The ESXi host must verify certificates for SSL syslog endpoints.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258779	ESXI-80-000224	SV-258779r933398_rule		Medium

Description
When sending syslog data to a remote host, ESXi can be configured to use any combination of TCP, UDP, and SSL transports. When using SSL, the server certificate must be validated to ensure that the host is connecting to a valid syslog server.

STIG	Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62519r933396_chk )
If SSL is not used for a syslog target, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logCheckSSLCerts" value and verify it is set to "true". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts If the "Syslog.global.logCheckSSLCerts" setting is not set to "true", this is a finding.

Check Text ( C-62519r933396_chk )

If SSL is not used for a syslog target, this is not applicable.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "Syslog.global.logCheckSSLCerts" value and verify it is set to "true".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts

If the "Syslog.global.logCheckSSLCerts" setting is not set to "true", this is a finding.

Fix Text (F-62428r933397_fix)
To configure SSL syslog endpoint certificate checking, it must be turned on and the trusted certificate chain must be added to ESXi's trusted store. From the vSphere Client go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.logCheckSSLCerts" value and configure it to "true". Copy the PEM formatted trusted CA certificate so that is accessible to the host and append the contents to /etc/vmware/ssl/castore.pem by running the following command: # >> /etc/vmware/ssl/castore.pem or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts \| Set-AdvancedSetting -Value "true" Copy the PEM formatted trusted CA certificate so that is accessible to the host. $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.security.certificatestore.add.CreateArgs() $arguments.filename = $esxcli.system.security.certificatestore.add.Invoke($arguments)

Fix Text (F-62428r933397_fix)

To configure SSL syslog endpoint certificate checking, it must be turned on and the trusted certificate chain must be added to ESXi's trusted store.

From the vSphere Client go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Click "Edit". Select the "Syslog.global.logCheckSSLCerts" value and configure it to "true".

Copy the PEM formatted trusted CA certificate so that is accessible to the host and append the contents to /etc/vmware/ssl/castore.pem by running the following command:

# >> /etc/vmware/ssl/castore.pem

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Set-AdvancedSetting -Value "true"

Copy the PEM formatted trusted CA certificate so that is accessible to the host.

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.certificatestore.add.CreateArgs()
$arguments.filename =
$esxcli.system.security.certificatestore.add.Invoke($arguments)