Detections
Analytics
ESXI-80-000224 - The ESXi host must verify certificates for SSL syslog endpoints.
Information
When sending syslog data to a remote host, ESXi can be configured to use any combination of TCP, UDP, and SSL transports. When using SSL, the server certificate must be validated to ensure that the host is connecting to a valid syslog server.Solution
To configure SSL syslog endpoint certificate checking, it must be turned on and the trusted certificate chain must be added to ESXi's trusted store.From the vSphere Client go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Click "Edit". Select the "Syslog.global.certificate.checkSSLCerts" value and configure it to "true".
Copy the PEM formatted trusted CA certificate so that is accessible to the host and append the contents to /etc/vmware/ssl/castore.pem by running the following command:
# <path/to/cacert> >> /etc/vmware/ssl/castore.pem
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.certificate.checkSSLCerts | Set-AdvancedSetting -Value "true"
Copy the PEM formatted trusted CA certificate so that is accessible to the host.
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.certificatestore.add.CreateArgs()
$arguments.filename = <path/to/cacert>
$esxcli.system.security.certificatestore.add.Invoke($arguments)
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y25M04_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 8.0 ESXi STIG v2r3 VMware
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258779r1003572_rule, STIG-ID|ESXI-80-000224, Vuln-ID|V-258779
Plugin: VMware
Control ID: 899caef5d0bf9c07f31c751b400c9900dd6fe2ef58554ef51f990320ef4b81a1