← Back to VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

V-240751

CAT II (Medium)

tc Server VCAC must produce log records containing sufficient information to establish what type of events occurred.

Rule ID

SV-240751r879563_rule

STIG

VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000130

Discussion

After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a suspicious event. Like all servers, tc Server will typically process GET and POST requests clients. These will help investigators understand what happened.

Check Content

At the command prompt, execute the following command:

tail /storage/log/vmware/vcac/access_log.YYYY-MM-dd.txt

Note: Substitute the actual date in the file name.

If HTTP "GET" and/or "POST" events are not being recorded, this is a finding.

Fix Text

Navigate to and open /etc/vcac/server.xml.

Navigate to and locate <Host>.

Configure the <Host> node with the <AccessLogValve> below.

Note: The "AccessLogValve" should be configured as follows:
               <Valve className="org.apache.catalina.valves.AccessLogValve"
                      checkExists="true" 
                      directory="logs"
                      pattern="%h %l %u %t "%r" %s %b"
                      prefix="access_log"
                      requestAttributesEnabled="true"
                      rotatable="false"
                      suffix=".txt"/>