vSphere UI must record user access in a format that enables monitoring of remote access.
DISA Rule
SV-239686r679252_rule
Vulnerability Number
V-239686
Group Title
SRG-APP-000016-WSR-000005
Rule Version
VCUI-67-000005
Severity
CAT II
CCI(s)
- CCI-000067 - The information system monitors remote access methods.
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.
- CCI-001464 - The information system initiates session audits at system start-up.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-001889 - The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
- CCI-001890 - The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Weight
10
Fix Recommendation
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml.
Ensure the log pattern in the "org.apache.catalina.valves.AccessLogValve" node is set to the following:
pattern="%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D"
Check Contents
At the command prompt, execute the following command:
# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/server.xml | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern -
Expected result:
pattern="%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D"
If the output does not match the expected result, this is a finding.
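The check above, as an added example that is not part of the STIG text: it parses server.xml and compares the decoded attribute value, since the quotes around %r have to be written as &quot; inside a double-quoted XML attribute and a raw string comparison can mislead. The function names `check_access_log_pattern` and `sample_server_xml` are hypothetical, and the sample document is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Path, valve class and required pattern are taken from the check text above.
SERVER_XML = "/usr/lib/vmware-vsphere-ui/server/conf/server.xml"
VALVE_CLASS = "org.apache.catalina.valves.AccessLogValve"
REQUIRED = '%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D'

def check_access_log_pattern(xml_data):
    """Return (compliant, findings) for the AccessLogValve pattern in server.xml."""
    root = ET.fromstring(xml_data)
    if root.tag != "Server":
        return False, ["root element is not <Server>"]
    # Same location the xmllint XPath in the check selects.
    valves = [v for v in root.findall("./Service/Engine/Host/Valve")
              if v.get("className") == VALVE_CLASS]
    if not valves:
        return False, ["no AccessLogValve under /Server/Service/Engine/Host"]
    findings = []
    for i, valve in enumerate(valves, 1):
        pattern = valve.get("pattern")  # parser has already decoded &quot; to "
        if pattern is None:
            findings.append(f"valve {i}: pattern attribute missing")
        elif pattern != REQUIRED:
            present = pattern.split()
            missing = [t for t in REQUIRED.split() if t not in present]
            detail = ("missing fields: " + " ".join(missing)) if missing \
                else "fields reordered or extra fields present"
            findings.append(f"valve {i}: pattern differs ({detail})")
    return not findings, findings

def sample_server_xml(pattern_attr):
    """Constructed minimal server.xml for offline testing (not a real appliance file)."""
    return ('<Server><Service name="Catalina"><Engine name="Catalina">'
            '<Host name="localhost">'
            f'<Valve className="{VALVE_CLASS}" pattern="{pattern_attr}"/>'
            '</Host></Engine></Service></Server>')

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else SERVER_XML
    with open(path, "rb") as fh:
        ok, findings = check_access_log_pattern(fh.read())
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(0 if ok else 1)
```

A non-zero exit status corresponds to a finding; the printed detail names which required fields are absent from the configured pattern.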
Documentable
False
Check Content Reference
M
Target Key
5334