Check: VMW1-00-000500
VMware Workspace ONE UEM STIG: VMW1-00-000500 (in versions v2 r1 through v1 r1)
Title
The Workspace ONE UEM server must be configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting. Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices. (Cat II impact)
Discussion
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the Workspace ONE UEM server has limited capability to store mobile device log files and perform analysis and reporting of mobile device log files, the Workspace ONE UEM server must have the capability to transfer log files to an audit log management server. SFR ID: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1)
Check Content
Review the Workspace ONE UEM server configuration settings and verify the server is configured to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting.

On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog.
3. If "Syslog Integration" is set to "DISABLED", this is a finding.
4. Examine the syslog configuration (server hostname, protocol, port, syslog facility, message tag, message content) for conformance with operational standards. If any are not set according to the standards, this is a finding.

Note: Workspace ONE UEM server logs include logs of MDM events and logs transferred to the Workspace ONE UEM server by MDM agents of managed devices.
Fix Text
Configure the Workspace ONE UEM server to transfer Workspace ONE UEM server logs to another server for storage, analysis, and reporting.

On the MDM console, do the following:
1. Authenticate to the Workspace ONE UEM console as the administrator.
2. Navigate to Groups & Settings >> All Settings >> System >> Enterprise Integration >> Syslog.
3. Set "Syslog Integration" to "ENABLED".
4. Configure syslog server hostname, protocol, port, syslog facility, message tag, message content according to organizational standards.
5. Click "SAVE".
6. Verify changes save successfully and Workspace ONE UEM server can transfer audit logs to the new syslog server.
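A collector-side check for step 6, added here as an example and not part of the STIG or of VMware's tooling: it parses syslog lines received on the log server and reports where the facility or message tag deviates from the organizational standard. It assumes the collector stores messages in RFC 3164 layout; the `local0` facility, `UEM-AUDIT` tag, host name and sample lines are constructed values.

```python
import re

# Facility and severity names by numeric code (RFC 3164 / RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MESSAGE
LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]{1,32})(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$", re.S)

def parse(line):
    """Return the decoded fields of one syslog line, or None if malformed."""
    m = LINE.match(line)
    if not m or int(m["pri"]) > 191:      # 191 = facility 23, severity 7
        return None
    pri = int(m["pri"])
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def deviations(line, standard):
    """List the ways a received line departs from the expected settings."""
    rec = parse(line)
    if rec is None:
        return ["unparseable: expected '<PRI>timestamp host tag: message'"]
    found = [f"{k}: got {rec[k]!r}, expected {standard[k]!r}"
             for k in ("facility", "tag") if rec[k] != standard[k]]
    if not rec["msg"].strip():
        found.append("message content is empty")
    return found

# Constructed organizational standard and constructed sample lines.
STANDARD = {"facility": "local0", "tag": "UEM-AUDIT"}
SAMPLES = [
    "<134>Mar  4 10:15:02 uem-console01 UEM-AUDIT: Event=AdminLogin User=admin1",
    "<14>Mar  4 10:15:03 uem-console01 UEM-AUDIT: Event=DeviceEnrolled",
    "Mar  4 10:15:04 uem-console01 UEM-AUDIT: missing priority header",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(deviations(s, STANDARD) or "conforms", "<-", s[:40])
```
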
Additional Identifiers
Rule ID: SV-221640r588007_rule
Vulnerability ID: V-221640
Group Title: PP-MDM-411054
CCIs
Number | Definition |
---|---|
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) | Transfer To Alternate Storage |