Rule ID
SV-279464r1192371_rule
Version
V1R1
CCIs
An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missing and not available during a forensic investigation. To ensure all loggable events are captured, the web server must begin logging once the first web server process is initiated.
Verify Prism Element enables logging upon startup of Envoy proxy services by running the following command: $ ps -ef | grep ikat_proxy.out nutanix 68158 1 0 Oct10 ? 00:00:00 /bin/bash -lc /home/nutanix/bin/service_monitor --run_as_user=apache /home/nutanix/data/logs/ikat_proxy.FATAL -- /usr/local/nutanix/ikat_proxy/bin/envoy -c /home/nutanix/config/ikat_proxy/envoy.yaml --disable-hot-restart --concurrency 4 |& /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out nutanix 68376 68158 0 Oct10 ? 00:00:01 /home/nutanix/bin/logpipe -o /home/nutanix/data/logs/ikat_proxy.out If the output of "ikat_proxy.out" does not list the path as "/home/nutanix/data/logs/ikat_proxy.out", or if there is no output, this is a finding.
Prism Element is configured by default for the Envoy proxy services with logging level of "info". If this control is a finding, then some corruption has occurred and the VM must be rebuilt.