The vCenter PostgreSQL service must initiate session auditing upon startup.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259170	VCPG-80-000009	SV-259170r935414_rule		Medium

Description
Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it needs to be in operation for the whole time the database management system (DBMS) is running.

STIG	Date
VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide	2023-10-29

Details

Check Text ( C-62910r935412_chk )
At the command prompt, run the following command: # /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW log_destination;" Example result: stderr If "log_destination" is not set to "stderr" or "syslog", this is a finding.

Fix Text (F-62819r935413_fix)
A script is included with vCenter to generate a PostgreSQL STIG configuration. At the command prompt, run the following commands: # chmod +x /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py # /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py --action stig_enable --pg-data-dir /storage/db/vpostgres # chmod -x /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py Restart the PostgreSQL service by running the following command: # vmon-cli --restart vmware-vpostgres

Fix Text (F-62819r935413_fix)

A script is included with vCenter to generate a PostgreSQL STIG configuration.

At the command prompt, run the following commands:

# chmod +x /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py
# /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py --action stig_enable --pg-data-dir /storage/db/vpostgres
# chmod -x /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py

Restart the PostgreSQL service by running the following command:

# vmon-cli --restart vmware-vpostgres