Check: VCTR-67-000036
VMware vSphere 6.7 vCenter STIG:
VCTR-67-000036
(in versions v1 r4 through v1 r1)
Title
The vCenter Server must produce audit records containing information to establish what type of events occurred. (Cat II impact)
Discussion
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Check Content
From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> Settings >> Advanced Settings.

Verify that "config.log.level" value is set to "info".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level

Verify it is set to "info".

If the "config.log.level" value is not set to "info" or does not exist, this is a finding.
Fix Text
From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> Settings >> Advanced Settings.

Click "Edit Settings" and configure the "config.log.level" setting to "info".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level | Set-AdvancedSetting -Value info
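The check and fix above can be scripted across every connected vCenter. The following is an added example, not part of the STIG text: the function name Test-VcLogLevel and its -Remediate switch are hypothetical, and it assumes a PowerCLI session already established with Connect-VIServer. A missing setting is reported as a finding and left for manual correction, since the Fix Text only covers changing an existing value.

```powershell
# Added example: audit (and optionally fix) config.log.level per VCTR-67-000036.
# Assumes an existing PowerCLI session (Connect-VIServer already run).
# Test-VcLogLevel and its -Remediate switch are hypothetical names.
function Test-VcLogLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # vCenter connections to audit; defaults to every connected server.
        [object[]]$Server = $global:DefaultVIServers,
        [switch]$Remediate
    )
    $required = 'info'
    foreach ($vc in $Server) {
        # The check treats a missing setting as a finding, so test for an empty result.
        $setting = Get-AdvancedSetting -Entity $vc -Name 'config.log.level' -ErrorAction SilentlyContinue
        $status = if (-not $setting) { 'Finding (setting missing)' }
                  elseif ($setting.Value -eq $required) { 'Compliant' }
                  else { 'Finding' }

        # Same pipeline as the Fix Text, applied only when the value is wrong.
        if ($Remediate -and $setting -and $setting.Value -ne $required) {
            if ($PSCmdlet.ShouldProcess($vc.Name, "Set config.log.level to '$required'")) {
                $setting = $setting | Set-AdvancedSetting -Value $required -Confirm:$false
                $status = 'Remediated'
            }
        }
        # One result row per vCenter, suitable for export to CSV as audit evidence.
        [pscustomobject]@{
            VCenter = $vc.Name
            Setting = 'config.log.level'
            Value   = if ($setting) { $setting.Value } else { $null }
            Status  = $status
        }
    }
}

# Audit only; add -Remediate (optionally with -WhatIf) to apply the fix.
Test-VcLogLevel | Format-Table -AutoSize
```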
Additional Identifiers
Rule ID: SV-243098r879845_rule
Vulnerability ID: V-243098
Group Title: SRG-APP-000474
CCIs
Number | Definition |
---|---|
CCI-002702 | The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered. |
Controls
Number | Title |
---|---|
SI-6 | Security Function Verification |