Nutanix AOS must restrict error messages only to authorized users.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254116	NUTX-AP-000490	SV-254116r846436_rule		Medium

Description
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages created by the application server. All application server user accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Description

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages created by the application server. All application server user accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

STIG	Date
Nutanix AOS 5.20.x Application Security Technical Implementation Guide	2022-08-24

Details

Check Text ( C-57601r846434_chk )
The Nutanix AOS application server log files are owned by the Nutanix user and have a file permission of "640". Step 1. Identify actual file name by looking at alert_manager.INFO, which is a symlink, the actual rotating file name. $ sudo ls -al /home/nutanix/data/logs/alert_manager.INFO lrwxrwxrwx. 1 nutanix nutanix 75 Nov 1 17:50 /home/nutanix/data/logs/alert_manager.INFO -> alert_manager.ntnx-.nutanix.log.INFO. Step 2. Execute a stat command on the actual application server log file name. $ sudo stat -c "%a %n" /home/nutanix/data/logs/alert_manager.ntnx-.nutanix.log.INFO. 640 /home/nutanix/data/logs/alert_manager.ntnx.nutanix.log.INFO. If the output of the actual log file name is not "640", this is a finding.

Check Text ( C-57601r846434_chk )

The Nutanix AOS application server log files are owned by the Nutanix user and have a file permission of "640".

Step 1. Identify actual file name by looking at alert_manager.INFO, which is a symlink, the actual rotating file name.
$ sudo ls -al /home/nutanix/data/logs/alert_manager.INFO
lrwxrwxrwx. 1 nutanix nutanix 75 Nov 1 17:50 /home/nutanix/data/logs/alert_manager.INFO -> alert_manager.ntnx-.nutanix.log.INFO.

Step 2. Execute a stat command on the actual application server log file name.
$ sudo stat -c "%a %n" /home/nutanix/data/logs/alert_manager.ntnx-.nutanix.log.INFO.
640 /home/nutanix/data/logs/alert_manager.ntnx.nutanix.log.INFO.

If the output of the actual log file name is not "640", this is a finding.

Fix Text (F-57552r846435_fix)
Configure Nutanix AOS Prism Elements application server log file permissions, run the following command: $ sudo salt-call state.sls security/CVM/interactivenutanixCVM