VCST-70-000050 - Security Token Service log data and records must be backed up onto a different system or media.

Information

Protection of Security Token Service log data includes ensuring log data is not accidentally lost or deleted. Backing up Security Token Service log records to an unrelated system or onto separate media than the system the web server is running on helps to ensure that, in the event of a catastrophic system failure, the log records will be retained.

Satisfies: SRG-APP-000125-WSR-000071, SRG-APP-000358-WSR-000163

Solution

Navigate to and open:

/etc/vmware-syslog/vmware-services-sso-services.conf

Create the file if it does not exist.

Set the contents of the file as follows:

#vmidentity logs
input(type='imfile'
File='/var/log/vmware/sso/activedirectoryservice.log'
Tag='activedirectoryservice'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/lookupsvc-init.log'
Tag='ssolookupsvc-init'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/openidconnect.log'
Tag='openidconnect'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/ssoAdminServer.log'
Tag='ssoadminserver'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/svcaccountmgmt.log'
Tag='svcaccountmgmt'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/tokenservice.log'
Tag='tokenservice'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
#sts health log
input(type='imfile'
File='/var/log/vmware/sso/sts-health-status.log.*'
Tag='sts-health-status'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2} [[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2},[[:digit:]]{0,4}'
Facility='local0')
#sts runtime log
input(type='imfile'
File='/var/log/vmware/sso/sts-runtime.log.*'
Tag='sts-runtime'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#gclogFile.0.current log
input(type='imfile'
File='/var/log/vmware/sso/gclogFile.*.current'
Tag='gclog'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}+[[:digit:]]{0,4}'
Facility='local0')
#tomcat log
input(type='imfile'
File='/var/log/vmware/sso/tomcat/localhost_access.log'
Tag='sso-tomcat'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#vmdir log
input(type='imfile'
File='/var/log/vmware/vmdir/*.log'
Tag='vmdir'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#vmafd log
input(type='imfile'
File='/var/log/vmware/vmafd/*.log'
Tag='vmafd'
PersistStateInterval='200'
Severity='info'
Facility='local0')

Item Details

Audit Name: DISA STIG VMware vSphere 7.0 STS Tomcat v1r2

Category: AUDIT AND ACCOUNTABILITY

Plugin: Unix

Control ID: a787c5feadf45194903eccecb4bb8a55bbe08a3b64d3e4aab12232b767bbf107

Detections

Analytics

VCST-70-000050 - Security Token Service log data and records must be backed up onto a different system or media.

Information

Solution

See Also

Item Details