Virtual machine OS log files are not saved before rollback.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15906 | ESX1100 | SV-16848r1_rule | Medium |
| Description |
|---|
| Traditionally, a physical server’s lifetime can be envisioned as a straight line where the current state of the machine is a static point forward as software executes, configuration changes made, and software is installed. In a virtual environment the virtual machine state is more akin to a tree, where at any point the execution can fork into N different branches. These different branches are the multiple instances of the virtual machine running or existing at any point in time. Branches are caused by taking multiple snapshots in a continuous manner. These multiple virtual machines may be rolled back to previous states in their execution and activity that was once logged may be lost if the log files are not archived before the rollback. |
| STIG | Date |
|---|---|
| VMware ESX 3 Server | 2016-05-13 |
Details
| Check Text ( C-16266r1_chk ) |
|---|
| Typically the OS log files are sent to a syslog server. Ask the IAO/SA the location of all archived OS logs that were saved before any rollback or revert to snapshot of the virtual machine. Correlate the logs to the rollback time to ensure that they are legitimate. If no logs have been saved, this is a finding. |
| Fix Text (F-15867r1_fix) |
|---|
| Archive all virtual machine OS log files before any virtual machine rollback. |