vmware / dod-compliance-and-automation

Security hardening content for VMware solutions to US Department of Defense standards

[vSphere][7.0][ESXI-70-000084] Incorrect property referenced in check and InSpec test #122

Closed pbarrette closed 1 year ago

pbarrette commented 1 year ago

Describe the bug

Using inspec, the ESXI-70-000084 control is marked as non-compliant on compliant systems.

Reproduction steps

  1. Use inspec to execute control ESXI-70-000084 against a compliant system.

Expected behavior

The control should be marked as compliant.

Additional context

In line 98 of the "ESXI-70-000084.rb" file, the control is searching for the "AuditRemoteHostEnabled" property.

This property does not exist on ESXi 7.0 and is instead found on ESXi 6.X.

The corresponding ESXi 7.0 property name is "AuditRecordRemoteTransmissionActive".

pstearns commented 1 year ago

I had a similar issue. I just modified it to the ESXi 7.0 name, but it would be possible to add an or statement to be more generic. I also added the following to address the optional check.

  # Opening `if` restored here so the else/end below balance; the snippet was posted without it.
  if !vmhosts.empty?
    vmhosts.each do |vmhost|
      # 1. Audit record storage must be active on the host.
      command = "$vmhost = Get-VMHost -Name #{vmhost}; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.auditrecords.get.invoke() | Select-Object -ExpandProperty AuditRecordStorageActive"
      describe powercli_command(command) do
        its('stdout.strip') { should cmp 'true' }
      end

      # 2. Local storage capacity (MB) must be between 4 and 100.
      command = "$vmhost = Get-VMHost -Name #{vmhost}; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.auditrecords.get.invoke() | Select-Object -ExpandProperty AuditRecordStorageCapacity"
      describe powercli_command(command) do
        its('stdout.strip') { should cmp >= '4' }
        its('stdout.strip') { should cmp <= '100' }
      end

      # Optional: records are stored under the expected local directory.
      command = "$vmhost = Get-VMHost -Name #{vmhost}; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.auditrecords.get.invoke() | Select-Object -ExpandProperty AuditRecordStorageDirectory"
      describe powercli_command(command) do
        its('stdout.strip') { should match /.*\/scratch\/auditLog.*/ }
      end

      # 3. Remote transmission to syslog must be active (ESXi 7.0 property name).
      command = "$vmhost = Get-VMHost -Name #{vmhost}; $esxcli = Get-EsxCli -VMHost $vmhost -V2; $esxcli.system.auditrecords.get.invoke() | Select-Object -ExpandProperty AuditRecordRemoteTransmissionActive"
      describe powercli_command(command) do
        its('stdout.strip') { should cmp 'true' }
      end
    end
  else
    describe 'No hosts found!' do
      skip 'No hosts found...skipping tests'
    end
  end

pbarrette commented 1 year ago

That doesn't account for the remote log enablement.

The specific directory doesn't really matter so long as you're actually storing them on a local directory path.

ESXI-70-000084 checks 3 things:

  1. Is audit record storage active?
  2. Is the local storage at least 4MB in size?
  3. Are the audit logs getting sent to the global syslog server?

The check code you've listed doesn't actually answer any of those 3 questions.

pstearns commented 1 year ago

To be more specific that was in addition to the current checks. Updated my previous code snippet for inclusion.

pbarrette commented 1 year ago

Ah, I see.

Cover both ESXi 6.7 and 7.0

pbarrette commented 1 year ago

Oops, hit the wrong button and closed accidentally.

rlakey commented 1 year ago

I'll add this one to a future update since we need to change the control as well and not just fix the test. I didn't go back and check 7 yet, but in 8.0 there are advanced settings for these items so we may be able to just utilize those if they exist.

rlakey commented 1 year ago

InSpec test is updated FYI.

scpfinoue commented 1 year ago

In the STIG it references Storage Capacity to be 100MB. But the main STIG check is to verify if Audit Record Storage is enabled. For us, our Storage Capacity is 4MB and I can't change it. When I run the command "esxcli system auditrecords local set --size-100" it will take the setting, but after reboots it reverts back to 4MB.

pstearns (comment): his script is looking for the size to be between 4 and 100MB.

pbarrette (comment): references that the size is at least 4MB.

So, am I compliant being at 4MB? Here are my auditlog results:

    Audit Record Storage Active: true
    Audit Record Storage Capacity: 4
    Audit Record Storage Directory: /scratch/auditLog
    Audit Remote Host Enabled: true

pbarrette commented 1 year ago

@scpfinoue

The text of the official STIG is a bit flaky at the moment. It suggests that the storage space should be 100MB and suggests that it be stored on persistent storage, but the only official "no-go" is the following text: If audit record storage is not active and configured, this is a finding.

The InSpec code for the check is currently doing 3 things:

  1. Check that AuditRecordStorageActive = true.
  2. Check that AuditRecordStorageCapacity is between 4 and 100 MB.
  3. Check that AuditRecordRemoteTransmissionActive = true.

So, technically, at the moment, if AuditRecordStorageActive is true and the storage location is persistent, then you're compliant. The other 2 are probably also important, but those items are not called out in the STIG text, so they basically don't matter.

Those other items probably will matter after some future revision of the STIG text. I'm assuming that is the reason this issue is still open.
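As an added example (not code from the dod-compliance-and-automation repository or from anyone in this thread), the three conditions listed above evaluated in plain Ruby against the text output of `esxcli system auditrecords get`, accepting both the ESXi 7.0 name (AuditRecordRemoteTransmissionActive) and the 6.x name (AuditRemoteHostEnabled) for the remote-transmission property. The sample outputs are constructed to resemble the results pasted earlier in the thread.

```ruby
# Parse "Label: value" lines into a hash keyed by the label with spaces removed,
# e.g. "Audit Record Storage Active: true" -> "AuditRecordStorageActive" => "true".
def parse_auditrecords(text)
  text.each_line.with_object({}) do |line, props|
    key, _, value = line.strip.partition(':')
    next if value.empty?
    props[key.delete(' ')] = value.strip
  end
end

# Remote transmission is reported under different names on ESXi 6.x and 7.0.
REMOTE_KEYS = %w[AuditRecordRemoteTransmissionActive AuditRemoteHostEnabled].freeze

# Evaluate the three ESXI-70-000084 conditions; returns check name => boolean.
def evaluate_084(props)
  capacity_mb = props['AuditRecordStorageCapacity'].to_i
  remote = REMOTE_KEYS.map { |k| props[k] }.compact.first # nil if neither name present
  {
    storage_active:      props['AuditRecordStorageActive'] == 'true',
    capacity_in_range:   capacity_mb.between?(4, 100),
    remote_transmission: remote == 'true',
  }
end

def compliant?(props)
  evaluate_084(props).values.all?
end

# Constructed sample: ESXi 7.0 style output, all three conditions met.
SAMPLE_70 = <<~OUT
  Audit Record Storage Active: true
  Audit Record Storage Capacity: 4
  Audit Record Storage Directory: /scratch/auditLog
  Audit Record Remote Transmission Active: true
OUT

# Constructed sample: ESXi 6.x style output with remote transmission disabled.
SAMPLE_6X = <<~OUT
  Audit Record Storage Active: true
  Audit Record Storage Capacity: 4
  Audit Record Storage Directory: /scratch/auditLog
  Audit Remote Host Enabled: false
OUT

if __FILE__ == $PROGRAM_NAME
  puts "7.0 host: #{evaluate_084(parse_auditrecords(SAMPLE_70))}"
  puts "6.x host: #{evaluate_084(parse_auditrecords(SAMPLE_6X))}"
end
```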

scpfinoue commented 1 year ago

Thanks pbarrette, I totally agree with your statement. But as you also said it may matter in the future. As you know when we get audited/inspected the person doing so is NO SME. They simply make us run the check command and review the results. And if the STIG says "Expected Results" and it doesn't match we get dinked on it.

Do you think if I move it to another larger /vmfs storage location that I can set the Capacity to 100MB? Do you know why it can't be changed from 4MB?

rlakey commented 1 year ago

@scpfinoue What is your boot device where it's reverting to 4MB? SD card?

In this case the check says Example Result instead of Expected Result so that we can accommodate more configurations that still meet the intent.

scpfinoue commented 1 year ago

The ESXi OS is installed on a 240GB M.2 SSD drive. When I do a df -h on the vmfs volume where /scratch/AuditLogs resides [/vmfs/volumes/OSDATA-xxxxx[random UID]]:

    VMFS-L  Size: 119.8G  Used: 10.6G  Available: 109.1G  Use%: 9%

There's a lot of free space.