The ESXi host must enable strict x509 verification for SSL syslog endpoints.

An XCCDF Rule

Description

<VulnDiscussion>When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict" option performs additional validity checks on CA root certificates during verification. These checks are generally not performed (CA roots are inherently trusted) and might cause incompatibilities with existing, misconfigured CA roots. The NIAP requirements in the Virtualization Protection Profile and Server Virtualization Extended Package, however, require even CA roots to pass validations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256437r919026_rule
Severity: Medium
References: CCI-000366
Updated: 9 months ago

From an ESXi shell, run the following commands:

# esxcli system syslog config set --x509-strict="true"
# esxcli system syslog reload

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.syslog.config.set.CreateArgs()
$arguments.x509strict = $true
$esxcli.system.syslog.config.set.Invoke($arguments)
$esxcli.system.syslog.reload.Invoke()

The ESXi host must enable strict x509 verification for SSL syslog endpoints.

Description

Remediation - Manual Procedure