Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239192 | PHTN-67-000121 | SV-239192r675384_rule | | Medium |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. vCenter SSO logs do currently ship with rsyslog by default. The login information contained in the SSO logs is critical to capture for forensic and troubleshooting purposes. |
STIG | Date |
---|---|
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide | 2021-04-15 |
Check Text ( C-42403r675382_chk ) |
---|
At the command prompt, execute the following command: `# grep -v "^#" /etc/vmware-syslog/stig-services-sso.conf` Expected result: `input(type="imfile" File="/var/log/vmware/sso/ssoAdminServer.log" Tag="ssoAdmin" Severity="info" Facility="local0")` `input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts.log" Tag="ssoIdentitySTS" Severity="info" Facility="local0")` `input(type="imfile" File="/var/log/vmware/sso/websso.log" Tag="ssoWeb" Severity="info" Facility="local0")` If the file does not exist, this is a finding. If the output does not match the expected result, this is a finding. |
Fix Text (F-42362r675383_fix) |
---|
Open `/etc/vmware-syslog/stig-services-vami.conf` with a text editor. Create the file if it does not exist. Set the contents of the file as follows: `input(type="imfile" File="/var/log/vmware/sso/ssoAdminServer.log" Tag="ssoAdmin" Severity="info" Facility="local0")` `input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts.log" Tag="ssoIdentitySTS" Severity="info" Facility="local0")` `input(type="imfile" File="/var/log/vmware/sso/websso.log" Tag="ssoWeb" Severity="info" Facility="local0")` |
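
The Check Text comparison as a script that reports which expected inputs are missing or altered. This is an added example, not part of the STIG or of VMware's tooling. The function names and the tolerance for blank lines and trailing whitespace are assumptions of this example; the default path is the one given in the Check Text (the Fix Text names `stig-services-vami.conf`).

```shell
#!/bin/sh
# Added example (not DISA/VMware code): automates the V-239192 Check Text.
# Default path is taken from the Check Text; pass another path to override.
CONF_DEFAULT="/etc/vmware-syslog/stig-services-sso.conf"

# The three imfile inputs listed under "Expected result".
expected_inputs() {
cat <<'EOF'
input(type="imfile" File="/var/log/vmware/sso/ssoAdminServer.log" Tag="ssoAdmin" Severity="info" Facility="local0")
input(type="imfile" File="/var/log/vmware/sso/vmware-identity-sts.log" Tag="ssoIdentitySTS" Severity="info" Facility="local0")
input(type="imfile" File="/var/log/vmware/sso/websso.log" Tag="ssoWeb" Severity="info" Facility="local0")
EOF
}

# Mirror grep -v "^#"; additionally (an assumption of this example) ignore
# blank lines and trailing whitespace, which are cosmetic differences.
normalize() {
    awk '!/^#/ { sub(/[ \t]+$/, ""); if (length($0)) print }'
}

# Returns 0 when compliant, 1 on a finding, and prints the reason.
check_sso_syslog() {
    conf="${1:-$CONF_DEFAULT}"
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf does not exist"
        return 1
    fi
    actual=$(normalize < "$conf")
    if [ "$actual" = "$(expected_inputs)" ]; then
        echo "OK: $conf matches the expected result"
        return 0
    fi
    echo "FINDING: $conf does not match the expected result"
    # List expected inputs that are absent, then lines that should not be there.
    expected_inputs | while IFS= read -r line; do
        printf '%s\n' "$actual" | grep -Fqx -- "$line" || echo "  missing: $line"
    done
    printf '%s\n' "$actual" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected_inputs | grep -Fqx -- "$line" || echo "  unexpected: $line"
    done
    return 1
}

# Run only when a path is given on the command line.
[ "$#" -eq 0 ] || check_sso_syslog "$1"
```
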