The ESXi host must enable strict x509 verification for SSL syslog endpoints.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256437	ESXI-70-000085	SV-256437r919026_rule		Medium

Description
When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict" option performs additional validity checks on CA root certificates during verification. These checks are generally not performed (CA roots are inherently trusted) and might cause incompatibilities with existing, misconfigured CA roots. The NIAP requirements in the Virtualization Protection Profile and Server Virtualization Extended Package, however, require even CA roots to pass validations.

Description

When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict" option performs additional validity checks on CA root certificates during verification. These checks are generally not performed (CA roots are inherently trusted) and might cause incompatibilities with existing, misconfigured CA roots. The NIAP requirements in the Virtualization Protection Profile and Server Virtualization Extended Package, however, require even CA roots to pass validations.

STIG	Date
VMware vSphere 7.0 ESXi Security Technical Implementation Guide	2023-06-21

Details

Check Text ( C-60112r918920_chk )
If SSL is not used for the syslog target, this is not applicable. From an ESXi shell, run the following command: # esxcli system syslog config get\|grep 509 or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.syslog.config.get.invoke()\|Select StrictX509Compliance Expected result: Strict X509Compliance: true If the output does not match the expected result, this is a finding.

Check Text ( C-60112r918920_chk )

If SSL is not used for the syslog target, this is not applicable.

From an ESXi shell, run the following command:

# esxcli system syslog config get|grep 509

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$esxcli.system.syslog.config.get.invoke()|Select StrictX509Compliance

Expected result:

Strict X509Compliance: true

If the output does not match the expected result, this is a finding.

Fix Text (F-60055r886091_fix)
From an ESXi shell, run the following commands: # esxcli system syslog config set --x509-strict="true" # esxcli system syslog reload or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.syslog.config.set.CreateArgs() $arguments.x509strict = $true $esxcli.system.syslog.config.set.Invoke($arguments) $esxcli.system.syslog.reload.Invoke()

Fix Text (F-60055r886091_fix)

From an ESXi shell, run the following commands:

# esxcli system syslog config set --x509-strict="true"
# esxcli system syslog reload

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.syslog.config.set.CreateArgs()
$arguments.x509strict = $true
$esxcli.system.syslog.config.set.Invoke($arguments)
$esxcli.system.syslog.reload.Invoke()