ESX Agent Manager must record user access in a format that enables monitoring of remote access.
DISA Rule
SV-239376r674700_rule
Vulnerability Number
V-239376
Group Title
SRG-APP-000016-WSR-000005
Rule Version
VCEM-67-000005
Severity
CAT II
CCI(s)
- CCI-000067 - The information system monitors remote access methods.
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
- CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.
- CCI-001464 - The information system initiates session audits at system start-up.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-001889 - The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
- CCI-001890 - The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
Weight
10
Fix Recommendation
Navigate to and open:
/usr/lib/vmware-eam/web/conf/server.xml
Add the following line at the very top of the <Host> node.
<Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80" httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by" remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1"/>
Inside the <Host> node, remove the existing "AccessLogValve" <Valve> node entirely and replace it with the following line:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${eam.catalina.logdir}" pattern="%h %{X-Forwarded-For}i %l %u %t [%I] &quot;%r&quot; %s %b [Processing time %D msec] &quot;%{User-Agent}i&quot;" resolveHosts="false" prefix="localhost_access_log" suffix=".txt"/>
Check Contents
At the command prompt, execute the following command:
# xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern /usr/lib/vmware-eam/web/conf/server.xml
Expected result:
pattern="%h %{X-Forwarded-For}i %l %u %t [%I] &quot;%r&quot; %s %b [Processing time %D msec] &quot;%{User-Agent}i&quot;"
If the output does not match the expected result, this is a finding.
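The check above compares one attribute by eye. The following Python script, an added example that is not part of the STIG, audits a server.xml for the same condition plus the ordering the fix requires (RemoteIpValve as the first element of the Host node). It assumes the /Server/Service/Engine/Host layout used by the xmllint XPath above; the two server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
# Pattern required by the fix text; the XML parser decodes the &quot; entities.
EXPECTED_PATTERN = ('%h %{X-Forwarded-For}i %l %u %t [%I] "%r" %s %b '
                    '[Processing time %D msec] "%{User-Agent}i"')

def audit_server_xml(xml_text):
    """Return a list of findings for the Host node of a Tomcat server.xml (empty = compliant)."""
    findings = []
    host = ET.fromstring(xml_text).find("./Service/Engine/Host")
    if host is None:
        return ["no /Server/Service/Engine/Host node"]
    children = list(host)
    classes = [c.get("className") for c in children if c.tag == "Valve"]
    if REMOTE_IP_VALVE not in classes:
        findings.append("RemoteIpValve missing from <Host>")
    elif children[0].get("className") != REMOTE_IP_VALVE:
        findings.append("RemoteIpValve is not the first element in <Host>")
    access = [c for c in children if c.get("className") == ACCESS_LOG_VALVE]
    if len(access) != 1:
        findings.append("expected exactly one AccessLogValve, found %d" % len(access))
    elif access[0].get("pattern") != EXPECTED_PATTERN:
        findings.append("AccessLogValve pattern is %r" % access[0].get("pattern"))
    return findings

# Constructed sample: stock access log valve only, no RemoteIpValve.
BEFORE = r"""<Server><Service><Engine><Host name="localhost">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
</Host></Engine></Service></Server>"""

# Constructed sample after applying the fix text.
AFTER = r"""<Server><Service><Engine><Host name="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="80"
         httpsServerPort="443" protocolHeader="x-forwarded-proto" proxiesHeader="x-forwarded-by"
         remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="${eam.catalina.logdir}"
         pattern="%h %{X-Forwarded-For}i %l %u %t [%I] &quot;%r&quot; %s %b [Processing time %D msec] &quot;%{User-Agent}i&quot;"
         resolveHosts="false" prefix="localhost_access_log" suffix=".txt"/>
</Host></Engine></Service></Server>"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_server_xml(doc) or "compliant")
```

To run it against a live system, read /usr/lib/vmware-eam/web/conf/server.xml into the string instead of the constructed samples.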
Documentable
False
Check Content Reference
M
Target Key
5328