UCF STIG Viewer Logo

The Photon operating system must configure rsyslog to offload system logs to a central server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239112 PHTN-67-000040 SV-239112r816625_rule Medium
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224
STIG Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2022-06-17

Details

Check Text ( C-42323r816623_chk )
At the command line, execute the following command:

# cat /etc/vmware-syslog/syslog.conf

The output should be similar to the following (*.* or AO approved logging events):

*.* @:port;RSYSLOG_syslogProtocol23Format

If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding.

OR

Navigate to https://:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration".

If no site-specific syslog server is configured, this is a finding.
Fix Text (F-42282r816624_fix)
Open /etc/vmware-syslog/syslog.conf with a text editor.

Remove any existing content and create a new remote server configuration line.

For UDP (*.* or AO approved logging events):

*.* @:port;RSYSLOG_syslogProtocol23Format

For TCP (*.* or AO approved logging events):

*.* @@:port;RSYSLOG_syslogProtocol23Format

OR

Navigate to https://:5480 to access the VAMI.

Authenticate and navigate to "Syslog Configuration".

Click "Edit" in the top right.

Configure a remote syslog server and click "OK".