Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The vCenter VAMI service must off-load log records onto a different system or media from the system being logged.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259142 | VCLD-80-000022 | SV-259142r960948_rule | Medium |
| Description |
|---|
| Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained. Satisfies: SRG-APP-000125-WSR-000071, SRG-APP-000358-WSR-000063, SRG-APP-000358-WSR-000163 |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide | 2024-07-11 |
Details
| Check Text ( C-62882r935328_chk ) |
|---|
| By default there is a vmware-services-applmgmt.conf rsyslog configuration file which includes the service logs when syslog is configured on vCenter that must be verified. At the command prompt, run the following command: # cat /etc/vmware-syslog/vmware-services-applmgmt.conf Expected result: #applmgmt.log input(type="imfile" File="/var/log/vmware/applmgmt/applmgmt.log" Tag="applmgmt" Severity="info" Facility="local0") #applmgmt-audit.log input(type="imfile" File="/var/log/vmware/applmgmt-audit/applmgmt-audit.log" Tag="applmgmt-audit" Severity="info" Facility="local0") #applmgmt-backup-restore-audit.log input(type="imfile" File="/var/log/vmware/applmgmt-audit/applmgmt-br-audit.log" Tag="applmgmt-br-audit" Severity="info" Facility="local0") #vami-access.log input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log" Tag="vami-access" Severity="info" Facility="local0") #vami-error.log input(type="imfile" File="/opt/vmware/var/log/lighttpd/error.log" Tag="vami-error" Severity="info" Facility="local0") #dcui.log input(type="imfile" File="/var/log/vmware/applmgmt/dcui.log" Tag="dcui" Severity="info" Facility="local0") #detwist.log input(type="imfile" File="/var/log/vmware/applmgmt/detwist.log" Tag="detwist" Severity="info" Facility="local0") #firewall-reload.log input(type="imfile" File="/var/log/vmware/applmgmt/firewall-reload.log" Tag="firewall-reload" Severity="info" Facility="local0") #applmgmt_vmonsvc.std* input(type="imfile" File="/var/log/vmware/applmgmt/applmgmt_vmonsvc.std*" Tag="applmgmt_vmonsvc" Severity="info" Facility="local0") #backupSchedulerCron input(type="imfile" File="/var/log/vmware/applmgmt/backupSchedulerCron.log" Tag="backupSchedulerCron" Severity="info" Facility="local0") #progress.log input(type="imfile" File="/var/log/vmware/applmgmt/progress.log" Tag="progress" Severity="info" Facility="local0") #statsmoitor-alarms input(type="imfile" File="/var/log/vmware/statsmon/statsmoitor-alarms.log" Tag="statsmoitor-alarms" Severity="info" Facility="local0") #StatsMonitor input(type="imfile" File="/var/log/vmware/statsmon/StatsMonitor.log" Tag="StatsMonitor" Severity="info" Facility="local0") #StatsMonitorStartup.log.std* input(type="imfile" File="/var/log/vmware/statsmon/StatsMonitorStartup.log.std*" Tag="StatsMonitor-Startup" Severity="info" Facility="local0") #PatchRunner input(type="imfile" File="/var/log/vmware/applmgmt/PatchRunner.log" Tag="PatchRunner" Severity="info" Facility="local0") #update_microservice input(type="imfile" File="/var/log/vmware/applmgmt/update_microservice.log" Tag="update_microservice" Severity="info" Facility="local0") #vami input(type="imfile" File="/var/log/vmware/applmgmt/vami.log" Tag="vami" Severity="info" Facility="local0") #vcdb_pre_patch input(type="imfile" File="/var/log/vmware/applmgmt/vcdb_pre_patch.*" Tag="vcdb_pre_patch" Severity="info" Facility="local0") #dnsmasq.log input(type="imfile" File="/var/log/vmware/dnsmasq.log" Tag="dnsmasq" Severity="info" Facility="local0") #procstate input(type="imfile" File="/var/log/vmware/procstate" Tag="procstate" Severity="info" Facility="local0") #backup.log input(type="imfile" File="/var/log/vmware/applmgmt/backup.log" Tag="applmgmt-backup" Severity="info" Facility="local0") #size.log input(type="imfile" File="/var/log/vmware/applmgmt/size.log" Tag="applmgmt-size" Severity="info" Facility="local0") #restore.log input(type="imfile" File="/var/log/vmware/applmgmt/restore.log" Tag="applmgmt-restore" Severity="info" Facility="local0") #reconciliation.log input(type="imfile" File="/var/log/vmware/applmgmt/reconciliation.log" Tag="applmgmt-reconciliation" Severity="info" Facility="local0") #pnid_change.log input(type="imfile" File="/var/log/vmware/applmgmt/pnid_change.log" Tag="applmgmt-pnid-change" Severity="info" Facility="local0") If the output does not match the expected result, this is a finding. |
| Fix Text (F-62791r935329_fix) |
|---|
| Navigate to and open: /etc/vmware-syslog/vmware-services-applmgmt.conf Create the file if it does not exist. Set the contents of the file as follows: #applmgmt.log input(type="imfile" File="/var/log/vmware/applmgmt/applmgmt.log" Tag="applmgmt" Severity="info" Facility="local0") #applmgmt-audit.log input(type="imfile" File="/var/log/vmware/applmgmt-audit/applmgmt-audit.log" Tag="applmgmt-audit" Severity="info" Facility="local0") #applmgmt-backup-restore-audit.log input(type="imfile" File="/var/log/vmware/applmgmt-audit/applmgmt-br-audit.log" Tag="applmgmt-br-audit" Severity="info" Facility="local0") #vami-access.log input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log" Tag="vami-access" Severity="info" Facility="local0") #vami-error.log input(type="imfile" File="/opt/vmware/var/log/lighttpd/error.log" Tag="vami-error" Severity="info" Facility="local0") #dcui.log input(type="imfile" File="/var/log/vmware/applmgmt/dcui.log" Tag="dcui" Severity="info" Facility="local0") #detwist.log input(type="imfile" File="/var/log/vmware/applmgmt/detwist.log" Tag="detwist" Severity="info" Facility="local0") #firewall-reload.log input(type="imfile" File="/var/log/vmware/applmgmt/firewall-reload.log" Tag="firewall-reload" Severity="info" Facility="local0") #applmgmt_vmonsvc.std* input(type="imfile" File="/var/log/vmware/applmgmt/applmgmt_vmonsvc.std*" Tag="applmgmt_vmonsvc" Severity="info" Facility="local0") #backupSchedulerCron input(type="imfile" File="/var/log/vmware/applmgmt/backupSchedulerCron.log" Tag="backupSchedulerCron" Severity="info" Facility="local0") #progress.log input(type="imfile" File="/var/log/vmware/applmgmt/progress.log" Tag="progress" Severity="info" Facility="local0") #statsmoitor-alarms input(type="imfile" File="/var/log/vmware/statsmon/statsmoitor-alarms.log" Tag="statsmoitor-alarms" Severity="info" Facility="local0") #StatsMonitor input(type="imfile" File="/var/log/vmware/statsmon/StatsMonitor.log" Tag="StatsMonitor" Severity="info" Facility="local0") #StatsMonitorStartup.log.std* input(type="imfile" File="/var/log/vmware/statsmon/StatsMonitorStartup.log.std*" Tag="StatsMonitor-Startup" Severity="info" Facility="local0") #PatchRunner input(type="imfile" File="/var/log/vmware/applmgmt/PatchRunner.log" Tag="PatchRunner" Severity="info" Facility="local0") #update_microservice input(type="imfile" File="/var/log/vmware/applmgmt/update_microservice.log" Tag="update_microservice" Severity="info" Facility="local0") #vami input(type="imfile" File="/var/log/vmware/applmgmt/vami.log" Tag="vami" Severity="info" Facility="local0") #vcdb_pre_patch input(type="imfile" File="/var/log/vmware/applmgmt/vcdb_pre_patch.*" Tag="vcdb_pre_patch" Severity="info" Facility="local0") #dnsmasq.log input(type="imfile" File="/var/log/vmware/dnsmasq.log" Tag="dnsmasq" Severity="info" Facility="local0") #procstate input(type="imfile" File="/var/log/vmware/procstate" Tag="procstate" Severity="info" Facility="local0") #backup.log input(type="imfile" File="/var/log/vmware/applmgmt/backup.log" Tag="applmgmt-backup" Severity="info" Facility="local0") #size.log input(type="imfile" File="/var/log/vmware/applmgmt/size.log" Tag="applmgmt-size" Severity="info" Facility="local0") #restore.log input(type="imfile" File="/var/log/vmware/applmgmt/restore.log" Tag="applmgmt-restore" Severity="info" Facility="local0") #reconciliation.log input(type="imfile" File="/var/log/vmware/applmgmt/reconciliation.log" Tag="applmgmt-reconciliation" Severity="info" Facility="local0") #pnid_change.log input(type="imfile" File="/var/log/vmware/applmgmt/pnid_change.log" Tag="applmgmt-pnid-change" Severity="info" Facility="local0") |