tc Server API must produce log records containing sufficient information to establish what type of events occurred.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-88837 | VROM-TC-000165 | SV-99487r1_rule | Medium |
| Description |
|---|
| After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically process “GET” and “POST” requests clients. These will help investigators understand what happened. |
| STIG | Date |
|---|---|
| VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide | 2018-10-12 |
Details
| Check Text ( C-88529r1_chk ) |
|---|
| At the command prompt, execute the following command: tail /storage/log/vcops/log/suite-api/localhost_access_log.YYYY-MM-dd.txt Note: Substitute the actual date in the file name. If HTTP "GET" and/or "POST" events are not being recorded, this is a finding. |
| Fix Text (F-95579r1_fix) |
|---|
| Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/conf/server.xml. Navigate to and locate Configure the Note: The “AccessLogValve” should be configured as follows: pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log." suffix=".txt"/> |