The vCenter PostgreSQL service must off-load audit data to a separate log management facility.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259185 | VCPG-80-000122 | SV-259185r935459_rule | Medium |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The database management system (DBMS) may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62925r935457_chk ) |
|---|
| By default there is a vmware-services-vmware-vpostgres.conf rsyslog and vmware-services-vmware-postgres-archiver.conf configuration file that includes the service logs when syslog is configured on vCenter but it must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-vmware-vpostgres.conf Expected result: # vmware-vpostgres first logs stdout, before loading configuration input(type="imfile" File="/var/log/vmware/vpostgres/serverlog.stdout" Tag="vpostgres-first" Severity="info" Facility="local0") # vmware-vpostgres first logs stderr, before loading configuration input(type="imfile" File="/var/log/vmware/vpostgres/serverlog.stderr" Tag="vpostgres-first" Severity="info" Facility="local0") # vmware-vpostgres logs input(type="imfile" File="/var/log/vmware/vpostgres/postgresql-*.log" Tag="vpostgres" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-vmware-postgres-archiver.conf Expected result: # vmware-postgres-archiver stdout log input(type="imfile" File="/var/log/vmware/vpostgres/pg_archiver.log.stdout" Tag="postgres-archiver" Severity="info" Facility="local0") # vmware-postgres-archiver stderr log input(type="imfile" File="/var/log/vmware/vpostgres/pg_archiver.log.stderr" Tag="postgres-archiver" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding. |
| Fix Text (F-62834r935458_fix) |
|---|
| Navigate to and open: /etc/vmware-syslog/vmware-services-vmware-vpostgres.conf Create the file if it does not exist. Set the contents of the file as follows: # vmware-vpostgres first logs stdout, before loading configuration input(type="imfile" File="/var/log/vmware/vpostgres/serverlog.stdout" Tag="vpostgres-first" Severity="info" Facility="local0") # vmware-vpostgres first logs stderr, before loading configuration input(type="imfile" File="/var/log/vmware/vpostgres/serverlog.stderr" Tag="vpostgres-first" Severity="info" Facility="local0") # vmware-vpostgres logs input(type="imfile" File="/var/log/vmware/vpostgres/postgresql-*.log" Tag="vpostgres" Severity="info" Facility="local0") Navigate to and open: /etc/vmware-syslog/vmware-services-vmware-postgres-archiver.conf Create the file if it does not exist. Set the contents of the file as follows: # vmware-postgres-archiver stdout log input(type="imfile" File="/var/log/vmware/vpostgres/pg_archiver.log.stdout" Tag="postgres-archiver" Severity="info" Facility="local0") # vmware-postgres-archiver stderr log input(type="imfile" File="/var/log/vmware/vpostgres/pg_archiver.log.stderr" Tag="postgres-archiver" Severity="info" Facility="local0") |