VMware ESXi Server 5.0 V1R8

b

The system must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-39246 - SV-51062r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000790-ESXI5-000085

Vuln IDs

V-39246

Rule IDs

SV-51062r1_rule

An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate passwords are not dictionary words and meet other criteria during password changes.

Checks: C-46510r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N2" field controls the behavior enforcing "no dictionary words". This flag should be set to "disabled". # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N2" password complexity field is not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44225r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N2" password complexity field to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

SNMP communities, users, and passphrases must be changed from the default.

CM-6 - Medium - CCI-000366 - V-39247 - SV-51063r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005300-ESXI5-000099

Vuln IDs

V-39247

Rule IDs

SV-51063r1_rule

Whether active or inactive, default communities, users, and passwords must be changed to maintain security. A service running with default authenticators allows acquisition of data about the system and the network to potentially compromise the integrity of the system or network(s).

Checks: C-46511r1_chk

Disable lock down mode. Enable the ESXi Shell. Login as root and check the snmp configuration file for default(s): # egrep -i "community|communities" /etc/vmware/snmp.xml If any community name or password is set to a default value such as public, private or password, this is a finding. Re-enable lock down mode.

Fix: F-44226r4_fix

From the Power/v CLI, run the (below example) command: > # vicfg-snmp.pl --server <hostname|IP address> --username <username> --password <password> -E -c <community_name> In the above example, -E enables the VMware SNMP agent, and -c sets communities to the provided name.

a

The SSH daemon must be configured to not allow TCP connection forwarding.

CM-6 - Low - CCI-000366 - V-39248 - SV-51064r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN005515-ESXI5-000100

Vuln IDs

V-39248

Rule IDs

SV-51064r1_rule

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.

Checks: C-46512r1_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the TCP connection forwarding setting. # grep -i AllowTCPForwarding /etc/ssh/sshd_config | grep -v '^#' If "AllowTCPForwarding" is set to "yes", this is a finding. Re-enable lock down mode.

Fix: F-44227r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "AllowTCPForwarding" configuration setting it to "no". # vi /etc/ssh/sshd_config Re-enable lock down mode.

a

The SSH client must be configured to not allow TCP forwarding.

CM-6 - Low - CCI-000366 - V-39249 - SV-51065r3_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN005516-ESXI5-703

Vuln IDs

V-39249

Rule IDs

SV-51065r3_rule

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. System Administrator

Checks: C-46513r3_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep Forward /etc/ssh/ssh_config Re-enable lock down mode. If any of the following attributes (ForwardAgent, ForwardX11, or ForwardX11Trusted) exist and are not set to "no", this is a finding. If the /etc/ssh/ssh_config file does not exist, this is not a finding.

Fix: F-44228r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/ssh_config Add/modify the attribute line entry to the following (quotes for emphasis only): "ForwardAgent no" "ForwardX11 no" "ForwardX11Trusted no" Re-enable lock down mode.

a

The SSH daemon must be configured to not allow gateway ports.

CM-6 - Low - CCI-000366 - V-39250 - SV-51066r2_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN005517-ESXI5-000101

Vuln IDs

V-39250

Rule IDs

SV-51066r2_rule

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.System Administrator

Checks: C-46514r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep -i GatewayPorts /etc/ssh/sshd_config If "GatewayPorts" is not set to "no", this is a finding. Re-enable lock down mode.

Fix: F-44229r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "GatewayPorts no" Re-enable lock down mode.

a

The SSH client must be configured to not allow gateway ports.

CM-6 - Low - CCI-000366 - V-39251 - SV-51067r2_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN005518-ESXI5-704

Vuln IDs

V-39251

Rule IDs

SV-51067r2_rule

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.

Checks: C-46515r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for the gateway ports setting. # grep -i GatewayPorts /etc/ssh/ssh_config | grep -v '^#' If "GatewayPorts" is set to "yes", this is a finding. If the /etc/ssh/ssh_config file does not exist, this is not a finding. Re-enable lock down mode.

Fix: F-44230r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "GatewayPorts" configuration, setting it to "no". # vi /etc/ssh/ssh_config Re-enable lock down mode.

c

There must be no .rhosts or hosts.equiv files on the system.

AC-17 - High - CCI-001436 - V-39252 - SV-51068r1_rule

RMF Control

AC-17

Severity

H

CCI

CCI-001436

Version

SRG-OS-000248-ESXI5

Vuln IDs

V-39252

Rule IDs

SV-51068r1_rule

The .rhosts or hosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access to the system.

Checks: C-46516r4_chk

The files hosts.equiv (/etc) and .rhosts (in the user home directory) contains host/user pairs to be trusted by the local system. Locate the files: # ls -l /etc/hosts.equiv # find / | grep .rhosts or # cd <user's home directory> # ls -l .rhosts If the hosts.equiv file or one or more .rhosts files are found, this is a finding.

Fix: F-44231r2_fix

Remove the file(s): # rm -f /etc/hosts.equiv # rm -f <user's home directory>/.rhosts

b

The SSH daemon must limit connections to a single session.

AC-10 - Medium - CCI-000054 - V-39253 - SV-51069r2_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

SRG-OS-000027-ESXI5

Vuln IDs

V-39253

Rule IDs

SV-51069r2_rule

The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a system without consent or knowledge of the user.System Administrator

Checks: C-46517r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep MaxSessions /etc/ssh/sshd_config If the command returns nothing, or if "MaxSessions" is not set to "1", this is a finding. Re-enable lock down mode.

Fix: F-44232r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "MaxSessions 1" Re-enable lock down mode.

b

The system must use time sources local to the enclave.

AU-8 - Medium - CCI-000160 - V-39254 - SV-51070r1_rule

RMF Control

AU-8

Severity

M

CCI

CCI-000160

Version

SRG-OS-000056-ESXI5

Vuln IDs

V-39254

Rule IDs

SV-51070r1_rule

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. The network architecture should provide multiple time servers (at least two) within an enclave providing local service to the enclave and synchronize with time sources outside of the enclave.

Checks: C-46518r1_chk

From the vSphere Client: Select the host and click Configuration >> Time Configuration". Select the properties link and chose 'Options'. Select NTP Settings to view configured NTP servers. If NTP is not configured to use NTP server(s) local to the enclave, this is a finding.

Fix: F-44233r1_fix

From the vSphere Client: Select the host and click Configuration >> Time Configuration". Select the properties link and chose 'Options'. From the General tab start the NTP service and select "Start and stop with host". From the NTP Settings tab click the 'Add' button to add NTP server(s) local to the enclave.

b

The system must require that passwords contain at least one uppercase alphabetic character.

IA-5 - Medium - CCI-000192 - V-39255 - SV-51071r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

SRG-OS-000069-ESXI5

Vuln IDs

V-39255

Rule IDs

SV-51071r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-46519r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N4" field controls the behavior requiring at least one character each of the 4 different character classes (i.e., number, special, UPPER_CASE, and lower_case), with a minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44234r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N4" password complexity field to "14" or greater and set the "N0" thru "N3" fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must require passwords contain at least one lowercase alphabetic character.

IA-5 - Medium - CCI-000193 - V-39256 - SV-51072r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

SRG-OS-000070-ESXI5

Vuln IDs

V-39256

Rule IDs

SV-51072r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-46520r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host, and using the vi editor, verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is: "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N4" field controls the behavior requiring at least one character each of the 4 different character classes (i.e., number, special, UPPER_CASE, and lower_case), with a minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44235r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "min" keyword's "N4" flag password complexity field to "14" or greater and set the "N0" thru "N3" flag fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must require passwords contain at least one lowercase alphabetic character.

IA-5 - Medium - CCI-000193 - V-39257 - SV-51073r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

SRG-OS-000070-ESXI5

Vuln IDs

V-39257

Rule IDs

SV-51073r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-46521r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host, and using the vi editor, verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is: "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N4" field controls the behavior requiring at least one character each of the 4 different character classes (i.e., number, special, UPPER_CASE, and lower_case), with a minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44236r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "min" keyword's "N4" flag password complexity field to "14" or greater and set the "N0" thru "N3" flag fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must require that passwords contain at least one numeric character.

IA-5 - Medium - CCI-000194 - V-39258 - SV-51074r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

SRG-OS-000071-ESXI5

Vuln IDs

V-39258

Rule IDs

SV-51074r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-46522r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N4" field controls the behavior requiring at least one character each of the 4 different character classes (i.e., number, special, UPPER_CASE, and lower_case), with a minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44237r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N4" password complexity field to "14" or greater and set the "N0" thru "N3" fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must require at least four characters be changed between the old and new passwords during a password change.

IA-5 - Medium - CCI-000195 - V-39259 - SV-51075r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000195

Version

SRG-OS-000072-ESXI5

Vuln IDs

V-39259

Rule IDs

SV-51075r1_rule

To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed based on the value of a previously compromised password.

Checks: C-46523r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. An example line format is: "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" # grep "^password" /etc/pam.d/passwd | grep requisite | grep "similar=deny" If "similar" is not set to "deny", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44238r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "similar" keyword complexity field to "deny", i.e., similar=deny Re-enable Lockdown Mode on the host.

b

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

IA-7 - Medium - CCI-000803 - V-39260 - SV-51076r1_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

SRG-OS-000120-ESXI5

Vuln IDs

V-39260

Rule IDs

SV-51076r1_rule

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

Checks: C-46524r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected setting is configured in the /etc/pam.d/passwd file. The entry format will look similar to "password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow". Search for the existing hash key (sha512). # grep "^password sufficient " /etc/pam.d/passwd | grep sha512 If sha512 is missing from the configuration, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44239r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected setting is configured in the /etc/pam.d/passwd file. The entry format will look similar to "password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow". Edit the file and replace the existing hash key ( md5, des, or sha256) with sha512 or append sha512, if there is no existing key. For example: "password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512". Re-enable Lockdown Mode on the host.

b

The system must prohibit the reuse of passwords within five iterations.

IA-5 - Medium - CCI-000200 - V-39261 - SV-51077r2_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

SRG-OS-000077-ESXI5

Vuln IDs

V-39261

Rule IDs

SV-51077r2_rule

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.System Administrator

Checks: C-46525r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. The entry format will look similar to: "password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5" As root, log in to the host and execute the following: # grep "^password" /etc/pam.d/passwd | grep sufficient | grep "remember=" If "remember" is set to less than 5, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44240r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. "remember" is an option to pam_unix.so. As root, log in to the host and modify the "remember" keyword value, example: "remember=5". # vi /etc/pam.d/passwd Re-enable Lockdown Mode on the host.

b

The system must require that passwords contain a minimum of 14 characters.

IA-5 - Medium - CCI-000205 - V-39262 - SV-51078r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

SRG-OS-000078-ESXI5

Vuln IDs

V-39262

Rule IDs

SV-51078r1_rule

The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.

Checks: C-46526r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" In addition to other password characteristics, the "N4" field controls the minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding.

Fix: F-44241r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N4" password complexity field to "14" or greater and set the "N0" thru "N3" fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must enforce the entire password during authentication.

CM-6 - Medium - CCI-000366 - V-39263 - SV-51079r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000585-ESXI5-000080

Vuln IDs

V-39263

Rule IDs

SV-51079r1_rule

Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.

Checks: C-46527r1_chk

Disable lock down mode. Enable the ESXi Shell and attempt to log into the root account using only the first 8 of 14 required characters. If the login succeeds, this is a finding. Re-enable lock down mode.

Fix: F-44242r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4". The "N4" field controls the behavior requiring at least one character each of the 4 different character classes, with a minimum required length of 14 characters. # vi /etc/pam.d/passwd Set the "N4" password complexity field to "14" and set the "N0" thru "N3" fields to "disabled". Re-enable Lockdown Mode on the host.

b

System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.

AC-3 - Medium - CCI-000213 - V-39264 - SV-51080r1_rule

RMF Control

AC-3

Severity

M

CCI

CCI-000213

Version

SRG-OS-000080-ESXI5

Vuln IDs

V-39264

Rule IDs

SV-51080r1_rule

A system's BIOS or system controller handles the initial startup of a system and its configuration must be protected from unauthorized modification. When the BIOS or system controller supports the creation of user accounts or passwords, such protections must be used and accounts/passwords only assigned to system administrators. Failure to protect BIOS or system controller settings could result in Denial-of-Service or compromise of the system resulting from unauthorized configuration changes.

Checks: C-46528r1_chk

On systems with a BIOS or system controller, ask the SA if a supervisor or administrator password is set. If a password is not set, this is a finding.

Fix: F-44243r1_fix

On systems with a BIOS or system controller, set the supervisor or administrator password.

b

The SSH daemon must be configured to not allow X11 forwarding.

CM-6 - Medium - CCI-000366 - V-39265 - SV-51081r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005519-ESXI5-000102

Vuln IDs

V-39265

Rule IDs

SV-51081r1_rule

X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed.

Checks: C-46529r1_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the X11 forwarding setting. # grep -i "^X11Forwarding" /etc/ssh/sshd_config If "X11Forwarding" is set to "yes", this is a finding. Re-enable lock down mode.

Fix: F-44244r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "X11Forwarding" configuration, setting it to "no". # vi /etc/ssh/sshd_config Re-enable lock down mode.

b

The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.

CM-6 - Medium - CCI-000366 - V-39266 - SV-51082r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005528-ESXI5-000106

Vuln IDs

V-39266

Rule IDs

SV-51082r2_rule

Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables that specify the language, character set, and other features modifying the operation of software to match the user's preferences.System Administrator

Checks: C-46530r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep AcceptEnv /etc/ssh/sshd_config If the "AcceptEnv" attribute is not set to "LOCALE" or unassigned (the "AcceptEnv" attribute minus any parameter assignment), this is a finding. Re-enable lock down mode.

Fix: F-44245r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "AcceptEnv LOCALE" or "AcceptEnv" Re-enable lock down mode.

b

The SSH daemon must not permit user environment settings.

CM-6 - Medium - CCI-000366 - V-39267 - SV-51083r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005530-ESXI5-000107

Vuln IDs

V-39267

Rule IDs

SV-51083r2_rule

SSH may be used to provide limited functions other than an interactive shell session, such as file transfer. If local, user-defined environment settings (such as, those configured in ~/.ssh/authorized_keys and ~/.ssh/environment) are configured by the user and permitted by the SSH daemon, they could be used to alter the behavior of the limited functions, potentially granting unauthorized access to the system.System Administrator

Checks: C-46531r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep PermitUserEnvironment /etc/ssh/sshd_config If the command returns nothing, or the returned "PermitUserEnvironment" attribute is not set to "no", this is a finding. Re-enable lock down mode.

Fix: F-44246r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "PermitUserEnvironment no" Re-enable lock down mode.

b

The SSH daemon must not permit tunnels.

CM-6 - Medium - CCI-000366 - V-39268 - SV-51084r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005531-ESXI5-000108

Vuln IDs

V-39268

Rule IDs

SV-51084r2_rule

OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.System Administrator

Checks: C-46532r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep PermitTunnel /etc/ssh/sshd_config If the command returns nothing, or the returned "PermitTunnel" attribute is not set to "no", this is a finding.

Fix: F-44247r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "PermitTunnel no" Re-enable lock down mode.

b

The SSH client must not send environment variables to the server or must only send those pertaining to locale.

CM-6 - Medium - CCI-000366 - V-39269 - SV-51085r3_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005529-ESXI5-708

Vuln IDs

V-39269

Rule IDs

SV-51085r3_rule

Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables specify the language, character set, and other features modifying the operation of software to match the user's preferences.System Administrator

Checks: C-46533r6_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep SendEnv /etc/ssh/ssh_config If the "SendEnv" attribute is not set to "LOCALE", this is a finding. If the /etc/ssh/ssh_config file does not exist or the SendEnv option is not set, this is not a finding. Re-enable lock down mode.

Fix: F-44248r6_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/ssh_config Add/modify the attribute line entry to one of the following (quotes for emphasis only): "SendEnv LOCALE " or "SendEnv" Re-enable lock down mode.

b

The SSH client must not permit tunnels.

CM-6 - Medium - CCI-000366 - V-39270 - SV-51086r3_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005532-ESXI5-709

Vuln IDs

V-39270

Rule IDs

SV-51086r3_rule

OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.System Administrator

Checks: C-46534r8_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep Tunnel /etc/ssh/ssh_config If the "Tunnel" attribute is not set to "no", this is a finding. If the /etc/ssh/ssh_config file does not exist or the Tunnel option is not set, this is not a finding. Re-enable lock down mode.

Fix: F-44249r7_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/ssh_config Add/modify the attribute line entry to the following (quotes for emphasis only): "Tunnel no" Re-enable lock down mode.

b

The SSH client must be configured to not allow X11 forwarding.

CM-6 - Medium - CCI-000366 - V-39271 - SV-51087r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005520-ESXI5-705

Vuln IDs

V-39271

Rule IDs

SV-51087r2_rule

X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed.

Checks: C-46535r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for the X11 forwarding setting. # grep -i "^ForwardX11" /etc/ssh/ssh_config If "ForwardX11" is set to "yes", this is a finding. If the /etc/ssh/ssh_config file does not exist or the ForwardX11 option is not set, this is not a finding. Re-enable lock down mode.

Fix: F-44250r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "ForwardX11" configuration to "no". # vi /etc/ssh/ssh_config Re-enable lock down mode.

b

The root accounts executable search path must be the vendor default and must contain only absolute paths.

CM-6 - Medium - CCI-000366 - V-39273 - SV-51089r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000940-ESXI5-000042

Vuln IDs

V-39273

Rule IDs

SV-51089r1_rule

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.

Checks: C-46537r5_chk

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/profile <required_keyword> = PATH <required_keyword_setpoint> = /bin:/sbin Execute the following command(s): # grep PATH /etc/profile If the "PATH" is not set to "/bin:/sbin", this is a finding. Re-enable lock down mode.

Fix: F-44252r5_fix

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/profile <required_keyword> = PATH <required_keyword_setpoint> = /bin:/sbin Execute the following command(s): # vi /etc/profile Set the "PATH" to "/bin:/sbin". Re-enable lock down mode.

a

The GID assigned to a user must exist.

CM-6 - Low - CCI-000366 - V-39274 - SV-51090r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN000380-ESXI5-000043

Vuln IDs

V-39274

Rule IDs

SV-51090r1_rule

If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to that group.

Checks: C-46538r1_chk

From the vSphere Client/vCenter, click on the "Local Users and Groups" tab, then select to view Groups. Select to view Users. Highlight the user, right click and select Edit. Click Cancel. If any user's primary GID is not found in the Group list, this is a finding.

Fix: F-44253r1_fix

From the vSphere Client/vCenter, click on the "Local Users and Groups" tab, then select Groups. Highlight the user, right click the user and select Edit. Select/highlight/assign the user's correct primary GID. Click OK.

b

The /etc/shells (or equivalent) file must exist.

CM-6 - Medium - CCI-000366 - V-39275 - SV-51091r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002120-ESXI5-000045

Vuln IDs

V-39275

Rule IDs

SV-51091r1_rule

The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure.

Checks: C-46539r4_chk

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/shells Execute the following command(s): # ls -l /etc/shells If /etc/shells does not exist, this is a finding. Re-enable lock down mode.

Fix: F-44254r4_fix

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/shells Execute the following command(s): # > /etc/shells Re-enable lock down mode.

b

All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.

CM-6 - Medium - CCI-000366 - V-39276 - SV-51092r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002140-ESXI5-000046

Vuln IDs

V-39276

Rule IDs

SV-51092r1_rule

The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure. By default, the shells file contains the only shell files in the ESXi file system, /bin/ash and /bin/sh. Users not granted shell access are assigned the shell /sbin/nologin.

Checks: C-46540r4_chk

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/shells Available shells for ESXi are "/bin/sh" and "/bin/ash". Execute the following command(s): # ls -lL `cat /etc/shells` If /etc/shells does not exist, this is a finding. If /etc/shells exists and is empty, this is a finding. If /etc/shells exists and includes both the /bin/sh and /bin/ash shells, this is not a finding. Re-enable lock down mode.

Fix: F-44255r5_fix

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/shells Available shells for ESXi are "/bin/sh" and "/bin/ash". Ensure both the above interactive shell(s) are listed in the /etc/shells file. If necessary, add them: # vi /etc/shells Re-enable lock down mode.

c

The system must not use removable media as the boot loader.

CM-6 - High - CCI-000366 - V-39277 - SV-51093r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

GEN008640-ESXI5-000055

Vuln IDs

V-39277

Rule IDs

SV-51093r1_rule

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.

Checks: C-46541r1_chk

Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order. If any media other than the ESXi boot disk is listed as a boot option, this is a finding.

Fix: F-44256r1_fix

Note: Checking a system's BIOS is vendor and hardware dependent. To ensure media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order. Remove all boot media options except for ESXi. Save the change and exit to verify the boot cycle.

b

The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.

CM-6 - Medium - CCI-000366 - V-39278 - SV-51094r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005460-ESXI5-000060

Vuln IDs

V-39278

Rule IDs

SV-51094r1_rule

If a remote log host is in use and it has not been justified and documented with the IAO, sensitive information could be obtained by unauthorized users without the SA's knowledge. A remote log host is any host to which the system is sending syslog messages over a network.

Checks: C-46542r1_chk

Verify that the vSphere Syslog Collector syslog host has been justified and documented with the IAO. From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Verify that the 'Syslog.global.logHost' is set to the (site-specific) syslog server hostname. If the 'Syslog.global.logHost' is not justified and documented with the IAO, this is a finding.

Fix: F-44257r1_fix

Step 1: Verify that the vSphere Syslog Collector syslog host has been configured. If not, install/enable the vSphere Syslog Collector. Step 2: From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Step 3: Set 'Syslog.global.logHost' to the syslog server hostname justified and documented with the IAO.

b

The system must not be used as a syslog server (log host) for systems external to the enclave.

CM-6 - Medium - CCI-000366 - V-39279 - SV-51095r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005440-ESXI5-000078

Vuln IDs

V-39279

Rule IDs

SV-51095r1_rule

Syslog messages are typically unencrypted and may contain sensitive information and are, therefore, restricted to the enclave.

Checks: C-46543r1_chk

Verify that the vSphere Syslog Collector syslog host has been justified and documented with the IAO. From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Verify that the 'Syslog.global.logHost' is set to the (site-specific) syslog server hostname. If the 'Syslog.global.logHost' is not restricted to the enclave, this is a finding.

Fix: F-44258r1_fix

Step 1: Verify that the vSphere Syslog Collector syslog host has been configured. If not, install/enable the vSphere Syslog Collector. Step 2: From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Step 3: Set 'Syslog.global.logHost' to the syslog server hostname restricted to the enclave.

b

The SSH daemon must not allow compression or must only allow compression after successful authentication.

CM-6 - Medium - CCI-000366 - V-39285 - SV-51101r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005539-ESXI5-000113

Vuln IDs

V-39285

Rule IDs

SV-51101r2_rule

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.System Administrator

Checks: C-46549r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep Compression /etc/ssh/sshd_config If the command returns nothing, or if the "Compression" attribute is set to "yes", this is a finding. Re-enable lock down mode.

Fix: F-44264r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "Compression no" or "Compression delayed" Re-enable lock down mode.

b

The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.

CM-6 - Medium - CCI-000366 - V-39286 - SV-51102r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005570-ESXI5-000115

Vuln IDs

V-39286

Rule IDs

SV-51102r1_rule

If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks. NOTE that IPv6 is not enabled by default.

Checks: C-46550r1_chk

If the system does not use IPv6, this check is not applicable. From the vSphere Client/vCenter; click on the "Configuration" tab, click on "Networking"; click on "Standard Switch/Properties"; click on "Management NetworkProperties/Edit/IP Settings" and click "Cancel". If the "VMkernel Default Gateway" field is not initialized (valid IP address is required), this is a finding.

Fix: F-44265r1_fix

The following fix text applies only if the system uses IPv6. From the vSphere Client/vCenter; click on the "Configuration" tab; click on "Networking"; click on "Standard Switch/Properties"; click on "Management NetworkProperties/Edit/IP Settings". Select "Use the following IP settings"; fill in the field(s) (at a minimum, the default gateway IP Address is required) per the local site requirements and click "OK".

b

The DHCP client must be disabled if not used.

CM-6 - Medium - CCI-000366 - V-39287 - SV-51103r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN007840-ESXI5-000119

Vuln IDs

V-39287

Rule IDs

SV-51103r1_rule

DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server.

Checks: C-46551r1_chk

If DHCP is used, this is not applicable. From the vSphere Client/vCenter, click on the "Configuration" tab; click on "Networking"; click on "Standard Switch/Properties"; click on "Management NetworkProperties/Edit/IP Settings"; verify "Obtain IP settings automatically" is not selected, and click "Cancel". If "Obtain IP settings automatically" is selected, this is a finding.

Fix: F-44266r1_fix

From the vSphere Client/vCenter, click on the "Configuration" tab; click on "Networking"; click on "Standard Switch/Properties"; click on "Management NetworkProperties/Edit/IP Settings"; select "Use the following IP settings"; fill in the IPAddress fields per local site requirements and click "OK".

a

The system must have USB disabled unless needed.

CM-6 - Low - CCI-000366 - V-39288 - SV-51104r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN008460-ESXI5-000121

Vuln IDs

V-39288

Rule IDs

SV-51104r1_rule

USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-46552r1_chk

If the system uses USB, this is not applicable. To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB device connectivity. If the system does not require USB and USB is enabled, this is a finding.

Fix: F-44267r1_fix

To modify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB device connectivity. Disable USB.

a

The system must have USB Mass Storage disabled unless needed.

CM-6 - Low - CCI-000366 - V-39289 - SV-51105r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN008480-ESXI5-000122

Vuln IDs

V-39289

Rule IDs

SV-51105r1_rule

USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-46553r1_chk

If the system uses USB mass storage, this is not applicable. To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB mass storage connectivity. If the system does not require USB mass storage and USB mass storage connectivity is enabled, this is a finding.

Fix: F-44268r1_fix

To modify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB mass storage connectivity. Disable USB mass storage connectivity.

a

The system must have IEEE 1394 (Firewire) disabled unless needed.

CM-6 - Low - CCI-000366 - V-39291 - SV-51107r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN008500-ESXI5-000123

Vuln IDs

V-39291

Rule IDs

SV-51107r1_rule

Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-46555r1_chk

If the system uses IEEE 1394, this is not applicable. To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for IEEE 1394 device connectivity. If the system does not use IEEE 1394 and IEEE 1394 is enabled, this is a finding.

Fix: F-44270r1_fix

To modify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for IEEE 1394 device connectivity. Disable IEEE 1394.

b

NTP time synchronization must be configured.

CM-6 - Medium - CCI-000366 - V-39292 - SV-51108r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000131

Vuln IDs

V-39292

Rule IDs

SV-51108r1_rule

By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time-UTC), it can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.

Checks: C-46556r1_chk

From the vSphere Client: Select the host and click "Configuration >> Time Configuration". Select the properties link and chose 'Options'. Select NTP Settings to view configured NTP servers. If NTP is not configured, this is a finding.

Fix: F-44271r1_fix

From the vSphere Client: Select the host and click "Configuration >> Time Configuration". Select the properties link and chose 'Options'. From the General tab start the NTP service and select "Start and stop with host". From the NTP Settings tab click the 'Add' button to add the organization defined NTP servers.

b

Persistent logging for all ESXi hosts must be configured.

CM-6 - Medium - CCI-000366 - V-39293 - SV-51109r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000132

Vuln IDs

V-39293

Rule IDs

SV-51109r2_rule

ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time, in addition, log files will be reinitialized upon each reboot. This presents a security risk as user activity logged on the host is only stored temporarily and will not persistent across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore. Note: ESXi automatically creates a persistent 4 GB Fat16 scratch partition on the local target device during installation. If space is not available, ESXi will store temporary data on a space constrained ramdisk. As ramdisk data does not persist across reboots, log and core files will be lost. Syslog.global.logDir points to a location on a local or remote datastore (and path) where log files can be saved to. The format [DatastoreName] DirectoryName/Filename maps to /vmfs/volumes/DatastoreName/DirectoryName/Filename. The [DatastoreName] is case sensitive and if the specified DirectoryName does not exist, it will be created. If the datastore path field is blank, logs are stored in their default location.System Administrator

Checks: C-46557r3_chk

In vSphere Client, select the host in the inventory panel. Click the Configuration tab, then click Advanced Settings under Software. Check that the Syslog.global.logDir points to a persistent location. The directory should be specified as [datastorename] path_to_file where the path is relative to the datastore. For example, [datastore1] /systemlogs. If the Syslog.global.logDir field is empty or explicitly points to a scratch partition, make sure that the field ScratchConfig.CurrentScratchLocation shows a location on persistent storage. If the Syslog.global.logDir field entry is not located on persistent storage, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44272r2_fix

From the vSphere Client, select the ESXi hosts and click "Configuration >> Advanced Settings >> Syslog >> global" and specify a known, persistent datastore for 'Syslog.global.logDir'.

b

The system must disable DCUI to prevent local administrative control.

CM-6 - Medium - CCI-000366 - V-39294 - SV-51110r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000135

Vuln IDs

V-39294

Rule IDs

SV-51110r1_rule

The DCUI allows for low-level host configuration, such as configuring IP address, hostname, and root password, as well as diagnostic capabilities, such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations. Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, someone with the root password can perform administrative tasks in the DCUI bypassing RBAC and auditing controls provided through vCenter. DCUI access can be disabled. Disabling it prevents all local activity and thus forces actions to be performed in vCenter Server where they can be centrally audited and monitored.

Checks: C-46558r3_chk

From the vSphere Client, select the host and select "Configuration >> Security Profile". In the services section select "Properties". Select "Direct Console UI" and click "Options". From the pop-up verify the DCUI service startup policy is set to "start and stop manually". If the DCUI service startup policy is not set to "Start and stop manually", this is a finding.

Fix: F-44273r2_fix

From the vSphere Client, select the host and select "Configuration >> Security Profile". In the services section select "Properties". Select "Direct Console UI" and click "Options". From the pop-up stop the DCUI service and set the startup policy to "start and stop manually".

b

The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.

CM-6 - Medium - CCI-000366 - V-39295 - SV-51111r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000136

Vuln IDs

V-39295

Rule IDs

SV-51111r1_rule

The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.

Checks: C-46559r3_chk

From the vSphere Client, select the host then select "Configuration >> Security Profiles". In the Services section select "Properties". Select the "ESXi Shell" and click Options. Verify the ESXi Shell is set to "Start and stop manually". If the ESXi Shell service startup policy is not set to "Start and stop manually", this is a finding.

Fix: F-44274r1_fix

From the vSphere Client, select the host then select "Configuration >> Security Profiles". In the Services section select "Properties". Select the "ESXi Shell" and click Options. Stop the ESXi Shell and select the option to "Start and stop manually".

b

The system must disable the Managed Object Browser (MOB).

CM-6 - Medium - CCI-000366 - V-39296 - SV-51112r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000137

Vuln IDs

V-39296

Rule IDs

SV-51112r1_rule

The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method obtain information about a host being targeted for unauthorized access.

Checks: C-46560r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and determine if the MOB is enabled. # vim-cmd proxysvc/service_list | grep proxy-mob If the command return lists "proxy-mob", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44275r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and disable the MOB. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect". Re-enable Lockdown Mode on the host.

b

The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.

CM-6 - Medium - CCI-000366 - V-39297 - SV-51113r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000139

Vuln IDs

V-39297

Rule IDs

SV-51113r2_rule

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges. System Administrator

Checks: C-46561r2_chk

If the CIM account does not exist, this check is not applicable. If write access is required, this check is not applicable. From the vSphere client, select the ESXi host, and go to "Permissions". Select the CIM account user, then right-click and select properties to verify read-only access. If write access is not required and the access level is not "read-only", this is a finding.

Fix: F-44276r1_fix

From the vSphere client, select the ESXi host; go to "Local Users and Groups". Create a limited-privileged, read-only service account for CIM. Place the CIM account into the "root" group. Select Users and right-click in the user screen. Select "Add", then Add a new user. If write access is required only grant the minimum required privileges. CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIMInteraction" privileges.

a

The system must enable bidirectional CHAP authentication for iSCSI traffic.

CM-6 - Low - CCI-000366 - V-39298 - SV-51114r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000141

Vuln IDs

V-39298

Rule IDs

SV-51114r1_rule

When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.

Checks: C-46562r1_chk

This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable. In the vSphere Client, select the host, and then choose: Configuration - Storage Adaptors - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host) - determine if "Use Chap" is selected with a "Name" and a "Secret" configured. If iSCSI storage is used and "Use CHAP" is not selected and configured with a "Name" and a "Secret", this is a finding.

Fix: F-44277r1_fix

In the vSphere Client, select the host, and then choose: Configuration >> Storage Adaptors >> iSCSI Initiator Properties >> CHAP >> CHAP (Target Authenticates Host). Select "Use Chap", and configure the "Name" and "Secret" options.

a

The system must enable SSL for NFC.

CM-6 - Low - CCI-000366 - V-39299 - SV-51115r2_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000143

Vuln IDs

V-39299

Rule IDs

SV-51115r2_rule

NFC (Network File Copy) is used to migrate or clone a VM between two ESXi hosts over the network. By default, SSL is used only for the authentication of the transfer, but SSL must also be enabled on the data transfer. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.System Administrator

Checks: C-46563r2_chk

NOTE: SSL for NFC is used for copying or migrating VMs between ESXi hosts via vCenter. If the host is a standalone unit (i.e., not managed by a vCenter Server), this check is not applicable. From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Verify "config.nfc.useSSL" is set to true. If "config.nfc.useSSL" is set to false, this is a finding.

Fix: F-44278r1_fix

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Set "config.nfc.useSSL = true".

b

The system must ensure the vpxuser auto-password change meets policy.

CM-6 - Medium - CCI-000366 - V-39300 - SV-51116r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000145

Vuln IDs

V-39300

Rule IDs

SV-51116r1_rule

By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. NOTE: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.

Checks: C-46564r1_chk

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Verify that the "VirtualCenter.VimPasswordExpirationInDays" keyword is set to 60 or less. The default keyword value is 30 days and it is strongly recommended that this value not be changed from "30". If the "VirtualCenter.VimPasswordExpirationInDays" keyword setting is greater than 60, this is a finding.

Fix: F-44279r1_fix

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Set the "VirtualCenter.VimPasswordExpirationInDays" to 60 or less. Note that it is strongly recommended that this value not be changed from "30".

b

The system must ensure the vpxuser auto-password change meets policy.

CM-6 - Medium - CCI-000366 - V-39301 - SV-51117r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000145

Vuln IDs

V-39301

Rule IDs

SV-51117r1_rule

By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. NOTE: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.

Checks: C-46565r1_chk

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Verify that the "VirtualCenter.VimPasswordExpirationInDays" keyword is set to 60 or less. The default keyword value is 30 days and it is strongly recommended that this value not be changed from "30". If the "VirtualCenter.VimPasswordExpirationInDays" keyword setting is greater than 60, this is a finding.

Fix: F-44280r1_fix

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Set the "VirtualCenter.VimPasswordExpirationInDays" to 60 or less. Note that it is strongly recommended that this value not be changed from "30".

b

The system must ensure the vpxuser password meets length policy.

CM-6 - Medium - CCI-000366 - V-39302 - SV-51118r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000146

Vuln IDs

V-39302

Rule IDs

SV-51118r1_rule

The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter, meaning no manual intervention is normally required. The vpxuser password length must never be modified to less than the default length of 32 characters.

Checks: C-46566r1_chk

The default minimum length for passwords is 14. The vpxuser password default length is 32 characters. The vpxuser password length must never be modified to less than the default length of 32 characters. From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Verify the "config.vpxd.hostPasswordLength" is set to 32 or greater. Default is 32 characters. If the "config.vpxd.hostPasswordLength" setting is less than 32, this is a finding.

Fix: F-44281r1_fix

From the vSphere client select "Administration >> vCenter Server Settings >> Advanced Settings". Set the "config.vpxd.hostPasswordLength" to comply with site requirements. Default is 32 characters. Note that the vpxuser password is added by vCenter, meaning no manual intervention is required. The vpxuser password length must never be modified to less than the default length of 32 characters.

a

The system must ensure uniqueness of CHAP authentication secrets.

CM-6 - Low - CCI-000366 - V-39303 - SV-51119r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000147

Vuln IDs

V-39303

Rule IDs

SV-51119r1_rule

The mutual authentication secret for each host must be different and the secret for each client authenticating to the server must be different as well. This ensures if a single host is compromised, an attacker cannot create another arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host can allow an attacker to authenticate to the storage device.

Checks: C-46567r3_chk

From the vSphere Client, select the host, and then choose: Configuration - Storage Adaptors - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host) - determine if a different authentication secret is configured for each ESXi host. If a different authentication secret is not configured for each ESXi host, this is a finding. If iSCSI is not used, this is not a finding.

Fix: F-44282r3_fix

From the vSphere Client, select the host, and then choose: Configuration - Storage Adaptors - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host) - configure the authentication secret.

a

SAN resources must be masked and zoned appropriately.

CM-6 - Low - CCI-000366 - V-39304 - SV-51120r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000150

Vuln IDs

V-39304

Rule IDs

SV-51120r1_rule

SAN activity must be segregated via zoning and LUN masking. The potential for any SAN client to mount and access any SAN drive will result in disk resource contention and data corruption. Zoning and LUN masking must be used to isolate and protect SAN storage devices. Use of zoning must also take into account any host groups on the SAN device(s).

Checks: C-46568r1_chk

Zoning and masking capabilities for each SAN switch and disk array are vendor specific. Ask the SA if a SAN device is used to support hosts. If a SAN device is deployed and zoning/masking is not used, this is a finding. If SAN devices are not used, this is not a finding.

Fix: F-44283r1_fix

If SAN devices are used, a vendor-specific procedure must be developed and documented to mask/zone host LUNs.

a

The system must prevent unintended use of dvfilter network APIs.

CM-6 - Low - CCI-000366 - V-39346 - SV-51204r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000151

Vuln IDs

V-39346

Rule IDs

SV-51204r1_rule

If products that use the dvfilter network API are not used, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host. If a product uses this API, the host must be verified as being correctly configured.

Checks: C-46620r3_chk

From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net" and verify the value of Net.DVFilterBindIpAddress. For a host without a dvfilter-based network security appliance, the following kernel parameter value must be blank/empty: /Net/DVFilterBindIpAddress. For a host with a dvfilter-based network security appliance is being used, the value of this parameter must be set to match the appliance. If a dvfilter-based network security appliance is not used and the kernel parameter /Net/DVFilterBindIpAddress is populated, this is a finding. If a dvfilter-based network security appliance is used and the kernel parameter /Net/DVFilterBindIpAddress does not match the appliance, this is a finding.

Fix: F-44360r5_fix

From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net" Set the value of Net.DVFilterBindIpAddress to blank if a dvfilter-based network security appliance is not used or (where used) set the value of Net.DVFilterBindIpAddress to match the dvfilter-based network security appliance.

b

Keys from SSH authorized_keys file must be removed.

CM-6 - Medium - CCI-000366 - V-39347 - SV-51205r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000152

Vuln IDs

V-39347

Rule IDs

SV-51205r1_rule

ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication. To enable password free access copy the remote users public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host. The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password. Note: Lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.

Checks: C-46621r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the /etc/ssh/keys-root/authorized_keys file does not exist or is empty (zero bytes): # ls -l /etc/ssh/keys-root/authorized_keys If the authorized_keys file exists and is not empty, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44361r3_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and zero/remove /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys Re-enable Lockdown Mode on the host.

a

The system must use Active Directory for local user authentication for accounts other than root and the vpxuser.

CM-6 - Low - CCI-000366 - V-39348 - SV-51206r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000154

Vuln IDs

V-39348

Rule IDs

SV-51206r1_rule

Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk for configuration issues that could lead to unauthorized access. Note that when adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host.

Checks: C-46622r1_chk

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this check is a finding. From the vSphere client, select the host, then "Configuration >> Authentication Services" and verify the Directory Services Type is set to Active Directory. If the Directory Services Type is not set to "Active Directory", this is a finding.

Fix: F-44362r1_fix

Perform the following steps to configure the ESXi host to use Active Directory: (1) Log into the ESXi host using the vSphere Client and authenticating with the root account (or an equivalent account). (2) Select the ESXi host from the inventory and click the Configuration tab. (3) From the Software section, select Authentication Services. (4) Click Properties in the upper-right corner. (5) From the Directory Services Configuration dialog box, select Active Directory from the Select Directory Service Type drop-down list. (6) Supply the DNS domain name of the Active Directory domain this ESXi host will use for authentication. (7) Click the Join Domain button. (8) Specify a username and password that has permission to allow the host to join the domain. Once the ESXi host is joined to Active Directory, users will be able to authenticate to an ESXi host using their Active Directory credentials. Using the vSphere Client or the vCLI, users can use either the domain\username or username@domain syntax.

a

Active Directory ESX Admin group membership must be verified unused.

CM-6 - Low - CCI-000366 - V-39349 - SV-51207r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000155

Vuln IDs

V-39349

Rule IDs

SV-51207r1_rule

When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the "ESX Admins" group.

Checks: C-46623r1_chk

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this check is a finding. From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Verify "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" is not set to "ESX Admins". If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.

Fix: F-44363r1_fix

From the vSphere Client/vCenter, select the host, then Configuration >> Software/Advanced Settings >> HostAgent. Change the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" to a pre-defined group other than the default "ESX Admins". Note: The new administrator group must have been previously defined on the Active Directory server.

b

The contents of exposed configuration files must be verified.

CM-6 - Medium - CCI-000366 - V-39350 - SV-51208r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000156

Vuln IDs

V-39350

Rule IDs

SV-51208r2_rule

Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via the vSphere HTTPS-based file transfer API. Any changes to these files should be correlated with an approved administrative action, such as an authorized configuration change. Tampering with these files has the potential to enable unauthorized access to the host configuration and virtual machines. WARNING: do not attempt to monitor files that are NOT exposed via this file-transfer API, since this can result in a destabilized system.

Checks: C-46624r5_chk

ESXi Configuration files can be found by browsing to https://<hostname>/mob. A cryptographically hashed file integrity baseline is the best means to ensure these configuration files are preserved. Ask the SA if a cryptographically hashed file integrity baseline has been created and maintained for the system. If no file integrity baseline exists for the system, this is a finding. If the configuration files can be viewed with the MOB, this is a finding.

Fix: F-44364r4_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and run the following command(s): Determine if the MOB is enabled. # vim-cmd proxysvc/service_list If enabled, disable the MOB with the following command. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect" NOTE: Some third-party tools use MOB to gather information. Testing should be done after disabling the MOB to verify third-party applications are still functioning as expected. To re-enable the MOB: # vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect". Re-enable Lockdown Mode on the host.

b

Unauthorized kernel modules must not be loaded on the host.

CM-6 - Medium - CCI-000366 - V-39351 - SV-51209r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000158

Vuln IDs

V-39351

Rule IDs

SV-51209r2_rule

VMware provides digital signatures for kernel modules. By default the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be overridden allowing unauthorized kernel modules to be loaded. Untested or malicious kernel modules loaded onto an ESXi host can put the host at risk for instability and/or exploitation. The ESXi host must be monitored for unsigned kernel modules.System Administrator

Checks: C-46625r5_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to and inspect the host for unsigned kernel modules. To list all the loaded kernel modules run: # esxcli system module list For each host module verify the signature by running: # esxcli system module get -m <module>" Note that the integrity of unsigned third party kernel modules and modules with inadvertently omitted digital signatures (by VMware) can still be verified using the digital signature of the vSphere Installation Bundle (VIB) originally used to install the software. If the host's module list contains any unsigned modules, check the acceptance level for all installed VIBs via the following ESXCLI command: # esxcli software vib list If the host's installed kernel module/VIB digital signatures cannot be determined, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44365r5_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to and secure the host by individually disabling unsigned modules and removing the offending VIBs from the host. Note that in order to disable kernel modules, from the vSphere Client, VMs must first be evacuated and the host must then be placed into maintenance mode. # esxcli system modules set -e false -m <module> Re-enable Lockdown Mode on the host.

b

The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.

CM-6 - Medium - CCI-000366 - V-39352 - SV-51210r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000160

Vuln IDs

V-39352

Rule IDs

SV-51210r2_rule

ESXi hosts configured to join an Active Directory domain using host profiles do not protect the passwords used for host authentication. To avoid transmitting clear text passwords, the vSphere Authentication Proxy must be used to configure hosts in an Active Directory. System Administrator

Checks: C-46626r3_chk

For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this check is not applicable. NOTE: vSphere Authentication Proxy is available via the vSphere vCenter Server ISO. Although mainly used with Auto Deploy, which is available only with the vSphere Enterprise Plus Edition, vSphere Authentication Proxy does not require a specific vSphere Edition (i.e., Standard vs Enterprise) to be installed. From the vSphere client, select "Host Profiles". Right click the Host Profile and select Edit. Choose "Authentication configuration >> Active Directory Configuration >> Join Domain Method". Verify the Join Domain Method is set to "Use vSphere Authentication Proxy to add the host to domain". If the vSphere Authentication Proxy is installed and the Join Domain Method is not set to "Use vSphere Authentication Proxy to add the host to domain", this is a finding.

Fix: F-44366r2_fix

From the vSphere client, select "Host Profiles". Right click the Host Profile and select Edit. Choose "Authentication configuration >> Active Directory Configuration >> Join Domain Method". Set the Join Domain Method to "Use vSphere Authentication Proxy to add the host to domain".

b

The system must zero out VMDK files prior to deletion.

CM-6 - Medium - CCI-000366 - V-39353 - SV-51211r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000161

Vuln IDs

V-39353

Rule IDs

SV-51211r1_rule

The virtual disk must be zeroed prior to deletion in order to prevent sensitive data in VMDK files from being recovered.

Checks: C-46627r4_chk

Ask the SA if a documented procedure is used to overwrite sensitive data in vmdk flat files prior to deletion. The procedure must include a command to zero data and the file must then be deleted. See some examples directly below. vmkfstools --writezeroes <path+vmdk_flat_file> or dd if=/dev/zero of=<path+vmdk_flat_file> If a documented procedure to overwrite sensitive data in vmdk flat files prior to deletion does not exist, this is a finding.

Fix: F-44367r4_fix

Create and document a procedure to zero sensitive data prior to removal of the vmdk file. Command line interface commands such as vmkfstools, dd and rm must be used. Alternatively, from the vSphere Client, select the ESX host>> Configuration tab - Storage >> Add storage >> Select the LUN ID to be destroyed.

b

Kernel core dumps must be disabled unless needed.

CM-6 - Medium - CCI-000366 - V-39355 - SV-51213r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN003510-ESXI5-006660

Vuln IDs

V-39355

Rule IDs

SV-51213r2_rule

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial-of-Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.System Administrator

Checks: C-46629r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. Open a root console session to the ESXi host. Retrieve the currently active diagnostic partition using the esxcli command line utility. The output (when configured) looks similar to : Active: mpx.vmhba2:C0:T0:L0:7 and Configured: mpx.vmhba2:C0:T0:L0:7. # esxcli system coredump partition get Use the device information from the above command to determine partition size (100MB required, 200MB recommended): # esxcli storage core device partition list For ESXi 5.0 servers (standalone or managed by vCenter Server) that have kernel core dumps configured locally: If the ESXi 5.0 server's local dump partition size is at least 100 MB, this is not a finding. For ESXi 5.0 servers managed by vCenter Server using the ESXi Network Dump Collector, dump partition size is a function of the number of systems configured to use the remote collection system. The configuration (size) of the dump partition is not applicable for this check. If the ESXi 5.0 server's dump partition is hosted on a remote device using the ESXi Network Dump Collector, this is not a finding.

Fix: F-44369r2_fix

For ESXi 5.0 servers (standalone or managed by vCenter Server) that have kernel core dumps configured locally: To create a diagnostic coredump partition on disk, select a storage device with at least 100MB of free space (200MB recommended) that is accessible by the ESXi host. Ensure the storage device you intend to use does not contain any useful data as it will be overwritten. Use the partedUtil command line utility (refer to the vendor's documentation) to create a new partition. Then use the esxcli command line utility to list all accessible diagnostic partitions. # esxcli system coredump partition list The output appears similar to: Name Path Active Configured ---------------------------------- ------ --------- ---------------- mpx.vmhba2:C0:T0:L0:7 /vmfs/devices/... false false Configure and activate one of the accessible diagnostic partitions using the esxcli command line utility. # esxcli system coredump partition set --partition="Partition_Name" # esxcli system coredump partition set --enable true Validate that the diagnostic partition is now active using the command: # esxcli system coredump partition list The output should now appear similar to: Name Path Active Configured ---------------------------------- ------ --------- ---------------- mpx.vmhba2:C0:T0:L0:7 /vmfs/devices/... true true For ESXi 5.0 servers managed by vCenter Server using a network core dump server: View the current network configuration. # esxcli system coredump network get Specify the VMkernel network interface to use for outbound traffic and the IP address/UDP port number of the remote network coredump server. # esxcli system coredump network set --interface-name <VMkernelInterface> --server-ipv4 <IPAddress> --server-port PortNumber Enable the above selected network coredump configuration. # esxcli system coredump network set --enable true Confirm the configuration. # esxcli system coredump network get

a

All dvPortgroup VLAN IDs must be fully documented.

CM-6 - Low - CCI-000366 - V-39356 - SV-51214r2_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000001

Vuln IDs

V-39356

Rule IDs

SV-51214r2_rule

If using VLAN tagging on a dvPortgroup, tags must correspond to the IDs on external VLAN-aware upstream switches if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong or missing VLAN IDs may lead to traffic not passing between appropriate physical and virtual machines.

Checks: C-46630r6_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. From the vSphere Client log into vCS. Home >> Inventory >> Networking. Select dvSwitch and dvPortgroup and Edit Settings >> Policies >> VLAN >> VLAN ID. The dvPortGroup VLAN tags must be documented to match the IDs on external VLAN-aware upstream switches. Verify that VLAN IDs are documented and matched in an (organization-specific) tracking system. If the VLAN tagging on a dvPortgroup does not correspond to the IDs on external VLAN-aware upstream switches, this is a finding.

Fix: F-44370r5_fix

From the vSphere Client log into vCS. Home >> Inventory >> Networking. Select dvSwitch and dvPortgroup and Edit Settings >> Policies >> VLAN >> VLAN ID. Record all VLAN IDs in an organization defined tracking system.

a

All dvSwitch Private VLAN IDs must be fully documented.

CM-6 - Low - CCI-000366 - V-39357 - SV-51215r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000002

Vuln IDs

V-39357

Rule IDs

SV-51215r1_rule

dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN IDs. The IDs must correspond to the IDs on external PVLAN-aware upstream switches, if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong or missing PVLAN IDs may lead to traffic not passing between appropriate physical and virtual machines.

Checks: C-46631r4_chk

Verify by using the vSphere Client to connect to the vCenter Server and as administrator go to "Home>> Inventory>> Hosts and Clusters". Select each ESXi host with virtual switches connected to active VMs requiring securing. Go to "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> [Portgroup Name]>> VLAN ID". The dvSwitch Private VLAN tags must be documented to match the IDs on external PVLAN-aware upstream switches. Verify that Private VLAN IDs are documented and matched in an (organization-specific) tracking system. If any PVLAN IDs do not correspond to the IDs on external PVLAN-aware upstream switches, this is a finding.

Fix: F-44371r4_fix

From the vSphere Client connect to the vCenter Server and as administrator go to "Home>> Inventory>> Hosts and Clusters". Select each ESXi host with virtual switches connected to active VMs requiring securing. Go to "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> [Portgroup Name]>> VLAN ID". Record all configured VLAN IDs in an organization defined tracking system.

a

All virtual switches must have a clear network label.

CM-6 - Low - CCI-000366 - V-39358 - SV-51216r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000003

Vuln IDs

V-39358

Rule IDs

SV-51216r1_rule

Network labels must identify each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and their functions becomes difficult as the network becomes more complex.

Checks: C-46632r4_chk

From the vSphere Client/vCenter, navigate to Home>> Inventory>> Networking. Port groups must be clearly labeled or must be renamed with a meaningful name. If all port groups are not clearly labeled with functionally meaningful names, this is a finding.

Fix: F-44372r3_fix

From the vSphere Client/vCenter, navigate to Home>> Inventory>> Networking. Clearly label/rename all port groups with a meaningful name.

a

Virtual switch VLANs must be fully documented and have only the required VLANs.

CM-6 - Low - CCI-000366 - V-39359 - SV-51217r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000004

Vuln IDs

V-39359

Rule IDs

SV-51217r1_rule

When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.

Checks: C-46633r4_chk

Both standard and distributed vSwitch configurations can be viewed in the vSphere Client. For vSwitch: Home>> Inventory>> Hosts and Clusters, then select an ESXi host in Inventory panel on left. In the Configuration tab, Hardware window, under Networking, select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home>> Inventory>> Networking and for each dvSwitch in the inventory, and for each dvPortGroup in each dvSwitch, select Edit Settings>> Policies>> VLAN and verify the recorded VLAN IDs. If the system VLAN IDs do not match the VLAN IDs on record, this is a finding.

Fix: F-44373r4_fix

Both standard and distributed vSwitch configurations can be viewed in the vSphere Client. For vSwitch: Home>> Inventory>> Hosts and Clusters, then select an ESXi host in Inventory panel on left. In the Configuration tab, Hardware window, under Networking, select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home>> Inventory>> Networking and for each dvSwitch in the inventory, and for each dvPortGroup in each dvSwitch, select Edit Settings>> Policies>> VLAN and record all VLAN IDs.

a

All vSwitch and VLAN IDs must be fully documented.

CM-6 - Low - CCI-000366 - V-39360 - SV-51218r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000005

Vuln IDs

V-39360

Rule IDs

SV-51218r1_rule

VLAN tagging used on a vSwitch must correspond to the IDs on external VLAN-aware upstream switches, if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong or missing VLAN IDs may lead to traffic not passing between appropriate physical and virtual machines.

Checks: C-46634r2_chk

From the vSphere Client/vCenter: Go to "Home>> Inventory>> Hosts and Clusters". Select each ESXi host with virtual switches connected to active VMs. Go to "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> [Portgroup Name]>> VLAN ID". Verify the recorded VLAN IDs in the (site-specific) tracking system. If the system VLAN IDs do not match the external VLAN IDs on record, this is a finding.

Fix: F-44374r2_fix

From the vSphere Client/vCenter: Go to "Home>> Inventory>> Hosts and Clusters". Select each ESXi host with virtual switches connected to active VMs. Go to "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> [Portgroup Name]>> VLAN ID". Record all VLAN IDs in a (site-specific) tracking system.

a

All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.

CM-6 - Low - CCI-000366 - V-39361 - SV-51219r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000006

Vuln IDs

V-39361

Rule IDs

SV-51219r1_rule

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network will limit unauthorized users from viewing the traffic.

Checks: C-46635r1_chk

If IP-based storage is not used, this check is not applicable. To view the VMkernel Networking configuration, from the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties and ensure at least one physical network adaptor is dedicated to a management-only network. If at least one physical network adaptor is not dedicated to a management-only network, this is a finding.

Fix: F-44375r1_fix

Restrict physical network access to management-only entities. To modify VMkernel Networking configuration, from the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties and modify the properties to enforce the dedication of at least one physical network adaptor to management-only.

a

All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch.

CM-6 - Low - CCI-000366 - V-39362 - SV-51220r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000036

Vuln IDs

V-39362

Rule IDs

SV-51220r1_rule

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network will limit unauthorized users from viewing the traffic.

Checks: C-46636r1_chk

If IP-based storage is not used, this check is not applicable. To view the VMkernel Networking configuration, from the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties and ensure the storage port group is on a management-only vSwitch. If the storage port group is not on a management-only vSwitch, this is a finding.

Fix: F-44376r1_fix

To restrict physical network access to management-only entities, modify the VMkernel Networking configuration. From the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties. Modify the storage port group property to ensure the storage port group is located on a management-only vSwitch.

a

All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups.

CM-6 - Low - CCI-000366 - V-39363 - SV-51221r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000046

Vuln IDs

V-39363

Rule IDs

SV-51221r1_rule

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network will limit unauthorized users from viewing the traffic.

Checks: C-46637r1_chk

If IP-based storage is not used, this check is not applicable. To view the VMkernel Networking configuration, from the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, select Properties and ensure the storage port group vSwitch exclusively contains non-management port groups. If the storage port group vSwitch does not exclusively contain management-only port groups, this is a finding.

Fix: F-44377r1_fix

To restrict physical network access to management-only entities, modify the VMkernel Networking configuration. From the vSphere Client/vCenter as administrator: Select the host in the inventory pane. On the host Configuration tab, click Networking. In the vSphere Standard Switch view, and select Properties. Modify the storage port group vSwitch property to ensure the storage port group vSwitch exclusively contains management-only port groups.

a

Only authorized administrators must have access to virtual networking components.

CM-6 - Low - CCI-000366 - V-39364 - SV-51222r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000007

Vuln IDs

V-39364

Rule IDs

SV-51222r1_rule

This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage the role-based access controls within vSphere to ensure that only authorized administrators have access to the different virtual networking components. For example, VM administrators should have access only to port groups in which their VMs reside. Network administrators should have permissions to all virtual networking components but not have access to VMs. These controls will depend very much on the organization's policy on separation of duties, least privilege, and the responsibilities of the administrators within the organization.

Checks: C-46638r2_chk

vSphere permissions to specific port groups must be granted only to individuals who need it. From the vSphere Client/vCenter as a user with full Administrator Role rights to the Inventory object to be checked: Select "[Inventory Object]>> Permissions". Verify that users assigned to the selected Inventory object have the appropriate role. If any user assigned to the selected Inventory object have an inappropriate role, this is a finding.

Fix: F-44378r2_fix

vSphere permissions to specific port groups must be granted only to individuals who need it. From the vSphere Client/vCenter as a user with full Administrator Role rights to the Inventory object to be checked: (1) Select "[Inventory Object]>> Permissions". Assign users with the appropriate Role to the all Inventory object(s).

a

All physical switch ports must be configured with spanning tree disabled.

CM-6 - Low - CCI-000366 - V-39365 - SV-51223r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000008

Vuln IDs

V-39365

Rule IDs

SV-51223r1_rule

Due to the integration of the ESXi Server into the physical network, the physical network (switch) adaptors must have spanning tree disabled or portfast configured for external switches, because VMware virtual switches do not support STP. Virtual switch uplinks do not create loops within the physical switch network. If these are not set, potential performance and connectivity issues might arise.

Checks: C-46639r1_chk

Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.

Fix: F-44379r1_fix

Note that this check refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.

a

All port groups must be configured with a clear network label.

CM-6 - Low - CCI-000366 - V-39366 - SV-51224r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000009

Vuln IDs

V-39366

Rule IDs

SV-51224r1_rule

Each port group must be identified with a network label/name. Names serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and functions becomes difficult as the network becomes more complex.

Checks: C-46640r2_chk

From the vSphere Client/vCenter, navigate to Home>> Inventory>> Networking. Individual port groups must be clearly labeled with a meaningful name. If individual port groups are not clearly labeled with a meaningful name, this is a finding.

Fix: F-44380r2_fix

From the vSphere Client/vCenter, navigate to Home>> Inventory>> Networking. Clearly label all individual port groups with a meaningful name.

b

All port groups must be configured to a value other than that of the native VLAN.

CM-6 - Medium - CCI-000366 - V-39367 - SV-51225r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000010

Vuln IDs

V-39367

Rule IDs

SV-51225r1_rule

ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.

Checks: C-46641r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the following command. # esxcli network vswitch standard portgroup list If the default value (1) for the native VLAN is being used, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44381r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the command to set the value to something other than the default value. esxcli network vswitch standard portgroup set --portgroup-name=<name> --vlan-id=<non-default_id_number> Re-enable Lockdown Mode on the host.

b

All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT).

CM-6 - Medium - CCI-000366 - V-39368 - SV-51226r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000011

Vuln IDs

V-39368

Rule IDs

SV-51226r1_rule

When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.

Checks: C-46642r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the following command. # esxcli network vswitch standard portgroup list If the VGT value (4095) is set and the guest is not configured to handle VLAN tags, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44382r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the command to set the value to something other than the VGT 4095 value. esxcli network vswitch standard portgroup set --portgroup-name=<name> --vlan-id=<non-default_id_number> Re-enable Lockdown Mode on the host.

b

All port groups must not be configured to VLAN values reserved by upstream physical switches.

CM-6 - Medium - CCI-000366 - V-39369 - SV-51227r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000012

Vuln IDs

V-39369

Rule IDs

SV-51227r1_rule

Physical vendor-specific switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. Use of reserved VLAN IDs can result in a network denial-of-service.

Checks: C-46643r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. Determine the site-specific switch reserved VLAN, configuration requirements via vendor documentation. For example, Cisco Catalyst switches typically reserve VLANs 1001-1024 and 4094 and Nexus switches typically reserve 3968-4047 and 4094. As root, log in to the ESXi Shell and run the command: # esxcli network vswitch standard portgroup list If the VLAN ID is set to a vendor-reserved value, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44383r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the command to set the value to something other than the vendor-specific reserved value. esxcli network vswitch standard portgroup set --portgroup-name=<name> --vlan-id=<non-default_id_number>; Re-enable Lockdown Mode on the host.

b

The system must ensure that the virtual switch Forged Transmits policy is set to reject.

CM-6 - Medium - CCI-000366 - V-39370 - SV-51228r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000013

Vuln IDs

V-39370

Rule IDs

SV-51228r1_rule

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmissions should be set to accept by default. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject.

Checks: C-46644r1_chk

The "Forged Transmits" parameter must be set to "Reject" on all vSwitches. From the vSphere Client/vCenter as administrator, verify by using the vSphere Client to connect to the vCenter Server and as administrator: 1. Go to "Home > Inventory > Hosts and clusters". 2. Select each ESXi host with active virtual switches connected to active VM's requiring securing. 3. Go to tab "Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security" 4. "Forged Transmits" = "Reject" If the "Forged Transmits" parameter is not set to "Reject" on all vSwitches, this is a finding.

Fix: F-44384r1_fix

The "Forged Transmits" parameter must be set to "Reject" on all vSwitches. From the vSphere Client/vCenter as administrator, using the vSphere Client to connect to the vCenter Server and as administrator: 1. Go to "Home > Inventory > Hosts and clusters". 2. Select each ESXi host with active virtual switches connected to active VM's requiring securing. 3. Go to tab "Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security" 4. Set "Forged Transmits" = "Reject".

b

The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.

CM-6 - Medium - CCI-000366 - V-39371 - SV-51229r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000014

Vuln IDs

V-39371

Rule IDs

SV-51229r2_rule

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmissions should be set to accept by default. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject.

Checks: C-46645r4_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. The "Forged Transmits" parameter must be set to "Reject" on all dvPortgroups. From the vSphere Client/vCenter as administrator: Go to Home >> Inventory >> Networking. Select each dvPortgroup connected to VMs. Go to tab Summary >> Edit Settings >> Policies >> Security. Verify "Forged Transmits" = "Reject". If the "Forged Transmits" parameter is not set to "Reject" on all dvPortgroups, this is a finding.

Fix: F-44385r3_fix

The "Forged Transmits" parameter must be set to "Reject" on all dvPortgroups. From the vSphere Client/vCenter as administrator: Go to Home >> Inventory >> Networking. Select each dvPortgroup connected to VMs. Go to tab Summary >> Edit Settings >> Policies >> Security. Set "Forged Transmits" = "Reject".

c

The system must ensure the dvPortGroup MAC Address Change policy is set to reject.

CM-6 - High - CCI-000366 - V-39372 - SV-51230r2_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

ESXI5-VMNET-000015

Vuln IDs

V-39372

Rule IDs

SV-51230r2_rule

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. VMs, guest OSs, and/or applications that require specific MAC settings must be placed in a separate, specially-configured dvPortgroup on the vDistributed Switch (vDS).

Checks: C-46646r4_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. Check the setting by using the vSphere Client to connect to the vCenter Server and as administrator: Go to Home >> Inventory >> Networking. Select each dvPortgroup connected to active VMs requiring securing. Go to tab Summary >> Edit Settings >> Policies >> Security. Check the "Mac Address Changes" = "Reject". If the VM/guest OS/application requires a specific MAC Address parameter setting for normal operation and is placed in a separate, specially-configured dvPortgroup ( with "Mac Address Changes" = "Accept") on the vDistributed Switch (vDS), this is not a finding. If the VM/guest OS/application does not require a specific MAC Address parameter setting for normal operation and the "Mac Address Changes" parameter is not set to "Reject", this is a finding.

Fix: F-44386r3_fix

Verify by using the vSphere Client to connect to the vCenter Server and as administrator: Go to Home >> Inventory >> Networking. Select each dvPortgroup connected to active VMs requiring securing. Go to tab Summary >> Edit Settings >> Policies >> Security. Change the "Mac Address Changes" = "Reject".

c

The system must ensure the virtual switch MAC Address Change policy is set to reject.

CM-6 - High - CCI-000366 - V-39373 - SV-51231r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

ESXI5-VMNET-000016

Vuln IDs

V-39373

Rule IDs

SV-51231r1_rule

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. VMs, guest OSs, and/or applications that require specific MAC settings must be placed in a separate, specially-configured Portgroup on the vSwitch.

Checks: C-46647r2_chk

From the vSphere Client, connect to the vCenter Server and as administrator: Go to "Home>> Inventory>> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> vSwitch>> Default Policies>> Security". Verify the "Mac Address Changes" = "Reject". If the VM/guest OS/application requires a specific MAC Address parameter setting for normal operation and is placed in a separate, specially-configured Portgroup ( with "Mac Address Changes" = "Accept") on the vSwitch, this is not a finding. If the VM/guest OS/application does not require a specific MAC Address parameter setting for normal operation and the "Mac Address Changes" parameter is not set to "Reject", this is a finding.

Fix: F-44387r2_fix

From the vSphere Client, connect to the vCenter Server and as administrator: Go to "Home>> Inventory>> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> vSwitch>> Default Policies>> Security". Change the "Mac Address Changes" = "Reject".

b

The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.

CM-6 - Medium - CCI-000366 - V-39374 - SV-51232r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000017

Vuln IDs

V-39374

Rule IDs

SV-51232r1_rule

In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi Server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between non-negotiate and on options is that on mode still sends out DTP frames, whereas the non-negotiate option does not. The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.

Checks: C-46648r1_chk

Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. Inspect the documentation and verify that the documentation is correct and updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi Host, this is a finding.

Fix: F-44388r1_fix

Note that this check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi Host. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream external switch ports.

b

The system must ensure the virtual switch Promiscuous Mode policy is set to reject.

CM-6 - Medium - CCI-000366 - V-39375 - SV-51233r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000018

Vuln IDs

V-39375

Rule IDs

SV-51233r1_rule

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server.

Checks: C-46649r3_chk

Use the vSphere Client to connect to the vCenter Server and as administrator: Go to "Home > Inventory > Hosts and clusters". Select each ESXi host with active virtual switches connected to active VM's requiring securing. Go to the tab "Configuration >> Network >> vSwitch(?) >> Properties >> Ports >> vSwitch >> Default Policies >> Security". Check that the "Promiscuous Mode" is set to "Reject". If the "Promiscuous Mode" is not set to "Reject", this is a finding.

Fix: F-44389r2_fix

From the vSphere Client/vCenter Server as administrator: Go to "Home>> Inventory>> Hosts and clusters". Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab "Configuration>> Network>> vSwitch(?)>> Properties>> Ports>> vSwitch>> Default Policies>> Security". Set "Promiscuous Mode" = "Reject".

b

The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.

CM-6 - Medium - CCI-000366 - V-39376 - SV-51234r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000019

Vuln IDs

V-39376

Rule IDs

SV-51234r2_rule

When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup.

Checks: C-46650r4_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. If the dvPortgroup contains only security devices that continuously monitor all dvPortgroup traffic switch packets, this check is not a finding. From the vSphere Client/vCenter Server as administrator: Go to Home >> Inventory >> Hosts and clusters. Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab Home >> Inventory >> Networking. Individually select each dvPortgroup, then go to tab Summary >>Edit Settings >>Policies >> Security. Verify "Promiscuous Mode" = "Reject". If the "Promiscuous Mode" parameter is not set to "Reject", this is a finding.

Fix: F-44390r3_fix

From the vSphere Client/vCenter Server as administrator: Go to Home >> Inventory >> Hosts and clusters. Select each ESXi host with active virtual switches connected to active VMs requiring securing. Go to tab Home >> Inventory >> Networking. Individually select each dvPortgroup, then go to tab Summary >> Edit Settings >> Policies >> Security. Set the "Promiscuous Mode" keyword to "Reject".

a

The system must ensure there are no unused ports on a distributed virtual port group.

CM-6 - Low - CCI-000366 - V-39377 - SV-51235r3_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000020

Vuln IDs

V-39377

Rule IDs

SV-51235r3_rule

The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network. System Administrator

Checks: C-46651r5_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. As administrator, find all dvSwitches from the vSphere Client/vCenter, Home >> Inventory >> Networking view. For any dvSwitches with dvPortgroups, verify the settings for that dvPortgroup. Compare the number of ports in that port group to the number of vNICs connecting to that port group. The number of ports must match, or approximate to the nearest number of menu selectable ports, the number of vNICs residing in that port group. If the number of ports in the port group do not match (or approximate to the nearest number of menu selectable ports) the number of VM NICs connecting to that port group, this is a finding.

Fix: F-44391r4_fix

As administrator, find all dvSwitches from the vSphere Client/vCenter: Home >> Inventory >> Networking view. For dvSwitches with dvPortgroups, edit the settings for that dvPortgroup. Limit (match or approximate) the number of ports in that port group to the number of vNICs residing in that port group.

a

vMotion traffic must be isolated.

CM-6 - Low - CCI-000366 - V-39378 - SV-51236r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000021

Vuln IDs

V-39378

Rule IDs

SV-51236r1_rule

The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration. vMotion traffic must be sequestered from production traffic on an isolated network. This network must be non-routable (no layer-3 router spanning this and other networks), preventing outside access to the network.

Checks: C-46652r1_chk

If vMotion is not used, this check is not applicable. The vMotion port group must be on a management-only vSwitch to avoid dependency on VLANs for isolation. Verify the vMotion port group vSwitch does not contain any non-management port groups. At least one physical network adaptor must be dedicated to management. To ensure a vMotion vSwitch is on a VMkernel management-only switch, from the vSphere Client/vCenter, select the ESXi host, and select the configuration tab. In the hardware panel, select Networking; locate the vSwitch containing the vMotion port group and visually verify that the vSwitch does not contain any VM Networking or VM references, i.e., the vSwitch must contain management-only, non-production network traffic/functions. If the vMotion port group is not on a management-only vSwitch, this is a finding.

Fix: F-44392r1_fix

To create a vMotion vSwitch from the vSphere Client/vCenter, select the ESXi host, and select the configuration tab. In the hardware panel, select Networking; click the Add Network link; choose VMKernel and click next; select the desired NIC(s). In the port groups dialog box type a name, (example: "vMotion"). Next, select the "use this port group for vMotion" and set the IP address and subnet mask and gateway where/as required.

a

Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic.

CM-6 - Low - CCI-000366 - V-39379 - SV-51237r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000025

Vuln IDs

V-39379

Rule IDs

SV-51237r1_rule

If an ESXi host guest VM is configured to perform a bridging function, the VM will generate BPDU frames to send out to the VDS. The VDS forwards the BPDU frames through the network adapter to the physical switch port. When the switch port configured with "BPDU guard" receives the BPDU frame, the switch will disable the port and the VM will lose connectivity. To avoid this network failure scenario while running a software-bridging function on an ESXi host, the "portfast" and "BPDU guard" configuration must be disabled on the port and spanning tree protocol must be enabled.

Checks: C-46653r1_chk

Organization and vendor specific check. Ask the SA if any ESXi host guest VM is configured to perform a bridging function. If any host VM is configured to perform a bridging function, ask the SA to confirm that port spanning tree protocol is enabled. Note that this check refers to an entity outside the scope of the ESXi server system. If a guest VM is configured to perform a bridging function and spanning tree protocol is not enabled, this is a finding.

Fix: F-44393r1_fix

Organization and vendor specific fix. If a guest VM is configured to perform a bridging function, enable spanning tree protocol for the VMs switch port. Note that this check refers to an entity outside the scope of the ESXi server system.

a

The system must disable the autoexpand option for VDS dvPortgroups.

CM-6 - Low - CCI-000366 - V-39380 - SV-51238r3_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

ESXI5-VMNET-000026

Vuln IDs

V-39380

Rule IDs

SV-51238r3_rule

If the "no-unused-dvports" guideline is followed, there should be only the amount of ports on a VDS that are actually needed. The Autoexpand feature on VDS dvPortgroups can override that limit. The feature allows dvPortgroups to automatically add 10 virtual distributed switch ports to a dvPortgroup that has run out of available ports. The risk is that maliciously or inadvertently, a virtual machine that is not supposed to be part of that portgroup is able to affect confidentiality, integrity, or authenticity of data of other virtual machines on that portgroup. To reduce the risk of inappropriate dvPortgroup access, the autoexpand option on VDS should be disabled. By default the option is disabled, but regular monitoring must be implemented to verify this has not been changed.

Checks: C-46654r2_chk

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. 1. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. 2. If connecting to vCenter Server, click on the desired host. 3. Click the Configuration tab. 4. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. 5. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and determine if the managed object browser (MOB) is enabled: # vim-cmd proxysvc/service_list | grep proxy-mob If the command return lists "proxy-mob", the mob is enabled. If not, re-enable the MOB: # vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect /var/run/vmware/proxy-mob The autoexpand property is disabled by default, but it can be enabled using the MOB: 1. In a browser, enter the address http://vc-ip-address/mob/. 2. When prompted, enter the vCenter Server appropriate username and password. 3. Click the Content link. 4. In the left pane, search for the row with the word rootFolder. 5. Open the link in the right pane of the row. The link should be similar to group-d1 (Datacenters). 6. In the left pane, search for the row with the word childEntity. In the right pane, you see a list of datacenter links. 7. Click the datacenter link in which the vDS is defined. 8. In the left pane, search for the row with the word networkFolder and open the link in the right pane. The link should be similar to group-n123 (network). 9. In the left pane, search for the row with the word childEntity. You see a list of vDS and distributed port group links in the right pane. 10.Click the distributed port group for which you want to change this property. 11.In the left pane, search for the row with the word config and click the link in the right pane. 12.In the left pane, search for the row with the word autoExpand. It is usually the first row. 13.Note the corresponding value displayed in the right pane. The value should be false by default. If the setting is true, the autoexpand feature is enabled and this is a finding. Disable the MOB. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect" Re-enable Lockdown Mode on the host.

Fix: F-44759r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. 1. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. 2. If connecting to vCenter Server, click on the desired host. 3. Click the Configuration tab. 4. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. 5. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and determine if the managed object browser (MOB) is enabled: # vim-cmd proxysvc/service_list | grep proxy-mob If the command return lists "proxy-mob", the mob is enabled. If not, re-enable the MOB: # vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect /var/run/vmware/proxy-mob The autoexpand property is disabled by default, but it can be enabled using the MOB: 1. In a browser, enter the address http://vc-ip-address/mob/. 2. When prompted, enter the vCenter Server appropriate username and password. 3. Click the Content link. 4. In the left pane, search for the row with the word rootFolder. 5. Open the link in the right pane of the row. The link should be similar to group-d1 (Datacenters). 6. In the left pane, search for the row with the word childEntity. In the right pane, you see a list of datacenter links. 7. Click the datacenter link in which the vDS is defined. 8. In the left pane, search for the row with the word networkFolder and open the link in the right pane. The link should be similar to group-n123 (network). 9. In the left pane, search for the row with the word childEntity. You see a list of vDS and distributed port group links in the right pane. 10.Click the distributed port group for which you want to change this property. 11.In the left pane, search for the row with the word config and click the link in the right pane. 12.In the left pane, search for the row with the word autoExpand. It is usually the first row. 13.Note the corresponding value displayed in the right pane. The value should be false by default. 14. In the left pane, search for the row with the word configVersion. The value should be 1 only if it has not been previously modified. 15. Note the corresponding value displayed in the right pane as it is needed in step 18. 16. Go back to the distributed port group page. 17. Click the link that reads ReconfigureDvs_Task. A new window appears. 18. In the Spec text field, enter this text: <spec><autoExpand>false</autoExpand><configversion>configVersion</configversion></spec> where configVersion is what was recorded directly above in step 15. 19. Click the Invoke Method link. 20. Close the window. 21. Repeat Steps 10 through 14 to verify the new value for autoExpand. Disable the MOB. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect" Re-enable Lockdown Mode on the host.

b

Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option.

CM-6 - Medium - CCI-000366 - V-39381 - SV-51239r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002430-ESXI5

Vuln IDs

V-39381

Rule IDs

SV-51239r1_rule

The "nodev" (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system that does not contain approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.

Checks: C-46655r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Check the system for NFS mounts that do not use the nodev option. Execute the following: # cat /etc/fstab | grep -i nfs | grep -v "nodev" If the mounted NFS file systems do not use the nodev option, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44394r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Edit /etc/fstab and add the nodev option for all NFS file systems. Re-enable Lockdown Mode on the host.

b

The root accounts library search path must be the system default and must contain only absolute paths.

CM-6 - Medium - CCI-000366 - V-39382 - SV-51240r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000945-ESXI5-000333

Vuln IDs

V-39382

Rule IDs

SV-51240r1_rule

The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other relative paths, libraries in these directories may be loaded instead of system libraries. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.

Checks: C-46656r4_chk

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/vmware/config <required_keyword> = libdir <required_keyword_setpoint> = /usr/lib/vmware Execute the following command(s): # grep libdir /etc/vmware/config If the "libdir" path is not set to "/usr/lib/vmware", this is a finding. Re-enable lock down mode.

Fix: F-44395r4_fix

Disable lock down mode. Enable the ESXi Shell. <file> = /etc/vmware/config <required_keyword> = libdir <required_keyword_setpoint> = /usr/lib/vmware Execute the following command(s): # vi /etc/vmware/config Set the "libdir" path to "/usr/lib/vmware". Re-enable lock down mode.

b

The root accounts list of preloaded libraries must be empty.

CM-6 - Medium - CCI-000366 - V-39383 - SV-51241r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000950-ESXI5-444

Vuln IDs

V-39383

Rule IDs

SV-51241r2_rule

The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to libraries relative to the current working directory, unintended libraries may be preloaded. This variable is formatted as a space-separated list of libraries. Paths starting with (/) are absolute paths.System Administrator

Checks: C-46657r3_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep LD_PRELOAD /etc/vmware/config If the LD_PRELOAD attribute is present and set to anything other than an empty string, this is a finding. Re-enable lock down mode.

Fix: F-44396r3_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/vmware/config Set the LD_PRELOAD to "". Re-enable lock down mode.

c

The system must be configured to only boot from the system boot device.

CM-6 - High - CCI-000366 - V-39384 - SV-51242r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

GEN008600-ESXI5-000050

Vuln IDs

V-39384

Rule IDs

SV-51242r1_rule

The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and perform changes possibly compromising or damaging the system. It could also allow the system to be used for malicious purposes by a malicious anonymous user.

Checks: C-46658r1_chk

Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order. If any media other than the ESXi boot disk is listed as a boot option, this is a finding.

Fix: F-44397r1_fix

Note: Checking a system's BIOS is vendor and hardware dependent. To ensure media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order. Remove all boot media options except for ESXi. Save the change and exit to verify the boot cycle.

b

The system must enable lockdown mode to restrict remote access.

CM-6 - Medium - CCI-000371 - V-39385 - SV-51243r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000371

Version

SRG-OS-000092-ESXI5

Vuln IDs

V-39385

Rule IDs

SV-51243r2_rule

Enabling lockdown prevents all API-based access by the accounts to the ESXi host. Enabling lockdown mode disables all remote access to ESXi machines. There are some operations, such as backup and troubleshooting that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed. Lockdown restricts access to the ESXi console to the root user only, requiring non-root users access the host through vSphere Client/vCenter where RBAC and logging can be used to restrict and log activity. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: Lockdown mode does not apply to root users who log in using authorized keys. When an authorized key file is used for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Use of an authorized key file for root must therefore be disallowed.System Administrator

Checks: C-46659r2_chk

For ESXi hosts that are not managed by a vCenter Server, this check is not applicable. From the vSphere client, select the host then select "Configuration >> Security Profile". Verify Lockdown Mode is enabled. Alternatively, issue the following command via the CLI: # vim-cmd vimsvc/auth/lockdown_is_enabled If Lockdown Mode is not enabled (true), this is a finding.

Fix: F-44398r2_fix

To enable Lockdown mode on an ESXi host managed by a vCenter Server, log in directly the ESXi host as root. Open the DCUI on the host. Press F2 for Initial Setup. Toggle the Configure Lockdown Mode setting and configure Lockdown Mode.

c

Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.

CM-7 - High - CCI-000381 - V-39386 - SV-51244r2_rule

RMF Control

CM-7

Severity

H

CCI

CCI-000381

Version

SRG-OS-000095-ESXI5

Vuln IDs

V-39386

Rule IDs

SV-51244r2_rule

Unnecessary services should be disabled to decrease the attack surface of the system.System Administrator

Checks: C-46660r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and execute the following: # egrep -v "^sshd|authd" /var/run/inetd.conf> The above command filters for services other than sshd and/or authd. If any other services are found, ask the SA if the services are required (i.e., required by 3rd party software). If services other than sshd and/or authd are found and cannot be accounted for, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44399r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and edit the /var/run/inetd.conf file. Comment (do not remove) any service line entries that cannot be accounted for. Re-enable Lockdown Mode on the host.

c

The system must verify the integrity of the installation media before installing ESXi.

CM-5 - High - CCI-000352 - V-39387 - SV-51245r1_rule

RMF Control

CM-5

Severity

H

CCI

CCI-000352

Version

SRG-OS-000090-ESXI5

Vuln IDs

V-39387

Rule IDs

SV-51245r1_rule

Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, software defined by the organization as critical software must be signed with a certificate that is recognized and approved by the organization.

Checks: C-46661r2_chk

The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. See some typical command line example(s) for both the md5 and sha1 hash check(s) directly below. # md5sum <filename>.iso # sha1sum <filename>.iso If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.

Fix: F-44400r1_fix

If the hash returned from the md5sum or sha1sum commands do not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.

b

All accounts on the system must have unique user or account names.

IA-8 - Medium - CCI-000804 - V-39388 - SV-51246r1_rule

RMF Control

IA-8

Severity

M

CCI

CCI-000804

Version

SRG-OS-000121-ESXI5

Vuln IDs

V-39388

Rule IDs

SV-51246r1_rule

A unique user name is the first part of the identification and authentication process. If user names are not unique, there can be no accountability on the system for auditing purposes. Multiple accounts sharing the same name could result in the Denial-of-Service to one or both of the accounts or unauthorized access to files or privileges.

Checks: C-46662r1_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # cat /etc/passwd If any non-unique user name is found (example: multiple root user name entries), this is a finding. Re-enable lock down mode.

Fix: F-44401r1_fix

Change user account names, or delete accounts, so each account has a unique name. From the vSphere Client/vCenter: Click on the "Users and Groups" tab. Click on the "Users" button. Right click and select "Add". Specify the desired User Name, Password, etc and Click "OK".

b

All accounts must be assigned unique User Identification Numbers (UIDs).

IA-2 - Medium - CCI-000764 - V-39389 - SV-51247r1_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

SRG-OS-000104-ESXI5

Vuln IDs

V-39389

Rule IDs

SV-51247r1_rule

Accounts sharing a UID have full access to each others' files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the system sees them as the same user. If the duplicate UID is 0, this gives potential intruders another privileged account to attack.

Checks: C-46663r1_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # cat /etc/passwd | cut -f 3 -d ":" | sort If any duplicate UIDs are found, this is a finding. Re-enable lock down mode.

Fix: F-44402r1_fix

Modify user accounts to provide unique UIDs for each account. From the vSphere Client/vCenter: Click on the "Users and Groups" tab. Click on the "Users" button Right click and select "Add". Specify the desired User Name, Password, etc and Click "OK".

b

The system must disable SSH.

CM-6 - Medium - CCI-000366 - V-39390 - SV-51248r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000138

Vuln IDs

V-39390

Rule IDs

SV-51248r1_rule

The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details, not always generally accessible, using the vSphere Client. The ESXi shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the host must be disabled. As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.

Checks: C-46664r1_chk

From the vSphere client, select the ESXi host, go to "Configuration >> Security Profile". In the "Services" section select "Properties". Verify 'SSH' is stopped. If the SSH service is running, this is a finding.

Fix: F-44403r1_fix

From the vSphere client, select the ESXi host, go to "Configuration >> Security Profile". In the "Services" section select "Properties". Select "SSH", "Options..." and configure the 'SSH' option to "Start and stop manually".

b

The system must not permit root logins using remote access programs, such as SSH.

IA-2 - Medium - CCI-000770 - V-39391 - SV-51249r2_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

SRG-OS-000109-ESXI5

Vuln IDs

V-39391

Rule IDs

SV-51249r2_rule

Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account preserves the audit trail.System Administrator

Checks: C-46665r4_chk

For ESXi hosts that are not managed by a vCenter Server, this check is not applicable. Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep PermitRootLogin /etc/ssh/sshd_config If "PermitRootLogin" is set to "yes", this is a finding. Re-enable lock down mode.

Fix: F-44404r3_fix

This step assumes that root access to the system is available via the vSphere Client/vCenter Server, local availability via the DCUI, or that remote systems are accessible at the remote site via touch labor by an authorized (root) user. Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "PermitRootLogin no" Re-enable lock down mode.

b

The system must set a timeout for the ESXi Shell to automatically disable itself after a predetermined period.

MA-4 - Medium - CCI-000879 - V-39392 - SV-51250r2_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000879

Version

SRG-OS-000126-ESXI5

Vuln IDs

V-39392

Rule IDs

SV-51250r2_rule

The ESXiShellTimeout setting is the number of seconds that can elapse before a logon occurs after the ESXi Shell is enabled. After the timeout period, if a logon has not occurred, the shell is disabled. Leaving the shell enabled unnecessarily increases the potential for someone to gain privileged access to the host

Checks: C-46666r2_chk

From the vSphere client select the host and click "Configuration >> Advanced Settings". Select "UserVars.ESXiShellTimeOut" parameter and verify it is set to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout. If the "UserVars.ESXiShellTimeOut" parameter is set to a value less than 1 or greater than 900, this is a finding.

Fix: F-44405r2_fix

From the vSphere client select the host and click "Configuration >> Advanced Settings". Select UserVars.ESXiShellTimeOut parameter and configure it to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout.

b

vSphere management traffic must be on a restricted network.

SC-2 - Medium - CCI-001082 - V-39393 - SV-51251r1_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

SRG-OS-000132-ESXI5

Vuln IDs

V-39393

Rule IDs

SV-51251r1_rule

The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.

Checks: C-46667r1_chk

The ESXi server's vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found. Production virtual machine traffic must not be routed to this network. As root (or using a different administrator Active Directory account), from the vSphere Client/vCenter, select the host; select the Configuration tab; then select Hardware/Networking. Select switch Properties for the Management Network NIC, and in the Ports tab, verify that the Management Port Group list does not include any production virtual machine traffic. If the network segment is routed, except to networks where other management-related entities are located, this is a finding. If production virtual machine traffic is routed to this network, this is a finding. Note that this check refers to an entity outside the scope of the ESXi server system.

Fix: F-44406r1_fix

The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. As root (or using a different administrator Active Directory account), from the vSphere Client/vCenter, select the host; select the Configuration tab; then select Hardware/Networking. Select switch Properties for the Management Network NIC, and select the Ports tab. If any virtual machine traffic is found in the port list, create another vSwitch and migrate either the Management Port group or virtual machine traffic to a different vSwitch. Under the Configuration tab, select the Add Networking wizard, select either the Virtual Machine or VMkernel radio button, click Next and follow the directions for selecting the remaining switch type and connection settings based on the local system's hardware.

b

The SSH daemon must be configured with the Department of Defense (DoD) logon banner.

AC-8 - Medium - CCI-000048 - V-39394 - SV-51252r2_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

SRG-OS-000023-ESXI5

Vuln IDs

V-39394

Rule IDs

SV-51252r2_rule

Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.System Administrator

Checks: C-46668r3_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command to inspect the /etc/issue (or otherwise configured) SSHD banner file: # cat /etc/issue Access the system console and make a logon attempt. Check for either of the following login banners based on the character limitations imposed by the system. An exact match is required. If one of these banners is not displayed, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. " OR "I've read & consent to terms in IS user agreem't." If the /etc/issue (or otherwise configured) SSHD banner file does not contain one of the two login banners exactly as shown above, this is a finding. Re-enable lock down mode.

Fix: F-44407r3_fix

Configure the /etc/issue (or otherwise configured) SSHD banner file in order to display one of the DoD login banners (based on the character limitations imposed by the system) prior to any local login attempt. DoD Login Banners: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't.

b

The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.

SC-7 - Medium - CCI-001098 - V-39395 - SV-51253r1_rule

RMF Control

SC-7

Severity

M

CCI

CCI-001098

Version

SRG-OS-000145-ESXI5

Vuln IDs

V-39395

Rule IDs

SV-51253r1_rule

If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks.

Checks: C-46669r1_chk

From the vSphere Client/vCenter: Click on the Configuration tab, Click on the DNS and Routing tabs, and verify that the default gateway information is entered and Click "Cancel". If the default gateway field has not been initialized (IP address is required), this is a finding.

Fix: F-44408r1_fix

From the vSphere Client/vCenter, click on the Configuration tab; click on DNS and Routing; click on Properties/DNS and Routing, Configuration/Routing. Add a default gateway (IP address is required). Click "OK"

b

The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.

SC-7 - Medium - CCI-001118 - V-39396 - SV-51254r1_rule

RMF Control

SC-7

Severity

M

CCI

CCI-001118

Version

SRG-OS-000152-ESXI5

Vuln IDs

V-39396

Rule IDs

SV-51254r1_rule

Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.

Checks: C-46670r2_chk

From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.

Fix: F-44409r1_fix

For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.

b

The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.

SC-7 - Medium - CCI-001097 - V-39397 - SV-51255r1_rule

RMF Control

SC-7

Severity

M

CCI

CCI-001097

Version

SRG-OS-000144-ESXI5

Vuln IDs

V-39397

Rule IDs

SV-51255r1_rule

Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.

Checks: C-46671r3_chk

From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.

Fix: F-44410r1_fix

For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.

b

The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

SC-7 - Medium - CCI-001109 - V-39398 - SV-51256r1_rule

RMF Control

SC-7

Severity

M

CCI

CCI-001109

Version

SRG-OS-000147-ESXI5

Vuln IDs

V-39398

Rule IDs

SV-51256r1_rule

Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.

Checks: C-46672r1_chk

From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.

Fix: F-44411r1_fix

For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.

b

The operating system must enforce requirements for remote connections to the information system.

AC-17 - Medium - CCI-000066 - V-39399 - SV-51257r1_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000066

Version

SRG-OS-000231-ESXI5

Vuln IDs

V-39399

Rule IDs

SV-51257r1_rule

Unrestricted access to services running on an ESXi host can exposes a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from authorized networks only.

Checks: C-46673r1_chk

From the vSphere client, select the host, then select "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", and verify "Only allow connections from the following networks" is selected and a range of authorized IP addresses is listed. If any enabled service's firewall entry is not configured for "Only allow connections from the following networks" with a range of authorized IP addresses listed, this is a finding.

Fix: F-44412r1_fix

For each host, from the vSphere client, select the host and go to "Configuration >> Security Profile". In the "Firewall" section select "Properties". For each enabled service, (e.g., ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks", and provide a range of authorized IP addresses.

b

Access to the management network must be strictly controlled through a network gateway.

CM-6 - Medium - CCI-000366 - V-39400 - SV-51258r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000023

Vuln IDs

V-39400

Rule IDs

SV-51258r1_rule

A controlled gateway or other controlled method must be configured to access the management network. The management network must be isolated in order to prevent access by internal and external, unauthorized personnel.

Checks: C-46674r1_chk

Ask the SA if a controlled gateway or other controlled access method to the management network has been implemented and documented. Ask to see the documentation. Note that this check refers to an entity outside the scope of the ESXi server system. If a controlled gateway or other controlled access method has not been implemented or documented, this is a finding.

Fix: F-44413r1_fix

Implement and document a controlled gateway or other controlled access method to the management network. Note that this check refers to an entity outside the scope of the ESXi server system.

b

Access to the management network must be strictly controlled through a network jump box.

CM-6 - Medium - CCI-000366 - V-39401 - SV-51259r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

ESXI5-VMNET-000024

Vuln IDs

V-39401

Rule IDs

SV-51259r1_rule

Based upon an organization's risk assessment, jump boxes that run vSphere Client and other management clients (e.g., VSphere Management Assistant) must be configured. The management network must be isolated in order to prevent access by internal and external, unauthorized personnel.

Checks: C-46675r1_chk

Ask the SA if a management network jump box has been implemented and documented. Ask to see the documentation. Note that this check refers to an entity outside the scope of the ESXi server system. If a management network jump box has not been implemented or documented, this is a finding.

Fix: F-44414r1_fix

Implement and document a management network jump box solution. Note that this check refers to an entity outside the scope of the ESXi server system.

b

The SSH client must be configured to not use CBC-based ciphers.

SC-8 - Medium - CCI-001127 - V-39402 - SV-51260r2_rule

RMF Control

SC-8

Severity

M

CCI

CCI-001127

Version

SRG-OS-000157-ESXI5

Vuln IDs

V-39402

Rule IDs

SV-51260r2_rule

The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.

Checks: C-46676r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for allowed ciphers. # grep -i ciphers /etc/ssh/ssh_config | grep -v '^#' Re-enable lock down mode. If the returned ciphers list contains any cipher ending with cbc, this is a finding. If the /etc/ssh/ssh_config file does not exist or the Ciphers option is not set, this is not a finding.

Fix: F-44415r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "Ciphers" configuration (examples of disallowed ciphers: aes128-cbc, aes192-cbc, aes256-cbc, arcfour256blowfish-cbc, cast128-cbc, 3des-cbc). # vi /etc/ssh/ssh_config Re-enable lock down mode.

b

The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

SC-8 - Medium - CCI-001128 - V-39403 - SV-51261r3_rule

RMF Control

SC-8

Severity

M

CCI

CCI-001128

Version

SRG-OS-000158-ESXI5

Vuln IDs

V-39403

Rule IDs

SV-51261r3_rule

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.System Administrator

Checks: C-46677r3_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep -i macs /etc/ssh/ssh_config Re-enable lock down mode. If the returned list contains MACs other than a variant of the hmac-sha1 or hmac-sha2 form, this is a finding. If the /etc/ssh/ssh_config file does not exist or the MACs option is not set, this is not a finding.

Fix: F-44416r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/ssh_config Add/modify the attribute line entry to the following (quotes for emphasis only): "MACs <hmac-sha1 or hmac-sha2 variant(s)>" The above list "may" include any number of the following (current) comma-separated variants: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96. Re-enable lock down mode.

b

The SSH client must be configured to only use FIPS 140-2 approved ciphers.

SC-8 - Medium - CCI-001129 - V-39404 - SV-51262r2_rule

RMF Control

SC-8

Severity

M

CCI

CCI-001129

Version

SRG-OS-000159-ESXI5

Vuln IDs

V-39404

Rule IDs

SV-51262r2_rule

DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES.

Checks: C-46678r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for allowed ciphers. # grep -i ciphers /etc/ssh/ssh_config | grep -v '^#' If the returned ciphers list contains any cipher not starting with 3des or aes, this is a finding. If the /etc/ssh/ssh_config file does not exist or the Ciphers option is not set, this is not a finding. Re-enable lock down mode.

Fix: F-44417r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "Ciphers" configuration (example: 3des-ctr, aes128-ctr, aes192-ctr, aes256-ctr). # vi /etc/ssh/ssh_config Re-enable lock down mode.

b

The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

SC-10 - Medium - CCI-001133 - V-39405 - SV-51263r2_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

SRG-OS-000163-ESXI5

Vuln IDs

V-39405

Rule IDs

SV-51263r2_rule

If ESXi Shell is enabled on the host and a user neglects to initiate an SSH session the idle connection will remain available indefinitely increasing the potential for someone to gain privileged access to the host.

Checks: C-46679r4_chk

From the vSphere client select the host and click "Configuration >> Advanced Settings". Select "UserVars.ESXiShellTimeOut" parameter and verify it is set to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout. If the "UserVars.ESXiShellTimeOut" parameter is set to a value less than 1 or greater than 900, this is a finding.

Fix: F-44418r2_fix

From the vSphere client select the host and click "Configuration >> Advanced Settings". Select UserVars.ESXiShellTimeOut parameter and configure it to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout.

c

The Image Profile and VIB Acceptance Levels must be verified.

SI-3 - High - CCI-001239 - V-39407 - SV-51265r1_rule

RMF Control

SI-3

Severity

H

CCI

CCI-001239

Version

SRG-OS-000193-ESXI5

Vuln IDs

V-39407

Rule IDs

SV-51265r1_rule

The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner Community Supported VIBs are not supported and do not have a digital signature. An unsigned VIB represents untested code installed on an ESXi host. To protect the security and integrity of an ESXi host, unsigned (CommunitySupported) VIBs must not be installed.

Checks: C-46681r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the host and VIB acceptance level(s) are not set to "CommunitySupported" by running the command(s): # esxcli software acceptance get # esxcli software vib list. If the host or listed VIB acceptance levels allow "CommunitySupported", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44420r2_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and set the host acceptance level to at least "PartnerSupported" by running the command: # esxcli software acceptance set --<level> Re-enable Lockdown Mode on the host.

b

Remote logging for ESXi hosts must be configured.

SI-4 - Medium - CCI-001265 - V-39408 - SV-51266r1_rule

RMF Control

SI-4

Severity

M

CCI

CCI-001265

Version

SRG-OS-000197-ESXI5

Vuln IDs

V-39408

Rule IDs

SV-51266r1_rule

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.

Checks: C-46682r1_chk

Verify the vSphere Syslog Collector syslog host has been configured. From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Verify the 'Syslog.global.logHost' is set to the (site-specific) syslog server hostname. If the 'Syslog.global.logHost' is unconfigured, this is a finding.

Fix: F-44421r1_fix

Step 1: Verify the vSphere Syslog Collector syslog host has been configured. If not, install/enable the vSphere Syslog Collector. Step 2: From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Step 3: Set 'Syslog.global.logHost' to the syslog server hostname.

b

The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.

AU-9 - Medium - CCI-001348 - V-39409 - SV-51267r1_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001348

Version

SRG-OS-000215-ESXI5

Vuln IDs

V-39409

Rule IDs

SV-51267r1_rule

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.

Checks: C-46683r1_chk

Verify the vSphere Syslog Collector syslog host has been configured. From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Verify the 'Syslog.global.logHost' is set to the (site-specific) syslog server hostname. If the 'Syslog.global.logHost' is unconfigured, this is a finding.

Fix: F-44422r1_fix

Step 1: Verify the vSphere Syslog Collector syslog host has been configured. If not, install/enable the vSphere Syslog Collector. Step 2: From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Step 3: Set 'Syslog.global.logHost' to the syslog server hostname.

b

The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.

AU-9 - Medium - CCI-001352 - V-39410 - SV-51268r1_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001352

Version

SRG-OS-000217-ESXI5

Vuln IDs

V-39410

Rule IDs

SV-51268r1_rule

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.

Checks: C-46684r1_chk

Verify the vSphere Syslog Collector syslog host has been configured. From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Verify the 'Syslog.global.logHost' is set to the (site-specific) syslog server hostname. If the 'Syslog.global.logHost' is unconfigured, this is a finding.

Fix: F-44423r1_fix

Step 1: Verify the vSphere Syslog Collector syslog host has been configured. If not, install/enable the vSphere Syslog Collector. Step 2: From the vSphere Client: Select the host and click "Configuration >> Advanced Settings >> Syslog >> Global". Step 3: Set 'Syslog.global.logHost' to the syslog server hostname.

c

The operating system must use cryptography to protect the confidentiality of remote access sessions.

AC-17 - High - CCI-000068 - V-39411 - SV-51269r1_rule

RMF Control

AC-17

Severity

H

CCI

CCI-000068

Version

SRG-OS-000033-ESXI5

Vuln IDs

V-39411

Rule IDs

SV-51269r1_rule

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections.

Checks: C-46685r1_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for required protocol. # grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v '^#' Re-enable lock down mode. If no lines are returned, or the returned protocol list contains anything except 2, this is a finding.

Fix: F-44424r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "Protocol" configuration for Protocol 2 only. # vi /etc/ssh/sshd_config Re-enable lock down mode.

c

The SSH daemon must be configured to only use the SSHv2 protocol.

IA-2 - High - CCI-000774 - V-39412 - SV-51270r1_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000774

Version

SRG-OS-000112-ESXI5

Vuln IDs

V-39412

Rule IDs

SV-51270r1_rule

SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Checks: C-46686r1_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for required protocol. # grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v '^#' Re-enable lock down mode. If no lines are returned, or the returned protocol list contains anything except 2, this is a finding.

Fix: F-44425r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "Protocol" configuration for Protocol 2 only. # vi /etc/ssh/sshd_config Re-enable lock down mode.

c

The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.

IA-2 - High - CCI-000776 - V-39413 - SV-51271r2_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000776

Version

SRG-OS-000113-ESXI5

Vuln IDs

V-39413

Rule IDs

SV-51271r2_rule

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using challenges (e.g., TLS, WS_Security), time synchronous, or challenge-response one-time authenticators.

Checks: C-46687r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for required protocol. # grep -i "Protocol 2" /etc/ssh/ssh_config | grep -v '^#' Re-enable lock down mode. If the returned protocol list contains anything except 2, this is a finding. If the /etc/ssh/ssh_config file does not exist or the Protocol option is not set, this is not a finding.

Fix: F-44426r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "Protocol" configuration for Protocol 2 only. # vi /etc/ssh/ssh_config Re-enable lock down mode.

b

The SSH client must be configured to only use the SSHv2 protocol.

CM-6 - Medium - CCI-000366 - V-39414 - SV-51272r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005501-ESXI5-9778

Vuln IDs

V-39414

Rule IDs

SV-51272r2_rule

SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client.

Checks: C-46688r3_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH client configuration for required protocol. # grep -i "Protocol 2" /etc/ssh/ssh_config | grep -v '^#' Re-enable lock down mode. If the returned protocol list contains anything except 2, this is a finding. If the /etc/ssh/ssh_config file does not exist or the Protocol option is not set, this is not a finding because the SSH client cannot enforce the Protocol setting on a compliant SSH server.

Fix: F-44427r1_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH client configuration and add/modify the "Protocol" configuration for Protocol 2 only. # vi /etc/ssh/ssh_config Re-enable lock down mode.

c

The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

AC-17 - High - CCI-001453 - V-39415 - SV-51273r2_rule

RMF Control

AC-17

Severity

H

CCI

CCI-001453

Version

SRG-OS-000250-ESXI5

Vuln IDs

V-39415

Rule IDs

SV-51273r2_rule

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.System Administrator

Checks: C-46689r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep -i macs /etc/ssh/sshd_config Re-enable lock down mode. If the command returns nothing, or the returned list contains MACs other than a variant of the hmac-sha1 or hmac-sha2 format, this is a finding.

Fix: F-44428r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "MACs <hmac-sha1 or hmac-sha2 variant(s)>" The above list "may" include any number of the following (current) comma-separated variants: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96. Re-enable lock down mode.

b

The system must require that passwords contain at least one special character.

IA-5 - Medium - CCI-001619 - V-39416 - SV-51274r1_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

SRG-OS-000266-ESXI5

Vuln IDs

V-39416

Rule IDs

SV-51274r1_rule

To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.

Checks: C-46690r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N4" field controls the behavior requiring at least one character each of the 4 different character classes (i.e., number, special, UPPER_CASE, and lower_case), with a minimum required length of 14 characters. # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N4" password complexity field is not set to "14" or greater and the "N0" thru "N3" fields are not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44429r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N4" password complexity field to "14" or greater and set the "N0" thru "N3" fields to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The system must ensure proper SNMP configuration.

CM-6 - Medium - CCI-000366 - V-39417 - SV-51275r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

SRG-OS-99999-ESXI5-000144

Vuln IDs

V-39417

Rule IDs

SV-51275r1_rule

If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack. SNMP must be configured on each ESXi host using Power/v CLI. vSphere PowerCLI is a command line tool used to automate vSphere management. PowerCLI is distributed as a Windows PowerShell snapin, and includes 300+ PowerShell cmdlets and use documentation.

Checks: C-46691r2_chk

From the Power/v CLI, run: "vicfg-snmp.pl --server <server_name> -s" to determine if SNMP is being used. An alternative command option instead of the "-s" is "--show". If SNMP is not being used and "enabled" = 1, this is a finding. If the read-only community name is set to "public", this is a finding. If the read-write community name is set to private, this is a finding.

Fix: F-44430r2_fix

If SNMP is not being used, configure "enabled" = 0. From the Power/v CLI, execute "vicfg-snmp.pl --server <server_name> -D". If SNMP is being used, ensure the community name is configured: From the vSphere CLI, type "vicfg-snmp.pl --server hostname --username <username> --password <password> -c <community_name>". To enable SNMP from the vSphere CLI, type. # vicfg-snmp.pl --server <hostname> --username <username> --password <password> --enable

b

The system must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-39418 - SV-51276r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000790-ESXI5-000085

Vuln IDs

V-39418

Rule IDs

SV-51276r1_rule

An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is generally done by someone with an automated script using repeated logon attempts until the correct account and password pair is guessed. Utilities, such as cracklib, can be used to validate passwords are not dictionary words and meet other criteria during password changes.

Checks: C-46692r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and verify the expected settings are configured in the /etc/pam.d/passwd file. The entry format is : "password requisite /lib/security/pam_passwdqc.so similar=deny retry=N min=N0,N1,N2,N3,N4" The "N2" field controls the behavior enforcing "no dictionary words". This flag should be set to "disabled". # grep "^password" /etc/pam.d/passwd | grep requisite | grep "min=" If the "N2" password complexity field is not set to "disabled", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44431r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host and ensure the expected settings of the "min" keyword are configured in the /etc/pam.d/passwd file. # vi /etc/pam.d/passwd Set the "N2" password complexity field to "disabled", i.e., min=disabled,disabled,disabled,disabled,14 Re-enable Lockdown Mode on the host.

b

The SSH daemon must restrict login ability to specific users and/or groups.

CM-6 - Medium - CCI-000366 - V-39419 - SV-51277r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005521-ESXI5-000103

Vuln IDs

V-39419

Rule IDs

SV-51277r2_rule

Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access.System Administrator

Checks: C-46693r2_chk

Disable lock down mode. Enable the ESXi Shell. Check the SSH daemon configuration for the AllowGroups setting (must include the root user's group). Note that the presence of the AllowGroups attribute in the sshd_config file implies that only users belonging to groups in the AllowGroups list are able to log in. # grep -i "^AllowGroups" /etc/ssh/sshd_config | grep -i root If the "AllowGroups" attribute is not present in the file, this is a finding.

Fix: F-44432r2_fix

Disable lock down mode. Enable the ESXi Shell. Edit the SSH daemon configuration and add/modify the "AllowGroups" attribute (and attribute list) in the /etc/ssh/sshd_config configuration file. # vi /etc/ssh/sshd_config Re-enable lock down mode.

b

The SSH daemon must perform strict mode checking of home directory configuration files.

CM-6 - Medium - CCI-000366 - V-39420 - SV-51278r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005536-ESXI5-000110

Vuln IDs

V-39420

Rule IDs

SV-51278r2_rule

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.System Administrator

Checks: C-46694r2_chk

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # grep StrictModes /etc/ssh/sshd_config If the command returns nothing, or the returned "StrictModes" attribute is set to "no", this is a finding. Re-enable lock down mode.

Fix: F-44433r2_fix

Disable lock down mode. Enable the ESXi Shell. Execute the following command(s): # vi /etc/ssh/sshd_config Add/modify the attribute line entry to the following (quotes for emphasis only): "StrictModes yes" Re-enable lock down mode.

b

Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option.

CM-6 - Medium - CCI-000366 - V-39422 - SV-51280r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002420-ESXI5-00878

Vuln IDs

V-39422

Rule IDs

SV-51280r1_rule

The "nosuid" mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system that does not contain approved setuid files. Executing setuid files from untrusted file systems, or file systems that do not contain approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-46696r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Check /etc/fstab and verify the nosuid mount option is used on file systems mounted from removable media, network shares, or any other file system not containing approved setuid or setgid files. Each file system line entry must contain a device specific file and may additionally contain all of the following fields, in the following order (per the NFSv3 specification): mount directory, type, OPTION(s), backup frequency, pass number (on parallel fsck) and comment. Execute the following: # cat /etc/fstab | grep -v "^#" If the "nosuid" mount OPTION is not used on file systems mounted from removable media, network shares, or any other file system that does not contain approved setuid or setgid files, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44435r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Edit /etc/fstab and add the nosuid mount option to all file systems mounted from removable media or network shares, and any file system not containing approved setuid or setgid files. Re-enable Lockdown Mode on the host.

b

The nosuid option must be enabled on all NFS client mounts.

CM-6 - Medium - CCI-000366 - V-39423 - SV-51281r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN005900-ESXI5-00891

Vuln IDs

V-39423

Rule IDs

SV-51281r1_rule

Enabling the nosuid mount option prevents the system from granting owner or group owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users with unprivileged access to the local system may be able to acquire privileged access by executing setuid or setgid files located on the mounted NFS file system.

Checks: C-46697r1_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Check the system for NFS mounts that do not use the nosuid option. Execute the following: # cat /etc/fstab | grep -i nfs | grep -v "nosuid" If the mounted NFS file systems do not use the nosuid option, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44436r1_fix

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Edit /etc/fstab and add the nosuid option for all NFS file systems. Re-enable Lockdown Mode on the host.

a

The system must be checked for extraneous device files at least weekly.

CM-6 - Low - CCI-000366 - V-39424 - SV-51282r3_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN002260-ESXI5-000047

Vuln IDs

V-39424

Rule IDs

SV-51282r3_rule

If an unauthorized device is allowed to exist on the system, there is the possibility the system may perform unauthorized operations.System Administrator

Checks: C-46698r3_chk

Ask the SA if the system is checked for extraneous device files on a weekly basis. To manually perform the check, disable lock down mode, enable the ESXi Shell, and execute the following command: # find / $ -type b -o -type c $ -exec ls -lL {} \; Re-enable lock down mode. If no automated or manual process is in place, this is a finding.

Fix: F-44437r2_fix

Configure the system to check for extraneous device files on a weekly basis. Refer to the Check Content section above for the basic command structure to search the file system. Additionally, ensure persistence of the command output by storing results to a target located on persistent storage.

b

The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.

CM-6 - Medium - CCI-000366 - V-39425 - SV-51283r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002400-ESXI5-10047

Vuln IDs

V-39425

Rule IDs

SV-51283r2_rule

Files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security problems can result if setuid is assigned to programs that allow reading and writing of files, or shell escapes.System Administrator

Checks: C-46699r2_chk

Ask the SA if the system is checked for unauthorized setuid files on a weekly basis. To manually perform the check, disable lock down mode, enable the ESXi Shell, and execute the following command: # find / -perm -4000 -exec ls -lL {} \; Re-enable lock down mode. If no automated or manual process is in place, this is a finding.

Fix: F-44438r2_fix

Configure the system to check for unauthorized setuid files on a weekly basis. Refer to the Check Content section above for the basic command structure to search the file system. Additionally, ensure persistence of the command output by storing results to a target located on persistent storage.

b

The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.

CM-6 - Medium - CCI-000366 - V-39426 - SV-51284r2_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN002460-ESXI5-20047

Vuln IDs

V-39426

Rule IDs

SV-51284r2_rule

Files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation, security problems can result if setgid is assigned to programs that allow reading and writing of files, or shell escapes.System Administrator

Checks: C-46700r2_chk

Ask the SA if the system is checked for unauthorized setgid files on a weekly basis. To manually perform the check, disable lock down mode, enable the ESXi Shell, and execute the following command: # find / -perm -2000 -exec ls -lL {} \; Re-enable lock down mode. If no automated or manual process is in place, this is a finding.

Fix: F-44439r2_fix

Configure the system to check for unauthorized setgid files on a weekly basis. Refer to the Check Content section above for the basic command structure to search the file system. Additionally, ensure persistence of the command output by storing results to a target located on persistent storage.

a

For systems using DNS resolution, at least two name servers must be configured.

CM-6 - Low - CCI-000366 - V-39427 - SV-51285r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

GEN001375-ESXI5-000086

Vuln IDs

V-39427

Rule IDs

SV-51285r1_rule

To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Checks: C-46701r1_chk

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab and view the listed DNS server setting(s). If DNS is not configured and is not used, this is not a finding. If DNS is configured with less than 2 servers, this is a finding.

Fix: F-44440r1_fix

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab and view the listed DNS server setting(s). If DNS is configured has less than 2 servers configured, add a second server.

c

If the system boots from removable media, it must be stored in a safe or similarly secured container.

CM-6 - High - CCI-000366 - V-39428 - SV-51286r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

GEN008680-ESXI5-000056

Vuln IDs

V-39428

Rule IDs

SV-51286r1_rule

Storing the boot loader on removable media in an insecure location could allow a malicious user to modify the systems boot instructions or boot to an insecure operating system.

Checks: C-46702r1_chk

Ask the SA if the system boots from removable media. If so, ask if the boot media is stored in a secure container when not in use. If it is not, this is a finding.

Fix: F-44441r1_fix

Store the system boot media in a secure container when not in use.

c

The operating system must be a supported release.

CM-6 - High - CCI-000366 - V-39429 - SV-51287r1_rule

RMF Control

CM-6

Severity

H

CCI

CCI-000366

Version

GEN000100-ESXI5-000062

Vuln IDs

V-39429

Rule IDs

SV-51287r1_rule

An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Checks: C-46703r1_chk

From the vSphere Client/vCenter and select the host: View the menu header above the "Configuration" tab. If the version is not supported, this is a finding.

Fix: F-44442r1_fix

Upgrade to a supported version.

b

The system clock must be synchronized to an authoritative DoD time source.

CM-6 - Medium - CCI-000366 - V-39430 - SV-51288r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN000240-ESXI5-000058

Vuln IDs

V-39430

Rule IDs

SV-51288r1_rule

To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.

Checks: C-46704r1_chk

From the vSphere Client: Select the host and click "Configuration >> Time Configuration". Select the properties link and chose 'Options'. Select NTP Settings to view configured NTP servers. If NTP is not synchronized with an authoritative time source within DoD, this is a finding.

Fix: F-44443r2_fix

From the vSphere Client: Select the host and click "Configuration >> Time Configuration". Select the properties link and chose 'Options'. From the General tab start the NTP service and select "Start and stop with host". From the NTP Settings tab click the ' Add' button to add the organization defined, authoritative time source within DoD NTP servers.

b

The IPv6 protocol handler must not be bound to the network stack unless needed.

CM-6 - Medium - CCI-000366 - V-39431 - SV-51289r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN007700-ESXI5-000116

Vuln IDs

V-39431

Rule IDs

SV-51289r1_rule

IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.

Checks: C-46705r1_chk

If the system uses IPv6, this is not applicable. By default, IPv6 is disabled for the management VMkernel port. To check IPv6 on VMware ESXi, from the vSphere Client/vCenter Server Home page, click Datacenter, Hosts and Clusters. Select the host and click the Configuration tab. Click the Networking link under Hardware. In the vSphere Standard Switch view, click the Properties link. Verify that IPv6 support on this host is disabled and click Cancel. If IPv6 support is enabled and the system does not use IPv6, this is a finding.

Fix: F-44444r1_fix

By default, IPv6 is disabled for the management VMkernel port. To disable IPv6 on VMware ESXi, from the vSphere Client/vCenter Server Home page, click Datacenter, Hosts and Clusters. Select the host and click the Configuration tab. Click the Networking link under Hardware. In the vSphere Standard Switch view, click the Properties link. Select Disable IPv6 support on this host and click OK. Reboot the host.

b

The IPv6 protocol handler must not be installed unless needed.

CM-6 - Medium - CCI-000366 - V-39432 - SV-51290r1_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

GEN007740-ESXI5-000118

Vuln IDs

V-39432

Rule IDs

SV-51290r1_rule

IPv6 is the next generation of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-46706r1_chk

If the system uses IPv6, this is not applicable. By default, IPv6 is disabled for the management VMkernel port used to manage ESXi. End users of the VMware ESXi infrastructure don't directly connect to the hosts. If vCenter Server is used for management tasks, configure IPv6 on vCenter instead of the ESXi hosts. The only time it is required to configure IPv6 on ESXi hosts is if the vSphere Client connects directly to manage hosts from an IPv6-only device. vSphere Client direct connections are not allowed per this STIG. All vSphere Client traffic must connect thru the vCenter Server. Ask the SA if IPv6 is enabled on the host. If the IPv6 protocol handler is enabled and the system does not use IPv6, this is a finding.

Fix: F-44445r1_fix

To disable IPv6, click the arrow next to the Inventory button in the navigation bar and select Hosts and Clusters. Select the host and click the Configuration tab. Click the Networking link under Hardware. In the Virtual Switch view, click the Properties link. De-select "Enable IPv6 support on this host" and click OK. Reboot the host in order for the change(s) to take effect.

Content changes 11

Checks: C-46510r1_chk

Fix: F-44225r1_fix

Generate Mitigation Statement:

Checks: C-46511r1_chk

Fix: F-44226r4_fix

Generate Mitigation Statement:

Checks: C-46512r1_chk

Fix: F-44227r1_fix

Generate Mitigation Statement:

Checks: C-46513r3_chk

Fix: F-44228r2_fix

Generate Mitigation Statement:

Checks: C-46514r2_chk

Fix: F-44229r2_fix

Generate Mitigation Statement:

Checks: C-46515r2_chk

Fix: F-44230r1_fix

Generate Mitigation Statement:

Checks: C-46516r4_chk

Fix: F-44231r2_fix

Generate Mitigation Statement:

Checks: C-46517r2_chk

Fix: F-44232r2_fix

Generate Mitigation Statement:

Checks: C-46518r1_chk

Fix: F-44233r1_fix

Generate Mitigation Statement:

Checks: C-46519r1_chk

Fix: F-44234r1_fix

Generate Mitigation Statement:

Checks: C-46520r1_chk

Fix: F-44235r1_fix

Generate Mitigation Statement:

Checks: C-46521r1_chk

Fix: F-44236r1_fix

Generate Mitigation Statement:

Checks: C-46522r1_chk

Fix: F-44237r1_fix

Generate Mitigation Statement:

Checks: C-46523r1_chk

Fix: F-44238r1_fix

Generate Mitigation Statement:

Checks: C-46524r1_chk

Fix: F-44239r1_fix

Generate Mitigation Statement:

Checks: C-46525r2_chk

Fix: F-44240r2_fix

Generate Mitigation Statement:

Checks: C-46526r1_chk

Fix: F-44241r1_fix

Generate Mitigation Statement:

Checks: C-46527r1_chk

Fix: F-44242r1_fix

Generate Mitigation Statement:

Checks: C-46528r1_chk

Fix: F-44243r1_fix

Generate Mitigation Statement:

Checks: C-46529r1_chk

Fix: F-44244r1_fix

Generate Mitigation Statement:

Checks: C-46530r2_chk

Fix: F-44245r2_fix

Generate Mitigation Statement:

Checks: C-46531r2_chk

Fix: F-44246r2_fix

Generate Mitigation Statement:

Checks: C-46532r2_chk

Fix: F-44247r2_fix

Generate Mitigation Statement:

Checks: C-46533r6_chk

Fix: F-44248r6_fix

Generate Mitigation Statement:

Checks: C-46534r8_chk

Fix: F-44249r7_fix

Generate Mitigation Statement:

Checks: C-46535r2_chk

Fix: F-44250r1_fix

Generate Mitigation Statement:

Checks: C-46537r5_chk