Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243078 | VCTR-67-000008 | SV-243078r719644_rule | Medium |
Description |
---|
It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. To ensure the appropriate personnel are alerted if an audit failure occurs, a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server. |
STIG | Date |
---|---|
VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2021-04-16 |
Check Text ( C-46353r719475_chk ) |
---|
From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> More >> Alarm Definitions. Verify there is an alarm created to alert if an ESXi host can no longer reach its syslog server. The alarm definition will have a rule for the "Remote logging host has become unreachable" event. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "esx.problem.vmsyslogd.remote.failure"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created and enabled to alert when syslog failures occur, this is a finding. |
Fix Text (F-46310r719643_fix) |
---|
From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> More >> Alarm Definitions. Click "Add". Provide an alarm name and description. Select "Hosts" from the "Target type" dropdown menu. Click "Next". Paste "esx.problem.vmsyslogd.remote.failure" in the line after IF and press "Enter". Select "Show as Warning" for severity. Click "Next". Configure any other options as desired, enable alarm, and finish. Note: This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP. |