Check: PHTN-67-000129
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000129
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must be configured to offload audit logs to a syslog server. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000447-GPOS-00201
Check Content
At the command prompt, execute the following command: # grep -v "^#" /etc/vmware-syslog/stig-services-auditd.conf Expected result: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0") If the file does not exist, this is a finding. If the output of the command does not match the expected result above, this is a finding.
Fix Text
Open /etc/vmware-syslog/stig-services-auditd.conf with a text editor. Create the file if it does not exist. Set the contents of the file as follows: input(type="imfile" File="/var/log/audit/audit.log" Tag="auditd" Severity="info" Facility="local0")
Additional Identifiers
Rule ID: SV-239072r877390_rule
Vulnerability ID: V-239072
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
CCI-002702 |
The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |