Configuring Audit Logging for STIG hardening of ESXi hosts fails with the error: "invalid file location" or "The audit record storage directory '/vmfs/volumes/<datastore>/<folder>' is invalid."


Article ID: 370221


Products

VMware vSphere ESXi

Issue/Introduction

When performing STIG hardening on ESXi hosts, one requirement (STIG ID: ESXI-70-000084) is to store the audit logs on persistent storage.

The following process fails:

esxcli system auditrecords local set --directory=<dir>
esxcli system auditrecords local enable

Environment

VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0.x

Cause

According to the command documentation, "You must not manually create an audit record storage directory."

  • (Syslog.global.auditRecord.storageDirectory)

If the directory named in the set command was created before the set command was run, the enable command will fail. The directory must not exist before the set command is run.

Resolution

Delete the audit record storage directory and start the process over to set and enable.

Further, to use the same datastore path for multiple hosts, you could:

  • Ensure the datastore is empty or doesn't contain the folder used in the set command

         cd /vmfs/volumes/datastore
         ls -l

  • Create an audit directory, for example

         mkdir audit

  • Ensure the audit directory is empty

         ls -l audit

  • Configure host1 to point to its own record directory inside the audit directory

         esxcli system auditrecords local set --directory /vmfs/volumes/datastore/audit/host1
      • (/host1 does not currently exist in this path)

  • Enable auditrecords

         esxcli system auditrecords local enable
      • (The audit directory now has a host1 sub-directory)

For example:

[root@localhost:/vmfs/volumes/datastore] ls -l
total 0

[root@localhost:/vmfs/volumes/datastore] mkdir audit
[root@localhost:/vmfs/volumes/datastore] ls -l
total 128
drwxr-xr-x 1 root root 69632 Jun 18 21:18 audit

[root@localhost:/vmfs/volumes/datastore] ls -l audit
total 0

[root@localhost:/vmfs/volumes/datastore] esxcli system auditrecords local set --directory /vmfs/volumes/6671c4ed-a09a03af-9803-00505605bb35/audit/host1
[root@localhost:/vmfs/volumes/datastore] esxcli system auditrecords local enable
[root@localhost:/vmfs/volumes/datastore] ls -l audit/
total 128
drwxr-xr-x 1 root root 90112 Jun 18 21:19 host1
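
The check implied by the steps above, as an added example (not from the original article or from VMware): a POSIX shell pre-flight that refuses to run the set command when the per-host directory already exists. The function names, return codes and the ESXCLI override variable are assumptions, as is treating a missing parent directory as an error, which follows the article's step of creating the audit directory first.

```shell
#!/bin/sh
# Added example; function names and return codes are hypothetical.
# ESXCLI can be overridden (e.g. ESXCLI=echo) for a dry run off-host.
ESXCLI=${ESXCLI:-esxcli}

# audit_dir_precheck DIR
#   0  DIR does not exist and its parent does: safe to pass to "local set"
#   1  DIR already exists (pre-created): "local enable" is expected to fail
#   2  parent directory missing (assumption: it is created by hand first)
#   3  empty path
audit_dir_precheck() {
    dir=${1%/}
    [ -n "$dir" ] || return 3
    parent=$(dirname "$dir")
    [ -d "$parent" ] || return 2
    # -e is false for a dangling symlink, so test -L as well
    if [ -e "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    return 0
}

# configure_audit_records BASE HOST
#   Sets BASE/HOST as this host's audit record directory, then enables
#   audit records. Runs esxcli only when the pre-check passes.
configure_audit_records() {
    base=${1%/}
    host=$2
    target="$base/$host"
    rc=0
    audit_dir_precheck "$target" || rc=$?
    case $rc in
        0) ;;
        1) echo "refusing: $target already exists; delete it and start over" >&2
           return 1 ;;
        2) echo "refusing: parent directory $base does not exist" >&2
           return 2 ;;
        *) echo "refusing: empty path" >&2
           return 3 ;;
    esac
    "$ESXCLI" system auditrecords local set --directory="$target" || return 4
    "$ESXCLI" system auditrecords local enable || return 4
}

# Usage on a host, matching the article's layout:
#   configure_audit_records /vmfs/volumes/datastore/audit host1
```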

 

Additional Information