VMware vSphere ESXi 6.0 Security Technical Implementation Guide

  • Version/Release: V1R5
  • Published: 2019-01-04

The VMware vSphere ESXi Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
AC-10 - Medium - CCI-000054 - V-63147 - SV-77637r1_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
ESXI-06-000001
Vuln IDs
  • V-63147
Rule IDs
  • SV-77637r1_rule
Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Checks: C-63899r1_chk

From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to Enabled (Normal or Strict).

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}

If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter Server to manage ESXi, this is not applicable.

Fix: F-69065r1_fix

From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Click Edit on "Lockdown Mode" and set it to Enabled (Normal or Strict).

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands, setting $level to either "lockdownNormal" or "lockdownStrict":

$level = "lockdownNormal"
$vmhost = Get-VMHost -Name <hostname> | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.ChangeLockdownMode($level)

Note: In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible. Normal lockdown mode keeps the DCUI available to the users listed in DCUI.Access (ESXI-06-000002), which is the recovery path for an isolated host; review the lockdown Exception Users list (ESXI-06-000003) before choosing strict mode.

The system must verify the DCUI.Access list.
CM-6 - Low - CCI-000366 - V-63173 - SV-77663r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000002
Vuln IDs
  • V-63173
Rule IDs
  • SV-77663r1_rule
Lockdown mode disables direct host access, requiring that admins manage hosts from vCenter Server. However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. If you are using normal lockdown mode, you can avoid becoming locked out of an ESXi host by setting DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. In strict lockdown mode the DCUI service is stopped, so DCUI.Access provides no recovery path there.
Checks: C-63907r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the DCUI.Access value and verify only the root user is listed.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command and verify it is set to root:

Get-VMHost | Get-AdvancedSetting -Name DCUI.Access

If DCUI.Access is not restricted to root, this is a finding.

Note: This list is only for local user accounts and should only contain the root user.

Fix: F-69091r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the DCUI.Access value and configure it to root.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"

The system must verify the exception users list for lockdown mode.
CM-6 - Low - CCI-000366 - V-63175 - SV-77665r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000003
Vuln IDs
  • V-63175
Rule IDs
  • SV-77665r1_rule
In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Typically the accounts that belong here are service accounts such as a backup agent. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode, since every exempted account is a path around the vCenter roles that lockdown mode is meant to enforce.
Checks: C-63909r1_chk

From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under Lockdown Mode review the Exception Users list.

or

From a PowerCLI command prompt while connected to the ESXi host run the following script:

$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()

If the Exception Users list contains accounts that do not require special permissions, this is a finding.

Note: This list is not intended for system administrator accounts but for special circumstances such as a service account.

Fix: F-69093r1_fix

From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under Lockdown Mode click Edit and remove unnecessary users from the Exception Users list.

Remote logging for ESXi hosts must be configured.
AC-17 - Medium - CCI-000067 - V-63177 - SV-77667r1_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
ESXI-06-000004
Vuln IDs
  • V-63177
Rule IDs
  • SV-77667r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, an administrator can monitor all hosts with a single tool and run aggregate analysis and searches to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering, since an attacker who gains control of a host cannot alter the copies already sent, and provides a long-term audit record.
Checks: C-63911r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69095r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

Note: The value may be a comma-separated list, and each entry may carry a protocol prefix and port, for example ssl://<syslog server hostname>:1514. Prefer ssl:// where the collector supports it so that log data cannot be read or altered in transit. The host firewall's syslog rule set must also permit outbound traffic to the collector; otherwise the setting is accepted but no logs leave the host.

The system must enforce the limit of three consecutive invalid logon attempts by a user.
AC-7 - Medium - CCI-000044 - V-63179 - SV-77669r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
ESXI-06-000005
Vuln IDs
  • V-63179
Rule IDs
  • SV-77669r1_rule
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-63913r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and verify it is set to 3.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command and verify it is set to 3:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures

If Security.AccountLockFailures is set to a value other than 3, this is a finding.

Fix: F-69097r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and configure it to 3.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3

The system must enforce the unlock timeout of 15 minutes after a user account is locked out.
AC-7 - Medium - CCI-002238 - V-63181 - SV-77671r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-002238
Version
ESXI-06-000006
Vuln IDs
  • V-63181
Rule IDs
  • SV-77671r1_rule
By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. The unlock timeout sets how long that lock lasts: 900 seconds (15 minutes) keeps guessing slow without leaving a legitimate administrator locked out indefinitely.
Checks: C-63915r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountUnlockTime value and verify it is set to 900.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command and verify it is set to 900:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime

If Security.AccountUnlockTime is set to a value other than 900, this is a finding.

Fix: F-69099r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountUnlockTime value and configure it to 900.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900

The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
AC-8 - Medium - CCI-000048 - V-63183 - SV-77673r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ESXI-06-000007
Vuln IDs
  • V-63183
Rule IDs
  • SV-77673r1_rule
Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
Checks: C-63917r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage

Check for either of the following logon banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding.

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR

I've read & consent to terms in IS user agreem't.

If the DCUI logon screen does not display the DoD logon banner, this is a finding.

Fix: F-69101r1_fix

From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script (.ps1 file) and run it to set the DCUI screen to display the DoD logon banner. Each {bgcolor:black} ... {/align} sequence is one line of the DCUI screen, and the here-string must be closed by "@ at the start of its own line, as shown:

<script begin>
$value = @"
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}
"@
Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value
<script end>

The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
AC-8 - Medium - CCI-000048 - V-63185 - SV-77675r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ESXI-06-000008
Vuln IDs
  • V-63185
Rule IDs
  • SV-77675r1_rule
Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
Checks: C-63919r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.Etc.issue value and verify it is set to the following:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue

If the Config.Etc.issue setting (/etc/issue file) does not contain the logon banner exactly as shown above, this is a finding.

Fix: F-69103r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.Etc.issue value and configure it to the following:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"

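The checks for ESXI-06-000002 and ESXI-06-000004 through ESXI-06-000008 above each read one advanced setting, in the client or with Get-AdvancedSetting. The script below is an added example, not part of the STIG, that performs the same comparisons from the ESXi shell with esxcli, for hosts that are audited locally rather than through PowerCLI. It assumes the esxcli output layout shown in the constructed samples (a block of "Key: value" lines with "Int Value" and "String Value" fields) and the usual mapping of dotted setting names to esxcli paths (Security.AccountLockFailures becomes /Security/AccountLockFailures); the sample output is constructed here, not captured from a host, and the script file name in the comments is hypothetical. Lockdown mode and the Exception Users list (ESXI-06-000001 and -000003) are only exposed through the HostAccessManager API the PowerCLI snippets call and are not covered.

```sh
#!/bin/sh
# Added example (not STIG text): audit ESXi advanced settings from the ESXi
# shell with esxcli instead of PowerCLI. Assumed: "esxcli system settings
# advanced list -o /Section/Option" prints a "Key: value" block with
# "Int Value" and "String Value" lines, and dotted STIG names map to slash
# paths (Security.AccountLockFailures -> /Security/AccountLockFailures).
# Usage (file name hypothetical): sh esxi_settings_audit.sh --live | --dry-run

# value_of <field>: extract one field (e.g. "Int Value") from an esxcli
# "list -o" block read on stdin. The pattern is anchored at the start of the
# line, so "Default Int Value" does not match "Int Value".
value_of() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# audit_setting <name> <field> <expected-regex>: read one esxcli block on
# stdin, compare the field with the pattern, print PASS or FINDING.
# Returns 0 only on PASS.
audit_setting() {
    actual=$(value_of "$2")
    if printf '%s\n' "$actual" | grep -Eq "$3"; then
        printf 'PASS    %-32s %s\n' "$1" "$actual"
        return 0
    fi
    printf 'FINDING %-32s got "%s", expected /%s/\n' "$1" "$actual" "$3"
    return 1
}

# audit_host: the live checks. logHost is only tested for being set; whether
# it names the site's collector is a manual judgement. The issue banner is
# compared on its first line only.
audit_host() {
    command -v esxcli >/dev/null 2>&1 || { echo 'esxcli not found; run on the ESXi shell' >&2; return 2; }
    rc=0
    esxcli system settings advanced list -o /DCUI/Access |
        audit_setting DCUI.Access 'String Value' '^root$' || rc=1
    esxcli system settings advanced list -o /Syslog/global/logHost |
        audit_setting Syslog.global.logHost 'String Value' '^[^ ]+$' || rc=1
    esxcli system settings advanced list -o /Security/AccountLockFailures |
        audit_setting Security.AccountLockFailures 'Int Value' '^3$' || rc=1
    esxcli system settings advanced list -o /Security/AccountUnlockTime |
        audit_setting Security.AccountUnlockTime 'Int Value' '^900$' || rc=1
    esxcli system settings advanced list -o /Config/Etc/issue |
        audit_setting Config.Etc.issue 'String Value' '^You are accessing a U.S. Government \(USG\) Information System' || rc=1
    return $rc
}

# Constructed esxcli output (not captured from a real host) so the parsing
# can be tried offline. The lock-failures sample is deliberately drifted.
sample_account_lock_failures() {
    cat <<'EOF'
   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 5
   Default Int Value: 10
   String Value:
   Default String Value:
   Description: Maximum allowed failed login attempts before locking out a user's account. Zero disables account locking.
EOF
}
sample_dcui_access() {
    cat <<'EOF'
   Path: /DCUI/Access
   Type: string
   Int Value: 0
   Default Int Value: 0
   String Value: root
   Default String Value: root
   Description: List of users allowed to access DCUI when lockdown mode is enabled.
EOF
}

# audit_samples: the same checks over the constructed output; returns 1
# because the lock-failures sample is set to 5 rather than 3.
audit_samples() {
    rc=0
    sample_dcui_access | audit_setting DCUI.Access 'String Value' '^root$' || rc=1
    sample_account_lock_failures | audit_setting Security.AccountLockFailures 'Int Value' '^3$' || rc=1
    return $rc
}

case ${1:-} in
    --live)    audit_host ;;
    --dry-run) audit_samples ;;
esac
```

On a host, --live prints one PASS or FINDING line per setting and exits non-zero if any setting is off; --dry-run exercises the same parsing on the constructed blocks anywhere a POSIX shell is available. The regex for the issue banner is anchored on the opening words only, so a truncated or altered banner body still has to be compared by eye against the text in ESXI-06-000008.
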
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
AC-8 - Medium - CCI-000048 - V-63187 - SV-77677r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ESXI-06-000009
Vuln IDs
  • V-63187
Rule IDs
  • SV-77677r1_rule
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
Checks: C-63921r1_chk

To verify the Banner setting, run the following command:

# grep -i "^Banner" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.

Fix: F-69105r1_fix

To set the Banner setting, add or correct the following line in "/etc/ssh/sshd_config":

Banner /etc/issue

The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
AC-17 - Medium - CCI-000068 - V-63189 - SV-77679r3_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
ESXI-06-000010
Vuln IDs
  • V-63189
Rule IDs
  • SV-77679r3_rule
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. Note: This does not imply FIPS 140-2 certification.
Checks: C-63923r4_chk

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output, or the output lists any cipher that is not in "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc", this is a finding. A non-empty subset of this list is acceptable.

Fix: F-69107r2_fix

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode, so a list containing only the three CTR entries is the stronger compliant configuration. Add or correct the following line in "/etc/ssh/sshd_config":

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

The SSH daemon must be configured to use only the SSHv2 protocol.
AC-17 - High - CCI-000068 - V-63191 - SV-77681r1_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ESXI-06-000011
Vuln IDs
  • V-63191
Rule IDs
  • SV-77681r1_rule
SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.
Checks: C-63925r1_chk

To verify which SSH protocol version is configured, run the following command:

# grep -i "^Protocol" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Protocol 2", this is a finding.

Fix: F-69109r1_fix

Only SSH protocol version 2 connections should be permitted. Add or correct the following line in "/etc/ssh/sshd_config":

Protocol 2

The SSH daemon must ignore .rhosts files.
IA-2 - Medium - CCI-000767 - V-63193 - SV-77683r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000767
Version
ESXI-06-000012
Vuln IDs
  • V-63193
Rule IDs
  • SV-77683r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-63927r1_chk

To verify how the SSH daemon's "IgnoreRhosts" option is set, run the following command:

# grep -i "^IgnoreRhosts" /etc/ssh/sshd_config

If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.

Fix: F-69111r1_fix

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. Add or correct the following line in "/etc/ssh/sshd_config":

IgnoreRhosts yes

The SSH daemon must not allow host-based authentication.
CM-6 - Medium - CCI-000366 - V-63195 - SV-77685r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000013
Vuln IDs
  • V-63195
Rule IDs
  • SV-77685r1_rule
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
Checks: C-63929r1_chk

To verify how the SSH daemon's "HostbasedAuthentication" option is set, run the following command:

# grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config

If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.

Fix: F-69113r1_fix

SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. Add or correct the following line in "/etc/ssh/sshd_config":

HostbasedAuthentication no

The SSH daemon must not permit root logins.
CM-6 - Low - CCI-000366 - V-63197 - SV-77687r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000014
Vuln IDs
  • V-63197
Rule IDs
  • SV-77687r1_rule
Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.
Checks: C-63931r1_chk

To verify how the SSH daemon's "PermitRootLogin" option is set, run the following command:

# grep -i "^PermitRootLogin" /etc/ssh/sshd_config

If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.

Fix: F-69115r1_fix

The root user should never be allowed to log in to a system directly over a network. Add or correct the following line in "/etc/ssh/sshd_config":

PermitRootLogin no

Note: On a host where root is the only local account, create a named administrative account first (ESXi 6.0 can do this with esxcli system account add); otherwise this change removes all SSH access to the host.

The SSH daemon must not allow authentication using an empty password.
CM-6 - High - CCI-000366 - V-63199 - SV-77689r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
ESXI-06-000015
Vuln IDs
  • V-63199
Rule IDs
  • SV-77689r1_rule
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
Checks: C-63933r1_chk

To verify how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config

If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.

Fix: F-69117r1_fix

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

The SSH daemon must not permit user environment settings.
CM-6 - Medium - CCI-000366 - V-63201 - SV-77691r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000016
Vuln IDs
  • V-63201
Rule IDs
  • SV-77691r1_rule
SSH environment options potentially allow users to bypass access restriction in some configurations.
Checks: C-63935r1_chk

To verify users are not able to present environment options to the SSH daemon, run the following command:

# grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config

If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.

Fix: F-69119r1_fix

To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
CM-6 - Medium - CCI-000366 - V-63203 - SV-77693r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000017
Vuln IDs
  • V-63203
Rule IDs
  • SV-77693r1_rule
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. Note: This does not imply FIPS 140-2 certification.
Checks: C-63937r1_chk

To verify the MACs setting, run the following command:

# grep -i "^MACs" /etc/ssh/sshd_config

If there is no output or the output is not exactly "MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512", this is a finding.

Fix: F-69121r1_fix

To set the MACs setting, add or correct the following line in "/etc/ssh/sshd_config":

MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512

The SSH daemon must not permit GSSAPI authentication.
CM-6 - Low - CCI-000366 - V-63205 - SV-77695r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000018
Vuln IDs
  • V-63205
Rule IDs
  • SV-77695r1_rule
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.
Checks: C-63939r1_chk

To verify the GSSAPIAuthentication setting, run the following command:

# grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config

If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.

Fix: F-69123r1_fix

To set the GSSAPIAuthentication setting, add or correct the following line in "/etc/ssh/sshd_config":

GSSAPIAuthentication no

The SSH daemon must not permit Kerberos authentication.
CM-6 - Low - CCI-000366 - V-63207 - SV-77697r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000019
Vuln IDs
  • V-63207
Rule IDs
  • SV-77697r1_rule
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems.
Checks: C-63941r1_chk

To verify the KerberosAuthentication setting, run the following command:

# grep -i "^KerberosAuthentication" /etc/ssh/sshd_config

If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.

Fix: F-69125r1_fix

To set the KerberosAuthentication setting, add or correct the following line in "/etc/ssh/sshd_config":

KerberosAuthentication no

The SSH daemon must perform strict mode checking of home directory configuration files.
CM-6 - Medium - CCI-000366 - V-63209 - SV-77699r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000020
Vuln IDs
  • V-63209
Rule IDs
  • SV-77699r1_rule
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
Checks: C-63943r1_chk

To verify the StrictModes setting, run the following command:

# grep -i "^StrictModes" /etc/ssh/sshd_config

If there is no output or the output is not exactly "StrictModes yes", this is a finding.

Fix: F-69127r1_fix

To set the StrictModes setting, add or correct the following line in "/etc/ssh/sshd_config":

StrictModes yes

The SSH daemon must not allow compression or must only allow compression after successful authentication.
CM-6 - Medium - CCI-000366 - V-63211 - SV-77701r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000021
Vuln IDs
  • V-63211
Rule IDs
  • SV-77701r1_rule
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.
Checks: C-63945r1_chk

To verify the Compression setting, run the following command:

# grep -i "^Compression" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Compression no", this is a finding.

Fix: F-69129r1_fix

To set the Compression setting, add or correct the following line in "/etc/ssh/sshd_config":

Compression no

The SSH daemon must be configured to not allow gateway ports.
CM-6 - Low - CCI-000366 - V-63213 - SV-77703r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000022
Vuln IDs
  • V-63213
Rule IDs
  • SV-77703r1_rule
SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.
Checks: C-63947r1_chk

To verify the GatewayPorts setting, run the following command:

# grep -i "^GatewayPorts" /etc/ssh/sshd_config

If there is no output or the output is not exactly "GatewayPorts no", this is a finding.

Fix: F-69131r1_fix

To set the GatewayPorts setting, add or correct the following line in "/etc/ssh/sshd_config":

GatewayPorts no

The SSH daemon must be configured to not allow X11 forwarding.
CM-6 - Medium - CCI-000366 - V-63215 - SV-77705r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000023
Vuln IDs
  • V-63215
Rule IDs
  • SV-77705r1_rule
X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection.
Checks: C-63949r1_chk

To verify the X11Forwarding setting, run the following command:

# grep -i "^X11Forwarding" /etc/ssh/sshd_config

If there is no output or the output is not exactly "X11Forwarding no", this is a finding.

Fix: F-69133r1_fix

To set the X11Forwarding setting, add or correct the following line in "/etc/ssh/sshd_config":

X11Forwarding no

The SSH daemon must not accept environment variables from the client.
CM-6 - Medium - CCI-000366 - V-63217 - SV-77707r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000024
Vuln IDs
  • V-63217
Rule IDs
  • SV-77707r1_rule
Environment variables can be used to change the behavior of remote sessions and should be limited. Locate environment variables that specify the language, character set, and other features modifying the operation of software to match the user's preferences.
Checks: C-63951r1_chk

To verify the AcceptEnv setting, run the following command:

# grep -i "^AcceptEnv" /etc/ssh/sshd_config

If there is no output or the output is not exactly "AcceptEnv", this is a finding.

Fix: F-69135r1_fix

To set the AcceptEnv setting, add or correct the following line in "/etc/ssh/sshd_config":

AcceptEnv

The SSH daemon must not permit tunnels.
CM-6 - Medium - CCI-000366 - V-63219 - SV-77709r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000025
Vuln IDs
  • V-63219
Rule IDs
  • SV-77709r1_rule
OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.
Checks: C-63953r1_chk

To verify the PermitTunnel setting, run the following command:

# grep -i "^PermitTunnel" /etc/ssh/sshd_config

If there is no output or the output is not exactly "PermitTunnel no", this is a finding.

Fix: F-69137r1_fix

To set the PermitTunnel setting, add or correct the following line in "/etc/ssh/sshd_config":

PermitTunnel no

The SSH daemon must set a timeout count on idle sessions.
CM-6 - Low - CCI-000366 - V-63221 - SV-77711r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000026
Vuln IDs
  • V-63221
Rule IDs
  • SV-77711r1_rule
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
Checks: C-63955r1_chk

To verify the ClientAliveCountMax setting, run the following command:

# grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config

If there is no output or the output is not exactly "ClientAliveCountMax 3", this is a finding.

Fix: F-69139r1_fix

To set the ClientAliveCountMax setting, add or correct the following line in "/etc/ssh/sshd_config":

ClientAliveCountMax 3

The SSH daemon must set a timeout interval on idle sessions.
CM-6 - Low - CCI-000366 - V-63223 - SV-77713r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000027
Vuln IDs
  • V-63223
Rule IDs
  • SV-77713r1_rule
Causing idle users to be automatically logged out guards against a compromise of one system leading trivially to a compromise of another.
Checks: C-63957r1_chk

To verify the ClientAliveInterval setting, run the following command:

# grep -i "^ClientAliveInterval" /etc/ssh/sshd_config

If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.

Fix: F-69141r1_fix

To set the ClientAliveInterval setting, add or correct the following line in "/etc/ssh/sshd_config":

ClientAliveInterval 200

The SSH daemon must limit connections to a single session.
CM-6 - Medium - CCI-000366 - V-63225 - SV-77715r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000028
Vuln IDs
  • V-63225
Rule IDs
  • SV-77715r1_rule
The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a system without consent or knowledge of the user.
Checks: C-63959r1_chk

To verify the MaxSessions setting, run the following command:

# grep -i "^MaxSessions" /etc/ssh/sshd_config

If there is no output or the output is not exactly "MaxSessions 1", this is a finding.

Fix: F-69143r1_fix

To set the MaxSessions setting, add or correct the following line in "/etc/ssh/sshd_config":

MaxSessions 1

The system must remove keys from the SSH authorized_keys file.
CM-6 - Medium - CCI-000366 - V-63227 - SV-77717r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000029
Vuln IDs
  • V-63227
Rule IDs
  • SV-77717r1_rule
ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host. The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password. If Lockdown Mode is in use and SSH is disabled, then login with authorized keys will have the same restrictions as username/password.
Checks: C-63961r1_chk

Log in to the host and verify the /etc/ssh/keys-root/authorized_keys file does not exist or is empty (zero bytes):

# ls -la /etc/ssh/keys-root/authorized_keys

or

# cat /etc/ssh/keys-root/authorized_keys

If the authorized_keys file exists and is not empty, this is a finding.

Fix: F-69145r1_fix

As root, log in to the host and zero or remove the /etc/ssh/keys-root/authorized_keys file:

# >/etc/ssh/keys-root/authorized_keys

or

# rm /etc/ssh/keys-root/authorized_keys

The system must produce audit records containing information to establish what type of events occurred.
AU-3 - Low - CCI-000130 - V-63229 - SV-77719r1_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
ESXI-06-000030
Vuln IDs
  • V-63229
Rule IDs
  • SV-77719r1_rule
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Checks: C-63963r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level

If the Config.HostAgent.log.level setting is not set to info, this is a finding.

Note: Verbose logging level is acceptable for troubleshooting purposes.

Fix: F-69147r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and configure it to info.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"

The VMM must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-63231 - SV-77721r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
ESXI-06-000031
Vuln IDs
  • V-63231
Rule IDs
  • SV-77721r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-63965r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl

If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69149r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"

The system must prohibit the reuse of passwords within five iterations.
IA-5 - Medium - CCI-000200 - V-63233 - SV-77723r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
ESXI-06-000032
Vuln IDs
  • V-63233
Rule IDs
  • SV-77723r1_rule
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
Checks: C-63967r1_chk

To verify the remember setting, run the following command:

# grep -i "^password" /etc/pam.d/passwd | grep sufficient

If the remember setting is not set or is not "remember=5", this is a finding.

Fix: F-69151r1_fix

To set the remember option, add or correct the following line in "/etc/pam.d/passwd":

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
CM-6 - Medium - CCI-000366 - V-63235 - SV-77725r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000033
Vuln IDs
  • V-63235
Rule IDs
  • SV-77725r1_rule
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
Checks: C-63969r1_chk

To verify the password hash setting, run the following command:

# grep -i "^password" /etc/pam.d/passwd | grep sufficient

If sha512 is not listed, this is a finding.

Fix: F-69153r1_fix

To set the sha512 hash option (together with the remember option), add or correct the following line in "/etc/pam.d/passwd":

password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
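The grep-based checks above for sshd_config (GSSAPIAuthentication through MaxSessions), for the authorized_keys file (ESXI-06-000029) and for /etc/pam.d/passwd (ESXI-06-000032 and ESXI-06-000033) can be run as one offline audit. The script below is an added example, not part of the STIG or of ESXi; it assumes POSIX sh with grep, sed and mktemp, and runs against constructed sample files rather than a live host.

```shell
#!/bin/sh
# Added example (not STIG or ESXi code): an offline audit that applies the
# STIG's own rule literally. A keyword passes only when the lines beginning
# with it (case-insensitive, as grep -i "^Keyword" selects them) are exactly
# the expected text; no output, another value, or a duplicate directive is a
# finding.

# One expected sshd_config line per row; the keyword is its first word.
# AcceptEnv is expected as a bare keyword (no client variables accepted).
SSHD_EXPECTED='GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
Compression no
GatewayPorts no
X11Forwarding no
AcceptEnv
PermitTunnel no
ClientAliveCountMax 3
ClientAliveInterval 200
MaxSessions 1'

# check_sshd_setting FILE "Keyword value": returns 0 on PASS, 1 on FINDING.
check_sshd_setting() {
    file=$1; expected=$2
    keyword=${expected%% *}            # "AcceptEnv" stays whole (no space)
    actual=$(grep -i "^$keyword" "$file" || true)
    if [ "$actual" = "$expected" ]; then
        printf 'PASS     %s\n' "$expected"
        return 0
    fi
    printf 'FINDING  want "%s", got "%s"\n' "$expected" "${actual:-<no output>}"
    return 1
}

# audit_sshd FILE: one PASS/FINDING line per directive, then "findings: N".
audit_sshd() {
    n=0
    while IFS= read -r expected; do
        check_sshd_setting "$1" "$expected" || n=$((n + 1))
    done <<EOF
$SSHD_EXPECTED
EOF
    echo "findings: $n"
}

# count_sshd_findings FILE: just the number, for scripting.
count_sshd_findings() {
    audit_sshd "$1" | sed -n 's/^findings: //p'
}

# check_pam_passwd FILE: the "password sufficient" pam_unix line must carry
# the sha512 token and exactly remember=5 (remember=50 must not pass).
check_pam_passwd() {
    line=$(grep -i "^password" "$1" | grep sufficient || true)
    has_sha=0; has_rem=0
    for tok in $line; do
        [ "$tok" = sha512 ] && has_sha=1
        [ "$tok" = remember=5 ] && has_rem=1
    done
    if [ "$has_sha" = 1 ] && [ "$has_rem" = 1 ]; then
        printf 'PASS     pam_unix line has sha512 and remember=5\n'
        return 0
    fi
    printf 'FINDING  pam_unix line lacks sha512 and/or remember=5: "%s"\n' \
        "${line:-<no output>}"
    return 1
}

# check_authorized_keys FILE: passes only if the file is absent or zero bytes.
check_authorized_keys() {
    if [ ! -s "$1" ]; then
        printf 'PASS     %s absent or empty\n' "$1"
        return 0
    fi
    printf 'FINDING  %s holds %s non-empty line(s)\n' "$1" "$(grep -c . "$1")"
    return 1
}

# write_samples DIR: constructed inputs (not copied from any host) for a
# compliant host and for one still carrying looser settings.
write_samples() {
    printf '%s\n' "$SSHD_EXPECTED" >"$1/sshd_config.good"
    cat >"$1/sshd_config.bad" <<'EOF'
# commented directives are skipped by grep "^Keyword", as in the STIG check
#GSSAPIAuthentication no
GSSAPIAuthentication yes
StrictModes yes
Compression delayed
AcceptEnv LANG LC_*
ClientAliveCountMax 3
MaxSessions 10
EOF
    echo 'password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5' >"$1/passwd.good"
    echo 'password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow md5 remember=50' >"$1/passwd.bad"
    : >"$1/authorized_keys.empty"
    echo 'ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY ops@example' >"$1/authorized_keys.bad"
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in sshd_config.good sshd_config.bad; do
        echo "== $f"; audit_sshd "$dir/$f"     # good: 0 findings, bad: 9
    done
    check_pam_passwd "$dir/passwd.good" || true
    check_pam_passwd "$dir/passwd.bad" || true
    check_authorized_keys "$dir/authorized_keys.empty" || true
    check_authorized_keys "$dir/authorized_keys.bad" || true
    rm -rf "$dir"
}
main "$@"
```

Against a real host the same functions are pointed at /etc/ssh/sshd_config, /etc/pam.d/passwd and /etc/ssh/keys-root/authorized_keys; the sample files exist only to show both outcomes.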

The system must disable the Managed Object Browser (MOB).
CM-7 - Medium - CCI-000381 - V-63237 - SV-77727r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ESXI-06-000034
Vuln IDs
  • V-63237
Rule IDs
  • SV-77727r1_rule
The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method to obtain information about a host being targeted for unauthorized access.
Checks: C-63971r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.solo.enableMob value and verify it is set to false.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob

If the Config.HostAgent.plugins.solo.enableMob setting is not set to false, this is a finding.

Fix: F-69155r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.solo.enableMob value and configure it to false.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false

The VMM must be configured to disable non-essential capabilities by disabling SSH.
CM-7 - Medium - CCI-000381 - V-63239 - SV-77729r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ESXI-06-000035
Vuln IDs
  • V-63239
Rule IDs
  • SV-77729r1_rule
The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi Shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi Shell is well suited for checking and modifying configuration details that are not always accessible using the vSphere Client. The ESXi Shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled, as is the default. As with the ESXi Shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.
Checks: C-63973r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}

If the ESXi SSH service is running, this is a finding.

Fix: F-69157r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the SSH service and click options. Change the service to "Start and stop manually", stop the service and click OK.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService

The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
CM-7 - Medium - CCI-000381 - V-63241 - SV-77731r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ESXI-06-000036
Vuln IDs
  • V-63241
Rule IDs
  • SV-77731r1_rule
The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.
Checks: C-63975r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "ESXi Shell" service and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"}

If the ESXi Shell service is running, this is a finding.

Fix: F-69159r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the ESXi Shell service and click options. Change the service to "Start and stop manually", stop the service and click OK.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService

The system must use Active Directory for local user authentication.
IA-2 - Low - CCI-000764 - V-63243 - SV-77733r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000764
Version
ESXI-06-000037
Vuln IDs
  • V-63243
Rule IDs
  • SV-77733r2_rule
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (default) exists, then all users and groups that are assigned as members of this group will have full administrative access to all ESXi hosts in the domain.
Checks: C-63977r4_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If the "Directory Services Type" is not set to "Active Directory", this is a finding.

Fix: F-69161r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
IA-2 - Medium - CCI-000764 - V-63245 - SV-77735r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ESXI-06-000038
Vuln IDs
  • V-63245
Rule IDs
  • SV-77735r2_rule
If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile, and to avoid transmitting Active Directory credentials over the network, use the vSphere Authentication Proxy.
Checks: C-63979r3_chk

From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter run the following command:

Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify that if "JoinADEnabled" is "True" then "JoinDomainMethod" is "FixedCAMConfigOption".

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.

Fix: F-69163r2_fix

When using host profiles do the following: From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.

To join a host to Active Directory manually without host profiles do the following: From the vSphere Client select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

Active Directory ESX Admin group membership must not be used.
IA-2 - Low - CCI-000764 - V-63247 - SV-77737r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000764
Version
ESXI-06-000039
Vuln IDs
  • V-63247
Rule IDs
  • SV-77737r2_rule
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group.
Checks: C-63981r3_chk

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Fix: F-69165r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

The system must use multifactor authentication for local access to privileged accounts.
IA-2 - Low - CCI-000767 - V-63249 - SV-77739r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000767
Version
ESXI-06-000040
Vuln IDs
  • V-63249
Rule IDs
  • SV-77739r2_rule
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Checks: C-63983r3_chk

From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. View the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain.

For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For environments that do not use vCenter server to manage ESXi, this is Not Applicable.

For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

Fix: F-69167r2_fix

The following are prerequisites to configuring smart card authentication for the ESXi DCUI:

  • An Active Directory domain that supports smart card authentication, smart card readers, and smart cards.
  • ESXi joined to an Active Directory domain.
  • Trusted certificates for root and intermediary certificate authorities.

From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the Smart Card Authentication configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK.

For more information see the vSphere 6.0 documentation on VMware's website.

The system must set a timeout to automatically disable idle sessions after a predetermined period.
SC-10 - Medium - CCI-001133 - V-63251 - SV-77741r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ESXI-06-000041
Vuln IDs
  • V-63251
Rule IDs
  • SV-77741r1_rule
If a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.
Checks: C-63985r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes).

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut

If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.

Fix: F-69169r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600

The system must terminate shell services after a predetermined period.
SC-10 - Medium - CCI-001133 - V-63253 - SV-77743r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ESXI-06-000042
Vuln IDs
  • V-63253
Rule IDs
  • SV-77743r1_rule
When the ESXi Shell or SSH services are enabled on a host they will run indefinitely. To avoid having these services left running set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated.
Checks: C-63987r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes).

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut

If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.

Fix: F-69171r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and configure it to 600.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600

The system must logout of the console UI after a predetermined period.
SC-10 - Medium - CCI-001133 - V-63255 - SV-77745r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ESXI-06-000043
Vuln IDs
  • V-63255
Rule IDs
  • SV-77745r1_rule
When the Direct Console User Interface (DCUI) is enabled and a user is logged in, the session should be logged out automatically if left unattended, to avoid unauthorized privilege gains. The DcuiTimeOut defines a window of time after which the DCUI will be logged out.
Checks: C-63989r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes).

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut

If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.

Fix: F-69173r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and configure it to 600.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600

The system must enable kernel core dumps.
SC-24 - Low - CCI-001665 - V-63257 - SV-77747r1_rule
RMF Control
SC-24
Severity
Low
CCI
CCI-001665
Version
ESXI-06-000044
Vuln IDs
  • V-63257
Rule IDs
  • SV-77747r1_rule
In the event of a system failure, the system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
Checks: C-63991r1_chk

From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

$esxcli = Get-EsxCli
$esxcli.system.coredump.partition.get()
$esxcli.system.coredump.network.get()

The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables.

If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.

Fix: F-69175r1_fix

From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option to configure a core dump diagnostic partition.

or

From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands:

To configure a core dump partition:

$esxcli = Get-EsxCli
# View available partitions to configure
$esxcli.system.coredump.partition.list()
$esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null)

To configure a core dump collector:

$esxcli = Get-EsxCli
$esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort")
$esxcli.system.coredump.network.set($true)

b
The system must enable a persistent log location for all locally stored logs.
AU-4 - Medium - CCI-001849 - V-63259 - SV-77749r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
ESXI-06-000045
Vuln IDs
  • V-63259
Rule IDs
  • SV-77749r1_rule
ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time. In addition, log files will be reinitialized upon each reboot. This presents a security risk as user activity logged on the host is only stored temporarily and will not persist across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore. Note: Scratch space is configured automatically during installation or first boot of an ESXi host, and does not usually need to be manually configured. ESXi Installable creates a 4 GB FAT16 partition on the target device during installation if there is sufficient space, and if the device is considered Local. If ESXi is installed on an SD card or USB device a persistent log location may not be configured upon install as normal.
Checks: C-63993r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logDir value and verify it is set to a persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir or $esxcli = Get-EsxCli $esxcli.system.syslog.config.get() | Select LocalLogOutput,LocalLogOutputIsPersistent If the Syslog.global.logDir or LocalLogOutput value is not on persistent storage, this is a finding. If the LocalLogOutputIsPersistent value is not true, this is a finding.

Fix: F-69177r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logDir value and set it to a known persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"

b
The system must configure NTP time synchronization.
AU-8 - Medium - CCI-001891 - V-63261 - SV-77751r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
ESXI-06-000046
Vuln IDs
  • V-63261
Rule IDs
  • SV-77751r1_rule
To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.
Checks: C-63995r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and view the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.

Fix: F-69179r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService

c
The Image Profile and VIB Acceptance Levels must be verified.
CM-5 - High - CCI-001749 - V-63263 - SV-77753r1_rule
RMF Control
CM-5
Severity
High
CCI
CCI-001749
Version
ESXI-06-000047
Vuln IDs
  • V-63263
Rule IDs
  • SV-77753r1_rule
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. Community Supported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.
Checks: C-63997r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.

Fix: F-69181r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.

b
The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
SC-8 - Medium - CCI-002418 - V-63265 - SV-77755r1_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
ESXI-06-000048
Vuln IDs
  • V-63265
Rule IDs
  • SV-77755r1_rule
The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration. vMotion traffic must be sequestered from production traffic on an isolated network. This network must be non-routable to other systems, preventing outside access to the network.
Checks: C-63999r1_chk

The vMotion VMkernel port group should be in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and is not routed to anything but ESXi hosts. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLAN associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. If long distance or cross vCenter vMotion is used the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable.

Fix: F-69183r1_fix

Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a standard switch do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the vMotion VMkernel select Properties. Select the vMotion VMkernel and click Edit >> On the General tab uncheck everything but "vMotion" and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.

b
The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
SC-8 - Medium - CCI-002418 - V-63267 - SV-77757r1_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
ESXI-06-000049
Vuln IDs
  • V-63267
Rule IDs
  • SV-77757r1_rule
The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.
Checks: C-64001r1_chk

The Management VMkernel port group should be in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and is not routed to anything other than management related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLAN associated with the Management VMkernel and verify it is dedicated for that purpose and is logically separated from other functions. If the network segment is routed, except to networks where other management-related entities are located such as vCenter, this is a finding. If production virtual machine traffic is routed to this network, this is a finding.

Fix: F-69185r1_fix

Configuration of the Management VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a standard switch do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the Management VMkernel select Properties. Select the Management VMkernel and click Edit >> On the General tab uncheck everything but "Management Traffic" and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.

b
The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.
SC-8 - Medium - CCI-002418 - V-63269 - SV-77759r1_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
ESXI-06-000050
Vuln IDs
  • V-63269
Rule IDs
  • SV-77759r1_rule
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.
Checks: C-64003r1_chk

IP-Based storage (iSCSI, NFS, VSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding. If IP-based storage is not used, this is not applicable.

Fix: F-69187r1_fix

Configuration of an IP-Based VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the iSCSI VMkernel select Properties. Select the iSCSI VMkernel and click Edit >> On the General tab uncheck everything and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.

a
The system must protect the confidentiality and integrity of transmitted information.
SC-8 - Low - CCI-002418 - V-63271 - SV-77761r1_rule
RMF Control
SC-8
Severity
Low
CCI
CCI-002418
Version
ESXI-06-000051
Vuln IDs
  • V-63271
Rule IDs
  • SV-77761r1_rule
There are now six types of management VMkernels that can be created for different types of traffic. In order to protect these types of management traffic admins must logically separate these onto different networks and dedicate VMkernel ports to each.
Checks: C-64005r1_chk

From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> VMkernel adapters. Review each VMkernel adapter that is defined and ensure it is enabled for only one type of management traffic. If any VMkernel is used for more than one type of management traffic, this is a finding.

Fix: F-69189r1_fix

From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> VMkernel adapters >> Select a VMkernel Adapter >> Click Edit >> Uncheck any additional services that have been enabled on the VMkernel adapter so that there is only one service left checked.
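The check above is described only for the Web Client. As an added example, not part of the STIG, the PowerCLI function below produces the same audit for every host by reading the host's VirtualNicManagerInfo, which covers all service types (management, vmotion, faultToleranceLogging, vSphereProvisioning, vSphereReplication, vSphereReplicationNFC, vsan) rather than only the few exposed as PowerCLI adapter properties. It assumes an existing Connect-VIServer session.

```powershell
# Added example (not STIG-supplied): list the services bound to each VMkernel adapter and flag
# adapters that carry more than one. Assumes an existing Connect-VIServer session.
function Get-VMKernelServiceAudit {
    param([Parameter(Mandatory)] $VMHost)

    $services = @{}   # device name (vmk0, vmk1, ...) -> list of service types bound to it

    foreach ($cfg in $VMHost.ExtensionData.Config.VirtualNicManagerInfo.NetConfig) {
        # SelectedVnic holds opaque vnic keys; CandidateVnic maps each key back to its device name
        $keyToDevice = @{}
        foreach ($vnic in $cfg.CandidateVnic) { $keyToDevice[$vnic.Key] = $vnic.Device }

        foreach ($key in $cfg.SelectedVnic) {
            $device = $keyToDevice[$key]
            if (-not $device) { continue }
            if (-not $services.ContainsKey($device)) {
                $services[$device] = New-Object System.Collections.Generic.List[string]
            }
            $services[$device].Add($cfg.NicType)
        }
    }

    # Adapters with no service selected (e.g. a vmk used only for iSCSI or NFS) do not appear here;
    # their isolation is covered by the IP-based storage rule rather than by this one
    foreach ($device in ($services.Keys | Sort-Object)) {
        [pscustomobject]@{
            VMHost   = $VMHost.Name
            Device   = $device
            Services = ($services[$device] -join ', ')
            Finding  = ($services[$device].Count -gt 1)
        }
    }
}

Get-VMHost | ForEach-Object { Get-VMKernelServiceAudit -VMHost $_ } | Format-Table -AutoSize
```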

a
The system must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.
SC-8 - Low - CCI-002418 - V-63273 - SV-77763r1_rule
RMF Control
SC-8
Severity
Low
CCI
CCI-002418
Version
ESXI-06-000052
Vuln IDs
  • V-63273
Rule IDs
  • SV-77763r1_rule
ESXi now provides three TCP/IP stacks by default: Default, Provisioning, and vMotion. To better protect and isolate sensitive network traffic within ESXi, admins must configure each of these stacks. Additional custom TCP/IP stacks can be created if desired.
Checks: C-64007r1_chk

From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If any system TCP/IP stack is configured and not in use by a VMkernel adapter, this is a finding.

Fix: F-69191r1_fix

From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> TCP/IP configuration >> Select a TCP/IP stack >> Click Edit >> Enter the appropriate site specific IP address information for the particular TCP/IP stack and click OK.

b
SNMP must be configured properly.
CM-6 - Medium - CCI-000366 - V-63275 - SV-77765r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000053
Vuln IDs
  • V-63275
Rule IDs
  • SV-77765r1_rule
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.
Checks: C-64009r1_chk

From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostSnmp | Select * or From a console or ssh session run the following command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and "read only communities" is set to public, this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.

Fix: F-69193r1_fix

To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false or From a console or ssh session run the following command: esxcli system snmp set -e no To configure SNMP for v3 targets use the "esxcli system snmp set" command set.

a
The system must enable bidirectional CHAP authentication for iSCSI traffic.
CM-6 - Low - CCI-000366 - V-63277 - SV-77767r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000054
Vuln IDs
  • V-63277
Rule IDs
  • SV-77767r1_rule
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When the iSCSI target and host are not both authenticated, there is a potential for a MiTM attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
Checks: C-64011r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Storage Adapters >> Select the iSCSI adapter >> Properties >> CHAP. View the CHAP configuration and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to required for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.

Fix: F-69195r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Storage Adapters >> Select the iSCSI adapter >> Properties >> CHAP. Change CHAP and Mutual CHAP to "Use CHAP" and enter a unique secret. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"

a
The system must disable Inter-VM transparent page sharing.
CM-6 - Low - CCI-000366 - V-63279 - SV-77769r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000055
Vuln IDs
  • V-63279
Rule IDs
  • SV-77769r1_rule
Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment. Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default (TPS will still be utilized within individual VMs).
Checks: C-64013r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Mem.ShareForceSalting value and verify it is set to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the Mem.ShareForceSalting setting is not set to 2, this is a finding.

Fix: F-69197r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Mem.ShareForceSalting value and configure it to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2

b
The system must configure the firewall to restrict access to services running on the host.
CM-6 - Medium - CCI-000366 - V-63281 - SV-77771r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000056
Vuln IDs
  • V-63281
Rule IDs
  • SV-77771r1_rule
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.
Checks: C-64015r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click Firewall and review the allowed IPs. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.

Fix: F-69199r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click the "Only allow connections from the following networks" option and input the site specific network(s). or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli #This disables the allow all rule for the target service $esxcli.network.firewall.ruleset.set($false,$true,"sshServer") $esxcli.network.firewall.ruleset.allowedip.add("192.168.0.0/24","sshServer") This must be done for each enabled service.
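The Fix shows the esxcli calls for a single service and notes they must be repeated for each enabled one. As an added example, not part of the STIG, the function below combines the Check's AllIP test with the Fix's two esxcli calls in a loop over every enabled service, reporting first and changing nothing unless -Apply is given. It assumes an existing Connect-VIServer session; the network list is a constructed placeholder for the site's management networks.

```powershell
# Added example (not STIG-supplied): audit every enabled firewall service for "allow from any IP"
# and, with -Apply, restrict it to the given networks. Assumes an existing Connect-VIServer session.
function Limit-VMHostFirewallServices {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string[]] $AllowedNetworks,
        [switch] $Apply    # report only unless -Apply is given
    )

    $esxcli = Get-EsxCli -VMHost $VMHost

    foreach ($svc in (Get-VMHostFirewallException -VMHost $VMHost | Where-Object { $_.Enabled })) {
        # ExtensionData.Key is the ruleset id esxcli expects (e.g. sshServer), not the display name
        $rulesetId = $svc.ExtensionData.Key
        $allIp     = [bool]$svc.ExtensionData.AllowedHosts.AllIP
        $changed   = $false

        if ($allIp -and $Apply) {
            # allowedall = $false, enabled = $true: close the "any IP" rule but keep the service on
            [void]$esxcli.network.firewall.ruleset.set($false, $true, $rulesetId)
            foreach ($net in $AllowedNetworks) {
                [void]$esxcli.network.firewall.ruleset.allowedip.add($net, $rulesetId)
            }
            $changed = $true
        }

        [pscustomobject]@{
            VMHost     = $VMHost.Name
            Service    = $svc.Name
            RulesetId  = $rulesetId
            AllIP      = $allIp
            Finding    = ($allIp -and -not $changed)
            Remediated = $changed
        }
    }
}

# Dry run first: list findings without changing anything. The networks are constructed placeholders;
# in practice they must include vCenter Server and the admin networks, or management access is cut off.
$mgmtNets = '192.168.0.0/24', '10.10.10.0/24'
Get-VMHost | ForEach-Object { Limit-VMHostFirewallServices -VMHost $_ -AllowedNetworks $mgmtNets } |
    Format-Table -AutoSize
# Remediate once the report looks right by adding -Apply to the call above
```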

b
The system must configure the firewall to block network traffic by default.
CM-6 - Medium - CCI-000366 - V-63283 - SV-77773r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000057
Vuln IDs
  • V-63283
Rule IDs
  • SV-77773r1_rule
In addition to service specific firewall rules ESXi has a default firewall rule policy to allow or deny incoming and outgoing traffic. Reduce the risk of attack by making sure this is set to deny incoming and outgoing traffic.
Checks: C-64017r1_chk

From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are True, this is a finding.

Fix: F-69201r1_fix

From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false

a
The system must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
CM-6 - Low - CCI-000366 - V-63285 - SV-77775r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000058
Vuln IDs
  • V-63285
Rule IDs
  • SV-77775r1_rule
BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce the STP convergence delay. If a BPDU packet is sent from a virtual machine on the ESXi host to the physical switch so configured, a cascading lockout of all the uplink interfaces from the ESXi host can occur. To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host to drop any BPDU packets being sent to the physical switch. The caveat is that certain SSL VPNs that use the Windows bridging capability can legitimately generate BPDU packets. The administrator should verify that there are no legitimate BPDU packets generated by virtual machines on the ESXi host prior to enabling BPDU Filter. If BPDU Filter is enabled in this situation, enabling Reject Forged Transmits on the virtual switch port group adds protection against Spanning Tree loops.
Checks: C-64019r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.BlockGuestBPDU value and verify it is set to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the Net.BlockGuestBPDU setting is not set to 1, this is a finding.

Fix: F-69203r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.BlockGuestBPDU value and configure it to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1

b
The virtual switch Forged Transmits policy must be set to reject.
CM-6 - Medium - CCI-000366 - V-63287 - SV-77777r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000059
Vuln IDs
  • V-63287
Rule IDs
  • SV-77777r1_rule
If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. When forged transmits are set to Accept, the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Checks: C-64021r1_chk

From the vSphere Client go to Configuration &gt;&gt; Networking &gt;&gt; vSphere Standard Switch. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Forged Transmits" policy is set to accept, this is a finding.

Fix: F-69205r1_fix

From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "Forged Transmits" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true

c
The virtual switch MAC Address Change policy must be set to reject.
CM-6 - High - CCI-000366 - V-63289 - SV-77779r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
ESXI-06-000060
Vuln IDs
  • V-63289
Rule IDs
  • SV-77779r1_rule
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting the policy to Reject will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. It will also affect how a layer 2 bridge operates, and applications that require a specific MAC address for licensing. Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Checks: C-64023r1_chk

From the vSphere Client go to Configuration &gt;&gt; Networking &gt;&gt; vSphere Standard Switch. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "MAC Address Changes" policy is set to accept, this is a finding.

Fix: F-69207r1_fix

From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "MAC Address Changes" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true

b
The virtual switch Promiscuous Mode policy must be set to reject.
CM-6 - Medium - CCI-000366 - V-63291 - SV-77781r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000061
Vuln IDs
  • V-63291
Rule IDs
  • SV-77781r1_rule
When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Checks: C-64025r1_chk

From the vSphere Client go to Configuration &gt;&gt; Networking &gt;&gt; vSphere Standard Switch. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.

Fix: F-69209r1_fix

From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "Promiscuous Mode" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
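The Forged Transmits, MAC Address Changes and Promiscuous Mode rules above all rely on the same two Get-SecurityPolicy calls and differ only in which property is inspected. As an added example, not part of the STIG, the function below performs all three checks at once for every standard switch and port group on a host, reporting which policies are Accept ($true in Get-SecurityPolicy output). It assumes an existing Connect-VIServer session.

```powershell
# Added example (not STIG-supplied): audit the three vSwitch security policies on every standard
# switch and port group of a host. Assumes an existing Connect-VIServer session.
function Get-VSwitchSecurityAudit {
    param([Parameter(Mandatory)] $VMHost)

    # Helper: turn one policy object into a report row; $true on any property means Accept
    function New-Row($object, $type, $policy) {
        $accepted = @()
        if ($policy.ForgedTransmits)  { $accepted += 'Forged Transmits' }
        if ($policy.MacChanges)       { $accepted += 'MAC Address Changes' }
        if ($policy.AllowPromiscuous) { $accepted += 'Promiscuous Mode' }
        [pscustomobject]@{
            VMHost   = $VMHost.Name
            Object   = $object
            Type     = $type
            Accepted = ($accepted -join ', ')
            Finding  = ($accepted.Count -gt 0)
        }
    }

    foreach ($vs in (Get-VirtualSwitch -VMHost $VMHost -Standard)) {
        New-Row $vs.Name 'vSwitch' (Get-SecurityPolicy -VirtualSwitch $vs)
        # Port groups may override the switch-level policy, so each one is checked on its own
        foreach ($pg in (Get-VirtualPortGroup -VirtualSwitch $vs)) {
            New-Row $pg.Name 'PortGroup' (Get-SecurityPolicy -VirtualPortGroup $pg)
        }
    }
}

# Show only the objects that need one of the three Fixes applied
Get-VMHost | ForEach-Object { Get-VSwitchSecurityAudit -VMHost $_ } |
    Where-Object { $_.Finding } | Format-Table -AutoSize
```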

b
The system must prevent unintended use of the dvFilter network APIs.
CM-6 - Medium - CCI-000366 - V-63293 - SV-77783r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000062
Vuln IDs
  • V-63293
Rule IDs
  • SV-77783r1_rule
If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. If you are not using such a product make sure the setting is blank.
Checks: C-64027r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding.

Fix: F-69211r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress setting and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
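Several rules on this page (the UserVars.DcuiTimeOut fix above, Mem.ShareForceSalting, Net.BlockGuestBPDU and Net.DVFilterBindIpAddress) are each a single advanced setting compared against one required value. As an added example, not part of the STIG, the function below checks a whole baseline of such settings on every host in one pass and, with -Apply, corrects drift with Set-AdvancedSetting. It assumes an existing Connect-VIServer session and that no dvFilter security appliance is in use, so the expected DVFilterBindIpAddress is blank.

```powershell
# Added example (not STIG-supplied): compare advanced settings against required values and
# optionally remediate. Assumes an existing Connect-VIServer session.
function Test-AdvancedSettingBaseline {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [hashtable] $Baseline,   # setting name -> required value
        [switch] $Apply                                   # report only unless -Apply is given
    )

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $setting  = Get-AdvancedSetting -Entity $VMHost -Name $name
        $expected = [string]$Baseline[$name]
        # Compare as text so that a blank expected value (DVFilterBindIpAddress) matches a null or empty current one
        $current  = [string]$setting.Value
        $ok       = ($current -eq $expected)
        $changed  = $false

        if (-not $ok -and $Apply -and $setting) {
            $setting | Set-AdvancedSetting -Value $Baseline[$name] -Confirm:$false | Out-Null
            $changed = $true
        }

        [pscustomobject]@{
            VMHost     = $VMHost.Name
            Setting    = $name
            Current    = $current
            Expected   = $expected
            Finding    = (-not $ok -and -not $changed)
            Remediated = $changed
        }
    }
}

# Required values taken from the rules on this page; DVFilterBindIpAddress is blank only
# where no security appliance uses the dvFilter API (assumption for this example)
$baseline = @{
    'UserVars.DcuiTimeOut'      = 600
    'Mem.ShareForceSalting'     = 2
    'Net.BlockGuestBPDU'        = 1
    'Net.DVFilterBindIpAddress' = ''
}

Get-VMHost | ForEach-Object { Test-AdvancedSettingBaseline -VMHost $_ -Baseline $baseline } |
    Format-Table -AutoSize
# Add -Apply to the call above to correct every reported Finding
```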

b
All port groups must be configured to a value other than that of the native VLAN.
CM-6 - Medium - CCI-000366 - V-63295 - SV-77785r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000063
Vuln IDs
  • V-63295
Rule IDs
  • SV-77785r1_rule
ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.
Checks: C-64029r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup | Select Name, VLanId
If any port group is configured with the native VLAN of the ESXi host's attached physical switch, this is a finding.

Fix: F-69213r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to a non-native VLAN and click OK.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"

b
All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
CM-6 - Medium - CCI-000366 - V-63297 - SV-77787r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000064
Vuln IDs
  • V-63297
Rule IDs
  • SV-77787r1_rule
When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.
Checks: C-64031r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set to 4095.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup | Select Name, VLanId
If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.

Fix: F-69215r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to not be 4095 and click OK.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"

b
All port groups must not be configured to VLAN values reserved by upstream physical switches.
CM-6 - Medium - CCI-000366 - V-63299 - SV-77789r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000065
Vuln IDs
  • V-63299
Rule IDs
  • SV-77789r1_rule
Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.
Checks: C-64033r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set to a reserved VLAN ID.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup | Select Name, VLanId
If any port group is configured with a reserved VLAN ID, this is a finding.

Fix: F-69217r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to not be a reserved VLAN ID and click OK.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
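The three VLAN rules above (ESXI-06-000063, -000064 and -000065) each give a one-line Get-VirtualPortGroup check; the PowerCLI script below is an added example, not part of the STIG, that evaluates all three in a single pass over every standard-switch port group in the session and reports which rule each violation maps to. The native VLAN, the reserved ranges (taken from the Catalyst and Nexus figures quoted in the rule text) and the documented VGT exception list are site-specific assumptions and must be set to local values before use; the port group name 'VGT-Appliance-PG' is a placeholder.

```powershell
# Added example (not STIG content): audit standard-switch port groups against
# ESXI-06-000063 (native VLAN), ESXI-06-000064 (VLAN 4095 / VGT) and
# ESXI-06-000065 (switch-reserved VLANs) in one pass.
# Assumptions (site-specific; adjust before use):
#   $NativeVlan    - native VLAN of the upstream physical switch (1 is the usual default)
#   $ReservedVlans - vendor-reserved IDs; Catalyst and Nexus ranges quoted in the rule text
#   $VgtExceptions - port groups documented as requiring Virtual Guest Tagging (VLAN 4095)
# Requires an existing Connect-VIServer session to the host or to vCenter.

$NativeVlan    = 1
$ReservedVlans = @(1001..1024) + @(3968..4047) + @(4094)
$VgtExceptions = @('VGT-Appliance-PG')   # placeholder name for a documented exception

function Test-PortGroupVlan {
    param(
        [Parameter(Mandatory)] [string]$PortGroup,
        [Parameter(Mandatory)] [int]$VlanId
    )
    # Emits one object per rule violated; no output means the port group is compliant.
    # VLanId 0 means untagged, 1-4094 tagged (VST), 4095 pass-through (VGT).
    $findings = @()
    if ($VlanId -eq $NativeVlan) {
        $findings += 'ESXI-06-000063: port group tagged with the native VLAN'
    }
    if ($VlanId -eq 4095 -and $PortGroup -notin $VgtExceptions) {
        $findings += 'ESXI-06-000064: VLAN 4095 (VGT) without a documented exception'
    }
    if ($ReservedVlans -contains $VlanId) {
        $findings += 'ESXI-06-000065: VLAN reserved by the upstream physical switch'
    }
    foreach ($f in $findings) {
        [pscustomobject]@{ PortGroup = $PortGroup; VlanId = $VlanId; Finding = $f }
    }
}

# Walk every host in the session; -Standard restricts the query to vSwitch port groups,
# which is what the three rules above address.
$report = foreach ($vmhost in Get-VMHost) {
    foreach ($pg in (Get-VirtualPortGroup -VMHost $vmhost -Standard)) {
        Test-PortGroupVlan -PortGroup $pg.Name -VlanId $pg.VLanId |
            Select-Object @{N='Host'; E={ $vmhost.Name }}, PortGroup, VlanId, Finding
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'No VLAN findings.' }
```

Each row carries the rule identifier so the output can be pasted straight into the finding record; remediation stays the per-port-group Set-VirtualPortGroup -VLanId command given in the fixes above, since the correct replacement VLAN is a site decision rather than something a script should pick.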

b
The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
CM-6 - Medium - CCI-000366 - V-63301 - SV-77791r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000066
Vuln IDs
  • V-63301
Rule IDs
  • SV-77791r1_rule
In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi Server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between non-negotiate and on options is that on mode still sends out DTP frames, whereas the non-negotiate option does not. The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.
Checks: C-64035r1_chk

Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. Inspect the documentation and verify that the documentation is correct and updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi Host, this is a finding.

Fix: F-69219r1_fix

Note: This check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi Host. Update the documentation on a regular basis or whenever modifications are made to either ESXi hosts or the upstream external switch ports.

a
All physical switch ports must be configured with spanning tree disabled.
CM-6 - Low - CCI-000366 - V-63303 - SV-77793r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000067
Vuln IDs
  • V-63303
Rule IDs
  • SV-77793r1_rule
Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports must have portfast configured if spanning tree is enabled to avoid loops within the physical switch network. If these are not set, potential performance and connectivity issues might arise.
Checks: C-64037r1_chk

Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.

Fix: F-69221r1_fix

Note: This fix refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on a regular basis or whenever modifications are made to either ESXi hosts or the upstream physical switches.

b
Virtual switch VLANs must be fully documented and have only the required VLANs.
CM-6 - Medium - CCI-000366 - V-63305 - SV-77795r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000068
Vuln IDs
  • V-63305
Rule IDs
  • SV-77795r1_rule
When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.
Checks: C-64039r1_chk

Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that only needed VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts. If the physical switch configuration trunks VLANs that are not used by ESXi on any physical port connected to ESXi hosts, this is a finding.

Fix: F-69223r1_fix

Note: This fix refers to an entity outside the scope of the ESXi server system. Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.

b
The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.
CM-6 - Medium - CCI-000366 - V-63309 - SV-77799r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000070
Vuln IDs
  • V-63309
Rule IDs
  • SV-77799r1_rule
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.
Checks: C-64043r1_chk

If the CIM account does not exist, this check is not applicable. If write access is required, this check is not applicable. From the vSphere client, select the ESXi host, and go to "Permissions". Select the CIM account user, then right-click and select properties to verify read-only access. If write access is not required and the access level is not "read-only", this is a finding.

Fix: F-69227r1_fix

From the vSphere client, select the ESXi host; go to "Local Users and Groups". Select Users and right-click in the user screen. Select "Add", then Add a new user. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. If write access is required, grant only the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges.

c
The system must verify the integrity of the installation media before installing ESXi.
CM-6 - High - CCI-000366 - V-63311 - SV-77801r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
ESXI-06-000071
Vuln IDs
  • V-63311
Rule IDs
  • SV-77801r1_rule
Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files.
Checks: C-64045r1_chk

The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. Typical command line examples for the md5 and sha1 hash checks are:
# md5sum <filename>.iso
# sha1sum <filename>.iso
If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.

Fix: F-69229r1_fix

If the hash returned from the md5sum or sha1sum command does not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.
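The check and fix above are written for md5sum/sha1sum on a Linux or ESXi shell. The script below is an added example, not part of the STIG, that does the same verification from the Windows administration workstation where the images are usually downloaded, comparing each file against a manifest of values copied from the vendor's download page. The manifest entries, file names and download directory are placeholders, not real VMware hashes. Where the vendor page lists a SHA-256 value beside MD5 and SHA-1, compare that one: MD5 and SHA-1 still catch transfer corruption, but they are no longer collision-resistant, so SHA-256 is the stronger authenticity check.

```powershell
# Added example (not STIG content): verify downloaded ESXi media against vendor-published
# checksums with the built-in Get-FileHash cmdlet (PowerShell 4.0+).
# Assumptions: $DownloadDir and the $Manifest entries are placeholders; paste the real
# file names and the hash strings from the vendor download page before running.

$DownloadDir = 'C:\ESXi\Downloads'
$Manifest = @(
    @{ File = 'esxi-installer.iso';      Algorithm = 'SHA256'; Hash = '<paste vendor SHA256 here>' }
    @{ File = 'esxi-offline-bundle.zip'; Algorithm = 'SHA1';   Hash = '<paste vendor SHA1 here>' }
)

function Test-VendorHash {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [ValidateSet('MD5', 'SHA1', 'SHA256')] [string]$Algorithm,
        [Parameter(Mandatory)] [string]$ExpectedHash
    )
    # Returns one result object; Match is $false for a missing file or a mismatch.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Algorithm = $Algorithm; Match = $false; Reason = 'file not found' }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    # Hex digests compare case-insensitively; drop whitespace that came along with the copy.
    $match = $actual -ieq ($ExpectedHash -replace '\s', '')
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        Algorithm = $Algorithm
        Match     = $match
        Reason    = if ($match) { 'ok' } else { "computed $actual" }
    }
}

$results = foreach ($m in $Manifest) {
    Test-VendorHash -Path (Join-Path $DownloadDir $m.File) -Algorithm $m.Algorithm -ExpectedHash $m.Hash
}
$results | Format-Table -AutoSize

# Any mismatch is the finding described above: discard the file and download it again.
if ($results.Match -contains $false) {
    Write-Error 'Checksum mismatch: discard the affected file(s) and re-download from the vendor.'
}
```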

c
The system must have all security patches and updates installed.
CM-6 - High - CCI-000366 - V-63313 - SV-77803r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
ESXI-06-000072
Vuln IDs
  • V-63313
Rule IDs
  • SV-77803r1_rule
Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.
Checks: C-64047r1_chk

If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters >> Update Manager tab and select scan to view all hosts’ compliance status.
If vCenter Update Manager is not used, a host’s compliance status must be manually determined by the build number. VMware KB 1014508 can be used to correlate patches with build numbers.
If the ESXi host does not have the latest patches, this is a finding.
If the ESXi host is not on a supported release, this is a finding.
VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them: https://www.vmware.com/support/policies/security_response

Fix: F-69231r1_fix

If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Client. From the vSphere Client go to Hosts and Clusters >> Update Manager tab, select a non-compliant host and click the Remediate button.
To manually remediate a host, the patch file must be copied locally and the following command run:
esxcli software vib update -d <path to offline patch bundle.zip>

b
The system must enable lockdown mode to restrict remote access.
CM-5 - Medium - CCI-001813 - V-63465 - SV-77955r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
ESXI-06-100001
Vuln IDs
  • V-63465
Rule IDs
  • SV-77955r2_rule
Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Checks: C-64213r3_chk

From the vSphere Web Client, select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Scroll down to "Lockdown Mode". Verify it is set to Enabled (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If "Lockdown Mode" is disabled, this is a finding.
For environments that do not use vCenter server to manage ESXi, this is Not Applicable.

Fix: F-69393r2_fix

From the vSphere Web Client, select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
$level = "lockdownNormal"   # or "lockdownStrict"
$vmhost = Get-VMHost -Name <hostname> | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.ChangeLockdownMode($level)
Note: In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.
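ESXI-06-000070 (read-only CIM service account placed in the Exception Users list) and ESXI-06-100001 (lockdown mode) are usually applied together, because a monitoring account that is not on the exception list loses host access the moment lockdown is enabled. The PowerCLI script below is an added example, not part of the STIG, showing the order of operations: build a role holding only the two privileges the CIM rule allows, create the local account and bind it to that role, add it to the lockdown exception list, and only then switch the host to Normal lockdown. The account name 'svc-cim', the role name 'CIM-ReadOnly' and the prompted password are placeholders; the privilege IDs are the ones the CIM rule names. It assumes a Connect-VIServer session made directly to the ESXi host, since local accounts, roles and permissions are host-local objects.

```powershell
# Added example (not STIG content): least-privilege CIM account + lockdown mode.
# Assumptions: session connected directly to the ESXi host; 'svc-cim' and 'CIM-ReadOnly'
# are placeholder names; the password is prompted rather than written into the script.

$CimUser = 'svc-cim'
$CimRole = 'CIM-ReadOnly'
$Secure  = Read-Host -AsSecureString "Password for $CimUser"
$Plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

$vmhost = Get-VMHost

# 1. A role with only the two privileges ESXI-06-000070 permits for CIM accounts.
$privs = Get-VIPrivilege -Id 'Host.Cim.CimInteraction', 'Host.Config.SystemManagement'
$role  = Get-VIRole -Name $CimRole -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $CimRole -Privilege $privs }

# 2. The local account, granted that role on the host object (never Administrator).
if (-not (Get-VMHostAccount -Id $CimUser -ErrorAction SilentlyContinue)) {
    New-VMHostAccount -Id $CimUser -Password $Plain `
        -Description 'CIM hardware monitoring (read-only)' | Out-Null
}
New-VIPermission -Entity $vmhost -Principal $CimUser -Role $role -Propagate $true | Out-Null
$Plain = $null

# 3. Lockdown exception list first, then lockdown mode. Exception users keep their own
#    (limited) permissions during lockdown; everyone else must come through vCenter.
$hv     = Get-View $vmhost
$access = Get-View $hv.ConfigManager.HostAccessManager
$current    = @($access.QueryLockdownExceptions() | Where-Object { $_ })
$exceptions = @(($current + $CimUser) | Select-Object -Unique)
$access.UpdateLockdownExceptions($exceptions)

if ($hv.Config.LockdownMode -eq 'lockdownDisabled') {
    # 'lockdownStrict' also stops the DCUI; see the note in the fix above before choosing it.
    $access.ChangeLockdownMode('lockdownNormal')
}

# 4. Verify with the same queries the STIG checks use.
Get-VMHost | Select-Object Name, @{N='Lockdown'; E={ $_.ExtensionData.Config.LockdownMode }}
Get-VIPermission -Principal $CimUser | Select-Object Principal, Role, Entity
$access.QueryLockdownExceptions()
```

The verification block should show lockdownNormal, a single permission for svc-cim carrying the CIM-ReadOnly role, and svc-cim in the exception list. If the monitoring product genuinely needs write access, extend the role rather than granting Administrator, and record the added privileges so the ESXI-06-000070 check can treat the account as a documented exception.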

b
The VMM must support the capability to centrally review and analyze audit records from multiple components within the system by configuring remote logging.
AU-6 - Medium - CCI-000154 - V-63477 - SV-77967r1_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000154
Version
ESXI-06-100004
Vuln IDs
  • V-63477
Rule IDs
  • SV-77967r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. Gathering host log files onto a central host lets administrators monitor all hosts with a single tool and perform aggregate analysis and searching, for example to look for coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Checks: C-64227r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69407r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

b
The VMM must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
AC-8 - Medium - CCI-000050 - V-63485 - SV-77975r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
ESXI-06-100007
Vuln IDs
  • V-63485
Rule IDs
  • SV-77975r1_rule
Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.
Checks: C-64233r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage
Check for either of the following login banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding.
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OR
I've read & consent to terms in IS user agreem't.
If the DCUI logon screen does not display the DoD logon banner, this is a finding.

Fix: F-69415r1_fix

From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script (.ps1 file) and run to set the DCUI screen to display the DoD logon banner. The banner is a PowerShell here-string: the opening @" and the closing "@ must each sit on their own line, with the closing "@ at the start of the line.
<script begin>
$value = @"
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations.{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS.{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy.{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details.{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align}
{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor}
"@
Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value
<script end>

b
The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
SC-13 - Medium - CCI-002450 - V-63501 - SV-77991r2_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
ESXI-06-100010
Vuln IDs
  • V-63501
Rule IDs
  • SV-77991r2_rule
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. Note that this does not imply FIPS 140-2 certification.
Checks: C-64251r2_chk

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:
# grep -i "^Ciphers" /etc/ssh/sshd_config
If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc", this is a finding.

Fix: F-69431r2_fix

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config":
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

a
The VMM must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Low - CCI-000171 - V-63509 - SV-77999r1_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000171
Version
ESXI-06-100030
Vuln IDs
  • V-63509
Rule IDs
  • SV-77999r1_rule
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Checks: C-64259r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level
If the Config.HostAgent.log.level setting is not set to info, this is a finding.
Note: Verbose logging level is acceptable for troubleshooting purposes.

Fix: F-69439r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and configure it to info.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"

b
The VMM must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-63531 - SV-78021r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
ESXI-06-100031
Vuln IDs
  • V-63531
Rule IDs
  • SV-78021r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-64281r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl
If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69461r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
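Several of the rules in this section (ESXI-06-000062 Net.DVFilterBindIpAddress, ESXI-06-100004 Syslog.global.logHost, ESXI-06-100030 Config.HostAgent.log.level and ESXI-06-100031 Security.PasswordQualityControl) reduce to checking one host advanced setting against an expected value. The PowerCLI script below is an added example, not part of the STIG, that audits all four on every host in the session with one Get-AdvancedSetting call per host and prints a compliance table, then remediates only the fixed-value password rule in bulk. The syslog collector address 'udp://syslog.example.mil:514' and the empty list of hosts documented as using a dvFilter appliance are site-specific assumptions; the expected strings are the ones quoted in the rules above.

```powershell
# Added example (not STIG content): audit the advanced settings pinned by the rules above.
# Assumptions: existing Connect-VIServer session; $SiteSyslog is a placeholder collector;
# $DvFilterApplianceHosts lists hosts where a dvFilter security appliance is documented
# (Net.DVFilterBindIpAddress may legitimately be non-blank only on those hosts).

$SiteSyslog             = 'udp://syslog.example.mil:514'
$DvFilterApplianceHosts = @()

function Get-ExpectedSettings {
    param([Parameter(Mandatory)] [string]$HostName)
    $expected = @{
        'Syslog.global.logHost'           = $SiteSyslog
        'Config.HostAgent.log.level'      = 'info'
        'Security.PasswordQualityControl' = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    }
    if ($HostName -notin $DvFilterApplianceHosts) {
        $expected['Net.DVFilterBindIpAddress'] = ''
    }
    return $expected
}

function Test-HostSettings {
    param([Parameter(Mandatory)] $VMHost)
    $expected = Get-ExpectedSettings -HostName $VMHost.Name
    $actual   = @{}
    # One query for all names instead of one round trip per setting.
    Get-AdvancedSetting -Entity $VMHost -Name ([string[]]$expected.Keys) |
        ForEach-Object { $actual[$_.Name] = [string]$_.Value }

    foreach ($name in $expected.Keys) {
        $want = $expected[$name]
        $got  = $actual[$name]
        # The log-level rule tolerates 'verbose' for troubleshooting; everything else is exact.
        $ok = if ($name -eq 'Config.HostAgent.log.level') { $got -in @('info', 'verbose') }
              else { $got -eq $want }
        [pscustomobject]@{
            Host     = $VMHost.Name
            Setting  = $name
            Expected = $want
            Actual   = $got
            Status   = if ($ok) { 'Compliant' } else { 'FINDING' }
        }
    }
}

$report = Get-VMHost | ForEach-Object { Test-HostSettings -VMHost $_ }
$report | Sort-Object Host, Setting | Format-Table -AutoSize

# Bulk remediation is safe only for the fixed-value rule. The syslog target and the
# dvFilter address are site decisions and are corrected deliberately, per host.
$report | Where-Object { $_.Status -eq 'FINDING' -and $_.Setting -eq 'Security.PasswordQualityControl' } |
    ForEach-Object {
        $row = $_
        Get-VMHost -Name $row.Host | Get-AdvancedSetting -Name $row.Setting |
            Set-AdvancedSetting -Value $row.Expected -Confirm:$false
    }
```

A blank Net.DVFilterBindIpAddress on a host that is in $DvFilterApplianceHosts is not flagged, because the rule only requires that the address be correct when an appliance is in use; conversely, any value on a host not in that list is a finding, which is the case an attacker-attached VM would exploit.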

a
The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.
IA-2 - Low - CCI-000770 - V-63605 - SV-78095r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000770
Version
ESXI-06-100037
Vuln IDs
  • V-63605
Rule IDs
  • SV-78095r2_rule
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (the default) exists, then all users and groups that are assigned as members of this group will have full administrative access to all ESXi hosts in the domain.
Checks: C-64355r3_chk

From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Verify the Directory Services Type is set to Active Directory.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.
For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.
If the "Directory Services Type" is not set to "Active Directory", this is a finding.

Fix: F-69535r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.
IA-2 - Medium - CCI-000770 - V-63757 - SV-78247r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
ESXI-06-100038
Vuln IDs
  • V-63757
Rule IDs
  • SV-78247r2_rule
If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile, and to avoid transmitting Active Directory credentials over the network, use the vSphere Authentication Proxy.
Checks: C-64507r3_chk

From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".
or
From a PowerCLI command prompt while connected to vCenter run the following command:
Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
If "JoinADEnabled" is "True", verify that "JoinDomainMethod" is "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.

Fix: F-69685r2_fix

When using host profiles do the following:
From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server.
To join a host to Active Directory manually without host profiles do the following:
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.
IA-2 - Low - CCI-000770 - V-63769 - SV-78259r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000770
Version
ESXI-06-100039
Vuln IDs
  • V-63769
Rule IDs
  • SV-78259r2_rule
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group.
Checks: C-64515r2_chk

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value. Verify it is not set to "ESX Admins".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Fix: F-69697r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value. Configure it to an Active Directory group other than "ESX Admins".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

The VMM must accept Personal Identity Verification (PIV) credentials.
IA-2 - Low - CCI-001953 - V-63771 - SV-78261r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001953
Version
ESXI-06-100040
Vuln IDs
  • V-63771
Rule IDs
  • SV-78261r2_rule
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Checks: C-64521r2_chk

From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. View the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain.
For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

Fix: F-69699r2_fix

The following are prerequisites for configuring smart card authentication for the ESXi DCUI:
- An Active Directory domain that supports smart card authentication, smart card readers, and smart cards.
- ESXi joined to an Active Directory domain.
- Trusted certificates for root and intermediary certificate authorities.
From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.

The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout.
AC-12 - Medium - CCI-002361 - V-63773 - SV-78263r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
ESXI-06-100041
Vuln IDs
  • V-63773
Rule IDs
  • SV-78263r1_rule
If a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.
Checks: C-64523r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut
If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.

Fix: F-69701r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600

The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout on shell services.
AC-12 - Medium - CCI-002361 - V-63775 - SV-78265r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
ESXI-06-100042
Vuln IDs
  • V-63775
Rule IDs
  • SV-78265r1_rule
When the ESXi Shell or SSH services are enabled on a host, they will run indefinitely. To avoid leaving these services running, set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated.
Checks: C-64525r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut
If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.

Fix: F-69703r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and configure it to 600.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600

The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown.
AC-12 - Medium - CCI-002361 - V-63777 - SV-78267r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
ESXI-06-100043
Vuln IDs
  • V-63777
Rule IDs
  • SV-78267r1_rule
When the Direct Console User Interface (DCUI) is enabled and a user is logged in, the session should be automatically logged out if left idle, to avoid unauthorized privilege gains. The DcuiTimeOut defines a window of time after which the DCUI will be logged out.
Checks: C-64527r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut
If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.

Fix: F-69705r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and configure it to 600.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600

The VMM must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
AU-8 - Medium - CCI-002046 - V-63779 - SV-78269r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-002046
Version
ESXI-06-100046
Vuln IDs
  • V-63779
Rule IDs
  • SV-78269r1_rule
To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.
Checks: C-64529r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and view the configured NTP servers and service startup policy.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
If the NTP service is not configured with authoritative DoD time sources, or is not configured to start and stop with the host, or is not running, this is a finding.

Fix: F-69707r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and configure the NTP service to start and stop with the host and with authoritative DoD time sources.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
$NTPServers = "ntpserver1","ntpserver2"
Get-VMHost | Add-VMHostNTPServer $NTPServers
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService

The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIB Acceptance Levels.
CM-7 - High - CCI-001774 - V-63823 - SV-78313r1_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001774
Version
ESXI-06-100047
Vuln IDs
  • V-63823
Rule IDs
  • SV-78313r1_rule
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.
Checks: C-64573r1_chk

From the vSphere Client select the ESXi Host and go to Configuration &gt;&gt; Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.

Fix: F-69751r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
$esxcli = Get-EsxCli
$esxcli.software.acceptance.Set("PartnerSupported")
Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.

The VMM must protect audit information from unauthorized modification by configuring remote logging.
AU-9 - Medium - CCI-000163 - V-63833 - SV-78323r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
ESXI-06-200004
Vuln IDs
  • V-63833
Rule IDs
  • SV-78323r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool and can perform aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Checks: C-64583r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69761r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

The VMM must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-63867 - SV-78357r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
ESXI-06-200031
Vuln IDs
  • V-63867
Rule IDs
  • SV-78357r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-64617r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl
If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69795r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
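The Security.PasswordQualityControl value uses pam_passwdqc syntax, where min=N0,N1,N2,N3,N4 gives the minimum length for passwords built from one, two, (N2: passphrase), three and four character classes. The following is an added PowerShell example, not part of the STIG, that parses the required value (this entry and ESXI-06-300031) and evaluates constructed sample passwords against it; the function names and sample passwords are the editor's own.

```powershell
# Added example, not part of the STIG: parse a Security.PasswordQualityControl
# value (pam_passwdqc syntax) and evaluate candidate passwords against it.
function ConvertFrom-PasswordQualityControl {
    param([Parameter(Mandatory)][string]$Setting)
    # Min holds five integers (N0..N4); -1 stands for "disabled".
    # Tokens this example does not model (e.g. max=, passphrase=) are ignored.
    $policy = @{ Similar = 'deny'; Retry = 3; Min = @(-1, -1, -1, -1, -1) }
    foreach ($token in ($Setting.Trim() -split '\s+')) {
        $name, $value = $token -split '=', 2
        switch ($name) {
            'similar' { $policy.Similar = $value }
            'retry'   { $policy.Retry   = [int]$value }
            'min'     {
                $policy.Min = @($value -split ',' | ForEach-Object {
                    if ($_ -eq 'disabled') { -1 } else { [int]$_ }
                })
            }
        }
    }
    return $policy
}

function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][hashtable]$Policy
    )
    # passwdqc does not count an upper-case first character or a digit last
    # character toward the number of character classes, so strip them first.
    $body = $Password
    if ($body.Length -gt 0 -and $body[0] -cmatch '^[A-Z]$') { $body = $body.Substring(1) }
    if ($body.Length -gt 0 -and $body[-1] -match '^[0-9]$') { $body = $body.Substring(0, $body.Length - 1) }
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($body -cmatch $pattern) { $classes++ }
    }
    # Slot in min= for this class count: 1->N0, 2->N1, 3->N3, 4->N4 (N2 is for passphrases)
    $slot = @{ 1 = 0; 2 = 1; 3 = 3; 4 = 4 }[$classes]
    if ($null -eq $slot) { $minLen = -1 } else { $minLen = $Policy.Min[$slot] }
    if ($minLen -lt 0) {
        $allowed = $false
        $reason  = "passwords with $classes character class(es) are disabled by policy"
    } elseif ($Password.Length -lt $minLen) {
        $allowed = $false
        $reason  = "length $($Password.Length) is below the minimum $minLen for $classes classes"
    } else {
        $allowed = $true
        $reason  = 'meets policy'
    }
    [pscustomobject]@{ Password = $Password; Classes = $classes; Allowed = $allowed; Reason = $reason }
}

# Constructed sample inputs: the STIG-required value and a few candidate passwords
$stigPolicy = ConvertFrom-PasswordQualityControl 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
$candidates = @(
    'correcthorsebatterystaple',  # one class, long: disabled by policy
    'Tr0ub4dor&3',                # leading T and trailing 3 discounted -> three classes: disabled
    'xK9#mQ2$vL7!',               # four classes but 12 characters: below the minimum of 15
    'xK9#mQ2$vL7!pR4w'            # four classes, 16 characters: allowed
)
$candidates | ForEach-Object { Test-PasswordAgainstPolicy -Password $_ -Policy $stigPolicy } | Format-Table -AutoSize
```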

The VMM must provide the capability to immediately disconnect or disable remote access to the information system by disabling SSH.
AC-17 - Medium - CCI-002314 - V-63885 - SV-78375r2_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
ESXI-06-200035
Vuln IDs
  • V-63885
Rule IDs
  • SV-78375r2_rule
The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details that are not always accessible through the vSphere Client. The ESXi shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled, as is the default. As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.
Checks: C-64635r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped.
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}
If the ESXi SSH service is running, this is a finding.

Fix: F-69813r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit, then select the SSH service and click Options. Change the service to "Start and stop manually", stop the service, and click OK.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService

The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication.
IA-2 - Low - CCI-001941 - V-63893 - SV-78383r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001941
Version
ESXI-06-200037
Vuln IDs
  • V-63893
Rule IDs
  • SV-78383r2_rule
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (default) exists, then all users and groups that are assigned as members of this group will have full administrative access to all ESXi hosts in the domain.
Checks: C-64643r2_chk

From the vSphere Client, select the ESXi Host and go to Configuration &gt;&gt; Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.

Fix: F-69821r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy.
IA-2 - Medium - CCI-001941 - V-63895 - SV-78385r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
ESXI-06-200038
Vuln IDs
  • V-63895
Rule IDs
  • SV-78385r2_rule
If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile, and to avoid transmitting Active Directory credentials over the network, use the vSphere Authentication Proxy.
Checks: C-64645r2_chk

From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".
or
From a PowerCLI command prompt while connected to vCenter run the following command:
Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
If "JoinADEnabled" is "True", verify that "JoinDomainMethod" is "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.

Fix: F-69823r2_fix

When using host profiles do the following:
From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server.
To join a host to Active Directory manually without host profiles do the following:
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.
IA-2 - Low - CCI-001941 - V-63897 - SV-78387r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001941
Version
ESXI-06-200039
Vuln IDs
  • V-63897
Rule IDs
  • SV-78387r2_rule
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group.
Checks: C-64647r2_chk

From the vSphere Client, select the ESXi Host and go to Configuration &gt;&gt; Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Fix: F-69825r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins".
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

The VMM must electronically verify Personal Identity Verification (PIV) credentials.
IA-2 - Low - CCI-001954 - V-63899 - SV-78389r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001954
Version
ESXI-06-200040
Vuln IDs
  • V-63899
Rule IDs
  • SV-78389r2_rule
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Checks: C-64649r2_chk

From the vSphere Web Client, select the ESXi Host and go to Manage &gt;&gt; Authentication Services. View the "Smart Card Authentication" status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain. For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

Fix: F-69827r2_fix

The following are prerequisites for configuring smart card authentication for the ESXi DCUI:
- An Active Directory domain that supports smart card authentication, smart card readers, and smart cards.
- ESXi joined to an Active Directory domain.
- Trusted certificates for root and intermediary certificate authorities.
From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.

The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIB Acceptance Levels.
SC-28 - High - CCI-002475 - V-63901 - SV-78391r1_rule
RMF Control
SC-28
Severity
High
CCI
CCI-002475
Version
ESXI-06-200047
Vuln IDs
  • V-63901
Rule IDs
  • SV-78391r1_rule
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.
Checks: C-64651r1_chk

From the vSphere Client select the ESXi Host and go to Configuration &gt;&gt; Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.

Fix: F-69829r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported.
or
From a PowerCLI command prompt while connected to the ESXi host run the following commands:
$esxcli = Get-EsxCli
$esxcli.software.acceptance.Set("PartnerSupported")
Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.

The VMM must protect audit information from unauthorized deletion by configuring remote logging.
AU-9 - Medium - CCI-000164 - V-63903 - SV-78393r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
ESXI-06-300004
Vuln IDs
  • V-63903
Rule IDs
  • SV-78393r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool and can perform aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Checks: C-64653r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69831r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

b
The VMM must require the change of at least 8 of the total number of characters when passwords are changed.
IA-5 - Medium - CCI-000195 - V-63905 - SV-78395r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
ESXI-06-300031
Vuln IDs
  • V-63905
Rule IDs
  • SV-78395r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-64655r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl

If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69833r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"

a
The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication.
IA-2 - Low - CCI-001942 - V-63907 - SV-78397r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001942
Version
ESXI-06-300037
Vuln IDs
  • V-63907
Rule IDs
  • SV-78397r2_rule
Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures that password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the AD group "ESX Admins" (the default) exists, all users and groups assigned as members of this group will have full administrative access to all ESXi hosts in the domain.
Checks: C-64657r2_chk

From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If the "Directory Services Type" is not set to "Active Directory", this is a finding.

Fix: F-69835r2_fix

From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"

b
The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy.
IA-2 - Medium - CCI-001942 - V-63909 - SV-78399r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001942
Version
ESXI-06-300038
Vuln IDs
  • V-63909
Rule IDs
  • SV-78399r2_rule
If you configure your host to join an Active Directory domain using Host Profiles, the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid saving Active Directory credentials in the Host Profile and transmitting them over the network, use the vSphere Authentication Proxy.
Checks: C-64659r2_chk

From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain".

or

From a PowerCLI command prompt while connected to vCenter run the following command:

Get-VMHost | Select Name, `
@{N="HostProfile";E={$_ | Get-VMHostProfile}}, `
@{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, `
@{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

Verify that if "JoinADEnabled" is "True" then "JoinDomainMethod" is "FixedCAMConfigOption".

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If "vSphere Authentication Proxy" is not used to join hosts to an Active Directory domain, this is a finding.

Fix: F-69837r2_fix

When using host profiles do the following:

From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server.

To join a host to Active Directory manually without host profiles do the following:

From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to Active Directory. Enter the domain to join, check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".

a
The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.
IA-2 - Low - CCI-001942 - V-63911 - SV-78401r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-001942
Version
ESXI-06-300039
Vuln IDs
  • V-63911
Rule IDs
  • SV-78401r2_rule
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group.
Checks: C-64661r2_chk

From the vSphere Client, select the ESXi Host. Go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup

For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Fix: F-69839r2_fix

From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins".

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>

a
The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SC-23 - Low - CCI-002470 - V-63913 - SV-78403r2_rule
RMF Control
SC-23
Severity
Low
CCI
CCI-002470
Version
ESXI-06-300040
Vuln IDs
  • V-63913
Rule IDs
  • SV-78403r2_rule
To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Checks: C-64663r2_chk

From the vSphere Web Client, select the ESXi Host. Go to Manage >> Authentication Services. View the "Smart Card Authentication" status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain.

For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable.

For environments that do not use vCenter server to manage ESXi, this is Not Applicable.

For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.

Fix: F-69841r2_fix

The following are prerequisites to configuring smart card authentication for the ESXi DCUI:
- An Active Directory domain that supports smart card authentication, smart card readers, and smart cards.
- ESXi joined to an Active Directory domain.
- Trusted certificates for root and intermediate certificate authorities.

From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK.

For more information see the vSphere 6.0 documentation on VMware's website.

b
The VMM must off-load audit records onto a different system or media than the system being audited by configuring remote logging.
AU-4 - Medium - CCI-001851 - V-63915 - SV-78405r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
ESXI-06-400004
Vuln IDs
  • V-63915
Rule IDs
  • SV-78405r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool and can perform aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Checks: C-64665r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69843r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

b
The VMM must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-63919 - SV-78409r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
ESXI-06-400031
Vuln IDs
  • V-63919
Rule IDs
  • SV-78409r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-64669r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl

If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69847r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"

b
The VMM must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly by configuring remote logging.
AU-4 - Medium - CCI-001851 - V-63921 - SV-78411r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
ESXI-06-500004
Vuln IDs
  • V-63921
Rule IDs
  • SV-78411r1_rule
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool and can perform aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Checks: C-64671r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.

Fix: F-69849r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"

b
The VMM must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-63923 - SV-78413r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
ESXI-06-500031
Vuln IDs
  • V-63923
Rule IDs
  • SV-78413r1_rule
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.
Checks: C-64673r1_chk

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl

If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.

Fix: F-69851r1_fix

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15".

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
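The host-level checks in this section (image profile acceptance level, Syslog.global.logHost, Security.PasswordQualityControl, the Directory Services type, and Config.HostAgent.plugins.hostsvc.esxAdminsGroup) each read one value per host and compare it against a fixed expectation, so they lend themselves to a single pass over every host. The PowerCLI script below is an added example and is not part of the STIG or of VMware's tooling. The function names Get-AdvValue and Test-EsxiHostBaseline are hypothetical; the expected values are the ones the STIG text states, except $ExpectedSyslogHost, which is a constructed placeholder for the site's own syslog server. It assumes an existing Connect-VIServer session to vCenter and uses only the cmdlets the checks above already rely on.

```powershell
# Added example, not part of the STIG: audit the host-level settings from the
# checks in this section for every ESXi host in the current PowerCLI session
# and return one result object per host. Assumes Connect-VIServer has been run.
# Expected values are taken from the STIG text; $ExpectedSyslogHost is a
# constructed placeholder that must be replaced with the site's syslog server.

$ExpectedSyslogHost = "udp://syslog.example.mil:514"   # constructed placeholder
$ExpectedPwQuality  = "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
$AllowedAcceptance  = @("VMwareCertified", "VMwareAccepted", "PartnerSupported")

function Get-AdvValue {
    # Hypothetical helper: return one advanced setting's value, or $null if absent
    param($VMHost, [string]$Name)
    $s = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
    if ($s) { return $s.Value } else { return $null }
}

function Test-EsxiHostBaseline {
    # Hypothetical helper: evaluate the checks for a single host
    param([Parameter(Mandatory)] $VMHost)

    $findings = @()

    # Image profile acceptance level: CommunitySupported (or anything else
    # outside the three signed levels) is a finding
    $esxcli = Get-EsxCli -VMHost $VMHost
    $level  = $esxcli.software.acceptance.get()
    if ($AllowedAcceptance -notcontains $level) {
        $findings += "Acceptance level is '$level'"
    }

    # Remote logging: Syslog.global.logHost must name the site syslog server
    $logHost = Get-AdvValue $VMHost "Syslog.global.logHost"
    if ($logHost -ne $ExpectedSyslogHost) {
        $findings += "Syslog.global.logHost is '$logHost'"
    }

    # Password policy: the STIG requires this exact pam_passwdqc string
    $pwq = Get-AdvValue $VMHost "Security.PasswordQualityControl"
    if ($pwq -ne $ExpectedPwQuality) {
        $findings += "Security.PasswordQualityControl is '$pwq'"
    }

    # Active Directory: reported whenever the host is not domain joined; the
    # reviewer still applies the STIG's local-account applicability rule
    $auth = Get-VMHostAuthentication -VMHost $VMHost
    if ([string]::IsNullOrEmpty($auth.Domain)) {
        $findings += "Host is not joined to an Active Directory domain"
    }

    # ESX Admins: the default group name grants every member full host access
    $grp = Get-AdvValue $VMHost "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
    if ($grp -eq "ESX Admins") {
        $findings += "esxAdminsGroup is still the default 'ESX Admins'"
    }

    [pscustomobject]@{
        Host      = $VMHost.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join "; ")
    }
}

# Usage: one row per host; Compliant is $false when any check produced a finding
Get-VMHost | ForEach-Object { Test-EsxiHostBaseline -VMHost $_ } | Format-Table -AutoSize
```

The script only reads settings; the Set-AdvancedSetting and acceptance-level fixes in the individual rules remain the remediation path, and the Active Directory line is reported unconditionally because the applicability exceptions (no local accounts beyond root, dcui, and vpxuser) are a judgement the reviewer makes per host.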

b
The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
CM-6 - Medium - CCI-000366 - V-73129 - SV-87781r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ESXI-06-000073
Vuln IDs
  • V-73129
Rule IDs
  • SV-87781r1_rule
Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes VSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.
Checks: C-73263r2_chk

If IP-based storage is not used, this is not applicable.

IP-Based storage (iSCSI, NFS, VSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment.

From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions.

If any IP-Based storage networks are not isolated from other traffic types, this is a finding.

Fix: F-79575r2_fix

Configuration of an IP-based VMkernel will be unique to each environment, but, as an example, to move an iSCSI VMkernel on a standard switch onto the correct network by changing its IP address and VLAN, do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking. On the vSwitch that contains the iSCSI VMkernel select Properties. Select the iSCSI VMkernel and click Edit. On the General tab uncheck everything and set the appropriate VLAN ID. Go to the IP Settings tab, enter the appropriate IP address and subnet information, and click OK.
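The check above notes that verifying IP-based storage isolation is unique to each environment, since the vSphere Client only shows VLAN IDs port group by port group. The PowerCLI script below is an added example, not part of the STIG, that gathers the standard-switch port groups and VMkernel ports of each host and flags any storage VMkernel whose VLAN is also used by a VM port group or by a non-storage VMkernel. The function name Test-IpStorageIsolation and the parameter -StorageVmkNames are hypothetical. vSAN VMkernels are recognised from their VsanTrafficEnabled flag; iSCSI and NFS VMkernels carry no such flag, so their device names (for example vmk2) are passed in explicitly. Distributed port groups are not covered; an existing Connect-VIServer session is assumed.

```powershell
# Added example, not part of the STIG: report storage VMkernels that share a
# VLAN with VM port groups or with other VMkernels on a standard vSwitch.
# Assumes an existing Connect-VIServer session. Distributed switches are
# out of scope here.

function Test-IpStorageIsolation {
    # Hypothetical helper; -StorageVmkNames lists iSCSI/NFS vmk devices, which
    # cannot be identified from a flag the way vSAN VMkernels can
    param(
        [Parameter(Mandatory)] $VMHost,
        [string[]] $StorageVmkNames = @()
    )

    # Map every standard port group on the host to its VLAN ID
    $pgVlan = @{}
    foreach ($pg in Get-VirtualPortGroup -VMHost $VMHost -Standard) {
        $pgVlan[$pg.Name] = $pg.VLanId
    }

    $vmks = Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel
    $storageVmks = $vmks | Where-Object {
        $_.VsanTrafficEnabled -or ($StorageVmkNames -contains $_.DeviceName)
    }
    $storageNames = @($storageVmks | ForEach-Object { $_.DeviceName })
    $otherVmks    = $vmks | Where-Object { $storageNames -notcontains $_.DeviceName }
    $vmkPgNames   = @($vmks | ForEach-Object { $_.PortGroupName })

    $findings = @()
    foreach ($svmk in $storageVmks) {
        $vlan = $pgVlan[$svmk.PortGroupName]
        if ($null -eq $vlan) { continue }   # backed by a distributed port group

        # VM port groups (ones that back no VMkernel) on the same VLAN
        $sharedVmPg = $pgVlan.Keys | Where-Object {
            $pgVlan[$_] -eq $vlan -and $vmkPgNames -notcontains $_
        }
        foreach ($n in $sharedVmPg) {
            $findings += "$($svmk.DeviceName) (VLAN $vlan) shares its VLAN with VM port group '$n'"
        }

        # Management, vMotion or other non-storage VMkernels on the same VLAN
        $sharedVmk = $otherVmks | Where-Object { $pgVlan[$_.PortGroupName] -eq $vlan }
        foreach ($o in $sharedVmk) {
            $findings += "$($svmk.DeviceName) (VLAN $vlan) shares its VLAN with $($o.DeviceName)"
        }
    }

    [pscustomobject]@{
        Host        = $VMHost.Name
        StorageVmks = ($storageNames -join ",")
        Isolated    = ($findings.Count -eq 0)
        Findings    = ($findings -join "; ")
    }
}

# Usage: vmk2 is a constructed example of an iSCSI VMkernel device name
Get-VMHost | ForEach-Object { Test-IpStorageIsolation -VMHost $_ -StorageVmkNames "vmk2" } |
    Format-Table -AutoSize
```

A host with no storage VMkernels reports Isolated as $true with an empty StorageVmks column, which matches the "not applicable" case in the check; VLAN 0 (untagged) is compared like any other ID, so an untagged storage VMkernel beside an untagged VM port group is correctly reported as shared.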

a
The system must enable the VSAN Health Check.
CM-6 - Low - CCI-000366 - V-73131 - SV-87783r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000074
Vuln IDs
  • V-73131
Rule IDs
  • SV-87783r1_rule
VSAN Health Check is enabled by default in vSphere 6.0 update 1 and later; on vSphere 6.0.0 it has to be manually installed and enabled prior to usage. The VSAN Health Check is used for additional alerting capabilities, for performance stress testing prior to production usage, and for verifying that the underlying hardware is officially supported by being in compliance with the VSAN Hardware Compatibility Guide.
Checks: C-73265r3_chk

If no clusters are enabled for VSAN, this is not applicable.

From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Manage >> Settings >> Virtual SAN >> Health. Review the "Health Service Status" and verify that it is set to "Enabled".

If VSAN is enabled and there is no VSAN health check installed or the VSAN health check is disabled, this is a finding.

Fix: F-79577r2_fix

If VSAN Health Check is not installed (6.0 GA only): Download the VSAN Health Check Plugin and install it on the vCenter Server. Then restart the vCenter Server services. DRS must be configured as Fully Automated on the cluster. Then each ESXi host must have the VSAN Health Check VIB installed.

If VSAN Health Check is installed: From the vSphere Web Client go to Host and Clusters >> Select a VSAN enabled "Cluster" >> Manage >> Settings >> Virtual SAN >> Health >> "Health Service Status" and click "Edit Settings". Select the check box for "Turn On Periodical Health Check" and configure the time interval as necessary.

a
The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.
CM-6 - Low - CCI-000366 - V-73133 - SV-87785r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000075
Vuln IDs
  • V-73133
Rule IDs
  • SV-87785r1_rule
The VSAN Health Check is able to download the hardware compatibility list from VMware in order to check compliance of the underlying VSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet, this functionality must be disabled or, if the feature is necessary, an external proxy server must be configured.
Checks: C-73267r2_chk

If no clusters are enabled for VSAN, this is not applicable.

From the vSphere Web Client go to Host and Clusters >> Select a VSAN Enabled Cluster >> Manage >> Settings >> General >> Internet Connectivity >> Edit.

If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled. If "Enable Internet access for this cluster" is enabled, this is a finding.

If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is configured. If "Enable Internet access for this cluster" is disabled or a proxy is not configured, this is a finding.

Fix: F-79579r2_fix

If no clusters are enabled for VSAN, this is not applicable.

If VSAN Health Check is not installed (6.0 GA only): Download the VSAN Health Check Plugin and install it on the vCenter Server. Then restart the vCenter Server services. DRS must be configured as Fully Automated on the cluster. Then each ESXi host must have the VSAN Health Check VIB installed.

If VSAN Health Check is installed: From the vSphere Web Client go to Host and Clusters >> Select a VSAN Enabled Cluster >> Manage >> Settings >> General >> Internet Connectivity >> Edit.

If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled.

If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is appropriately configured.

a
The system must configure the VSAN Datastore name to a unique name.
CM-6 - Low - CCI-000366 - V-73135 - SV-87787r1_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ESXI-06-000076
Vuln IDs
  • V-73135
Rule IDs
  • SV-87787r1_rule
VSAN Datastore name by default is "vsanDatastore". If more than one VSAN cluster is present in vCenter both datastores will have the same name by default potentially leading to confusion and manually misplaced workloads.
Checks: C-73269r2_chk

If no clusters are enabled for VSAN, this is not applicable.

From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Related Objects >> Datastores. Review the datastores. Identify any datastores with "vsan" as the datastore type.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){
    Write-Host "VSAN Enabled Cluster found"
    Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"}
}
else{
    Write-Host "VSAN is not enabled, this finding is not applicable"
}

If VSAN is Enabled and the datastore is named "vsanDatastore", this is a finding.

Fix: F-79581r1_fix

From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Related Objects >> Datastores. Right click on the datastore named "vsanDatastore" and select "Rename". Rename the datastore based on operational naming standards.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){
    Write-Host "VSAN Enabled Cluster found"
    $Clusters = Get-Cluster | where {$_.VsanEnabled}
    Foreach ($clus in $Clusters){
        $clus | Get-Datastore | where {$_.type -match "vsan"} | Set-Datastore -Name $(($clus.name) + "_VSAN_Datastore")
    }
}
else{
    Write-Host "VSAN is not enabled, this finding is not applicable"
}