VMware ESX 3 Policy

The VMware ESX 3 Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]


Version / Release: V1R2

Published: 2016-05-03

Updated At: 2018-09-23 13:30:16





| Rule | Version | Severity | Title | Description |
|---|---|---|---|---|
| SV-16764r1_rule | ESX0330 | MEDIUM | A third party firewall is configured on ESX Server. | Third party software and services should not be installed in the service console. The service console is not intended to support the operation of additional software or services beyond what is included in the default ESX installation. VMware does not supp |
| SV-16772r1_rule | ESX0380 | MEDIUM | Hash signatures for the /etc files are not reviewed monthly. | Several files within ESX Server should be checked for file system integrity periodically. These files have been deemed critical by VMware in maintaining file system integrity. System administrators must ensure these files have the correct permissions and |
| SV-16782r1_rule | ESX0420 | MEDIUM | ESX Server log files are not reviewed daily. | Logs form a recorded history or audit trail of the ESX Server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together information if an investigation is required. Without this |
| SV-16786r1_rule | ESX0460 | LOW | The IAO/SA does not subscribe to vendor security patches and update notifications. | Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notic |
| SV-16792r1_rule | ESX0520 | LOW | There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines. | Backup and recovery procedures are critical to the availability and protection of the virtual infrastructure. Availability of the system will be hindered if the system is compromised, shutdown, or not available. Backup and recovery of the virtual environm |
| SV-16794r1_rule | ESX0540 | MEDIUM | Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system. | Disaster and recovery plans should be drafted and exercised in accordance with the MAC level of the system/Enclave as defined by the DoDI 8500.2. Disaster plans provide for the resumption of mission or business essential functions. A disaster plan must exi |
| SV-16816r1_rule | ESX0760 | LOW | Users assigned to VirtualCenter groups are not documented. | Ensuring privileged group membership is controlled requires updates to group documentation, and periodic reviews to determine that unauthorized users are not members. If an unauthorized user is able to gain membership to the Database Administrator group, |
| SV-16817r1_rule | ESX0770 | LOW | Users in the VirtualCenter Server Windows Administrators group are not documented. | Users who are members of the Windows administrators group on the VirtualCenter server are granted the same access rights as any user assigned to the VirtualCenter administrator role. These users need to be documented to ensure only authorized users are me |
| SV-16818r1_rule | ESX0780 | MEDIUM | VirtualCenter Server groups are not reviewed monthly | Reviewing the VirtualCenter groups will ensure that no unauthorized users have been granted access to objects. System Administrator, Information Assurance Officer [Virtual Server Administrator] ECAT-1, ECAT-2 |
| SV-16819r1_rule | ESX0790 | MEDIUM | No documented configuration management process exists for VirtualCenter changes. | VirtualCenter objects might have multiple permissions for users and or groups. Permissions are applied hierarchically downward on these objects. For each permission the administrator must decide if the permission applies only to that immediate object, or |
| SV-16820r1_rule | ESX0800 | MEDIUM | There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles. | When pairing users or groups with permissions to an object, a role is defined for users and groups. There are two default roles defined in VirtualCenter called System roles and Sample roles. System roles are permanent and the permissions associated with t |
| SV-16822r1_rule | ESX0820 | MEDIUM | VirtualCenter logs are reviewed daily. | It is necessary to review VirtualCenter logs, or suspicious activity, problems, attacks, or system warnings will go undetected. These logs provide visibility into the activities and events of the VirtualCenter. These logs enable system administrators an |
| SV-16823r1_rule | ESX0860 | MEDIUM | There is no up-to-date documentation of the virtualization infrastructure. | With the creation of virtual machines, the actual virtual network topology becomes increasingly complex. The topology changes when a virtual machine is created, added to a virtual switch or port group, moved to another virtualization server, etc. With t |
| SV-16830r1_rule | ESX0930 | LOW | The VMware-converter utility is not used for VMDK imports or exports. | There will be situations that require the import or export of VMDK files on the VMFS partition. Importing and exporting disk files can also be done through the Virtual Infrastructure Client or service console by copying the files from VMFS mount and past |
| SV-16832r1_rule | ESX0950 | LOW | No policy exists to assign virtual machines to personnel. | In traditional computing environments, servers were usually assigned to various personnel for administration. For instance, the data server is administered by the database administrator; the domain controller is maintained by the network administrator, et |
| SV-16833r1_rule | ESX0960 | LOW | VI Console is used to administer virtual machines. | The VI Console allows a user to connect to the console of a virtual machine, similar to seeing what a physical server monitor would show. However, the VI Console also provides power management and removable device connectivity controls, which could potent |
| SV-16840r1_rule | ESX1020 | LOW | The IAO/SA does not document and approve virtual machine renames. | It may become necessary to rename a virtual machine at some point during the course of testing to production. To rename a virtual machine, the virtual machine must be powered down before proceeding with the renaming feature. It is also good practice to ba |
| SV-16842r1_rule | ESX1040 | LOW | No policy exists to restrict copying and sharing virtual machines over networks and removable media. | As virtual machines replace real hardware they can undermine the security architecture of many organizations which often assume predictable and controlled change number of hosts, host configurations, host locations etc. Some useful mechanisms that virtua |
| SV-16844r1_rule | ESX1060 | MEDIUM | Virtual machine moved to removable media are not documented. | From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. S |
| SV-16845r1_rule | ESX1070 | MEDIUM | Virtual machines are removed from the site without approval documentation. | From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. S |
| SV-16847r1_rule | ESX1090 | LOW | Virtual machine rollbacks are performed when virtual machine is connected to the network. | Virtual machines may be rolled back to a previous state. Rolling back a virtual machine can re-expose patched vulnerabilities, re-enable previously disabled accounts or passwords, remove log files of a machine, use previously retired encryption keys, and |
| SV-16861r1_rule | ESX1160 | LOW | Virtual machine requirements are not documented before creating a virtual machine. | Guest operating systems may require different resources depending on the server function. A database or email server will require more resources than a basic Windows Domain Controller. Therefore, proper planning is required to determine what servers will |
| SV-17851r1_rule | ESX0828 | LOW | ESX administrators have not received proper training to administer the ESX Server. | Different roles require different types of training. A skilled staff is one of the critical components to the security of an organization. The ESX Server is complex and has many components that need to be monitored and configured. If staff is not proper |
| SV-83299r1_rule | ESX0100 | HIGH | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by the vendor for security updates must not be installed on a system. | VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must tran |