Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide

V1R6 · · · Released 22 Jan 2016 · 51 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R5 · 24 Jul 2015 −1

Comparison against the immediately-prior release (V1R5). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Removed rules 1

  • V-39502 High The virtual system hardware of a virtual machine must be kept secured/updated.
Sort by
c
The system must control virtual machine access to host resources.
CM-6 - High - CCI-000366 - V-39442 - SV-51300r2_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
ESXI5-VM-000001
Vuln IDs
  • V-39442
Rule IDs
  • SV-51300r2_rule
By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.
Checks: C-46717r4_chk

Virtual machines (VMs) that have a greater risk of being exploited or attacked, or that run applications known to potentially consume resources must be constrained. From the vSphere Client/vCenter, select the Datacenter/host. Right-click the VM, select Edit Settings to check the virtual machine's memory and/or CPU shares, limits, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. Care must be taken to ensure that the settings do not hamper dynamic resource allocation and management proper to virtualization systems. If any host VMs do not have share, limit, and/or reservation setpoints initialized, as appropriate to their respective levels of the risk of exploit or attack, this is a finding.

Fix: F-44455r2_fix

From the vCenter client, select the Datacenter/host. Right-click the VM select Edit Settings to configure the virtual machine's memory and/or CPU limits, shares, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. With the appropriate (site-specific) level selected for the VM, select the OK button to save any change(s).

a
The system must disable tools auto install.
CM-6 - Low - CCI-000366 - V-39443 - SV-51301r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000002
Vuln IDs
  • V-39443
Rule IDs
  • SV-51301r1_rule
Tools auto install can initiate an automatic reboot, disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.
Checks: C-46718r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.autoInstall.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44456r4_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.autoInstall.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must explicitly disable copy operations.
CM-6 - Low - CCI-000366 - V-39444 - SV-51302r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000003
Vuln IDs
  • V-39444
Rule IDs
  • SV-51302r1_rule
Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.
Checks: C-46719r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.copy.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44457r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.copy.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must explicitly disable drag and drop operations.
CM-6 - Low - CCI-000366 - V-39445 - SV-51303r2_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000004
Vuln IDs
  • V-39445
Rule IDs
  • SV-51303r2_rule
Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.
Checks: C-46720r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.dnd.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the keyval is set to "FALSE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44458r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.dnd.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must explicitly disable any GUI functionality for copy/paste operations.
CM-6 - Low - CCI-000366 - V-39446 - SV-51304r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000005
Vuln IDs
  • V-39446
Rule IDs
  • SV-51304r1_rule
Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.
Checks: C-46721r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.setGUIOptions.enable keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44459r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.setGUIOptions.enable keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must explicitly disable paste operations.
CM-6 - Low - CCI-000366 - V-39447 - SV-51305r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000006
Vuln IDs
  • V-39447
Rule IDs
  • SV-51305r1_rule
Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.
Checks: C-46722r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.paste.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44460r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.paste.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c
The system must disable virtual disk shrinking.
CM-6 - High - CCI-000366 - V-39448 - SV-51306r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
ESXI5-VM-000007
Vuln IDs
  • V-39448
Rule IDs
  • SV-51306r1_rule
Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to non-administrative users operating within the VMs guest OS.
Checks: C-46723r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.diskShrink.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44461r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.diskShrink.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c
The system must disable virtual disk erasure.
CM-6 - High - CCI-000366 - V-39449 - SV-51307r1_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
ESXI5-VM-000008
Vuln IDs
  • V-39449
Rule IDs
  • SV-51307r1_rule
Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VMs guest OS.
Checks: C-46724r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.diskWiper.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44463r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.diskWiper.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disable HGFS file transfers.
CM-6 - Medium - CCI-000366 - V-39450 - SV-51308r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000009
Vuln IDs
  • V-39450
Rule IDs
  • SV-51308r1_rule
Certain automated operations such as automated tools upgrades, use a component into the hypervisor called "Host Guest File System" and an attacker could potentially use this to transfer files inside the guest OS.
Checks: C-46725r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.hgfsServerSet.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44464r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.hgfsServerSet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c
The system must not use independent, non-persistent disks.
CM-6 - High - CCI-000366 - V-39451 - SV-51309r3_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
ESXI5-VM-000010
Vuln IDs
  • V-39451
Rule IDs
  • SV-51309r3_rule
The security issue with non-persistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. System Administrator
Checks: C-46726r5_chk

If a virtual machine does not utilize independent disks, this is not applicable Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log on with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate any/all vmx files. # find / | grep vmx Check the ".vmx" file for the correct attribute/assignment pair. Note that the integer values of both X and Y (for the attribute scsiX:Y.mode) must be greater than or equal to 0 , depending upon the system configuration. # grep "^scsi" &lt;the VM's vmx file&gt; | grep independent Example output for the above command: scsi2:0.mode = "independent-persistent" If the attribute assignment is not "independent-persistent", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44465r4_fix

Configure the vmx file with the correct attribute/assignment pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following line to the vmx file. Note that X and Y must be greater than or equal to 0 (based on the system configuration). scsiX:Y.mode = "independent-persistent" Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disable VM-to-VM communication through VMCI.
CM-6 - Medium - CCI-000366 - V-39452 - SV-51310r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000011
Vuln IDs
  • V-39452
Rule IDs
  • SV-51310r1_rule
If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built software can have unexpected vulnerabilities that might potentially lead to an exploit. Additionally, it is possible for a VM to detect how many other VMs are within the same ESX system by simply registering the VM. This information might also be used for a potentially malicious objective. By default, the setting is FALSE. The VM can be exposed to other VMs within the same system as long as there is at least one program connected to the VMCI socket interface.
Checks: C-46727r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = vmci0.unrestricted keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44466r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmci0.unrestricted keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disable VM logging, unless required.
CM-6 - Medium - CCI-000366 - V-39453 - SV-51311r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000012
Vuln IDs
  • V-39453
Rule IDs
  • SV-51311r2_rule
Excessive VM logging may degrade system performance. The following settings can be used to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.
Checks: C-46728r2_chk

If VM log file rotation is not degrading system performance and the VM requires logging to be enabled for troubleshooting, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = logging keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the logging keyword is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44467r2_fix

VM logging should be disabled by default, unless required for troubleshooting. To disable logging for a VM with logging enabled, configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = logging keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disable VM Monitor Control during normal operation.
CM-6 - Medium - CCI-000366 - V-39454 - SV-51312r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000013
Vuln IDs
  • V-39454
Rule IDs
  • SV-51312r1_rule
When Virtual Machines are running on a hypervisor they are "aware" that they are running in a virtual environment and this information is available to tools inside the guest OS. This can give attackers information about the platform that they are running on that they may not get from a normal physical server. This option completely disables all hooks for a virtual machine and the guest OS will not be aware that it is running in a virtual environment at all. This feature may be enabled for short term diagnostics and troubleshooting, but must be disabled prior to resumption of normal operations.
Checks: C-46729r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.monitor.control.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44468r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.monitor.control.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39456 - SV-51314r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000014
Vuln IDs
  • V-39456
Rule IDs
  • SV-51314r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46730r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.ghi.autologon.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44469r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.autologon.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39457 - SV-51315r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000015
Vuln IDs
  • V-39457
Rule IDs
  • SV-51315r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46731r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.bios.bbs.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44784r1_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.bios.bbs.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39458 - SV-51316r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000016
Vuln IDs
  • V-39458
Rule IDs
  • SV-51316r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46732r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.getCreds.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44471r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.getCreds.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39459 - SV-51317r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000017
Vuln IDs
  • V-39459
Rule IDs
  • SV-51317r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46733r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.ghi.launchmenu.change keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44472r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.launchmenu.change keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39461 - SV-51319r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000018
Vuln IDs
  • V-39461
Rule IDs
  • SV-51319r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46734r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.memSchedFakeSampleStats.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44473r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.memSchedFakeSampleStats.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39462 - SV-51320r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000019
Vuln IDs
  • V-39462
Rule IDs
  • SV-51320r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46735r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.ghi.protocolhandler.info.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44475r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.protocolhandler.info.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39463 - SV-51321r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000020
Vuln IDs
  • V-39463
Rule IDs
  • SV-51321r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46736r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.ghi.host.shellAction.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44476r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.ghi.host.shellAction.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39477 - SV-51335r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000021
Vuln IDs
  • V-39477
Rule IDs
  • SV-51335r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46737r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.dispTopoRequest.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44490r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.dispTopoRequest.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39478 - SV-51336r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000022
Vuln IDs
  • V-39478
Rule IDs
  • SV-51336r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46738r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.trashFolderState.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44491r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.trashFolderState.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39479 - SV-51337r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000023
Vuln IDs
  • V-39479
Rule IDs
  • SV-51337r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46739r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.ghi.trayicon.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44492r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.trayicon.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39480 - SV-51338r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000024
Vuln IDs
  • V-39480
Rule IDs
  • SV-51338r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46740r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unity.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44493r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39481 - SV-51339r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000025
Vuln IDs
  • V-39481
Rule IDs
  • SV-51339r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46741r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unityInterlockOperation.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44494r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unityInterlockOperation.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39482 - SV-51340r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000026
Vuln IDs
  • V-39482
Rule IDs
  • SV-51340r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46742r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unity.push.update.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44495r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.push.update.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39483 - SV-51341r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000027
Vuln IDs
  • V-39483
Rule IDs
  • SV-51341r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46743r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unity.taskbar.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44496r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.taskbar.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39484 - SV-51342r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000028
Vuln IDs
  • V-39484
Rule IDs
  • SV-51342r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46744r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unityActive.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44497r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unityActive.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39485 - SV-51343r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000029
Vuln IDs
  • V-39485
Rule IDs
  • SV-51343r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46745r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.unity.windowContents.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44498r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.windowContents.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39486 - SV-51344r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000030
Vuln IDs
  • V-39486
Rule IDs
  • SV-51344r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46746r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.vmxDnDVersionGet.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44499r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.vmxDnDVersionGet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VMs potential attack vectors.
CM-6 - Low - CCI-000366 - V-39487 - SV-51345r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000031
Vuln IDs
  • V-39487
Rule IDs
  • SV-51345r1_rule
Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Checks: C-46747r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.guestDnDVersionSet.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44500r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.guestDnDVersionSet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must disable VIX messages from the VM.
CM-6 - Low - CCI-000366 - V-39488 - SV-51346r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000033
Vuln IDs
  • V-39488
Rule IDs
  • SV-51346r1_rule
The VIX API is a library for writing scripts and programs to manipulate virtual machines. If custom VIX programming is not used in the environment, then disable features to reduce the potential for vulnerabilities. Unprivileged code running in a VMware virtual machine (guest OS) may break out of the VMX process, and elevate from unprivileged guest code execution to host kernel code execution. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does "not" adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd party solutions that rely upon this capability should continue to work.
Checks: C-46748r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.tools.vixMessage.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44501r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.vixMessage.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disconnect unauthorized floppy devices.
AC-19 - Medium - CCI-000085 - V-39489 - SV-51347r3_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
ESXI5-VM-000034
Vuln IDs
  • V-39489
Rule IDs
  • SV-51347r3_rule
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, the parameter must be assigned a value of false. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.System Administrator
Checks: C-46749r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate any/all vmx files. # find / | grep vmx Check the ".vmx" file for the correct attribute/assignment pair. Note that the integer value of X (for the attribute floppyX.present) must be greater than or equal to 0, depending upon the system configuration. # grep "^floppy" &lt;the VM's vmx file&gt; Example output for the above command: floppyX.present = "false" If the floppyX.present attribute (X must be greater than or equal to 0) is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44785r2_fix

Configure the vmx file with the correct attribute/assignment pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following line to the vmx file. Note that X must be greater than or equal to 0 (based on the system configuration). floppyX.present = "false" Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disconnect unauthorized IDE devices.
AC-19 - Medium - CCI-000085 - V-39490 - SV-51348r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
ESXI5-VM-000035
Vuln IDs
  • V-39490
Rule IDs
  • SV-51348r2_rule
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
Checks: C-46750r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = ideX:Y.present (X and Y &gt;= 0) keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the ideX:Y.present keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44502r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = ideX:Y.present (X and Y >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disconnect unauthorized parallel devices.
AC-19 - Medium - CCI-000085 - V-39491 - SV-51349r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
ESXI5-VM-000036
Vuln IDs
  • V-39491
Rule IDs
  • SV-51349r2_rule
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
Checks: C-46751r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = parallelX.present (X &gt;= 0) keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44503r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = parallelX.present (X >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disconnect unauthorized serial devices.
AC-19 - Medium - CCI-000085 - V-39492 - SV-51350r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
ESXI5-VM-000037
Vuln IDs
  • V-39492
Rule IDs
  • SV-51350r2_rule
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
Checks: C-46752r5_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = serialX.present (X &gt;= 0) keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44504r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = serialX.present (X >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must disconnect unauthorized USB devices.
AC-19 - Medium - CCI-000085 - V-39493 - SV-51351r2_rule
RMF Control
AC-19
Severity
M
CCI
CCI-000085
Version
ESXI5-VM-000038
Vuln IDs
  • V-39493
Rule IDs
  • SV-51351r2_rule
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
Checks: C-46753r3_chk

If USB is required, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = usb.present keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the usb.present keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44505r2_fix

If USB is required, no fix is required. Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = usb.present keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must limit sharing of console connections.
CM-6 - Medium - CCI-000366 - V-39494 - SV-51352r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000039
Vuln IDs
  • V-39494
Rule IDs
  • SV-51352r1_rule
By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.
Checks: C-46754r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = RemoteDisplay.maxConnections keyval = 1 # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44506r4_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = RemoteDisplay.maxConnections keyval = 1 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must limit VM logging records.
CM-6 - Medium - CCI-000366 - V-39495 - SV-51353r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000041
Vuln IDs
  • V-39495
Rule IDs
  • SV-51353r1_rule
Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. If restricting the total size of logging data is wanted, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.
Checks: C-46755r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = log.keepOld keyval = 10 # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. NOTE: This setting has no effect on VMs that already have logging disabled. This setting, however, will enforce the limiting of VM logging records should there be a "temporary" need to enable VM logging to troubleshoot a VM performance issue. Re-enable Lockdown Mode on the host.

Fix: F-44507r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = log.keepOld keyval = 10 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must limit VM logging record contents.
CM-6 - Medium - CCI-000366 - V-39496 - SV-51354r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000042
Vuln IDs
  • V-39496
Rule IDs
  • SV-51354r1_rule
Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. If restricting the total size of logging data is wanted, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.
Checks: C-46756r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = log.rotateSize keyval = 100000 # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44508r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = log.rotateSize keyval = 100000 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a
The system must limit informational messages from the VM to the VMX file.
CM-6 - Low - CCI-000366 - V-39497 - SV-51355r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000043
Vuln IDs
  • V-39497
Rule IDs
  • SV-51355r1_rule
The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.
Checks: C-46757r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = tools.setinfo.sizeLimit keyval = 1048576 # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44509r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = tools.setinfo.sizeLimit keyval = 1048576 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must minimize use of the VM console.
CM-6 - Medium - CCI-000366 - V-39498 - SV-51356r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000044
Vuln IDs
  • V-39498
Rule IDs
  • SV-51356r1_rule
The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously.
Checks: C-46758r1_chk

Remote management services, such as terminal services and SSH, must be used to interact with virtual machines. VM console access should only be granted when remote management services are unavailable or insufficient to perform necessary management tasks. Ask the SA if a VM console is used to perform VM management tasks, other than for troubleshooting (non-management) VM performance issues. If a VM console is used to perform VM management tasks, other than for troubleshooting (non-management) VM performance issues, this is a finding. If SSH and/or terminal management services are exclusively used to perform management tasks, this is not a finding.

Fix: F-44510r1_fix

Develop a policy prohibiting the use of a VM console for performing management services. This policy should include procedures for the use of SSH and Terminal Management services for VM management. Where SSH and Terminal Management services prove insufficient to troubleshoot a VM, access to the VM console may be temporarily granted for simultaneous.

b
The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true.
CM-6 - Medium - CCI-000366 - V-39499 - SV-51357r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000045
Vuln IDs
  • V-39499
Rule IDs
  • SV-51357r1_rule
Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, the virtual machine settings should use editor or configuration editor to remove any unneeded or unused hardware devices. However, the device may need to be used again, so removing it is not always a good solution. In that case, prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with non-administrator privileges in a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive.
Checks: C-46759r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.device.connectable.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44511r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.device.connectable.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must prevent unauthorized removal, connection and modification of devices.
CM-6 - Medium - CCI-000366 - V-39500 - SV-51358r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000046
Vuln IDs
  • V-39500
Rule IDs
  • SV-51358r1_rule
Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, the virtual machine settings should use editor or configuration editor to remove any unneeded or unused hardware devices. However, the device may need to be used again, so removing it is not always a good solution. In that case, prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with non-administrator privileges in a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive.
Checks: C-46760r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = isolation.device.edit.disable keyval = TRUE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44512r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.device.edit.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must not send host information to guests.
CM-6 - Medium - CCI-000366 - V-39501 - SV-51359r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000047
Vuln IDs
  • V-39501
Rule IDs
  • SV-51359r1_rule
If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.
Checks: C-46761r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = tools.guestlib.enableHostInfo keyval = FALSE # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44513r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = tools.guestlib.enableHostInfo keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must use secure protocols for virtual serial port access.
SC-9 - Medium - CCI-001130 - V-39503 - SV-51361r1_rule
RMF Control
SC-9
Severity
M
CCI
CCI-001130
Version
ESXI5-VM-000049
Vuln IDs
  • V-39503
Rule IDs
  • SV-51361r1_rule
Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for low-level access, which often does not have strong controls like logging or privileges.
Checks: C-46763r1_chk

Ask the SA if a secure protocol like SSH or Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports. Note that SSH is preferred to Telnets. If Telnet is used, this is a finding.

Fix: F-44515r1_fix

Use a secure protocol like SSH or Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports. Note that SSH is preferred to Telnets.

a
The system must use templates to deploy VMs whenever possible.
CM-6 - Low - CCI-000366 - V-39504 - SV-51362r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000050
Vuln IDs
  • V-39504
Rule IDs
  • SV-51362r1_rule
By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this template to create other, application-specific templates, or use the application template to deploy virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error.
Checks: C-46764r1_chk

Ask the SA if hardened, patched templates are used for VM creation, properly configured OS deployments, including applications both dependent and non-dependent on VM-specific configurations. If hardened, patched templates are not used for VM creation, this is a finding.

Fix: F-44516r1_fix

Hardened, patched templates must be used for VM creation, properly configured OS deployments and applications. Applications dependent on VM-specific information must also use hardened, patched templates.

a
The system must control access to VMs through the dvfilter network APIs.
CM-6 - Low - CCI-000366 - V-39505 - SV-51363r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
ESXI5-VM-000051
Vuln IDs
  • V-39505
Rule IDs
  • SV-51363r1_rule
A VM must be configured explicitly to accept access by the dvfilter network API. This should be performed only for VMs that require the dvfilter network API. An attacker might compromise the VM by making use of this introspection channel.
Checks: C-46765r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx If a VM is not supposed to be protected by a product using the dvfilter API, ensure the following is not present in its VMX file: ethernet0.filter1.name = dv-filter1 where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. If the VM is supposed to be protected, check that the name of the data path kernel is set correctly. # grep "^ethernet" &lt;the VM's vmx file&gt; If a dvfilter is not being used, and the above command return is empty, this is not a finding. If a dvfilter is being used, and the above command return is either empty or does not contain the correctly formatted network adaptor interface, filter number , and data path kernel module, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44517r2_fix

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. ethernet0.filter1.name = dv-filter1 Where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must control access to VMs through VMsafe CPU/memory APIs.
CM-6 - Medium - CCI-000366 - V-39506 - SV-51364r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000052
Vuln IDs
  • V-39506
Rule IDs
  • SV-51364r1_rule
The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.
Checks: C-46766r2_chk

If the VMsafe API is not used, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = vmsafe.agentAddress keyval = www.xxx.yyy.zzz (w thru z are integer values of the agent's site-specific IP Address) # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), and the VMsafe API is used, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44518r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.agentAddress keyval = www.xxx.yyy.zzz (w thru z are integer values of the agent's site-specific IP Address) Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must control access to VMs through the VMsafe CPU/memory vmsafe.agentPort API.
CM-6 - Medium - CCI-000366 - V-39507 - SV-51365r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000053
Vuln IDs
  • V-39507
Rule IDs
  • SV-51365r1_rule
The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.
Checks: C-46767r2_chk

If the VMsafe API is not used, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = vmsafe.agentPort keyval = nnnn (nnnn is the port number that the VMsafe CPU/memory used to connect to the introspection virtual switch) # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the above command return is either empty or does not reflect the above keyword and keyval value(s), and the VMsafe API is used, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44519r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.agentPort keyval = nnnn (nnnn is the port number that the VMsafe CPU/memory used to connect to the introspection virtual switch) Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b
The system must control access to VMs through the VMsafe CPU/memory vmsafe.enable API.
CM-6 - Medium - CCI-000366 - V-39508 - SV-51366r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
ESXI5-VM-000054
Vuln IDs
  • V-39508
Rule IDs
  • SV-51366r2_rule
The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.
Checks: C-46768r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "&lt;keyword&gt; = &lt;keyval&gt;" pair. keyword = vmsafe.enable keyval = TRUE (if the VMSafe API is used) keyval = FALSE (if the VMSafe API is "not" used) # grep "^&lt;keyword&gt;" &lt;the VM's vmx file&gt; If the keyval is set to "TRUE" and use of the VMSafe API is required, this is not a finding. Otherwise, if the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44520r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.enable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.