← Back to VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

V-241603

CAT II (Medium)

tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred.

Rule ID

SV-241603r879564_rule

STIG

VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000131

Discussion

After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an “AccessLogValve”. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the “AccessLogValve” controls which data gets logged. The “%t” parameter specifies that the system time should be recorded.

Check Content

At the command prompt, execute the following command:

tail /storage/log/vcops/log/casa/localhost_access_log.YYYY-MM-dd.txt

Note: Substitute the actual date in the file name.

If the time and date of events are not being recorded, this is a finding.

Fix Text

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/server.xml.

Navigate to and locate <Host>.

Configure the <Host> node with the <AccessLogValve> below.

Note: The “AccessLogValve” should be configured as follows: 

                <Valve className="org.apache.catalina.valves.AccessLogValve"
                       directory="logs"
                       pattern="%h %l %u %t "%r" %s %b"
                       prefix="localhost_access_log."
                       suffix=".txt"/>