HAProxy must be configured to use syslog.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89189	VRAU-HA-000360	SV-99839r1_rule		Medium

Description
There are many aspects of appropriate web server logging for security. Storage capacity must be adequate. ISSO and SA must receive warnings and alerts when storage capacity is filled to 75%. Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.

Description

There are many aspects of appropriate web server logging for security. Storage capacity must be adequate. ISSO and SA must receive warnings and alerts when storage capacity is filled to 75%. Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analysis of events, and backup and archiving of event records enterprise-wide. The web server and related components are required to be capable of writing logs to centralized audit log servers. This requirement can be met by configuring the web server to utilize a dedicated log tool that meets this requirement.

STIG	Date
VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-88881r2_chk )
Navigate to and open /etc/haproxy/haproxy.cfg Navigate to the "globals" section. Verify that the "globals" section contains the "log" keyword, and that the "log" option contains the local0 syslog facility as its parameter. If properly configured, the "globals" section will contain the following: global log 127.0.0.1 local0 If the local0 syslog facility is not configured, this is a finding. Navigate to the "defaults" section. Verify that the "defaults" section contains the "log" keyword with the global value. Verify that an option keyword has been configured with the "httplog" value. If properly configured, the "defaults" section will contain the following: defaults log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to the each frontend section. Verify that the "log" keyword has not been set for each frontend. If the "log" keyword is present in a frontend, this is a finding. Navigate to and open /etc/rsyslog.d/vcac.conf. Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility. If the local0 syslog facility does not refer to a valid log file, this is a finding. Navigate to and open the local0 syslog log file. Verify that HAProxy is logging start and stop events to the log file. If the log file is not recording HAProxy start and stop events, this is a finding.

Check Text ( C-88881r2_chk )

Navigate to and open /etc/haproxy/haproxy.cfg

Navigate to the "globals" section.

Verify that the "globals" section contains the "log" keyword, and that the "log" option contains the local0 syslog facility as its parameter.

If properly configured, the "globals" section will contain the following:

global
log 127.0.0.1 local0

If the local0 syslog facility is not configured, this is a finding.

Navigate to the "defaults" section.

Verify that the "defaults" section contains the "log" keyword with the global value.

Verify that an option keyword has been configured with the "httplog" value.

If properly configured, the "defaults" section will contain the following:

defaults
log global
option httplog

Navigate to and open the following files:

/etc/haproxy/conf.d/30-vro-config.cfg
/etc/haproxy/conf.d/20-vcac.cfg

Navigate to the each frontend section.

Verify that the "log" keyword has not been set for each frontend.

If the "log" keyword is present in a frontend, this is a finding.

Navigate to and open /etc/rsyslog.d/vcac.conf.

Review the configured syslog facilities and determine the location of the log file for the local0 syslog facility.

If the local0 syslog facility does not refer to a valid log file, this is a finding.

Navigate to and open the local0 syslog log file.

Verify that HAProxy is logging start and stop events to the log file.

If the log file is not recording HAProxy start and stop events, this is a finding.

Fix Text (F-95931r2_fix)
Navigate to and open /etc/rsyslog.d/vcac.conf. Configure the local0 syslog facility to write to an appropriate log file. Navigate to and open /etc/haproxy/haproxy.cfg. Configure the "globals" section with the following: log 127.0.0.1 local0 Configure the "defaults" section with both of the following: log global option httplog Navigate to and open the following files: /etc/haproxy/conf.d/30-vro-config.cfg /etc/haproxy/conf.d/20-vcac.cfg Navigate to each frontend section. Remove any log options from each frontend.

Fix Text (F-95931r2_fix)

Navigate to and open /etc/rsyslog.d/vcac.conf.

Configure the local0 syslog facility to write to an appropriate log file.

Navigate to and open /etc/haproxy/haproxy.cfg.

Configure the "globals" section with the following:

log 127.0.0.1 local0

Configure the "defaults" section with both of the following:

log global
option httplog

Navigate to and open the following files:

/etc/haproxy/conf.d/30-vro-config.cfg
/etc/haproxy/conf.d/20-vcac.cfg

Navigate to each frontend section.

Remove any log options from each frontend.