An error occurred:

Check: ESXI-70-000084

VMware vSphere 7.0 ESXi STIG: ESXI-70-000084 (in version v1 r1)

Title

The ESXi host must enable audit logging. (Cat II impact)

Discussion

ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization Extended Package. Local records are stored on any accessible local or VMFS path. Remote records are sent to the global syslog servers configured elsewhere. To operate in the NIAP validated state, ESXi must enable and properly configure this audit system. This system is disabled by default. Note: Audit records can be viewed locally via the " /bin/auditLogReader" utility over SSH or at the ESXi shell.

Check Content

From an ESXi shell, run the following command: # esxcli system auditrecords get or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.auditrecords.get.invoke()|Format-List Example result: Audit Record Storage Active: true Audit Record Storage Capacity: 100 Audit Record Storage Directory: /scratch/auditLog Audit Remote Host Enabled: true Note: The "Audit Record Storage Directory" may differ from the default above but it must still be located on persistent storage. If audit record storage is not active and configured, this is a finding.

Fix Text

From an ESXi shell, run the following commands: Optional: Set the audit log location to persistent storage. This is set to '/scratch/auditLog' by default and does not normally need to be changed. # esxcli system auditrecords local set --directory="/full/path/here" Mandatory: # esxcli system auditrecords local set --size=100 # esxcli system auditrecords local enable # esxcli system auditrecords remote enable # esxcli system syslog reload or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.auditrecords.local.set.CreateArgs() *Optional* $arguments.directory = "/full/path/here" $arguments.size="100" $esxcli.system.auditrecords.local.set.Invoke($arguments) $esxcli.system.auditrecords.local.enable.Invoke() $esxcli.system.auditrecords.remote.enable.Invoke()

Additional Identifiers

Rule ID: SV-256436r886089_rule

Vulnerability ID: V-256436

Group Title: SRG-OS-000480-VMM-002000

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings