The VMM must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63509	ESXI-06-100030	SV-77999r1_rule		Low

Description
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

STIG	Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide	2019-01-04

Details

Check Text ( C-64259r1_chk )
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost \| Get-AdvancedSetting -Name Config.HostAgent.log.level If the Config.HostAgent.log.level setting is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.

Check Text ( C-64259r1_chk )

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level

If the Config.HostAgent.log.level setting is not set to info, this is a finding.

Note: Verbose logging level is acceptable for troubleshooting purposes.

Fix Text (F-69439r1_fix)
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and configure it to info. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost \| Get-AdvancedSetting -Name Config.HostAgent.log.level \| Set-AdvancedSetting -Value "info"