Check: VCUI-67-000005
VMware vSphere 6.7 UI Tomcat STIG:
VCUI-67-000005
(in versions v1 r3 through v1 r2)
Title
vSphere UI must record user access in a format that enables monitoring of remote access. (Cat II impact)
Discussion
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The AccessLogValve creates log files in the same format as those created by standard web servers. When AccessLogValve is properly configured, log files will contain all the forensic information necessary in the case of a security incident. Satisfies: SRG-APP-000016-WSR-000005, SRG-APP-000089-WSR-000047, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000098-WSR-000059, SRG-APP-000098-WSR-000060, SRG-APP-000099-WSR-000061, SRG-APP-000100-WSR-000064, SRG-APP-000374-WSR-000172, SRG-APP-000375-WSR-000171
Check Content
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/server.xml | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' -

Expected result:

pattern="%h %{x-forwarded-for}i %l %u %t %r %s %b %{#hashedSessionId#}s %I %D"

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml. Ensure the log pattern in the "org.apache.catalina.valves.AccessLogValve" node is set to the following:

pattern="%h %{x-forwarded-for}i %l %u %t %r %s %b %{#hashedSessionId#}s %I %D"
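The same check as the xmllint command above, reproduced here as an added example (not part of the STIG text) with Python's standard library so it can run as an offline compliance probe or CI test against a copy of server.xml. The sample server.xml documents below are constructed for the example and are not real vSphere files.

```python
import xml.etree.ElementTree as ET

# Expected value straight from the STIG check/fix text.
EXPECTED_PATTERN = "%h %{x-forwarded-for}i %l %u %t %r %s %b %{#hashedSessionId#}s %I %D"
# Same XPath as the xmllint check, relative to the <Server> root element.
VALVE_XPATH = './Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'


def check_access_log_pattern(server_xml: str) -> tuple[bool, str]:
    """Return (compliant, detail) for server.xml content.

    Reports a finding when the valve is missing, when more than one
    AccessLogValve is present (xmllint would print several patterns, none
    matching the single expected line), or when the pattern differs.
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        return False, f"root element is <{root.tag}>, expected <Server>"
    valves = root.findall(VALVE_XPATH)
    if not valves:
        return False, "no AccessLogValve under /Server/Service/Engine/Host"
    if len(valves) != 1:
        return False, f"{len(valves)} AccessLogValve elements found, expected exactly 1"
    pattern = valves[0].get("pattern")
    if pattern != EXPECTED_PATTERN:
        return False, f"pattern={pattern!r} does not match expected result"
    return True, "pattern matches expected result"


# Constructed sample server.xml (not a real vSphere file), compliant form.
COMPLIANT_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %{x-forwarded-for}i %l %u %t %r %s %b %{#hashedSessionId#}s %I %D"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""
# Same file with Tomcat's default "common" pattern: no forwarded-for, session or timing fields.
NONCOMPLIANT_XML = COMPLIANT_XML.replace(EXPECTED_PATTERN, "%h %l %u %t &quot;%r&quot; %s %b")

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_XML), ("noncompliant", NONCOMPLIANT_XML)):
        ok, detail = check_access_log_pattern(doc)
        print(f"{name}: {'PASS' if ok else 'FINDING'} - {detail}")
```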
Additional Identifiers
Rule ID: SV-239686r879521_rule
Vulnerability ID: V-239686
Group Title: SRG-APP-000016-WSR-000005
CCIs
Number | Definition
---|---
CCI-000067 | The information system monitors remote access methods.
CCI-000130 | The information system generates audit records containing information that establishes what type of event occurred.
CCI-000131 | The information system generates audit records containing information that establishes when an event occurred.
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred.
CCI-000133 | The information system generates audit records containing information that establishes the source of the event.
CCI-000134 | The information system generates audit records containing information that establishes the outcome of the event.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-001462 | The information system provides the capability for authorized users to capture/record and log content related to a user session.
CCI-001464 | The information system initiates session audits at system start-up.
CCI-001487 | The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
CCI-001889 | The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
CCI-001890 | The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).