STIGQter: STIG Summary: VMware vSphere 6.7 Photon OS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 09 Mar 2021

The Photon operating system must configure rsyslog to offload system logs to a central server.

DISA Rule

SV-239112r675144_rule

Vulnerability Number

V-239112

Group Title

SRG-OS-000205-GPOS-00083

Rule Version

PHTN-67-000040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open /etc/vmware-syslog/syslog.conf with a text editor.

Remove any existing content and create a new remote server configuration line.

For UDP:

*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format

For TCP:

*.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format

OR

Navigate to https://<hostname>:5480 to access the VAMI.

Authenticate and navigate to "Syslog Configuration".

Click "Edit" in the top right.

Configure a remote syslog server and click "OK".

Check Contents

At the command line, execute the following command:

# cat /etc/vmware-syslog/syslog.conf

The output should be similar to the following:

*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format

If no line is returned, if the line is commented out, or if no valid syslog server is specified, this is a finding.

OR

Navigate to https://<hostname>:5480 to access the Virtual Appliance Management Interface (VAMI). Authenticate and navigate to "Syslog Configuration".

If no site-specific syslog server is configured, this is a finding.
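
One way to automate the command-line check above, as an added example that is not part of the STIG text. The function name check_remote_syslog is hypothetical, and the pattern assumes the server is written as a hostname or IPv4 address followed by a numeric port.

```shell
#!/bin/sh
# Added example: scripted version of the PHTN-67-000040 command-line check.
# check_remote_syslog [FILE] returns 0 when an active forwarding line exists
# and 1 (a finding) otherwise. The function name is hypothetical.
check_remote_syslog() {
    conf="${1:-/etc/vmware-syslog/syslog.conf}"
    if [ ! -r "$conf" ]; then
        echo "FINDING: $conf is missing or unreadable"
        return 1
    fi

    # Active line only: anchored at line start, so "#*.* @..." does not match.
    # "@" is UDP and "@@" is TCP. The host and port classes reject the
    # unedited "<syslog server>:port" placeholder from the STIG text.
    re='^[[:space:]]*\*\.\*[[:space:]]+@@?[A-Za-z0-9._-]+:[0-9]+;RSYSLOG_syslogProtocol23Format[[:space:]]*$'
    line=$(grep -E "$re" "$conf" | head -n 1) || true

    if [ -z "$line" ]; then
        echo "FINDING: no active remote syslog line in $conf"
        return 1
    fi

    # Report the transport and target so the reviewer can confirm the
    # server is the site-specific one.
    case "$line" in
        *@@*) proto=tcp ;;
        *)    proto=udp ;;
    esac
    target=$(printf '%s\n' "$line" | sed -E 's/^[^@]*@+([^;]+);.*$/\1/')
    echo "OK: forwarding *.* over $proto to $target"
    return 0
}

# Usage on the appliance: check_remote_syslog   (defaults to the STIG path)
```

A passing result only shows that a well-formed line is present; whether the reported target is the site's approved log server still has to be confirmed by the reviewer.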

Documentable

False

Check Content Reference

M

Target Key

5323
