Nutanix AOS must offload audit records to a syslog server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-254179 | NUTX-OS-000770 | SV-254179r846625_rule | Medium |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| STIG | Date |
|---|---|
| Nutanix AOS 5.20.x OS Security Technical Implementation Guide | 2022-08-24 |
Details
| Check Text ( C-57664r846623_chk ) |
|---|
| Confirm Nutanix AOS is configured to offload the audit records to a site-specific syslog server. $ sudo grep @ /etc/rsyslog.d/rsyslog-nutanix.conf local0.*; @remote-log-host:514 If there are no lines in the "/etc/rsyslog.d/rsyslog-nutanix.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are offloaded to a different system or media. If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding. |
| Fix Text (F-57615r846624_fix) |
|---|
| Configure AOS to offload audit records to site specific syslog server by running the following command. ncli rsyslog-config add-server name=[alias_of_central_host] ip-address=[IP_of_central_host] port=[port_of_central_host] network-protocol=tcp|udp|relp relp-enabled=yes|no; ncli rsyslog-config add-module module-name=syslog_module level=info server-name=[alias_of_central_host] |