Check: ESXI-67-000030
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000030
(in versions v1 r3 through v1 r1)
Title
The ESXi host must produce audit records containing information to establish what type of events occurred. (Cat III impact)
Discussion
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Satisfies: SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.log.level" value and verify it is set to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the "Config.HostAgent.log.level" setting is not set to "info", this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
Fix Text
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Config.HostAgent.log.level" value, and configure it to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
Additional Identifiers
Rule ID: SV-239285r674784_rule
Vulnerability ID: V-239285
Group Title: SRG-OS-000037-VMM-000150
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |