vSphere Client must record user access in a format that enables monitoring of remote access.
DISA Rule
SV-239751r679542_rule
Vulnerability Number
V-239751
Group Title
SRG-APP-000016-WSR-000005
Rule Version
VCFL-67-000009
Severity
CAT II
CCI(s)
- CCI-000067 - The information system monitors remote access methods.
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
- CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.
- CCI-001464 - The information system initiates session audits at system start-up.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-001889 - The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
- CCI-001890 - The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Weight
10
Fix Recommendation
Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml.
Ensure the log pattern in the "org.apache.catalina.valves.AccessLogValve" node is set to the following:
pattern="%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D"
Check Contents
At the command prompt, execute the following command:
# xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern -
Expected result:
pattern="%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D"
If the output does not match the expected result, this is a finding.
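The same check expressed as a script, as an added example that is not part of the STIG content: it ignores the XML namespace (which the sed step in the command above strips), follows the same Server/Service/Engine/Host/Valve path, and compares every AccessLogValve pattern to the required string. The sample documents and the namespace URI are constructed for illustration; on a real system the contents of tomcat-server.xml would be passed to is_finding().

```python
import xml.etree.ElementTree as ET

# Pattern required by VCFL-67-000009, as it reads after XML decoding.
EXPECTED = '%h %{x-forwarded-for}i %l %u %t "%r" %s %b %{#hashedSessionId#}s %I %D'
VALVE = "org.apache.catalina.valves.AccessLogValve"

# Constructed sample; the namespace URI is a placeholder. Inside a
# double-quoted XML attribute the quotes around %r are stored as &quot;.
SAMPLE_OK = """<?xml version="1.0"?>
<Server xmlns="urn:example:constructed">
  <Service name="Catalina"><Engine name="Catalina"><Host name="localhost">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b %{#hashedSessionId#}s %I %D"/>
  </Host></Engine></Service>
</Server>"""

# Constructed non-compliant sample: session id, thread and duration dropped.
SAMPLE_BAD = SAMPLE_OK.replace(" %{#hashedSessionId#}s %I %D", "")


def local(tag):
    """Drop a '{namespace}' prefix so a default xmlns does not hide elements."""
    return tag.rsplit("}", 1)[-1]


def access_log_patterns(xml_text):
    """Return the pattern of every AccessLogValve at Server/Service/Engine/Host."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "Server":
        return []
    nodes = [root]
    for name in ("Service", "Engine", "Host", "Valve"):
        nodes = [c for n in nodes for c in n if local(c.tag) == name]
    return [v.get("pattern") for v in nodes if v.get("className") == VALVE]


def is_finding(xml_text):
    """True when no valve exists or any valve's pattern differs from EXPECTED."""
    patterns = access_log_patterns(xml_text)
    return not patterns or any(p != EXPECTED for p in patterns)


if __name__ == "__main__":
    for label, doc in (("compliant", SAMPLE_OK), ("modified", SAMPLE_BAD)):
        print(label, "-> finding" if is_finding(doc) else "-> not a finding")
```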
Documentable
False
Severity Override Guidance
Check Content Reference
M
Target Key
5336
Comments