null,{"checks":[{"id":"e296e75a-90d8-47a9-82f3-c17a7a4e7ac3","vulnId":"V-223180","severity":"low","ruleTitle":"The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH.","description":"The connection-limit command limits the total number of concurrent SSH sessions. To help thwart brute force authentication attacks, the connection limit should be as restrictive as operationally practical\n\nJuniper Networks recommends the best practice of setting 10 (or less) for the connection-limit.\n\nThis configuration will permit up to 10 users to log in to the device simultaneously, but an attempt to log an 11th user into the device will fail. The attempt will remain in a waiting state until a session is terminated and made available.","checkContent":"Verify the Juniper SRX sets a connection-limit for the SSH protocol.\n\nShow system services ssh\n\nIf the SSH connection-limit is not set to 10 or less, this is a finding.","fixText":"Configure the SSH protocol to limit connection and sessions per connection.\n\n[edit]\nset system services ssh connection-limit 10\nset system services ssh max-sessions-per-connection 1"},{"id":"49846b28-a834-4715-b2d5-43c278a63459","vulnId":"V-223181","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.","description":"Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"8625c9a6-3a0d-4ce9-b68f-6785a4bf7551","vulnId":"V-223182","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events.","description":"Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events help to mitigate this risk. Auditing account modification events provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"1f52a987-5d1e-4eb0-ad52-a746ddabf769","vulnId":"V-223183","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.","description":"When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"33e81a59-5cce-46f5-acfe-4710c2ea4de5","vulnId":"V-223184","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events.","description":"Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"29a72b29-7d45-44c3-882a-9eae3f2483fc","vulnId":"V-223185","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nAccounts can be disabled by configuring the account with the build-in login class \"unauthorized\". When the command is reissued with a different login class, the account is enabled.","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system is not configured to generate a log record when account enabling actions occur, this is a finding.","fixText":"The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration.\n\n[edit]\nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"6b454522-0d37-40bf-927d-216b241afb39","vulnId":"V-223186","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.","description":"$22","checkContent":"Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have a user-defined, or the built-in unauthorized login class.\n\n[edit]\nshow system login\n\n Junos OS supports groups, which are centrally located snippets of code. This allows common configuration to be applied at one or more hierarchy levels without requiring duplicated stanzas. If there are no login-classes defined at [edit system login], then check for an apply-groups statement and verify appropriate configuration at the [edit groups] level.\n\n[edit]\nshow groups\n\nIf one or more account templates are not defined with an appropriate login class, this is a finding.\n\nIf more than one local account has an authentication stanza and is not documented, this is a finding.\n\nNote: Template accounts are differentiated from local accounts by the presence of an authentication stanza.","fixText":"User accounts, including the account of last resort must be assigned to a login class. \n\nConfigure the class parameters and privileges.\n\n[edit]\nSet system login class idle-timeout 10\nset system login class permissions \n\nCommit for the changes to take effect.\n\nCreate and configure template user (s).\n\n[edit]\nset system login user

Juniper SRX Services Gateway NDM Security Technical Implementation Guide

Checks (68)