VCST-70-000050 - Security Token Service log data and records must be backed up onto a different system or media.

Information

Protection of Security Token Service log data includes ensuring that log data is not accidentally lost or deleted. Backing up Security Token Service log records to an unrelated system, or onto media separate from the system the web server runs on, helps ensure that the log records are retained even in the event of a catastrophic system failure.

Satisfies: SRG-APP-000125-WSR-000071, SRG-APP-000358-WSR-000163

Solution

Navigate to and open:

/etc/vmware-syslog/vmware-services-sso-services.conf

Create the file if it does not exist.

Set the contents of the file as follows:

#vmidentity logs
input(type='imfile'
File='/var/log/vmware/sso/activedirectoryservice.log'
Tag='activedirectoryservice'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/lookupsvc-init.log'
Tag='ssolookupsvc-init'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/openidconnect.log'
Tag='openidconnect'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/ssoAdminServer.log'
Tag='ssoadminserver'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/svcaccountmgmt.log'
Tag='svcaccountmgmt'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/sso/tokenservice.log'
Tag='tokenservice'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
#sts health log
input(type='imfile'
File='/var/log/vmware/sso/sts-health-status.log.*'
Tag='sts-health-status'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2} [[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2},[[:digit:]]{0,4}'
Facility='local0')
#sts runtime log
input(type='imfile'
File='/var/log/vmware/sso/sts-runtime.log.*'
Tag='sts-runtime'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#gclogFile.0.current log
input(type='imfile'
File='/var/log/vmware/sso/gclogFile.*.current'
Tag='gclog'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}+[[:digit:]]{0,4}'
Facility='local0')
#tomcat log
input(type='imfile'
File='/var/log/vmware/sso/tomcat/localhost_access.log'
Tag='sso-tomcat'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#vmdir log
input(type='imfile'
File='/var/log/vmware/vmdir/*.log'
Tag='vmdir'
PersistStateInterval='200'
Severity='info'
Facility='local0')
#vmafd log
input(type='imfile'
File='/var/log/vmware/vmafd/*.log'
Tag='vmafd'
PersistStateInterval='200'
Severity='info'
Facility='local0')
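
The Solution above is only effective while every one of those imfile inputs stays in the file, so a compliance check should confirm each expected File/Tag pair is present with the stated severity, facility and state interval. The following script is an added example written for this page, not part of the STIG or of the Tenable audit: it parses the rsyslog input(...) blocks (lowercasing parameter names, since rsyslog treats them case-insensitively, and tolerating parentheses inside quoted regex values), compares them against the pairs listed in the Solution, and reports what is missing or drifted. The configuration path and expected values come from the page; the parser, the check_config/audit helper names and the SAMPLE_CONF text are this example's own constructions.

```python
"""Compliance check for VCST-70-000050: are the STS log forwarding inputs
from the Solution present in vmware-services-sso-services.conf?
Added example; not STIG or Tenable code. Expected values are from the page."""
import re
import sys
from pathlib import Path

# Path given in the Solution section.
CONF_PATH = Path("/etc/vmware-syslog/vmware-services-sso-services.conf")

# File -> Tag pairs the Solution defines; every block also carries EXPECTED_SETTINGS.
EXPECTED_INPUTS = {
    "/var/log/vmware/sso/activedirectoryservice.log": "activedirectoryservice",
    "/var/log/vmware/sso/lookupsvc-init.log": "ssolookupsvc-init",
    "/var/log/vmware/sso/openidconnect.log": "openidconnect",
    "/var/log/vmware/sso/ssoAdminServer.log": "ssoadminserver",
    "/var/log/vmware/sso/svcaccountmgmt.log": "svcaccountmgmt",
    "/var/log/vmware/sso/tokenservice.log": "tokenservice",
    "/var/log/vmware/sso/sts-health-status.log.*": "sts-health-status",
    "/var/log/vmware/sso/sts-runtime.log.*": "sts-runtime",
    "/var/log/vmware/sso/gclogFile.*.current": "gclog",
    "/var/log/vmware/sso/tomcat/localhost_access.log": "sso-tomcat",
    "/var/log/vmware/vmdir/*.log": "vmdir",
    "/var/log/vmware/vmafd/*.log": "vmafd",
}
EXPECTED_SETTINGS = {"facility": "local0", "severity": "info", "persiststateinterval": "200"}

_INPUT_START = re.compile(r"\binput\s*\(")
_PARAM = re.compile(r"([A-Za-z][\w.]*)\s*=\s*'([^']*)'")


def parse_inputs(text):
    """Return one dict per input(...) block, keys lowercased (rsyslog parameter
    names are case-insensitive). Parentheses inside quoted values, such as a
    startmsg.regex, do not terminate a block."""
    blocks, pos = [], 0
    while True:
        m = _INPUT_START.search(text, pos)
        if not m:
            return blocks
        pos, depth, in_quote = m.end(), 1, False
        body_start = pos
        while pos < len(text) and depth:
            ch = text[pos]
            if ch == "'":
                in_quote = not in_quote
            elif not in_quote and ch == "(":
                depth += 1
            elif not in_quote and ch == ")":
                depth -= 1
            pos += 1
        body = text[body_start:pos - 1]
        blocks.append({k.lower(): v for k, v in _PARAM.findall(body)})


def check_config(text):
    """Return (missing_files, findings); both empty means the file matches the Solution."""
    seen = {}
    for blk in parse_inputs(text):
        if blk.get("type") == "imfile" and "file" in blk:
            seen[blk["file"]] = blk
    missing = [f for f in EXPECTED_INPUTS if f not in seen]
    findings = []
    for f, tag in EXPECTED_INPUTS.items():
        blk = seen.get(f)
        if blk is None:
            continue
        if blk.get("tag") != tag:
            findings.append(f"{f}: tag is {blk.get('tag')!r}, expected {tag!r}")
        for key, want in EXPECTED_SETTINGS.items():
            if blk.get(key) != want:
                findings.append(f"{f}: {key} is {blk.get(key)!r}, expected {want!r}")
    return missing, findings


def audit(path=CONF_PATH):
    """Read the file on disk; an absent file means every input is missing."""
    p = Path(path)
    if not p.is_file():
        return list(EXPECTED_INPUTS), [f"{p} does not exist"]
    return check_config(p.read_text())


# Constructed sample: one compliant input, one drifted input (facility), the rest absent.
SAMPLE_CONF = """\
input(type='imfile'
File='/var/log/vmware/sso/tokenservice.log'
Tag='tokenservice'
PersistStateInterval='200'
Severity='info'
startmsg.regex='^[[:digit:]]{4}-[[:digit:]]{1,2}-[[:digit:]]{1,2}T[[:digit:]]{1,2}:[[:digit:]]{1,2}:[[:digit:]]{1,2}.[[:digit:]]{0,3}Z'
Facility='local0')
input(type='imfile'
File='/var/log/vmware/vmdir/*.log'
Tag='vmdir'
PersistStateInterval='200'
Severity='info'
Facility='local1')
"""

if __name__ == "__main__":
    missing, findings = audit(sys.argv[1]) if len(sys.argv) > 1 else check_config(SAMPLE_CONF)
    for f in missing:
        print(f"MISSING input for {f}")
    for line in findings:
        print(f"FINDING {line}")
    print("compliant" if not (missing or findings) else "not compliant")
    sys.exit(0 if not (missing or findings) else 1)
```

Run it with the real path as the first argument on the appliance (python3 check_sts_logs.py /etc/vmware-syslog/vmware-services-sso-services.conf) to get a non-zero exit on drift; without an argument it exercises the constructed sample. The check only confirms the inputs exist; it does not verify that the local0 facility is actually forwarded to a remote syslog collector, which is the other half of this control and is governed by the appliance's remote syslog settings.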

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), 800-53|AU-9(2), CAT|II, CCI|CCI-001348, CCI|CCI-001851, Rule-ID|SV-256775r889295_rule, STIG-ID|VCST-70-000050, Vuln-ID|V-256775

Plugin: Unix

Control ID: a787c5feadf45194903eccecb4bb8a55bbe08a3b64d3e4aab12232b767bbf107