The ESXi host must enable strict x509 verification for SSL syslog endpoints.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258789	SRG-OS-000480-VMM-002000	ESXI-80-000234	SV-258789r933428_rule	2023-10-11	1

Description
When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict" option performs additional validity checks on CA root certificates during verification. These checks are generally not performed (CA roots are inherently trusted) and might cause incompatibilities with existing, misconfigured CA roots. The NIAP requirements in the Virtualization Protection Profile and Server Virtualization Extended Package, however, require even CA roots to pass validations.

Description

When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict" option performs additional validity checks on CA root certificates during verification. These checks are generally not performed (CA roots are inherently trusted) and might cause incompatibilities with existing, misconfigured CA roots. The NIAP requirements in the Virtualization Protection Profile and Server Virtualization Extended Package, however, require even CA roots to pass validations.

ℹ️ Check
If SSL is not used for a syslog target, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.certificate.strictX509Compliance" value and verify it is set to "true". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance If the "Syslog.global.certificate.strictX509Compliance" setting is not set to "true", this is a finding.

ℹ️ Check

If SSL is not used for a syslog target, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.certificate.strictX509Compliance" value and verify it is set to "true". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance If the "Syslog.global.certificate.strictX509Compliance" setting is not set to "true", this is a finding.

✔️ Fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.certificate.strictX509Compliance" value and configure it to "true". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance \| Set-AdvancedSetting -Value "true"

✔️ Fix

From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.certificate.strictX509Compliance" value and configure it to "true". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Set-AdvancedSetting -Value "true"