Information
Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities.
Shipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems.
Solution
Open /etc/rsyslog.conf with a text editor and locate the following line:
$IncludeConfig /etc/vmware-syslog/syslog.conf
Ensure that the following entry appears beneath that line and before the '# vmware services' line:
authpriv.* /var/log/audit/sshinfo.log
If the following line is at the end of the file, it must be removed or commented out:
auth.* /var/log/auth.log
At the command line, execute the following commands:
# systemctl restart syslog
# service sshd reload
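The following script is an added example, not part of the original guidance or of any vendor tooling. It audits an rsyslog.conf against the steps above. The function names check_rsyslog_conf and sample_conf are hypothetical, the sample configuration is constructed, and the check flags an active auth.* line wherever it appears, not only at the end of the file.

```shell
#!/bin/sh
# Added example. Audits a file against the steps above:
#   - authpriv.* entry sits below the $IncludeConfig line
#   - and above the "# vmware services" line
#   - no active "auth.* /var/log/auth.log" entry remains
# Prints findings; returns 0 if compliant, non-zero otherwise.
check_rsyslog_conf() {
    awk '
        $1 == "$IncludeConfig" && $2 == "/etc/vmware-syslog/syslog.conf" { if (!inc) inc = NR; next }
        $1 == "#" && $2 == "vmware" && $3 == "services" { if (!svc) svc = NR; next }
        /^[ \t]*#/ { next }   # any other comment line is inert
        $1 == "authpriv.*" && $2 == "/var/log/audit/sshinfo.log" { if (!ap) ap = NR }
        $1 == "auth.*" && $2 == "/var/log/auth.log" { bad = NR }
        END {
            rc = 0
            if (!inc) { print "FAIL: $IncludeConfig line not found"; rc = 1 }
            if (!ap) { print "FAIL: authpriv.* entry missing or commented out"; rc = 1 }
            else if (ap < inc) { print "FAIL: authpriv.* entry (line " ap ") is above the $IncludeConfig line"; rc = 1 }
            else if (svc && ap > svc) { print "FAIL: authpriv.* entry (line " ap ") is below # vmware services"; rc = 1 }
            if (bad) { print "FAIL: active auth.* entry on line " bad; rc = 1 }
            if (rc == 0) print "PASS"
            exit rc
        }
    ' "$1"
}

# Constructed sample of a compliant file, for trying the check offline.
sample_conf() {
    cat <<'EOF'
$IncludeConfig /etc/vmware-syslog/syslog.conf
authpriv.*   /var/log/audit/sshinfo.log
# vmware services
EOF
}

# Audit the file given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    check_rsyslog_conf "$1"
fi
```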