The NSX Distributed Firewall must off-load audit records onto a centralized log server.

From VMware NSX Distributed Firewall Security Technical Implementation Guide

Associated with: CCI-001851

SV-83755r1_rule The NSX Distributed Firewall must off-load audit records onto a centralized log server.

Vulnerability discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This does not apply to audit logs generated on behalf of the device itself (management).

Check content

Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. If this setting does not specify the appropriate syslog server on each ESXi host, this is a finding.

Fix text

Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. Verify each ESXi host is set to a remote syslog server.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.