The Photon operating system must configure rsyslog to offload system logs to a central server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239112	PHTN-67-000040	SV-239112r856041_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs. Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224

STIG	Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide	2022-09-27

Details

Check Text ( C-42323r816623_chk )
At the command line, execute the following command: # cat /etc/vmware-syslog/syslog.conf The output should be similar to the following (. or AO approved logging events): . @:port;RSYSLOG_syslogProtocol23Format If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding. OR Navigate to https://:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration". If no site-specific syslog server is configured, this is a finding.

Check Text ( C-42323r816623_chk )

At the command line, execute the following command:

# cat /etc/vmware-syslog/syslog.conf

The output should be similar to the following (*.* or AO approved logging events):

*.* @:port;RSYSLOG_syslogProtocol23Format

If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding.

OR

Navigate to https://:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration".

If no site-specific syslog server is configured, this is a finding.

Fix Text (F-42282r816624_fix)
Open /etc/vmware-syslog/syslog.conf with a text editor. Remove any existing content and create a new remote server configuration line. For UDP (. or AO approved logging events): . @:port;RSYSLOG_syslogProtocol23Format For TCP (. or AO approved logging events): . @@:port;RSYSLOG_syslogProtocol23Format OR Navigate to https://:5480 to access the VAMI. Authenticate and navigate to "Syslog Configuration". Click "Edit" in the top right. Configure a remote syslog server and click "OK".

Fix Text (F-42282r816624_fix)

Open /etc/vmware-syslog/syslog.conf with a text editor.

Remove any existing content and create a new remote server configuration line.

For UDP (*.* or AO approved logging events):

*.* @:port;RSYSLOG_syslogProtocol23Format

For TCP (*.* or AO approved logging events):

*.* @@:port;RSYSLOG_syslogProtocol23Format

OR

Navigate to https://:5480 to access the VAMI.

Authenticate and navigate to "Syslog Configuration".

Click "Edit" in the top right.

Configure a remote syslog server and click "OK".