Rule ID
SV-241704r879747_rule
Version
V1R2
CCIs
CCI-001890
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Like all web servers, tc Server logs can be configured to produce a Common Log Format (CLF). The tc Server component known as an “AccessLogValve”, which represents a component that can be inserted into the request processing pipeline to capture user interaction. The “Access Log Valve” creates log files in the same format as those created by standard web servers including GMT offset.
At the command prompt, execute the following command: tail /storage/log/vcops/log/product-ui/localhost_access_log.YYYY-MM-dd.txt If the timestamp does not contain a time zone mapping, this is a finding. Note: Substitute the actual date in the file name. Note: In Common Log Format, a timestamp will look like [06/Feb/2016:23:12:57 +0000]. The “+0000” part is the time zone mapping.
Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/server.xml.
Navigate to the <Valve className="org.apache.catalina.valves.AccessLogValve"> node.
Set the “pattern” setting with "%h %l %u %t "%r" %s %b"
Note: The <Valve> node should be configured per the below:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
pattern="%h %l %u %t "%r" %s %b"
prefix="localhost_access_log."
suffix=".txt"/>