VMware vSphere 6.7 ESXi Security Technical Implementation Guide
- Version/Release: V1R3
- Published: 2023-06-16
-
Expand All:
- Severity:
-
Sort:
Compare
Select any two versions of this STIG to compare the individual requirements
View
Select any old version/release of this STIG to view the previous requirements
- RMF Control
- AC-10
- Severity
- Medium
- CCI
- CCI-000054
- Version
- ESXI-67-000001
- Vuln IDs
-
- V-239258
- Rule IDs
-
- SV-239258r674703_rule
Checks: C-42491r674701_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is enabled ("Normal" or "Strict"). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is Not Applicable.
Fix: F-42450r674702_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Click "Edit" in "Lockdown Mode" and enable ("Normal" or "Strict"). or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $level = "lockdownNormal" OR "lockdownStrict" $vmhost = Get-VMHost -Name <hostname> | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.ChangeLockdownMode($level) Note: In Strict Lockdown Mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Client is no longer available, the ESXi host becomes inaccessible.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000002
- Vuln IDs
-
- V-239259
- Rule IDs
-
- SV-239259r674706_rule
Checks: C-42492r674704_chk
For environments that do not use vCenter server to manage ESXi, this is Not Applicable. From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "DCUI.Access" value and verify that only the root user is listed. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If the DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user.
Fix: F-42451r674705_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "DCUI.Access" value, and configure it to root. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000003
- Vuln IDs
-
- V-239260
- Rule IDs
-
- SV-239260r674709_rule
Checks: C-42493r674707_chk
For environments that do not use vCenter server to manage ESXi, this is Not Applicable. From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under Lockdown Mode, review the Exception Users list. or From a PowerCLI command prompt while connected to the ESXi host, run the following script: $vmhost = Get-VMHost | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.QueryLockdownExceptions() If the Exception Users list contains accounts that do not require special permissions, this is a finding. Note: This list is not intended for system administrator accounts but for special circumstances such as a service account.
Fix: F-42452r674708_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Lockdown Mode", click "Edit" and remove unnecessary users from the exceptions list.
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000067
- Version
- ESXI-67-000004
- Vuln IDs
-
- V-239261
- Rule IDs
-
- SV-239261r854586_rule
Checks: C-42494r674710_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the "Syslog.global.logHost" setting is not set to a site-specific syslog server, this is a finding.
Fix: F-42453r674711_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Syslog.global.logHost" value, and configure it to a site-specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-000044
- Version
- ESXI-67-000005
- Vuln IDs
-
- V-239262
- Rule IDs
-
- SV-239262r674715_rule
Checks: C-42495r674713_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.AccountLockFailures" value and verify it is set to "3". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures If "Security.AccountLockFailures" is set to a value other than "3", this is a finding.
Fix: F-42454r674714_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Security.AccountLockFailures" value, and configure it to "3". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-002238
- Version
- ESXI-67-000006
- Vuln IDs
-
- V-239263
- Rule IDs
-
- SV-239263r854587_rule
Checks: C-42496r674716_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.AccountUnlockTime" value and verify it is set to "900". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime If the "Security.AccountUnlockTime" is set to a value other than "900", this is a finding.
Fix: F-42455r674717_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Security.AccountUnlockTime" value and configure it to "900". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- ESXI-67-000007
- Vuln IDs
-
- V-239264
- Rule IDs
-
- SV-239264r674721_rule
Checks: C-42497r674719_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Annotations.WelcomeMessage" value and verify it contains the DoD logon banner to follow. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Check for either of the following logon banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't. If the DCUI logon screen does not display the DoD logon banner, this is a finding.
Fix: F-42456r674720_fix
From a PowerCLI command prompt while connected to the ESXi host, copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: <script begin> $value = @" {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} "@ Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value <script end>
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- ESXI-67-000008
- Vuln IDs
-
- V-239265
- Rule IDs
-
- SV-239265r674724_rule
Checks: C-42498r674722_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Config.Etc.issue" value and verify it is set to the DoD logon banner below. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue If the "Config.Etc.issue" setting (/etc/issue file) does not contain the logon banner exactly as shown below, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Fix: F-42457r674723_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Config.Etc.issue" value, and set it to the following: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- ESXI-67-000009
- Vuln IDs
-
- V-239266
- Rule IDs
-
- SV-239266r674727_rule
Checks: C-42499r674725_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Banner" /etc/ssh/sshd_config If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.
Fix: F-42458r674726_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- ESXI-67-000010
- Vuln IDs
-
- V-239267
- Rule IDs
-
- SV-239267r674730_rule
Checks: C-42500r674728_chk
To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell: # grep -i "^FipsMode" /etc/ssh/sshd_config or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.security.fips140.ssh.get.invoke() If there is no output or the output is not exactly "FipsMode yes" over SSH, or enabled is not "true" over PowerCLI, this is a finding.
Fix: F-42459r674729_fix
Limit the ciphers to FIPS-approved algorithms. From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": FipsMode yes or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs() $arguments.enable = $true $esxcli.system.security.fips140.ssh.set.Invoke($arguments)
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000767
- Version
- ESXI-67-000012
- Vuln IDs
-
- V-239268
- Rule IDs
-
- SV-239268r674733_rule
Checks: C-42501r674731_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^IgnoreRhosts" /etc/ssh/sshd_config If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.
Fix: F-42460r674732_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000013
- Vuln IDs
-
- V-239269
- Rule IDs
-
- SV-239269r674736_rule
Checks: C-42502r674734_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.
Fix: F-42461r674735_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000014
- Vuln IDs
-
- V-239270
- Rule IDs
-
- SV-239270r674739_rule
Checks: C-42503r674737_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitRootLogin" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.
Fix: F-42462r674738_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000015
- Vuln IDs
-
- V-239271
- Rule IDs
-
- SV-239271r674742_rule
Checks: C-42504r674740_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.
Fix: F-42463r674741_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000016
- Vuln IDs
-
- V-239272
- Rule IDs
-
- SV-239272r674745_rule
Checks: C-42505r674743_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.
Fix: F-42464r674744_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000018
- Vuln IDs
-
- V-239273
- Rule IDs
-
- SV-239273r674748_rule
Checks: C-42506r674746_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.
Fix: F-42465r674747_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GSSAPIAuthentication no
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000019
- Vuln IDs
-
- V-239274
- Rule IDs
-
- SV-239274r674751_rule
Checks: C-42507r674749_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^KerberosAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.
Fix: F-42466r674750_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": KerberosAuthentication no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000020
- Vuln IDs
-
- V-239275
- Rule IDs
-
- SV-239275r674754_rule
Checks: C-42508r674752_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^StrictModes" /etc/ssh/sshd_config If there is no output or the output is not exactly "StrictModes yes", this is a finding.
Fix: F-42467r674753_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": StrictModes yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000021
- Vuln IDs
-
- V-239276
- Rule IDs
-
- SV-239276r674757_rule
Checks: C-42509r674755_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Compression" /etc/ssh/sshd_config If there is no output or the output is not exactly "Compression no", this is a finding.
Fix: F-42468r674756_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Compression no
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000022
- Vuln IDs
-
- V-239277
- Rule IDs
-
- SV-239277r674760_rule
Checks: C-42510r674758_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GatewayPorts" /etc/ssh/sshd_config If there is no output or the output is not exactly "GatewayPorts no", this is a finding.
Fix: F-42469r674759_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GatewayPorts no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000023
- Vuln IDs
-
- V-239278
- Rule IDs
-
- SV-239278r674763_rule
Checks: C-42511r674761_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^X11Forwarding" /etc/ssh/sshd_config If there is no output or the output is not exactly "X11Forwarding no", this is a finding.
Fix: F-42470r674762_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": X11Forwarding no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000024
- Vuln IDs
-
- V-239279
- Rule IDs
-
- SV-239279r674766_rule
Checks: C-42512r674764_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^AcceptEnv" /etc/ssh/sshd_config If there is no output or the output is not exactly "AcceptEnv", this is a finding.
Fix: F-42471r674765_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": AcceptEnv
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000025
- Vuln IDs
-
- V-239280
- Rule IDs
-
- SV-239280r674769_rule
Checks: C-42513r674767_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitTunnel" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitTunnel no", this is a finding.
Fix: F-42472r674768_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitTunnel no
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000026
- Vuln IDs
-
- V-239281
- Rule IDs
-
- SV-239281r674772_rule
Checks: C-42514r674770_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveCountMax 3", this is a finding.
Fix: F-42473r674771_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveCountMax 3
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000027
- Vuln IDs
-
- V-239282
- Rule IDs
-
- SV-239282r674775_rule
Checks: C-42515r674773_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveInterval" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.
Fix: F-42474r674774_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveInterval 200
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000028
- Vuln IDs
-
- V-239283
- Rule IDs
-
- SV-239283r674778_rule
Checks: C-42516r674776_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^MaxSessions" /etc/ssh/sshd_config If there is no output or the output is not exactly "MaxSessions 1", this is a finding.
Fix: F-42475r674777_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": MaxSessions 1
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000029
- Vuln IDs
-
- V-239284
- Rule IDs
-
- SV-239284r674781_rule
Checks: C-42517r674779_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # ls -la /etc/ssh/keys-root/authorized_keys or # cat /etc/ssh/keys-root/authorized_keys If the "authorized_keys" file exists and is not empty, this is a finding.
Fix: F-42476r674780_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys
- RMF Control
- AU-3
- Severity
- Low
- CCI
- CCI-000130
- Version
- ESXI-67-000030
- Vuln IDs
-
- V-239285
- Rule IDs
-
- SV-239285r674784_rule
Checks: C-42518r674782_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.log.level" value and verify it is set to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the "Config.HostAgent.log.level" setting is not set to "info", this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
Fix: F-42477r674783_fix
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Config.HostAgent.log.level" value, and configure it to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- ESXI-67-000031
- Vuln IDs
-
- V-239286
- Rule IDs
-
- SV-239286r674787_rule
Checks: C-42519r674785_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordQualityControl" value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the "Security.PasswordQualityControl" setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
Fix: F-42478r674786_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Security.PasswordQualityControl" value, and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- ESXI-67-000032
- Vuln IDs
-
- V-239287
- Rule IDs
-
- SV-239287r674790_rule
Checks: C-42520r674788_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordHistory" value and verify it is set to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory If the "Security.PasswordHistory" setting is not set to "5", this is a finding.
Fix: F-42479r674789_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordHistory" value and configure it to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000033
- Vuln IDs
-
- V-239288
- Rule IDs
-
- SV-239288r674793_rule
Checks: C-42521r674791_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If sha512 is not listed, this is a finding.
Fix: F-42480r674792_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- ESXI-67-000034
- Vuln IDs
-
- V-239289
- Rule IDs
-
- SV-239289r674796_rule
Checks: C-42522r674794_chk
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.plugins.solo.enableMob" value and verify it is set to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the "Config.HostAgent.plugins.solo.enableMob" setting is not set to "false", this is a finding.
Fix: F-42481r674795_fix
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.solo.enableMob" value and configure it to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- ESXI-67-000035
- Vuln IDs
-
- V-239290
- Rule IDs
-
- SV-239290r854588_rule
Checks: C-42523r674797_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "SSH" service, and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
Fix: F-42482r674798_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "SSH" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- ESXI-67-000036
- Vuln IDs
-
- V-239291
- Rule IDs
-
- SV-239291r674802_rule
Checks: C-42524r674800_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "ESXi Shell" service, and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} If the ESXi Shell service is running, this is a finding.
Fix: F-42483r674801_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "ESXi Shell" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
- RMF Control
- IA-2
- Severity
- Low
- CCI
- CCI-000764
- Version
- ESXI-67-000037
- Vuln IDs
-
- V-239292
- Rule IDs
-
- SV-239292r854589_rule
Checks: C-42525r674803_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
Fix: F-42484r674804_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Click "Join Domain" and enter the AD domain to join. Select the "Using credentials” radio button, enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain), and then click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000764
- Version
- ESXI-67-000038
- Vuln IDs
-
- V-239293
- Rule IDs
-
- SV-239293r854590_rule
Checks: C-42526r816571_chk
From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify that if "JoinADEnabled" is "True", "JoinDomainMethod" is "FixedCAMConfigOption". If not using Host Profiles to join active directory, this is not a finding.
Fix: F-42485r674807_fix
From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.
- RMF Control
- IA-2
- Severity
- Low
- CCI
- CCI-000764
- Version
- ESXI-67-000039
- Vuln IDs
-
- V-239294
- Rule IDs
-
- SV-239294r854591_rule
Checks: C-42527r674809_chk
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory, this is Not Applicable. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key is set to "ESX Admins", this is a finding.
Fix: F-42486r674810_fix
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key and configure its value to an appropriate Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
- RMF Control
- IA-2
- Severity
- Low
- CCI
- CCI-000767
- Version
- ESXI-67-000040
- Vuln IDs
-
- V-239295
- Rule IDs
-
- SV-239295r854592_rule
Checks: C-42528r816573_chk
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status. If "Smart Card Mode" is "Disabled", this is a finding. For environments that do not have PKI or AD available, this is Not Applicable.
Fix: F-42487r674813_fix
The following are prerequisites to configuration of smart card authentication for the ESXi DCUI: - Active Directory domain that supports smart card authentication, smart card readers, and smart cards; - ESXi joined to an Active Directory domain; and - Trusted certificates for root and intermediary certificate authorities. From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services, click "Edit", and check the "Enable Smart Card Authentication" checkbox. At the "Certificates" tab, click the green plus sign to import trusted certificate authority certificates and click "OK".
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- ESXI-67-000041
- Vuln IDs
-
- V-239296
- Rule IDs
-
- SV-239296r878140_rule
Checks: C-42529r674815_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellInteractiveTimeOut" value and verify it is set to "120" (2 Minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the "UserVars.ESXiShellInteractiveTimeOut" setting is not set to "120", this is a finding.
Fix: F-42488r674816_fix
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.ESXiShellInteractiveTimeOut" value, and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 120
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- ESXI-67-000042
- Vuln IDs
-
- V-239297
- Rule IDs
-
- SV-239297r878140_rule
Checks: C-42530r674818_chk
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellTimeOut" value and verify it is set to "600" (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the "UserVars.ESXiShellTimeOut" setting is not set to "600", this is a finding.
Fix: F-42489r674819_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.ESXiShellTimeOut" value, and configure it to "600". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- ESXI-67-000043
- Vuln IDs
-
- V-239298
- Rule IDs
-
- SV-239298r878140_rule
Checks: C-42531r674821_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.DcuiTimeOut" value and verify it is set to "120" (2 minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the "UserVars.DcuiTimeOut" setting is not set to "120", this is a finding.
Fix: F-42490r674822_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.DcuiTimeOut" value, and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 120
- RMF Control
- SC-24
- Severity
- Low
- CCI
- CCI-001665
- Version
- ESXI-67-000044
- Vuln IDs
-
- V-239299
- Rule IDs
-
- SV-239299r816576_rule
Checks: C-42532r816575_chk
From the vSphere Client, select the ESXi host and right-click. If the "Add Diagnostic Partition" option is greyed out, core dumps are configured. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.coredump.partition.get.Invoke() $esxcli.system.coredump.network.get.Invoke() The first command prepares for the other two. The second command shows whether an active core dump partition is configured. The third command shows whether a network core dump collector is configured and enabled via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. If there is an active core dump partition, via the second command, this is not a finding. If there is a network core dump collector configured and enabled, this is not a finding. If there is no core dump partition and no network core dump collector configured, this is a finding.
Fix: F-42491r674825_fix
From the vSphere Client, select the ESXi host and right-click. Select the "Add Diagnostic Partition" option to configure a core dump diagnostic partition. or From a PowerCLI command prompt while connected to the ESXi host, run at least one of the following sets of commands: To configure a core dump partition: $esxcli = Get-EsxCli -v2 #View available partitions to configure $esxcli.system.coredump.partition.list.Invoke() $arguments = $esxcli.system.coredump.partition.set.CreateArgs() $arguments.partition = "<NAA ID of target partition from output listed previously>" $esxcli.system.coredump.partition.set.Invoke($arguments) #You can't set the partition and enable it at the same time so now we can enable it $arguments = $esxcli.system.coredump.partition.set.CreateArgs() $arguments.enable = $true $esxcli.system.coredump.partition.set.Invoke($arguments) To configure a core dump collector: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.coredump.network.set.CreateArgs() $arguments.interfacename = "<vmkernel port to use>" $arguments.serverip = "<collector IP>" $arguments.serverport = "<collector port>" $arguments = $esxcli.system.coredump.network.set.Invoke($arguments) $arguments = $esxcli.system.coredump.network.set.CreateArgs() $arguments.enable = $true $arguments = $esxcli.system.coredump.network.set.Invoke($arguments)
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001849
- Version
- ESXI-67-000045
- Vuln IDs
-
- V-239300
- Rule IDs
-
- SV-239300r854596_rule
Checks: C-42533r674827_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Syslog.global.logDir" value and verify it is set to a persistent location. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.syslog.config.get.Invoke() | Select LocalLogOutput,LocalLogOutputIsPersistent If the "LocalLogOutputIsPersistent" value is not true, this is a finding.
Fix: F-42492r674828_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Syslog.global.logDir" value and set it to a known persistent location. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- ESXI-67-000046
- Vuln IDs
-
- V-239301
- Rule IDs
-
- SV-239301r878143_rule
Checks: C-42534r674830_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to verify the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources or the service does not have a "Policy" of "on" or is stopped, this is a finding.
Fix: F-42493r674831_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
- RMF Control
- CM-5
- Severity
- High
- CCI
- CCI-001749
- Version
- ESXI-67-000047
- Vuln IDs
-
- V-239302
- Rule IDs
-
- SV-239302r878138_rule
Checks: C-42535r674833_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.software.acceptance.get.Invoke() If the acceptance level is "CommunitySupported", this is a finding.
Fix: F-42494r674834_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", click "Edit". Using the pull-down selection, set the acceptance level to be "VMwareCertified", "VMwareAccepted", or "PartnerSupported". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.software.acceptance.set.CreateArgs() $arguments.level = "PartnerSupported" $esxcli.software.acceptance.set.Invoke($arguments) Note: "VMwareCertified" or "VMwareAccepted" may be substituted for "PartnerSupported", depending on local requirements. These are also case sensitive.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- ESXI-67-000048
- Vuln IDs
-
- V-239303
- Rule IDs
-
- SV-239303r854599_rule
Checks: C-42536r674836_chk
Verify the vMotion VMKernel port group is in a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and is not routed to anything but ESXi hosts. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configuration >> Networking. Review the VLAN associated with the vMotion VMkernel(s) and verify it is dedicated for that purpose and logically separated from other functions. If long distance or cross-vCenter vMotion is used, the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding.
Fix: F-42495r674837_fix
Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a distributed switch, do the following: From the vSphere Client, go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Edit >> VLAN. Change the "VLAN Type" to "VLAN" and change the "VLAN ID" to a network allocated and dedicated to vMotion traffic exclusively.
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- ESXI-67-000049
- Vuln IDs
-
- V-239304
- Rule IDs
-
- SV-239304r854600_rule
Checks: C-42537r674839_chk
Verify the Management VMkernel port group is on a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and is not accessible to anything other than management-related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configure >> Networking. Review the VLAN associated with the Management VMkernel and verify it is dedicated for that purpose and is logically separated from other functions. If the network segment is accessible, except to networks where other management-related entities such as vCenter are located, this is a finding.
Fix: F-42496r674840_fix
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Management VMkernel and click "Edit". On the Port properties tab, uncheck everything but "Management.” On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK". Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Management portgroup and click "Edit". On the properties tab, enter the appropriate VLAN ID and click "OK".
- RMF Control
- SC-8
- Severity
- Medium
- CCI
- CCI-002418
- Version
- ESXI-67-000050
- Vuln IDs
-
- V-239305
- Rule IDs
-
- SV-239305r854601_rule
Checks: C-42538r674842_chk
If IP-based storage is not used, this is Not Applicable. Verify that IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups are in a dedicated VLAN, which can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> VMkernel adapters. Review the VLANs associated with any IP-based storage VMkernels and verify it is dedicated for that purpose and logically separated from other functions. If any IP-based storage networks are not isolated from other traffic types, this is a finding.
Fix: F-42497r674843_fix
Configuration of an IP-Based VMkernel will be unique to each environment. However, as an example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel, do the following: vSAN Example: From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the dedicated vSAN VMkernel adapter and click Edit settings. On the Port properties tab, uncheck everything but "vSAN.” On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK". Set the appropriate VLAN ID by navigating to Configure >> Networking >> Virtual switches. Select the appropriate portgroup (iSCSI, NFS, vSAN) and click Edit settings. On the properties tab, enter the appropriate VLAN ID and click "OK".
- RMF Control
- SC-8
- Severity
- Low
- CCI
- CCI-002418
- Version
- ESXI-67-000052
- Vuln IDs
-
- V-239306
- Rule IDs
-
- SV-239306r854602_rule
Checks: C-42539r674845_chk
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If vMotion and Provisioning VMKernels are in use and are not using their own TCP/IP stack, this is a finding.
Fix: F-42498r674846_fix
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> TCP/IP configuration. Select a TCP/IP stack and click "Edit". Enter the appropriate site-specific IP address information for the particular TCP/IP stack and click "OK".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000053
- Vuln IDs
-
- V-239307
- Rule IDs
-
- SV-239307r674850_rule
Checks: C-42540r674848_chk
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostSnmp | Select * or From an console or ssh session, run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read-only communities is set to "public", this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.
Fix: F-42499r674849_fix
To disable SNMP, run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false or From a console or ssh session, run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets, use the "esxcli system snmp set" command set.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000054
- Vuln IDs
-
- V-239308
- Rule IDs
-
- SV-239308r674853_rule
Checks: C-42541r674851_chk
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication method, view the CHAP configuration, and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.
Fix: F-42500r674852_fix
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication and click the "Edit" button. Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000055
- Vuln IDs
-
- V-239309
- Rule IDs
-
- SV-239309r674856_rule
Checks: C-42542r674854_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Mem.ShareForceSalting" value and verify it is set to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the "Mem.ShareForceSalting" setting is not set to "2", this is a finding.
Fix: F-42501r674855_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Mem.ShareForceSalting" value, and configure it to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000056
- Vuln IDs
-
- V-239310
- Rule IDs
-
- SV-239310r674859_rule
Checks: C-42543r674857_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall. Under the "Firewall" section, click "Edit". For each enabled service, click "Firewall" and review the allowed IPs. Check this for incoming and outgoing connections. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
Fix: F-42502r674858_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall. Under the "Firewall" section, click "Edit". For each enabled service, uncheck the check box to “Allow connections from any IP address” and input the site-specific network(s) required. Configure this for incoming and outgoing connections. The following example formats are acceptable: 192.168.0.0/24 192.168.1.2, 2001::1/64 fd3e:29a6:0a81:e478::/64 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: $esxcli = Get-EsxCli -v2 #This disables the allow all rule for the target service. We are targeting the sshServer service in this example. $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.allowedall = $false $esxcli.network.firewall.ruleset.set.Invoke($arguments) #Next add the allowed IPs for the service. Note doing the "vSphere Web Client" service this way may disable access but may be done through vCenter or through the console. $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.ipaddress = "10.0.0.0/8" $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments) This must be done for each enabled service.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000057
- Vuln IDs
-
- V-239311
- Rule IDs
-
- SV-239311r674862_rule
Checks: C-42544r674860_chk
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are "True", this is a finding.
Fix: F-42503r674861_fix
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000058
- Vuln IDs
-
- V-239312
- Rule IDs
-
- SV-239312r674865_rule
Checks: C-42545r674863_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Net.BlockGuestBPDU" value and verify it is set to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the "Net.BlockGuestBPDU" setting is not set to "1", this is a finding.
Fix: F-42504r674864_fix
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Net.BlockGuestBPDU" value, and configure it to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000059
- Vuln IDs
-
- V-239313
- Rule IDs
-
- SV-239313r674868_rule
Checks: C-42546r674866_chk
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Forged Transmits" policy is set to accept (or true, via PowerCLI), this is a finding.
Fix: F-42505r674867_fix
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "Forged Transmits" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000060
- Vuln IDs
-
- V-239314
- Rule IDs
-
- SV-239314r674871_rule
Checks: C-42547r674869_chk
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "MAC Address Changes" policy is set to accept (or true, via PowerCLI), this is a finding.
Fix: F-42506r674870_fix
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "MAC Address Changes" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000061
- Vuln IDs
-
- V-239315
- Rule IDs
-
- SV-239315r674874_rule
Checks: C-42548r674872_chk
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify that "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept (or true, via PowerCLI), this is a finding.
Fix: F-42507r674873_fix
From the vSphere Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "Promiscuous Mode" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000062
- Vuln IDs
-
- V-239316
- Rule IDs
-
- SV-239316r674877_rule
Checks: C-42549r674875_chk
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding.
Fix: F-42508r674876_fix
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Net.DVFilterBindIpAddress" value, and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000063
- Vuln IDs
-
- V-239317
- Rule IDs
-
- SV-239317r674880_rule
Checks: C-42550r674878_chk
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with the native VLAN of the attached physical switch, this is a finding.
Fix: F-42509r674879_fix
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight the port group where VLAN ID is set to native VLAN ID and click Edit settings (dots). Change the VLAN ID to a non-native VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000064
- Vuln IDs
-
- V-239318
- Rule IDs
-
- SV-239318r674883_rule
Checks: C-42551r674881_chk
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to 4095. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanID If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
Fix: F-42510r674882_fix
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight a port group where VLAN ID is set to 4095 and click Edit settings (dots). Change the VLAN ID to an appropriate VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000065
- Vuln IDs
-
- V-239319
- Rule IDs
-
- SV-239319r674886_rule
Checks: C-42552r674884_chk
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with a reserved VLAN ID, this is a finding.
Fix: F-42511r674885_fix
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight a port group where VLAN ID is set to a reserved value and click "Edit" settings (dots). Change the VLAN ID to an appropriate VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000066
- Vuln IDs
-
- V-239320
- Rule IDs
-
- SV-239320r674889_rule
Checks: C-42553r674887_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. VST mode does not support DTP, so the trunk must be static and unconditional. Inspect the documentation and verify that it is correct and updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi host, this is a finding.
Fix: F-42512r674888_fix
Note that this check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi host. Update the documentation according to an organization-defined frequency or whenever modifications are made to either ESXi hosts or the upstream external switch ports.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- ESXI-67-000067
- Vuln IDs
-
- V-239321
- Rule IDs
-
- SV-239321r674892_rule
Checks: C-42554r674890_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.
Fix: F-42513r674891_fix
Note that this check refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000068
- Vuln IDs
-
- V-239322
- Rule IDs
-
- SV-239322r674895_rule
Checks: C-42555r674893_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that unneeded VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts. If the physical switch's configuration is trunked VLANs that are not used by ESXi for all physical ports connected to ESXi hosts, this is a finding.
Fix: F-42514r674894_fix
Note that this check refers to an entity outside the scope of the ESXi server system. Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000070
- Vuln IDs
-
- V-239323
- Rule IDs
-
- SV-239323r674898_rule
Checks: C-42556r674896_chk
From the Host Client, select the ESXi host, right-click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions. If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding. If write access is not required and the access level is not "read-only", this is a finding.
Fix: F-42515r674897_fix
Create a role for the CIM account: From the Host Client, go to Manage >> Security & Users. Select "Roles" and click "Add Role". Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add". Add a CIM user account: From the Host Client, go to Manage >> Security & Users. Select "Users" and click "Add User". Provide a name, description, and password for the new user and click "Add". Assign the CIM account permissions to the host with the new role. From the Host Client, select the ESXi host, right-click, and go to "Permissions". Click "Add User", select the CIM account from the drop-down list, select the new CIM role from the drop-down list, and click "Add User".
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000071
- Vuln IDs
-
- V-239324
- Rule IDs
-
- SV-239324r674901_rule
Checks: C-42557r674899_chk
The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. See some typical command line example(s) for both the md5 and sha1 hash check(s) below: # md5sum <filename>.iso # sha1sum <filename>.iso If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.
Fix: F-42516r674900_fix
If the hash returned from the "md5sum" or "sha1sum" commands do not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000072
- Vuln IDs
-
- V-239325
- Rule IDs
-
- SV-239325r674904_rule
Checks: C-42558r674902_chk
If vCenter Update Manager is used on the network, it can be used to scan all hosts for missing patches. From the vSphere Client, go to Hosts and Clusters >> Updates. Check under "Attached Baselines" and verify that a compliance check has been run. If vCenter Update Manager is not used, host compliance status must be determined manually by the build number. VMware KB 1014508 can be used to correlate patches with build numbers. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. VMware also publishes Advisories on security patches and offers a way to subscribe to email alerts for them. Go to: https://www.vmware.com/support/policies/security_response
Fix: F-42517r674903_fix
If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Web Client. From the vSphere Client, go to Hosts and Clusters >> Updates. Check under "Attached Baselines". If there are no baselines attached, select the drop-down "Attach >> Attach Baseline or Baseline Group". Select "attach" and select the type of patches. Click on Check Compliance to check Host(s) Compliance. To manually remediate a host, the patch file must be copied locally and the following command run from an SSH session connected to the ESXi host or from the ESXi shell: esxcli software vib update -d <path to offline patch bundle.zip>
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000074
- Vuln IDs
-
- V-239326
- Rule IDs
-
- SV-239326r674907_rule
Checks: C-42559r674905_chk
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.ESXiVPsDisabledProtocols" value and verify that it is set to the following: tlsv1,tlsv1.1,sslv3 If the value is not set as above or it does not exist, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols If the value returned is not "tlsv1,tlsv1.1,sslv3" or the setting does not exist, this is a finding.
Fix: F-42518r674906_fix
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.ESXiVPsDisabledProtocols" value and set it to the following: tlsv1,tlsv1.1,sslv3 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Set-AdvancedSetting -Value "tlsv1,tlsv1.1,sslv3" A host reboot is required for changes to take effect.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000076
- Vuln IDs
-
- V-239327
- Rule IDs
-
- SV-239327r674910_rule
Checks: C-42560r674908_chk
Temporarily enable SSH, connect to the ESXi host, and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -s If the output is not "Enabled", this is a finding.
Fix: F-42519r674909_fix
Temporarily enable SSH, connect to the ESXi host, and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -c If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified, this finding is downgraded to a CAT III. Consult vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host. Temporarily enable SSH, connect to the ESXi host, and run the following command to verify that Secure Boot is enabled: /usr/lib/vmware/secureboot/bin/secureBoot.py -s
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000078
- Vuln IDs
-
- V-239328
- Rule IDs
-
- SV-239328r674913_rule
Checks: C-42561r674911_chk
From the vSphere Web Client, select the host and click Configure >> System >> Certificate. If the issuer is not a DoD-approved certificate authority, this is a finding. If the host will never be accessed directly (VM console connections bypass vCenter), this is not a finding.
Fix: F-42520r674912_fix
Obtain a DoD-issued certificate and private key for the host following the requirements below: Key size: 2048 bits or more (PEM encoded) Key format: PEM; VMware supports PKCS8 and PKCS1 (RSA keys) x509 version 3 SubjectAltName must contain DNS Name=<machine_FQDN> CRT (Base-64) format Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Start time of one day before the current time. CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory. Put the host into maintenance mode. Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. Back up the existing certificate and key: mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak Copy the new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate: services.sh restart From the vSphere Web Client, select the vCenter Server and click Configure >> System >> Advanced Settings. Find the "vpxd.certmgmt value" and set it to "custom".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- ESXI-67-000079
- Vuln IDs
-
- V-239329
- Rule IDs
-
- SV-239329r674916_rule
Checks: C-42562r674914_chk
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.SuppressShellWarning" value and verify that it is set to the following: 0 If the value is not set as above or does not exist, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning If the value returned is not "0" or the setting does not exist, this is a finding.
Fix: F-42521r674915_fix
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.SuppressShellWarning" value and set it to the following: 0 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value "0"
- RMF Control
- SC-13
- Severity
- Medium
- CCI
- CCI-002450
- Version
- ESXI-67-100010
- Vuln IDs
-
- V-239331
- Rule IDs
-
- SV-239331r878146_rule
Checks: C-42564r816578_chk
Verify that only FIPS-approved ciphers are used by running the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config If there is no output, or the output is not exactly "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr", this is a finding.
Fix: F-42523r816579_fix
Limit the ciphers to algorithms that are FIPS approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config": Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- ESXI-67-000999
- Vuln IDs
-
- V-257278
- Rule IDs
-
- SV-257278r919196_rule
Checks: C-60962r918872_chk
ESXi 6.7 is no longer supported by the vendor. If the server is running ESXi 6.7, this is a finding.
Fix: F-53958r798705_fix
Upgrade to a supported version.