Check: ESXI-67-100004
VMware vSphere 6.7 ESXi STIG: ESXI-67-100004 (in version v1 r1)
Title
The ESXi host must centrally review and analyze audit records from multiple components within the system by configuring remote logging. (Cat II impact)
Discussion
Remote logging to a central log host provides a secure, centralized store for ESXi logs. Gathering host log files onto a central host makes it easier to monitor all hosts with a single tool. It also allows aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.

Satisfies: SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280
Check Content
From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the "Syslog.global.logHost" value is not set to a site-specific syslog server, this is a finding.
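The check above can be scripted so that an empty value, or a target outside the site's approved list, is reported per host. This is an added example, not part of the STIG text: the helper name Test-SyslogLogHost, the approved host list and the sample values are constructed placeholders.

```powershell
# Added example: evaluates a Syslog.global.logHost value against a site-approved list.
# Test-SyslogLogHost is a hypothetical helper; host names below are constructed.
function Test-SyslogLogHost {
    param(
        [AllowEmptyString()][string]$Value,
        [Parameter(Mandatory)][string[]]$ApprovedHosts
    )
    # An empty value means no remote logging is configured: a finding.
    if ([string]::IsNullOrWhiteSpace($Value)) {
        return [pscustomobject]@{ Value = $Value; Finding = $true; Reason = 'logHost is empty' }
    }
    # The setting accepts a comma-separated list such as
    # "udp://host:514,ssl://host:1514"; strip scheme and port from each target.
    $targets = @($Value -split ',' | ForEach-Object {
        ($_.Trim() -replace '^(udp|tcp|ssl)://', '') -replace ':\d+$', ''
    } | Where-Object { $_ })
    if ($targets.Count -eq 0) {
        return [pscustomobject]@{ Value = $Value; Finding = $true; Reason = 'no usable target' }
    }
    $unapproved = @($targets | Where-Object { $_ -notin $ApprovedHosts })
    if ($unapproved.Count -gt 0) {
        return [pscustomobject]@{ Value = $Value; Finding = $true
            Reason = "unapproved target(s): $($unapproved -join ', ')" }
    }
    [pscustomobject]@{ Value = $Value; Finding = $false; Reason = 'all targets approved' }
}

$approved = @('syslog01.example.com')   # constructed placeholder for the site list

# Offline run over constructed values: empty, approved, and unapproved target.
foreach ($sample in '', 'udp://syslog01.example.com:514', 'tcp://10.0.0.5:514') {
    Test-SyslogLogHost -Value $sample -ApprovedHosts $approved
}

# Against live hosts (requires PowerCLI and an active Connect-VIServer session):
# foreach ($h in Get-VMHost) {
#     $v = ($h | Get-AdvancedSetting -Name Syslog.global.logHost).Value
#     $r = Test-SyslogLogHost -Value $v -ApprovedHosts $approved
#     [pscustomobject]@{ VMHost = $h.Name; Finding = $r.Finding; Reason = $r.Reason }
# }
```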
Fix Text
From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings. Select the "Syslog.global.logHost" value and configure it to a site-specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
Additional Identifiers
Rule ID: SV-239330r674919_rule
Vulnerability ID: V-239330
Group Title: SRG-OS-000051-VMM-000230
CCIs
Number | Definition |
---|---|
CCI-000154 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000163 | The information system protects audit information from unauthorized modification. |
CCI-000164 | The information system protects audit information from unauthorized deletion. |