Check: PHTN-67-000040
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000040
(in versions v1 r2 through v1 r6)
Title
The Photon operating system must configure rsyslog to offload system logs to a central server. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs.

Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224
Check Content
At the command line, execute the following command:

# cat /etc/vmware-syslog/syslog.conf

The output should be similar to the following (*.* or AO approved logging events):

*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format

If no line is returned, if the line is commented, or if no valid syslog server is specified, this is a finding.

OR

Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration". If no site-specific syslog server is configured, this is a finding.
Fix Text
Open /etc/vmware-syslog/syslog.conf with a text editor. Remove any existing content and create a new remote server configuration line.

For UDP (*.* or AO approved logging events):

*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format

For TCP (*.* or AO approved logging events):

*.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format

OR

Navigate to https://<hostname>:5480 to access the VAMI. Authenticate and navigate to "Syslog Configuration". Click "Edit" in the top right. Configure a remote syslog server and click "OK".
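The check above is a manual "cat and eyeball" step. The following script is an added example, written for this page and not part of the STIG or of VMware's tooling, that automates the command-line half of the check (the VAMI route cannot be scripted this way). It reads the rsyslog configuration file named in the check text, ignores blank and commented lines, and accepts only an action of the form `@host:port;RSYSLOG_syslogProtocol23Format` (UDP) or `@@host:port;RSYSLOG_syslogProtocol23Format` (TCP). Two refinements are my own assumptions about what "no valid syslog server" means and go beyond the STIG wording: an unreplaced placeholder such as `<syslog server>` and a loopback target (localhost, 127.x, ::1) are both treated as a finding, since neither offloads anything. The sample configuration in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example for PHTN-67-000040 (not STIG or VMware code).
# Usage: sh check_phtn_67_000040.sh [/etc/vmware-syslog/syslog.conf]
# Exit status of check_syslog_conf: 0 = compliant, 1 = finding.

# Print every compliant forwarding target as "proto host port", one per line.
# Returns 0 if at least one was found, 1 otherwise.
check_syslog_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    awk '
        # Skip blank lines and comments (a commented-out forwarder is a finding).
        /^[ \t]*(#|$)/ { next }
        # Field 1 is the selector (e.g. *.*), field 2 the action.
        NF >= 2 && $2 ~ /^@@?[^;]+:[0-9]+;RSYSLOG_syslogProtocol23Format$/ {
            action = $2
            proto = (substr(action, 1, 2) == "@@") ? "tcp" : "udp"
            sub(/^@@?/, "", action)               # strip @ or @@
            sub(/;.*$/, "", action)               # strip ;template
            match(action, /:[0-9]+$/)             # split on the last colon
            host = substr(action, 1, RSTART - 1)
            port = substr(action, RSTART + 1)
            # Assumption beyond the STIG text: placeholders and loopback
            # targets are not a "valid syslog server".
            if (host ~ /[<>]/) next
            if (host == "localhost" || host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print proto, host, port
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

if [ -n "$1" ]; then
    # Check a real file when a path is supplied.
    if check_syslog_conf "$1"; then
        echo "PHTN-67-000040: compliant"
    else
        echo "PHTN-67-000040: FINDING"
    fi
else
    # Demo on a constructed sample (not a real appliance file).
    demo_conf=$(mktemp)
    cat > "$demo_conf" <<'EOF'
# constructed example: one commented-out forwarder, one live TCP forwarder
# *.* @old-collector.example.mil:514;RSYSLOG_syslogProtocol23Format
*.* @@syslog.example.mil:514;RSYSLOG_syslogProtocol23Format
EOF
    if check_syslog_conf "$demo_conf"; then
        echo "PHTN-67-000040: compliant"
    else
        echo "PHTN-67-000040: FINDING"
    fi
    rm -f "$demo_conf"
fi
```

Note that `@` is plain UDP and `@@` is plain TCP: both satisfy this check, but neither authenticates the collector or encrypts the stream, and UDP gives no delivery guarantee. Where the AO permits, prefer TCP, and consider TLS-wrapped forwarding in rsyslog, which requires additional configuration beyond the single line shown here.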
Additional Identifiers
Rule ID: SV-239112r856041_rule
Vulnerability ID: V-239112
Group Title: SRG-OS-000205-GPOS-00083
CCIs
Number | Definition
---|---
CCI-001312 | The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
CCI-001683 | The information system notifies organization-defined personnel or roles for account creation actions.
CCI-001684 | The information system notifies organization-defined personnel or roles for account modification actions.
CCI-001685 | The information system notifies organization-defined personnel or roles for account disabling actions.
CCI-001686 | The information system notifies organization-defined personnel or roles for account removal actions.
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.