ESXI-70-000084 - The ESXi host must enable audit logging.

Information

ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization Extended Package. Local records are stored on any accessible local or VMFS path. Remote records are sent to the global syslog servers configured elsewhere.

To operate in the NIAP validated state, ESXi must enable and properly configure this audit system. This system is disabled by default.

Note: Audit records can be viewed locally via the '/bin/auditLogReader' utility over SSH or at the ESXi shell.

Solution

From an ESXi shell, run the following commands:

Optional: Set the audit log location to persistent storage. This is set to '/scratch/auditLog' by default and does not normally need to be changed.

# esxcli system auditrecords local set --directory='/full/path/here'

Mandatory:

# esxcli system auditrecords local set --size=100
# esxcli system auditrecords local enable
# esxcli system auditrecords remote enable
# esxcli system syslog reload

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.auditrecords.local.set.CreateArgs()
*Optional* $arguments.directory = '/full/path/here'
$arguments.size='100'
$esxcli.system.auditrecords.local.set.Invoke($arguments)
$esxcli.system.auditrecords.local.enable.Invoke()
$esxcli.system.auditrecords.remote.enable.Invoke()

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256436r919017_rule, STIG-ID|ESXI-70-000084, Vuln-ID|V-256436

Plugin: Unix

Control ID: b15683593834cb5eef5becc17f92695a4e88c426e4adc9d7de3646eb2c13eacb