ESXI-70-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.

Information

Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Satisfies: SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310

Solution

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click 'Edit'.

Select the 'Config.HostAgent.log.level' value and configure it to 'info'.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value 'info'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12b., CAT|II, CCI|CCI-000130, CCI|CCI-000171, Rule-ID|SV-256396r885969_rule, STIG-ID|ESXI-70-000030, Vuln-ID|V-256396

Plugin: VMware

Control ID: aa1258d4c80fd01c576ebb312ae6d988c34b6e585c54b7433a8eaccf8bbd27ad