VCWN-06-000008 - The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

Information

It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. To ensure the appropriate personnel are alerted if an audit failure occurs a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions >> Right click in the empty space and select New Alarm. On the General tab provide an alarm name and description, Select Hosts for alarm type and 'Monitor for specific events occurring on this object', check 'Enable this alarm'. On the Triggers tab click Add and in the event column enter 'esx.problem.vmsyslogd.remote.failure' and click OK.

Note - This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.

See Also

http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_vCenter_Server_for_Windows_V1R4_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5a., CAT|III, CCI|CCI-000139, Group-ID|V-63953, Rule-ID|SV-78443r1_rule, STIG-ID|VCWN-06-000008, Vuln-ID|V-63953

Plugin: VMware

Control ID: fe65af48bc7e157a03cd95943e3b5fb8bd97f8aa4e40b2ac438855dbbd343565