Title

Virtual machines (VMs) must enable logging. (Cat II impact)

Discussion

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including, but not limited to, power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations and machine clones. Due to the value these logs provide for the continued availability of each VM and potential security incidents, these logs must be enabled.

Check Content

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced. Ensure that the checkbox next to "Enable logging" is checked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Flags.EnableLogging -ne "True"} If logging is not enabled, this is a finding.

Fix Text

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced. Click the checkbox next to "Enable logging". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo $spec.Flags.enableLogging = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

Additional Identifiers

Rule ID: SV-258720r959010_rule

Vulnerability ID: V-258720

Group Title: SRG-OS-000480-VMM-002000

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.