Rule ID
SV-240754r879564_rule
Version
V2R3
CCIs
After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a suspicious event. As a Tomcat derivative, tc Server can be configured with an AccessLogValve. A Valve element represents a component that can be inserted into the request processing pipeline. The pattern attribute of the AccessLogValve controls which data gets logged. The %t parameter specifies that the system time should be recorded.
At the command prompt, execute the following command:
tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt
Note: Substitute the actual date in the file name.
If the time and date of events are not being recorded, this is a finding.
Navigate to and open /etc/vcac/server.xml.
Navigate to and locate <Host>.
Configure the <Host> node with the <AccessLogValve> below.
Note: The "AccessLogValve" should be configured as follows:
<Valve className="org.apache.catalina.valves.AccessLogValve"
checkExists="true"
directory="logs"
pattern="%h %l %u %t &quot;%r&quot; %s %b"
prefix="access_log"
requestAttributesEnabled="true"
rotatable="false"
suffix=".txt"/>
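The check and the fix above can be scripted together. This is an added example, not part of the STIG text: it reads the AccessLogValve pattern from server.xml and confirms that recent access log entries carry the bracketed Common Log Format timestamp that %t writes. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG. Function names are hypothetical and
# the sample files written by make_samples are constructed test data.

# Timestamp written by %t, e.g. [10/Oct/2023:13:55:36 +0000]
CLF_TS='\[[0-9]{2}/[A-Za-z]{3}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\]'

# Print the pattern attribute of each AccessLogValve in a server.xml.
valve_pattern() {
    tr '\n' ' ' < "$1" |
        grep -oE '<Valve[^>]*AccessLogValve[^>]*>' |
        sed -n 's/.*pattern="\([^"]*\)".*/\1/p'
}

# Count lines among the last N (default 10) that carry no %t timestamp.
lines_missing_time() {
    tail -n "${2:-10}" "$1" | grep -cvE "$CLF_TS" || true
}

# audit SERVER_XML ACCESS_LOG -> 0 compliant, 1 finding, 2 nothing to verify
audit() {
    valve_pattern "$1" | grep -q '%t' ||
        { echo "FINDING: AccessLogValve pattern has no %t"; return 1; }
    [ -s "$2" ] || { echo "INCONCLUSIVE: $2 is empty or missing"; return 2; }
    missing=$(lines_missing_time "$2")
    [ "$missing" -eq 0 ] ||
        { echo "FINDING: $missing recent entries lack date and time"; return 1; }
    echo "OK: date and time are recorded"
}

# Write constructed sample files into directory $1 for a dry run.
make_samples() {
    cat > "$1/server.xml" <<'EOF'
<Host name="localhost">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
</Host>
EOF
    cat > "$1/good.txt" <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /vcac/ HTTP/1.1" 200 1043
192.0.2.11 - admin [10/Oct/2023:13:55:41 +0000] "POST /vcac/login HTTP/1.1" 302 -
EOF
    # The same requests as a pattern without %t would log them.
    sed -E "s|$CLF_TS ||" "$1/good.txt" > "$1/bad.txt"
}

# Usage: sh audit.sh /etc/vcac/server.xml /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

An empty log returns 2 rather than passing, because a correct pattern alone does not show that time and date are actually being recorded.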