
The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.


Overview

Finding ID: V-258743
Version: ESXI-80-000113
Rule ID: SV-258743r958752_rule
IA Controls:
Severity: Medium
Description
In order to ensure ESXi has sufficient storage capacity in which to write the audit logs, audit record storage capacity should be configured. If a central audit record storage facility is available, the local storage capacity should be sufficient to hold audit records that would accumulate during anticipated interruptions in delivery of records to the facility.
STIG: VMware vSphere 8.0 ESXi Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text (C-62483r933288_chk)
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "Syslog.global.auditRecord.storageCapacity" value and verify it is set to "100".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity

If the "Syslog.global.auditRecord.storageCapacity" setting is not set to 100, this is a finding.
Fix Text (F-62392r933289_fix)
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Click "Edit". Select the "Syslog.global.auditRecord.storageCapacity" value and configure it to "100".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Set-AdvancedSetting -Value 100
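
The PowerCLI check above only prints the current value. The following added example (not part of the STIG text) turns it into a per-host pass/fail evaluation against the required value of 100. Test-AuditStorageCapacity is a hypothetical helper name, the status strings are chosen for this example, and the host names and sample values are constructed.

```powershell
# Added example: evaluate Syslog.global.auditRecord.storageCapacity per host.
# Test-AuditStorageCapacity is a hypothetical helper, not a PowerCLI cmdlet.
function Test-AuditStorageCapacity {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-AdvancedSetting output: Entity, Name, Value.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Setting,

        # Value required by the check text.
        [int]$Required = 100
    )
    process {
        # Ignore any other advanced setting that arrives on the pipeline.
        if ($Setting.Name -ne 'Syslog.global.auditRecord.storageCapacity') { return }

        # A value that is not an integer is treated as a finding.
        $parsed = 0
        $isInt  = [int]::TryParse([string]$Setting.Value, [ref]$parsed)
        $status = if ($isInt -and $parsed -eq $Required) { 'Not a finding' } else { 'Finding' }

        [pscustomobject]@{
            Host     = [string]$Setting.Entity
            Value    = $Setting.Value
            Required = $Required
            Status   = $status
        }
    }
}

# Constructed sample input so the function can be exercised without a host connection.
$name   = 'Syslog.global.auditRecord.storageCapacity'
$sample = @(
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = $name; Value = 100 }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = $name; Value = 4 }
    [pscustomobject]@{ Entity = 'esx03.example.test'; Name = $name; Value = '' }
)
$sample | Test-AuditStorageCapacity | Format-Table -AutoSize

# Live use, while connected with PowerCLI as in the check text:
# Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity |
#     Test-AuditStorageCapacity | Where-Object Status -eq 'Finding'
```

A host that returns no setting object produces no output row, so compare the result count against the number of hosts returned by Get-VMHost.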