VCWN-65-000008 - The vCenter Server for Windows must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

Information

It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

To ensure the appropriate personnel are alerted if an audit failure occurs a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions >> Click the green plus icon. Provide an alarm name and description, Select 'Hosts' from the 'Monitor' dropdown menu. Select 'specific event' next to 'Monitor for'. Enable the alarm. Click 'Next'. Add a new Trigger and paste in 'esx.problem.vmsyslogd.remote.failure' for the Event. Select 'Alert' for the Status. Click 'Next'. Add an action to send an email or a trap for 'green to yellow' and 'yellow to red' categories, configure appropriately. Click 'Finish'.

Note - This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5a., CAT|III, CCI|CCI-000139, Rule-ID|SV-216831r879570_rule, STIG-ID|VCWN-65-000008, STIG-Legacy|SV-104559, STIG-Legacy|V-94729, Vuln-ID|V-216831

Plugin: VMware

Control ID: 442db2139b2ff914d4978539d3a631381934be43fca22e9dd4263f9e93153329