Check: VCLD-67-000014
VMware vSphere 6.7 VAMI-lighttpd STIG:
VCLD-67-000014
(in versions v1 r3 through v1 r2)
Title
Rsyslog must be configured to monitor VAMI logs. (Cat II impact)
Discussion
For performance reasons, rsyslog file monitoring is preferred over configuring VAMI to send events to a syslog facility. Without ensuring that logs are created, that rsyslog configs are created, and that those configs are loaded, the log file monitoring and shipping will not be effective. Satisfies: SRG-APP-000125-WSR-000071, SRG-APP-000358-WSR-000063, SRG-APP-000358-WSR-000163
Check Content
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". At the command prompt, execute the following command: # grep -v "^#" /etc/vmware-syslog/stig-services-vami.conf Expected result: input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log" Tag="vami-access" Severity="info" Facility="local0") If the file does not exist, this is a finding. If the output of the command does not match the expected result above, this is a finding.
Fix Text
Navigate to and open /etc/vmware-syslog/stig-services-vami.conf. Create the file if it does not exist. Set the contents of the file as follows: input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log" Tag="vami-access" Severity="info" Facility="local0")
Additional Identifiers
Rule ID: SV-239722r879582_rule
Vulnerability ID: V-239722
Group Title: SRG-APP-000125-WSR-000071
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001348 |
The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. |
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |