Check: VCST-80-000014
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) STIG:
VCST-80-000014
(in versions v2 r1 through v1 r1)
Title
The vCenter STS service must produce log records containing sufficient information regarding event details. (Cat II impact)
Discussion
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The "AccessLogValve" creates log files in the same format as those created by standard web servers. When "AccessLogValve" is properly configured, log files will contain all the forensic information necessary in the case of a security incident.

Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000016-AS-000013, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000090-AS-000051, SRG-APP-000091-AS-000052, SRG-APP-000343-AS-000030, SRG-APP-000375-AS-000211, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228
Check Content
At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-sso/vmware-sts/conf/server.xml

Example result:

pattern="%t %I [Request] "%{User-Agent}i" %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - "%r" %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]"

Required elements:

%h %{X-Forwarded-For}i %l %t %u "%r" %s %b

If the log pattern does not contain the required elements in any order, this is a finding.
Fix Text
Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/server.xml

Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows:

pattern="%t %I [Request] "%{User-Agent}i" %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - "%r" %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]"

Restart the service with the following command:

# vmon-cli --restart sts
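The check above is an xmllint lookup followed by a by-eye comparison against the required elements. As an added example (not part of the STIG or of VMware's tooling), the script below automates that comparison: it walks the same Server/Service/Engine/Host/Valve path, pulls the pattern of every AccessLogValve, and reports which required elements are missing, treating an absent valve as a finding just as the check does. The embedded server.xml is a constructed sample with the fixed pattern (Tomcat stores the nested quotes as &quot;), not the appliance's real file; pass a path as the first argument to check a real one.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Required elements from the check, accepted in any order.
REQUIRED = ['%h', '%{X-Forwarded-For}i', '%l', '%t', '%u', '"%r"', '%s', '%b']

# Constructed sample server.xml carrying the STIG-mandated pattern (not the real file).
SAMPLE_SERVER_XML = """<Server port="-1">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%t %I [Request] &quot;%{User-Agent}i&quot; %{X-Forwarded-For}i/%h:%{remote}p %l %u to local %{local}p - &quot;%r&quot; %H %m %U%q [Response] %s - %b bytes [Perf] process %Dms / commit %Fms / conn [%X]" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

# One Tomcat pattern token: %x or %{name}x (e.g. %h, %{X-Forwarded-For}i).
TOKEN_RE = re.compile(r'%(?:\{[^}]*\})?[A-Za-z]')


def access_log_patterns(xml_text):
    """Pattern of every AccessLogValve under Server/Service/Engine/Host (same path as the xmllint check)."""
    root = ET.fromstring(xml_text)
    return [v.get('pattern', '') for v in root.findall('./Service/Engine/Host/Valve')
            if v.get('className') == 'org.apache.catalina.valves.AccessLogValve']


def missing_elements(pattern):
    """Required elements absent from the pattern; an empty list means the pattern passes."""
    tokens = set(TOKEN_RE.findall(pattern))   # exact tokens, so %U does not stand in for %u
    missing = []
    for element in REQUIRED:
        present = ('"%r"' in pattern) if element == '"%r"' else (element in tokens)
        if not present:
            missing.append(element)
    return missing


def check_server_xml(xml_text):
    """Mirror the check: finding if no AccessLogValve exists or any valve lacks a required element."""
    patterns = access_log_patterns(xml_text)
    problems = {p: missing_elements(p) for p in patterns if missing_elements(p)}
    return {'finding': not patterns or bool(problems), 'missing': problems}


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    print(check_server_xml(text))
```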
Additional Identifiers
Rule ID: SV-258974r960891_rule
Vulnerability ID: V-258974
Group Title: SRG-APP-000095-AS-000056
CCIs
| Number | Definition |
|---|---|
| CCI-000067 | Employ automated mechanisms to monitor remote access methods. |
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 | Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 | Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 | Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 | Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| CCI-000169 | Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000171 | Allow organization-defined personnel or roles to select the event types that are to be logged by specific components of the system. |
| CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001487 | Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-001889 | Record time stamps for audit records that meet organization-defined granularity of time measurement. |
| CCI-002234 | Log the execution of privileged functions. |