Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-OS-99999-ESXI5-000132 | SRG-OS-99999-ESXI5-000132 | SRG-OS-99999-ESXI5-000132_rule | | Medium |
Description |
---|
ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done, only a single day's worth of logs is stored at any time; in addition, the log files are reinitialized on each reboot. This presents a security risk because user activity logged on the host is stored only temporarily and will not persist across reboots. It also complicates auditing and makes it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore. |
STIG | Date |
---|---|
VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Check Text ( C-SRG-OS-99999-ESXI5-000132_chk ) |
---|
Temporarily disable Lockdown Mode. As root, log in to the ESXi Shell and verify that "/scratch" is not linked to "/tmp/scratch": # ls -al / (the listing shows the link target of "/scratch"). If "/scratch" is linked to "/tmp/scratch", this is a finding. Re-enable Lockdown Mode on the host. |
Fix Text (F-SRG-OS-99999-ESXI5-000132_fix) |
---|
From the vSphere Client, select the ESXi host and click "Configuration >> Advanced Settings >> Syslog >> global" and specify a datastore and directory location, other than /tmp/scratch, for 'Syslog.global.logDir'. Note that a value under /scratch is only persistent if /scratch itself resolves to a persistent datastore rather than /tmp/scratch. |
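The following POSIX shell script is an added example, not part of the STIG text and not VMware's or DISA's own tooling. It automates the Check Text above (is /scratch a symlink into /tmp?) and also evaluates a 'Syslog.global.logDir' value the way the Fix Text requires, treating "/scratch/log" as persistent only when /scratch itself is. It assumes, beyond what the page states, that /scratch is a symlink resolvable with busybox readlink, that logDir values take the "[datastore] /path" form shown in the vSphere Client (or a bare /vmfs/volumes path), and that the ESXi 5.x esxcli commands named in the comments exist with that syntax; the constructed test tree and sample values are my own.

```sh
#!/bin/sh
# Added example for SRG-OS-99999-ESXI5-000132; not part of the STIG text.
# Assumptions not stated on the page: /scratch is a symlink that readlink can
# resolve, and Syslog.global.logDir values look like "[datastore1] /logs",
# "[] /scratch/log" or a bare path such as /vmfs/volumes/<uuid>/logs.

# Return 0 (finding) when a resolved scratch target lives on the in-memory
# file system, i.e. /tmp/scratch or anything else under /tmp.
target_is_volatile() {
    case "$1" in
        /tmp|/tmp/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 (finding) when the directory in $1 (normally /scratch) is a symlink
# whose target is volatile. Taking the path as an argument lets the check run
# against a constructed test tree instead of a live host.
scratch_is_volatile() {
    if [ -L "$1" ]; then
        target_is_volatile "$(readlink "$1")"
    else
        target_is_volatile "$1"
    fi
}

# Return 0 (finding) when a Syslog.global.logDir value ($1) does not point at
# persistent storage. $2 is the scratch directory to consult when the value is
# under /scratch, because "/scratch/log" is only persistent if /scratch is.
logdir_is_volatile() {
    value="$1"
    scratch="$2"
    case "$value" in
        \[*\]*)                          # "[datastore] /path" form
            ds=${value%%]*}; ds=${ds#\[}
            path=${value#*]}; path=${path# }
            ;;
        *)                               # bare path form
            ds=""; path="$value"
            ;;
    esac
    [ -n "$ds" ] && return 1             # named datastore: persistent
    case "$path" in
        /tmp|/tmp/*)         return 0 ;;
        /scratch|/scratch/*) scratch_is_volatile "$scratch" ;;
        *)                   return 1 ;;
    esac
}

# Audit one host: $1 is the scratch directory, $2 the logDir value.
# Prints each finding and returns 0 when compliant, 1 on a finding.
# On a live ESXi 5.x host (assumed esxcli output label "Local Log Output:"):
#   audit_host /scratch "$(esxcli system syslog config get | sed -n 's/^ *Local Log Output: //p')"
audit_host() {
    scratch="$1"
    logdir="$2"
    rc=0
    if scratch_is_volatile "$scratch"; then
        echo "FINDING: $scratch -> $(readlink "$scratch" 2>/dev/null || echo "$scratch") is in-memory"
        rc=1
    fi
    if logdir_is_volatile "$logdir" "$scratch"; then
        echo "FINDING: Syslog.global.logDir='$logdir' is not persistent"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: logging is on persistent storage"
    return "$rc"
}

# Shell equivalent of the vSphere Client fix (ESXi 5.x esxcli syntax assumed;
# run on the host, not here):
#   esxcli system syslog config set --logdir=/vmfs/volumes/datastore1/logs
#   esxcli system syslog reload
```

Run the audit before and after applying the fix; because the script resolves the symlink rather than trusting the setting's text, a host whose logDir reads "/scratch/log" still shows a finding while /scratch points at /tmp/scratch.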