← Back to VMware vSphere 8.0 ESXi Security Technical Implementation Guide

V-258743

CAT II (Medium)

The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.

Rule ID

SV-258743r933290_rule

STIG

VMware vSphere 8.0 ESXi Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001849

Discussion

In order to ensure ESXi has sufficient storage capacity in which to write the audit logs, audit record storage capacity should be configured. If a central audit record storage facility is available, the local storage capacity should be sufficient to hold audit records that would accumulate during anticipated interruptions in delivery of records to the facility.

Check Content

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Select the "Syslog.global.auditRecord.storageCapacity" value and verify it is set to "100".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity

If the "Syslog.global.auditRecord.storageCapacity" setting is not set to 100, this is a finding.

Fix Text

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Advanced System Settings.

Click "Edit". Select the "Syslog.global.auditRecord.storageCapacity" value and configure it to "100".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Set-AdvancedSetting -Value 100