Auditing is not configured on the ESX Server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15844	ESX0450	SV-16785r1_rule		Medium

Description
Audit utilities can extract information about specific users and processes from the audit files. The IAO/SA will ensure audit files are only accessible to authorized personnel. Auditing will be configured to immediately alert personnel of any unusual or inappropriate activity with potential IA implications. All users, including root, will be audited. The system administrator will rotate and compress the audit logs one or more times a day to reduce space and the time required for log searches and reviews. Audit data will be backed up weekly onto a different system or media than the system being audited. Utilizing an audit server will ease the attention required by audit logs and provide compliance with the requirement for the backup of audit data. Auditing will be configured according to section 3.16 of the UNIX STIG. Audit logs and audit files must be analyzed at regular intervals. Such files can quickly grow to large proportions. To keep the size of log files and audit files within a useful range, the evaluation intervals should not be impractically short, but short enough to allow a clear examination. Collected data will be examined and analyzed daily to detect any compromise or attempted compromise of system security.

Description

Audit utilities can extract information about specific users and processes from the audit files. The IAO/SA will ensure audit files are only accessible to authorized personnel. Auditing will be configured to immediately alert personnel of any unusual or inappropriate activity with potential IA implications. All users, including root, will be audited. The system administrator will rotate and compress the audit logs one or more times a day to reduce space and the time required for log searches and reviews. Audit data will be backed up weekly onto a different system or media than the system being audited. Utilizing an audit server will ease the attention required by audit logs and provide compliance with the requirement for the backup of audit data. Auditing will be configured according to section 3.16 of the UNIX STIG. Audit logs and audit files must be analyzed at regular intervals. Such files can quickly grow to large proportions. To keep the size of log files and audit files within a useful range, the evaluation intervals should not be impractically short, but short enough to allow a clear examination. Collected data will be examined and analyzed daily to detect any compromise or attempted compromise of system security.

STIG	Date
VMware ESX 3 Server	2016-05-13

Details

Check Text ( C-16192r1_chk )
On the ESX Server service console perform the following command: #ps –ef \| grep auditd Verify the auditd daemon is running. If it is not, this is a finding.

Fix Text (F-15798r1_fix)
Configure LAUS on the ESX Server. LAUS is included on the ESX distribution media. The procedures to install it are as follows: laus-libs-0.1-76RHEL3.i386.rpm is installed, but laus-0.1-76RHEL3.i386.rpm is not. 1. Mount the ISO image / CD-ROM to VMware/RPMS, and install via # rpm -ivh laus- 0.1-76RHEL3.i386.rpm 2. Run the following command from the shell # service audit start 3. Run the following commands to test to see if LAUS is configured. These commands will produce output: # /usr/sbin/aucat OR # /usr/sbin/augrep.

Fix Text (F-15798r1_fix)

Configure LAUS on the ESX Server. LAUS is included on the ESX distribution media. The procedures to install it are as follows:
laus-libs-0.1-76RHEL3.i386.rpm is installed, but laus-0.1-76RHEL3.i386.rpm is not.
1. Mount the ISO image / CD-ROM to VMware/RPMS, and install via # rpm -ivh laus- 0.1-76RHEL3.i386.rpm
2. Run the following command from the shell # service audit start
3. Run the following commands to test to see if LAUS is configured. These commands will produce output: # /usr/sbin/aucat OR # /usr/sbin/augrep.