Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

VMware ESX 3 Policy

  • Version/Release: V1R2
  • Published: 2016-05-03
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The VMware ESX 3 Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected].
b
A third party firewall is configured on ESX Server.
Medium - V-15825 - SV-16764r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0330
Vuln IDs
  • V-15825
Rule IDs
  • SV-16764r1_rule
Third party software and services should not be installed in the service console. The service console is not intended to support the operation of additional software or services beyond what is included in the default ESX installation. VMware does not support the addition of third party applications that have not been explicitly approved. System AdministratorInformation Assurance Officer[Virtual Server Administrator]
Checks: C-16167r1_chk

Ask the IAO/SA if any third party firewalls are installed on the ESX Server service console. If the answer is yes, inquire as to what is installed. If it is anything other than IPtables, this is a finding.

Fix: F-15777r1_fix

Remove third party firewalls from the ESX Server service console.

b
Hash signatures for the /etc files are not reviewed monthly.
Medium - V-15833 - SV-16772r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0380
Vuln IDs
  • V-15833
Rule IDs
  • SV-16772r1_rule
Several files within ESX Server should be checked for file system integrity periodically. These files have been deemed critical by VMware in maintaining file system integrity. System administrators must ensure these files have the correct permissions and have not been modified. To ensure integrity, system administrators will use a FIPS 140-2 hash algorithm to create signatures of these files and store them offline. Comparing these hash values periodically will verify the integrity of the files.System AdministratorInformation Assurance Officer[Virtual Server Administrator]
Checks: C-16181r1_chk

Ask the IAO/SA how often the hash signatures are reviewed. If they are not reviewed at least monthly, this is a finding. File Location Permission /etc/fstab 640 /etc/group 644 /etc/host.conf 640 /etc/hosts 640 /etc/hosts.allow 640 /etc/hosts.deny 640 /etc/logrotate.conf 640 /etc/logrotate.d/ 700 /etc/modules.conf 640 /etc/motd 640 /etc/ntp 755 /etc/ntp.conf 644 /etc/pam.d/system-auth 644 /etc/profile 644 /etc/shadow 400 /etc/securetty 600 /etc/ssh/sshd_config 600 /etc/snmp 755 /etc/sudoers 440 /etc/vmware 755

Fix: F-15784r1_fix

Review the hash signatures for the /etc files monthly.

b
ESX Server log files are not reviewed daily.
Medium - V-15841 - SV-16782r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0420
Vuln IDs
  • V-15841
Rule IDs
  • SV-16782r1_rule
Logs form a recorded history or audit trail of the ESX Server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together information if an investigation is required. Without this recorded history, potential attacks and suspicious activity will go unnoticed. ESX Server log files that are critical to record include VMkernel, VMkernel warnings, VMkernel summary, ESX Server host agent, virtual machines, VI Client agent,Web Access, service console, and authentication. The VMkernel logs record activities related to the virtual machines and the ESX Server. The VMkernel warning log file records activities with the virtual machines. The VMkernel summary is used to determine uptime and availability statistics for the ESX Server. The ESX Server host agent log contains information on the agent that manages and configures the ESX Server host. This log may assist in diagnosing connection problems. The virtual machine log files contain information when a virtual machine crashes or shutdowns abnormally. The VI Client agent is installed on each managed ESX Server and this log records all the activities of the agent. Web Access records information on web-based access to the ESX Server. This is important to view since web-based access to the ESX Server should be disabled. The service console messages contain all general log messages used to troubleshoot virtual machines or the ESX Server. The authentication log contains records of connections that require authentication. System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECAT-1, ECAT-2
Checks: C-16187r1_chk

Ask the IAO/SA how often they review the ESX Server log files listed below: VMkernel /var/log/vmkernel, VMkernel warnings: /var/log/vmkwarning, VMkernel summary: /var/log/vmksummary.txt, ESX Server host agent log: /var/log/vmware/hostd.log, Individual virtual machine logs: <path to virtual machine on ESX, Server>/vmware.log VI Client agent log: /var/log/vmware/vpx/vpxa.log, Web access: /var/log/vmware/webAccess, Service console: /var/log/messages, Authentication log: /var/log/secure. Caveat: If the log files are being written to a syslog server, work with the system administrator to verify they are being reviewed there. If the IAO/SA does not review them daily, this is a finding.

Fix: F-15795r1_fix

Review ESX Server log files daily.

a
The IAO/SA does not subscribe to vendor security patches and update notifications.
Low - V-15845 - SV-16786r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0460
Vuln IDs
  • V-15845
Rule IDs
  • SV-16786r1_rule
Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed in a test environment for the ESX Server before moving them into a production environment.System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECSC-1
Checks: C-16193r1_chk

Ask the IAO/SA to provide actual update notification to verify that they are on the subscription list. The email subscription for VMware is [email protected]. If no emails or documentation can be provided, this is a finding.

Fix: F-15799r1_fix

Subscribe to vendor security and patch notifications.

a
There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
Low - V-15851 - SV-16792r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0520
Vuln IDs
  • V-15851
Rule IDs
  • SV-16792r1_rule
Backup and recovery procedures are critical to the availability and protection of the virtual infrastructure. Availability of the system will be hindered if the system is compromised, shutdown, or not available. Backup and recovery of the virtual environment includes the ESX Servers, management servers, and virtual machines. The ESX Server has three major components required for backup and recovery. These components are virtual disks, virtual machine configuration files, and the configuration of the ESX Server itself. Due to the array of products and options available to backup the virtualization infrastructure, procedures will need to be developed to provide guidance to system administrators. System AdministratorInformation Assurance Officer[Virtual Server Administrator]DCSD-1
Checks: C-16200r1_chk

Request a copy of the backup and recovery procedures for the ESX Servers, management applications, and virtual machines. If no procedures can be produced or they are incomplete, this is a finding.

Fix: F-15805r1_fix

Develop backup and recovery procedures for the virtual infrastructure.

b
Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
Medium - V-15853 - SV-16794r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0540
Vuln IDs
  • V-15853
Rule IDs
  • SV-16794r1_rule
Disaster and recovery plans should be drafted and exercised in accordance with the MAC level of the system/Enclave as defined by the DoDI 85002. Disaster plans provide for the resumption of mission or business essential functions. A disaster plan must exist that provides for the resumption of mission or business essential functions within the specified period of time depending on MAC level. (Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance).System AdministratorInformation Assurance Officer[Virtual Server Administrator]CODP-1, CODP-2, CODP-3
Checks: C-16202r1_chk

Request a copy of the disaster recovery plan from the IAO/SA. Review the plan to verify that the ESX Server, management applications, virtual machines, and all necessary system peripherals are included in the plan. If the plan does not include the virtual infrastructure or is incomplete, this is a finding.

Fix: F-15807r1_fix

Add the virtual infrastructure to the disaster recovery plan.

a
Users assigned to VirtualCenter groups are not documented.
Low - V-15875 - SV-16816r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0760
Vuln IDs
  • V-15875
Rule IDs
  • SV-16816r1_rule
Ensuring privileged group membership is controlled requires updates to group documentation, and periodic reviews to determine that unauthorized users are not members. If an unauthorized user is able to gain membership to the Database Administrator group, Virtual Machine Administrator group, or the Resource Administrator group, etc., that user would be able to display, add, or change permissions to objects that could impact the confidentiality, integrity, or availability of an entire virtualization structure.System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECSC-1
Checks: C-16233r1_chk

Request a copy of the VirtualCenter group documentation listing the users in the following groups: Database Administrators, Virtual Machine Administrators, Resource Pool Administrators, ESX Administrators, Virtual Machine Power Users, and All Custom Roles If documentation can not be produced, this is a finding. Compare the documentation to the actual users assigned in the groups. If there are discrepancies, this is a finding.

Fix: F-15835r1_fix

Document all the users assigned to all VirtualCenter groups.

a
Users in the VirtualCenter Server Windows Administrators group are not documented.
Low - V-15876 - SV-16817r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0770
Vuln IDs
  • V-15876
Rule IDs
  • SV-16817r1_rule
Users who are members of the Windows administrators group on the VirtualCenter server are granted the same access rights as any user assigned to the VirtualCenter administrator role. These users need to be documented to ensure only authorized users are members of this group.System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECSC-1
Checks: C-16234r1_chk

Request a copy of the document specifying users assigned to the Windows Administrators group on the VirtualCenter Server. If no documentation exists, this is a finding. Compare the documented users to those listed in the group on the server. If any discrepancies exist, this is a finding.

Fix: F-15836r1_fix

Document all users in the Windows Administrators group.

b
VirtualCenter Server groups are not reviewed monthly
Medium - V-15877 - SV-16818r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0780
Vuln IDs
  • V-15877
Rule IDs
  • SV-16818r1_rule
Reviewing the VirtualCenter groups will ensure that no unauthorized users have been granted access to objects. System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECAT-1, ECAT-2
Checks: C-16235r1_chk

Ask the IAO/SA how often the following groups are reviewed on the VirtualCenter Server: Windows Administrators group, Database Administrators, Virtual Machine Administrators, Resource Pool Administrators, ESX Administrators, Virtual Machine Power Users, and All Custom Roles. If these groups are not reviewed at least monthly, this is a finding.

Fix: F-15837r1_fix

Review the VirtualCenter groups monthly.

b
No documented configuration management process exists for VirtualCenter changes.
Medium - V-15878 - SV-16819r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0790
Vuln IDs
  • V-15878
Rule IDs
  • SV-16819r1_rule
VirtualCenter objects might have multiple permissions for users and or groups. Permissions are applied hierarchically downward on these objects. For each permission the administrator must decide if the permission applies only to that immediate object, or downward to all sub objects. Permissions may be overridden by setting different permissions on a lower object. These situations can create confusion and permissions that were thought to be limited might actually be elevated. Furthermore, all changes take affect immediately not requiring users to log off and log back in. Configuration management is critical for all modifications since the new change may override previously configured permissions.System AdministratorInformation Assurance Officer[Virtual Server Administrator]
Checks: C-16236r1_chk

Request a copy of the configuration management process document. If the document is incomplete or does not exist, this is a finding.

Fix: F-15838r1_fix

Document a configuration management process for all VirtualCenter modifications.

b
There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
Medium - V-15879 - SV-16820r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0800
Vuln IDs
  • V-15879
Rule IDs
  • SV-16820r1_rule
When pairing users or groups with permissions to an object, a role is defined for users and groups. There are two default roles defined in VirtualCenter called System roles and Sample roles. System roles are permanent and the permissions associated with these roles cannot be changed. Sample roles are provided for convenience as guidelines and suggestions. These roles may be modified or removed. VirtualCenter situations may arise where a user is a member of multiple groups with different permissions or user permissions are explicitly defined when the user is a member of different groups. These situations can create confusion and permissions that were thought to be limited might actually be elevated. Furthermore, all changes take affect immediately not requiring users to log off and log back in. Therefore, all users, groups, permissions, and roles will be documented and approved to ensure proper permissions are granted only to authorized users. System AdministratorInformation Assurance Officer[Virtual Server Administrator]ECSC-1
Checks: C-16237r1_chk

Request a copy of the baseline configuration document for all VirtualCenter users, groups, permissions, and roles. If the document is incomplete or does not exist, this is a finding.

Fix: F-15839r1_fix

Create a baseline configuration document for all VirtualCenter users, groups, permissions, and roles.

b
VirtualCenter logs are reviewed daily.
Medium - V-15881 - SV-16822r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0820
Vuln IDs
  • V-15881
Rule IDs
  • SV-16822r1_rule
It is necessary to review VirtualCenter logs for suspicious activity, problems, attacks, or system warnings will go undetected. These logs provide visibility into the activities and events of the VirtualCenter. These logs enable system administrators and auditors the ability to recreate past events, monitor the system, and ensure security policies are being enforced.System AdministratorInformation Assurance Officer[Virtual Server Administrator]
Checks: C-16240r1_chk

Ask the IAO/SA how often they review the VirtualCenter logs. VirtualCenter logs include System Logs and Events. If the logs are not reviewed daily, this is a finding.

Fix: F-15841r1_fix

Review the VirtualCenter logs daily.

b
There is no up-to-date documentation of the virtualization infrastructure.
Medium - V-15882 - SV-16823r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX0860
Vuln IDs
  • V-15882
Rule IDs
  • SV-16823r1_rule
With the creation of virtual machines, the actual virtual network topology becomes increasingly complex. The topology changes when a virtual machine is created, added to a virtual switch or port group, moved to another virtualization server, etc. With the dynamic nature of the virtualization environment, administrators of the virtualization environment will maintain up to date documentation for all virtual machines, virtual switches, IP addresses, MAC addresses, etc.System AdministratorInformation Assurance Officer[Virtual Server Administrator]DCHW-1, DCSW-1
Checks: C-16241r1_chk

Request a copy of all the virtualization infrastructure documentation. Documentation must include all ESX Servers, virtual machines, IP addresses, MAC addresses, virtual switches, operating systems, and any virtual applications. If the documentation does include all of these components, this is a finding.

Fix: F-15842r1_fix

Develop up-to-date documentation for the virtualization infrastructure.

a
The VMware-converter utility is not used for VMDK imports or exports.
Low - V-15889 - SV-16830r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0930
Vuln IDs
  • V-15889
Rule IDs
  • SV-16830r1_rule
There will be situations that require the import or export of VMDK files on the VMFS partition. Importing and exporting disk files can also be done through the Virtual Infrastructure Client or service console by copying the files from VMFS mount and pasting them to a partition running ext3 file system. Utilizing the VMware-converter utility is required since the VMFS file system utilizes such large files. There are third-party converters available that may work with VMware virtual machines, however, none have been thoroughly tested or approved by VMware. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16248r1_chk

Ask the IAO/SA how they import and export VMDK files. If they are using the VMware-converter utility, this is not a finding. If they are using a third party converter, ensure that the converter is supported by the vendor. This might require going to the vendor’s website and verifying the version used is supported. If it is not, this is a finding.

Fix: F-15849r1_fix

Use the VMware-converter for all import and export of VMDK files to VMFS partitions.

a
No policy exists to assign virtual machines to personnel.
Low - V-15891 - SV-16832r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0950
Vuln IDs
  • V-15891
Rule IDs
  • SV-16832r1_rule
In traditional computing environments, servers were usually assigned to various personnel for administration. For instance, the data server is administered by the database administrator; the domain controller is maintained by the network administrator, etc. Other methods include assigning the MAC address to specific personnel or identifying machines by Ethernet location or port number. All these approaches are impractical in the virtual machine environment. In the virtual environment, virtual machines may be moved or have MAC addresses that may change. These scenarios make it difficult to establish who owns the virtual machine running on a particular host. Therefore, a policy will need to be implemented to identify and assign virtual machines to the appropriate personnel. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16250r1_chk

Request a copy of the policy that is used to assign virtual machines to personnel. If no policy or procedure exists, this is a finding.

Fix: F-15851r1_fix

Develop a policy for assigning virtual machines to the appropriate personnel.

a
VI Console is used to administer virtual machines.
Low - V-15892 - SV-16833r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0960
Vuln IDs
  • V-15892
Rule IDs
  • SV-16833r1_rule
The VI Console allows a user to connect to the console of a virtual machine, similar to seeing what a physical server monitor would show. However, the VI Console also provides power management and removable device connectivity controls, which could potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VI Console sessions are open simultaneously. To prevent performance issues and potential unauthorized users from accessing the VI Console, users should use remote management services, such as terminal services and ssh, to interact with virtual machines.System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16251r1_chk

Ask the IAO/SA what tools are used to administer virtual machines remotely. If the response includes the VI console, this is a finding.

Fix: F-15852r1_fix

Use third party tools to administer virtual machines.

a
The IAO/SA does not document and approve virtual machine renames.
Low - V-15898 - SV-16840r1_rule
RMF Control
Severity
Low
CCI
Version
ESX1020
Vuln IDs
  • V-15898
Rule IDs
  • SV-16840r1_rule
It may become necessary to rename a virtual machine at some point during the course of testing to production. To rename a virtual machine, the virtual machine must be powered down before proceeding with the renaming feature. It is also good practice to backup virtual machines before renaming any virtual machine. The configuration files for VMware are typically located on the service console in /root/VMware/ directory, and the virtual disks will be in the /vmfs/ directory. Renaming virtual machines may cause communication issues on the network with other servers, users, etc. To prevent communication disruptions to the network or virtual machine, all virtual machine renames will be documented and approved by the change control board.System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16258r1_chk

Request a copy of the virtual machine rename approval documentation from the IAO/SA. If no documentation can be produced, this is a finding.

Fix: F-15859r1_fix

Develop approval documentation for all virtual machine renames.

a
No policy exists to restrict copying and sharing virtual machines over networks and removable media.
Low - V-15900 - SV-16842r1_rule
RMF Control
Severity
Low
CCI
Version
ESX1040
Vuln IDs
  • V-15900
Rule IDs
  • SV-16842r1_rule
As virtual machines replace real hardware they can undermine the security architecture of many organizations which often assume predictable and controlled change number of hosts, host configurations, host locations etc. Some useful mechanisms that virtual machines provide are copying or sharing virtual machine hard disks. Copying or sharing virtual machine hard disks can be done over networks and removable media. Typically, test and development virtual machines will be moved and updated more frequently than production virtual machines. There will be a policy in place to restrict the copying and sharing of production virtual machines over networks and removable media to ensure that administrators do not give unauthorized users access to the virtual machine files. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16260r1_chk

Request a copy of the policy restricting virtual machine sharing and copying over networks and removable media. If no policy exists, this is a finding. Caveat: This is not applicable to snapshot backups, disaster recovery virtual machines, test and development virtual machines, and clustered virtual machines.

Fix: F-15861r1_fix

Develop a policy that prohibits virtual machine sharing and copying over networks and removable media.

b
Virtual machine moved to removable media are not documented.
Medium - V-15902 - SV-16844r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX1060
Vuln IDs
  • V-15902
Rule IDs
  • SV-16844r1_rule
From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16262r1_chk

Ask the IAO/SA if virtual machines have been copied to removable media (DVD, CD-ROM, USB drives). If so, request the documentation for all virtual machine moves to removable media. If no documentation exists, this is a finding.

Fix: F-15863r1_fix

Document all virtual machine moves to removable media.

b
Virtual machines are removed from the site without approval documentation.
Medium - V-15903 - SV-16845r1_rule
RMF Control
Severity
Medium
CCI
Version
ESX1070
Vuln IDs
  • V-15903
Rule IDs
  • SV-16845r1_rule
From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16263r1_chk

Request the approval documentation from the IAO/SA that the site uses for all virtual machines taken off site. If no documentation exists, this is a finding.

Fix: F-15864r1_fix

Create documentation to use for virtual machines taken off site.

a
Virtual machine rollbacks are performed when virtual machine is connected to the network.
Low - V-15905 - SV-16847r1_rule
RMF Control
Severity
Low
CCI
Version
ESX1090
Vuln IDs
  • V-15905
Rule IDs
  • SV-16847r1_rule
Virtual machines may be rolled back to a previous state. Rolling back a virtual machine can re-expose patched vulnerabilities, re-enable previously disabled accounts or passwords, remove log files of a machine, use previously retired encryption keys, and change firewalls to expose vulnerabilities. Rolling back virtual machines can also reintroduce malicious code, and protocols reusing TCP sequence numbers that had been previously removed, which could allow TCP hijacking attacks. System AdministratorInformation Assurance Officer[Virtual Machine Administrator]ECSC-1
Checks: C-16265r1_chk

Ask the IAO/SA the process used for virtual machine rollbacks. If no process is used that includes disconnecting the virtual machine from the network before performing a revert to snapshot or rollback, this is a finding.

Fix: F-15866r1_fix

Disconnect from the network or power off the virtual machine before rollbacks.

a
Virtual machine requirements are not documented before creating a virtual machine.
Low - V-15919 - SV-16861r1_rule
RMF Control
Severity
Low
CCI
Version
ESX1160
Vuln IDs
  • V-15919
Rule IDs
  • SV-16861r1_rule
Guest operating systems may require different resources depending on the server function. A database or email server will require more resources than a basic Windows Domain Controller. Therefore, proper planning is required to determine what servers will be built within the virtualization server environment. To properly create virtual machines within the virtualization server environment, a minimal list of requirements will be determined. These requirements are the amount of memory, amount of required disk space, the networking card assignment, required media, and proper disk mode to be used. System AdministratorInformation Assurance Officer[Guest Administrator]ECSC-1
Checks: C-16275r1_chk

Request a copy of the virtual machine requirements documentation. If no documentation exists, this is a finding.

Fix: F-15873r1_fix

Develop virtual machine requirements documentation.

a
ESX administrators have not received proper training to administer the ESX Server.
Low - V-16851 - SV-17851r1_rule
RMF Control
Severity
Low
CCI
Version
ESX0828
Vuln IDs
  • V-16851
Rule IDs
  • SV-17851r1_rule
Different roles require different types of training. A skilled staff is one of the critical components to the security of an organization. The ESX Server is complex and has many components that need to be monitored and configured. If staff is not properly trained in administering the ESX Server, vulnerabilities will likely be open.System AdministratorInformation Assurance Officer[Virtual Server Administrator]
Checks: C-17448r1_chk

Request a copy of the ESX Server training documentation for all staff administering the ESX Servers and peripheral systems. If no training documentation can be produced, this is a finding.

Fix: F-16699r1_fix

Train all the ESX Server administrators.

c
VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by the vendor for security updates must not be installed on a system.
High - V-68721 - SV-83299r1_rule
RMF Control
Severity
High
CCI
Version
ESX0100
Vuln IDs
  • V-68721
Rule IDs
  • SV-83299r1_rule
VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported ESXi operating system, virtual machines, and associated management software to ensure continued support.
Checks: C-69213r3_chk

VMware support for ESX versions 3 and 4 ended 21 May 2016. If ESX version 3 or 4, virtual machines, or associated management software, such as VirtualCenter, is installed on a system, this is a finding.

Fix: F-74843r3_fix

Upgrade ESX version 3 and 4 systems, virtual machines, and associated management software to supported versions.