VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

Information

It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

To ensure the appropriate personnel are alerted if an audit failure occurs, a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> More >> Alarm Definitions.

Click 'Add'.

Provide an alarm name and description.

Select 'Hosts' from the 'Target type' dropdown menu.

Click 'Next'.

Paste 'esx.problem.vmsyslogd.remote.failure' in the line after IF and press 'Enter'.

Select 'Show as Warning' for severity.

Click 'Next'.

Configure any other options as desired, enable alarm, and finish.

Note: This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5a., CAT|II, CCI|CCI-000139, Rule-ID|SV-243078r879570_rule, STIG-ID|VCTR-67-000008, Vuln-ID|V-243078

Plugin: VMware

Control ID: 5011e574faa3a631b526adac8012b37ce48c443dc9f9edc8685873aba187a160