View STIG - VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide V1R7

c

The system must control virtual machine access to host resources.

CM-6 - High - CCI-000366 - V-39442 - SV-51300r2_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000366

Version

ESXI5-VM-000001

Vuln IDs

V-39442

Rule IDs

SV-51300r2_rule

By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.

Checks: C-46717r4_chk

Virtual machines (VMs) that have a greater risk of being exploited or attacked, or that run applications known to potentially consume resources must be constrained. From the vSphere Client/vCenter, select the Datacenter/host. Right-click the VM, select Edit Settings to check the virtual machine's memory and/or CPU shares, limits, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. Care must be taken to ensure that the settings do not hamper dynamic resource allocation and management proper to virtualization systems. If any host VMs do not have share, limit, and/or reservation setpoints initialized, as appropriate to their respective levels of the risk of exploit or attack, this is a finding.

Fix: F-44455r2_fix

From the vCenter client, select the Datacenter/host. Right-click the VM select Edit Settings to configure the virtual machine's memory and/or CPU limits, shares, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. With the appropriate (site-specific) level selected for the VM, select the OK button to save any change(s).

a

The system must disable tools auto install.

CM-6 - Low - CCI-000366 - V-39443 - SV-51301r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000002

Vuln IDs

V-39443

Rule IDs

SV-51301r1_rule

Tools auto install can initiate an automatic reboot, disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.

Checks: C-46718r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.autoInstall.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44456r4_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.autoInstall.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must explicitly disable copy operations.

CM-6 - Low - CCI-000366 - V-39444 - SV-51302r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000003

Vuln IDs

V-39444

Rule IDs

SV-51302r1_rule

Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-46719r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.copy.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44457r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.copy.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must explicitly disable drag and drop operations.

CM-6 - Low - CCI-000366 - V-39445 - SV-51303r2_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000004

Vuln IDs

V-39445

Rule IDs

SV-51303r2_rule

Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-46720r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.dnd.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the keyval is set to "FALSE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44458r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.dnd.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must explicitly disable any GUI functionality for copy/paste operations.

CM-6 - Low - CCI-000366 - V-39446 - SV-51304r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000005

Vuln IDs

V-39446

Rule IDs

SV-51304r1_rule

Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-46721r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.setGUIOptions.enable keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44459r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.setGUIOptions.enable keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must explicitly disable paste operations.

CM-6 - Low - CCI-000366 - V-39447 - SV-51305r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000006

Vuln IDs

V-39447

Rule IDs

SV-51305r1_rule

Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-46722r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.paste.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44460r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.paste.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c

The system must disable virtual disk shrinking.

CM-6 - High - CCI-000366 - V-39448 - SV-51306r1_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000366

Version

ESXI5-VM-000007

Vuln IDs

V-39448

Rule IDs

SV-51306r1_rule

Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to non-administrative users operating within the VMs guest OS.

Checks: C-46723r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.diskShrink.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44461r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.diskShrink.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c

The system must disable virtual disk erasure.

CM-6 - High - CCI-000366 - V-39449 - SV-51307r1_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000366

Version

ESXI5-VM-000008

Vuln IDs

V-39449

Rule IDs

SV-51307r1_rule

Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VMs guest OS.

Checks: C-46724r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.diskWiper.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44463r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.diskWiper.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disable HGFS file transfers.

CM-6 - Medium - CCI-000366 - V-39450 - SV-51308r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000009

Vuln IDs

V-39450

Rule IDs

SV-51308r1_rule

Certain automated operations such as automated tools upgrades, use a component into the hypervisor called "Host Guest File System" and an attacker could potentially use this to transfer files inside the guest OS.

Checks: C-46725r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.hgfsServerSet.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44464r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.hgfsServerSet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

c

The system must not use independent, non-persistent disks.

CM-6 - High - CCI-000366 - V-39451 - SV-51309r3_rule

RMF Control

CM-6

Severity

High

CCI

CCI-000366

Version

ESXI5-VM-000010

Vuln IDs

V-39451

Rule IDs

SV-51309r3_rule

The security issue with non-persistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. System Administrator

Checks: C-46726r5_chk

If a virtual machine does not utilize independent disks, this is not applicable Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log on with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate any/all vmx files. # find / | grep vmx Check the ".vmx" file for the correct attribute/assignment pair. Note that the integer values of both X and Y (for the attribute scsiX:Y.mode) must be greater than or equal to 0 , depending upon the system configuration. # grep "^scsi" <the VM's vmx file> | grep independent Example output for the above command: scsi2:0.mode = "independent-persistent" If the attribute assignment is not "independent-persistent", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44465r4_fix

Configure the vmx file with the correct attribute/assignment pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following line to the vmx file. Note that X and Y must be greater than or equal to 0 (based on the system configuration). scsiX:Y.mode = "independent-persistent" Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disable VM-to-VM communication through VMCI.

CM-6 - Medium - CCI-000366 - V-39452 - SV-51310r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000011

Vuln IDs

V-39452

Rule IDs

SV-51310r1_rule

If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built software can have unexpected vulnerabilities that might potentially lead to an exploit. Additionally, it is possible for a VM to detect how many other VMs are within the same ESX system by simply registering the VM. This information might also be used for a potentially malicious objective. By default, the setting is FALSE. The VM can be exposed to other VMs within the same system as long as there is at least one program connected to the VMCI socket interface.

Checks: C-46727r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = vmci0.unrestricted keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44466r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmci0.unrestricted keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disable VM logging, unless required.

CM-6 - Medium - CCI-000366 - V-39453 - SV-51311r2_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000012

Vuln IDs

V-39453

Rule IDs

SV-51311r2_rule

Excessive VM logging may degrade system performance. The following settings can be used to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.

Checks: C-46728r2_chk

If VM log file rotation is not degrading system performance and the VM requires logging to be enabled for troubleshooting, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = logging keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the logging keyword is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44467r2_fix

VM logging should be disabled by default, unless required for troubleshooting. To disable logging for a VM with logging enabled, configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = logging keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disable VM Monitor Control during normal operation.

CM-6 - Medium - CCI-000366 - V-39454 - SV-51312r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000013

Vuln IDs

V-39454

Rule IDs

SV-51312r1_rule

When Virtual Machines are running on a hypervisor they are "aware" that they are running in a virtual environment and this information is available to tools inside the guest OS. This can give attackers information about the platform that they are running on that they may not get from a normal physical server. This option completely disables all hooks for a virtual machine and the guest OS will not be aware that it is running in a virtual environment at all. This feature may be enabled for short term diagnostics and troubleshooting, but must be disabled prior to resumption of normal operations.

Checks: C-46729r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.monitor.control.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44468r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.monitor.control.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39456 - SV-51314r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000014

Vuln IDs

V-39456

Rule IDs

SV-51314r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46730r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.ghi.autologon.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44469r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.autologon.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39457 - SV-51315r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000015

Vuln IDs

V-39457

Rule IDs

SV-51315r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46731r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.bios.bbs.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44784r1_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.bios.bbs.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39458 - SV-51316r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000016

Vuln IDs

V-39458

Rule IDs

SV-51316r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46732r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.getCreds.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44471r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.getCreds.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39459 - SV-51317r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000017

Vuln IDs

V-39459

Rule IDs

SV-51317r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46733r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.ghi.launchmenu.change keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44472r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.launchmenu.change keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39461 - SV-51319r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000018

Vuln IDs

V-39461

Rule IDs

SV-51319r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46734r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.memSchedFakeSampleStats.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44473r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.memSchedFakeSampleStats.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39462 - SV-51320r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000019

Vuln IDs

V-39462

Rule IDs

SV-51320r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46735r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.ghi.protocolhandler.info.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44475r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.protocolhandler.info.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39463 - SV-51321r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000020

Vuln IDs

V-39463

Rule IDs

SV-51321r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46736r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.ghi.host.shellAction.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44476r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.ghi.host.shellAction.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39477 - SV-51335r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000021

Vuln IDs

V-39477

Rule IDs

SV-51335r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46737r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.dispTopoRequest.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44490r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.dispTopoRequest.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39478 - SV-51336r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000022

Vuln IDs

V-39478

Rule IDs

SV-51336r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46738r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.trashFolderState.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44491r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.trashFolderState.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39479 - SV-51337r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000023

Vuln IDs

V-39479

Rule IDs

SV-51337r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46739r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.ghi.trayicon.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44492r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.ghi.trayicon.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39480 - SV-51338r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000024

Vuln IDs

V-39480

Rule IDs

SV-51338r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46740r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unity.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44493r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39481 - SV-51339r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000025

Vuln IDs

V-39481

Rule IDs

SV-51339r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46741r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unityInterlockOperation.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44494r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unityInterlockOperation.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39482 - SV-51340r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000026

Vuln IDs

V-39482

Rule IDs

SV-51340r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46742r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unity.push.update.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44495r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.push.update.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39483 - SV-51341r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000027

Vuln IDs

V-39483

Rule IDs

SV-51341r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46743r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unity.taskbar.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44496r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.taskbar.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39484 - SV-51342r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000028

Vuln IDs

V-39484

Rule IDs

SV-51342r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46744r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unityActive.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44497r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unityActive.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39485 - SV-51343r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000029

Vuln IDs

V-39485

Rule IDs

SV-51343r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46745r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.unity.windowContents.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44498r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.unity.windowContents.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39486 - SV-51344r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000030

Vuln IDs

V-39486

Rule IDs

SV-51344r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46746r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.vmxDnDVersionGet.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44499r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.vmxDnDVersionGet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VMs potential attack vectors.

CM-6 - Low - CCI-000366 - V-39487 - SV-51345r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000031

Vuln IDs

V-39487

Rule IDs

SV-51345r1_rule

Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.

Checks: C-46747r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.guestDnDVersionSet.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44500r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.guestDnDVersionSet.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must disable VIX messages from the VM.

CM-6 - Low - CCI-000366 - V-39488 - SV-51346r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000033

Vuln IDs

V-39488

Rule IDs

SV-51346r1_rule

The VIX API is a library for writing scripts and programs to manipulate virtual machines. If custom VIX programming is not used in the environment, then disable features to reduce the potential for vulnerabilities. Unprivileged code running in a VMware virtual machine (guest OS) may break out of the VMX process, and elevate from unprivileged guest code execution to host kernel code execution. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does "not" adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd party solutions that rely upon this capability should continue to work.

Checks: C-46748r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.tools.vixMessage.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44501r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.tools.vixMessage.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disconnect unauthorized floppy devices.

AC-19 - Medium - CCI-000085 - V-39489 - SV-51347r3_rule

RMF Control

AC-19

Severity

Medium

CCI

CCI-000085

Version

ESXI5-VM-000034

Vuln IDs

V-39489

Rule IDs

SV-51347r3_rule

Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, the parameter must be assigned a value of false. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.System Administrator

Checks: C-46749r4_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate any/all vmx files. # find / | grep vmx Check the ".vmx" file for the correct attribute/assignment pair. Note that the integer value of X (for the attribute floppyX.present) must be greater than or equal to 0, depending upon the system configuration. # grep "^floppy" <the VM's vmx file> Example output for the above command: floppyX.present = "false" If the floppyX.present attribute (X must be greater than or equal to 0) is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44785r2_fix

Configure the vmx file with the correct attribute/assignment pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following line to the vmx file. Note that X must be greater than or equal to 0 (based on the system configuration). floppyX.present = "false" Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disconnect unauthorized IDE devices.

AC-19 - Medium - CCI-000085 - V-39490 - SV-51348r3_rule

RMF Control

AC-19

Severity

Medium

CCI

CCI-000085

Version

ESXI5-VM-000035

Vuln IDs

V-39490

Rule IDs

SV-51348r3_rule

Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.

Checks: C-46750r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = ideX:Y.present (X and Y >= 0) keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the ideX:Y.present keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44502r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = ideX:Y.present (X and Y >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disconnect unauthorized parallel devices.

AC-19 - Medium - CCI-000085 - V-39491 - SV-51349r2_rule

RMF Control

AC-19

Severity

Medium

CCI

CCI-000085

Version

ESXI5-VM-000036

Vuln IDs

V-39491

Rule IDs

SV-51349r2_rule

Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.

Checks: C-46751r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = parallelX.present (X >= 0) keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44503r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = parallelX.present (X >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disconnect unauthorized serial devices.

AC-19 - Medium - CCI-000085 - V-39492 - SV-51350r2_rule

RMF Control

AC-19

Severity

Medium

CCI

CCI-000085

Version

ESXI5-VM-000037

Vuln IDs

V-39492

Rule IDs

SV-51350r2_rule

Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.

Checks: C-46752r5_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = serialX.present (X >= 0) keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44504r3_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = serialX.present (X >= 0) keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must disconnect unauthorized USB devices.

AC-19 - Medium - CCI-000085 - V-39493 - SV-51351r2_rule

RMF Control

AC-19

Severity

Medium

CCI

CCI-000085

Version

ESXI5-VM-000038

Vuln IDs

V-39493

Rule IDs

SV-51351r2_rule

Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.

Checks: C-46753r3_chk

If USB is required, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = usb.present keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the usb.present keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44505r2_fix

If USB is required, no fix is required. Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = usb.present keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must limit sharing of console connections.

CM-6 - Medium - CCI-000366 - V-39494 - SV-51352r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000039

Vuln IDs

V-39494

Rule IDs

SV-51352r1_rule

By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.

Checks: C-46754r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = RemoteDisplay.maxConnections keyval = 1 # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44506r4_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = RemoteDisplay.maxConnections keyval = 1 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must limit VM logging records.

CM-6 - Medium - CCI-000366 - V-39495 - SV-51353r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000041

Vuln IDs

V-39495

Rule IDs

SV-51353r1_rule

Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. If restricting the total size of logging data is wanted, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.

Checks: C-46755r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = log.keepOld keyval = 10 # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. NOTE: This setting has no effect on VMs that already have logging disabled. This setting, however, will enforce the limiting of VM logging records should there be a "temporary" need to enable VM logging to troubleshoot a VM performance issue. Re-enable Lockdown Mode on the host.

Fix: F-44507r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = log.keepOld keyval = 10 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must limit VM logging record contents.

CM-6 - Medium - CCI-000366 - V-39496 - SV-51354r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000042

Vuln IDs

V-39496

Rule IDs

SV-51354r1_rule

Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files are created more frequently by limiting the maximum size of the log files. If restricting the total size of logging data is wanted, VMware recommends saving 10 log files, each one limited to 1,000KB. Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial-of-service due to the datastore becoming filled.

Checks: C-46756r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = log.rotateSize keyval = 100000 # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44508r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = log.rotateSize keyval = 100000 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

a

The system must limit informational messages from the VM to the VMX file.

CM-6 - Low - CCI-000366 - V-39497 - SV-51355r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000043

Vuln IDs

V-39497

Rule IDs

SV-51355r1_rule

The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.

Checks: C-46757r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = tools.setinfo.sizeLimit keyval = 1048576 # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44509r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = tools.setinfo.sizeLimit keyval = 1048576 Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must minimize use of the VM console.

CM-6 - Medium - CCI-000366 - V-39498 - SV-51356r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000044

Vuln IDs

V-39498

Rule IDs

SV-51356r1_rule

The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously.

Checks: C-46758r1_chk

Remote management services, such as terminal services and SSH, must be used to interact with virtual machines. VM console access should only be granted when remote management services are unavailable or insufficient to perform necessary management tasks. Ask the SA if a VM console is used to perform VM management tasks, other than for troubleshooting (non-management) VM performance issues. If a VM console is used to perform VM management tasks, other than for troubleshooting (non-management) VM performance issues, this is a finding. If SSH and/or terminal management services are exclusively used to perform management tasks, this is not a finding.

Fix: F-44510r1_fix

Develop a policy prohibiting the use of a VM console for performing management services. This policy should include procedures for the use of SSH and Terminal Management services for VM management. Where SSH and Terminal Management services prove insufficient to troubleshoot a VM, access to the VM console may be temporarily granted for simultaneous.

b

The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true.

CM-6 - Medium - CCI-000366 - V-39499 - SV-51357r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000045

Vuln IDs

V-39499

Rule IDs

SV-51357r1_rule

Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, the virtual machine settings should use editor or configuration editor to remove any unneeded or unused hardware devices. However, the device may need to be used again, so removing it is not always a good solution. In that case, prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with non-administrator privileges in a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive.

Checks: C-46759r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.device.connectable.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44511r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.device.connectable.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must prevent unauthorized removal, connection and modification of devices.

CM-6 - Medium - CCI-000366 - V-39500 - SV-51358r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000046

Vuln IDs

V-39500

Rule IDs

SV-51358r1_rule

Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, the virtual machine settings should use editor or configuration editor to remove any unneeded or unused hardware devices. However, the device may need to be used again, so removing it is not always a good solution. In that case, prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with non-administrator privileges in a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive.

Checks: C-46760r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = isolation.device.edit.disable keyval = TRUE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44512r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = isolation.device.edit.disable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must not send host information to guests.

CM-6 - Medium - CCI-000366 - V-39501 - SV-51359r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000047

Vuln IDs

V-39501

Rule IDs

SV-51359r1_rule

If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.

Checks: C-46761r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = tools.guestlib.enableHostInfo keyval = FALSE # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44513r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = tools.guestlib.enableHostInfo keyval = FALSE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must use secure protocols for virtual serial port access.

SC-9 - Medium - CCI-001130 - V-39503 - SV-51361r1_rule

RMF Control

SC-9

Severity

Medium

CCI

CCI-001130

Version

ESXI5-VM-000049

Vuln IDs

V-39503

Rule IDs

SV-51361r1_rule

Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for low-level access, which often does not have strong controls like logging or privileges.

Checks: C-46763r1_chk

Ask the SA if a secure protocol like SSH or Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports. Note that SSH is preferred to Telnets. If Telnet is used, this is a finding.

Fix: F-44515r1_fix

Use a secure protocol like SSH or Telnets (Telnet with SSL) as opposed to Telnet to access virtual serial ports. Note that SSH is preferred to Telnets.

a

The system must use templates to deploy VMs whenever possible.

CM-6 - Low - CCI-000366 - V-39504 - SV-51362r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000050

Vuln IDs

V-39504

Rule IDs

SV-51362r1_rule

By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this template to create other, application-specific templates, or use the application template to deploy virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error.

Checks: C-46764r1_chk

Ask the SA if hardened, patched templates are used for VM creation, properly configured OS deployments, including applications both dependent and non-dependent on VM-specific configurations. If hardened, patched templates are not used for VM creation, this is a finding.

Fix: F-44516r1_fix

Hardened, patched templates must be used for VM creation, properly configured OS deployments and applications. Applications dependent on VM-specific information must also use hardened, patched templates.

a

The system must control access to VMs through the dvfilter network APIs.

CM-6 - Low - CCI-000366 - V-39505 - SV-51363r1_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

ESXI5-VM-000051

Vuln IDs

V-39505

Rule IDs

SV-51363r1_rule

A VM must be configured explicitly to accept access by the dvfilter network API. This should be performed only for VMs that require the dvfilter network API. An attacker might compromise the VM by making use of this introspection channel.

Checks: C-46765r2_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx If a VM is not supposed to be protected by a product using the dvfilter API, ensure the following is not present in its VMX file: ethernet0.filter1.name = dv-filter1 where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. If the VM is supposed to be protected, check that the name of the data path kernel is set correctly. # grep "^ethernet" <the VM's vmx file> If a dvfilter is not being used, and the above command return is empty, this is not a finding. If a dvfilter is being used, and the above command return is either empty or does not contain the correctly formatted network adaptor interface, filter number , and data path kernel module, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44517r2_fix

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. ethernet0.filter1.name = dv-filter1 Where "ethernet0" is the network adaptor interface of the virtual machine that is to be protected, "filter1" is the number of the filter that is being used, and "dv-filter1" is the name of the particular data path kernel module that is protecting the VM. Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must control access to VMs through VMsafe CPU/memory APIs.

CM-6 - Medium - CCI-000366 - V-39506 - SV-51364r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000052

Vuln IDs

V-39506

Rule IDs

SV-51364r1_rule

The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.

Checks: C-46766r2_chk

If the VMsafe API is not used, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = vmsafe.agentAddress keyval = www.xxx.yyy.zzz (w thru z are integer values of the agent's site-specific IP Address) # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), and the VMsafe API is used, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44518r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.agentAddress keyval = www.xxx.yyy.zzz (w thru z are integer values of the agent's site-specific IP Address) Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must control access to VMs through the VMsafe CPU/memory vmsafe.agentPort API.

CM-6 - Medium - CCI-000366 - V-39507 - SV-51365r1_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000053

Vuln IDs

V-39507

Rule IDs

SV-51365r1_rule

The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.

Checks: C-46767r2_chk

If the VMsafe API is not used, this check is not applicable. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = vmsafe.agentPort keyval = nnnn (nnnn is the port number that the VMsafe CPU/memory used to connect to the introspection virtual switch) # grep "^<keyword>" <the VM's vmx file> If the above command return is either empty or does not reflect the above keyword and keyval value(s), and the VMsafe API is used, this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44519r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.agentPort keyval = nnnn (nnnn is the port number that the VMsafe CPU/memory used to connect to the introspection virtual switch) Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

b

The system must control access to VMs through the VMsafe CPU/memory vmsafe.enable API.

CM-6 - Medium - CCI-000366 - V-39508 - SV-51366r2_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

ESXI5-VM-000054

Vuln IDs

V-39508

Rule IDs

SV-51366r2_rule

The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore it should be monitored for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters: one to enable the API, one to set the IP address used by the security virtual appliance on the introspection vSwitch, and one to set the port number for that IP address. If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which this protection is wanted.

Checks: C-46768r3_chk

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and locate the VM's vmx file. # find / | grep vmx Check the VM's ".vmx" file for the correct "<keyword> = <keyval>" pair. keyword = vmsafe.enable keyval = TRUE (if the VMSafe API is used) keyval = FALSE (if the VMSafe API is "not" used) # grep "^<keyword>" <the VM's vmx file> If the keyval is set to "TRUE" and use of the VMSafe API is required, this is not a finding. Otherwise, if the keyval is set to "TRUE", this is a finding. Re-enable Lockdown Mode on the host.

Fix: F-44520r2_fix

Configure the VM with the correct "<keyword> = <keyval>" pair. To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Remove from inventory. Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file. # find / | grep vmx Add the following to the VM's vmx file. keyword = "keyval" Where: keyword = vmsafe.enable keyval = TRUE Re-enable Lockdown Mode on the host. Re-register the VM with the vCenter Server: Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage. Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.

VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide

Compare

View

Checks: C-46717r4_chk

Fix: F-44455r2_fix

Generate Mitigation Statement:

Checks: C-46718r4_chk

Fix: F-44456r4_fix

Generate Mitigation Statement:

Checks: C-46719r2_chk

Fix: F-44457r2_fix

Generate Mitigation Statement:

Checks: C-46720r4_chk

Fix: F-44458r3_fix

Generate Mitigation Statement:

Checks: C-46721r2_chk

Fix: F-44459r2_fix

Generate Mitigation Statement:

Checks: C-46722r2_chk

Fix: F-44460r2_fix

Generate Mitigation Statement:

Checks: C-46723r2_chk

Fix: F-44461r2_fix

Generate Mitigation Statement:

Checks: C-46724r2_chk

Fix: F-44463r2_fix

Generate Mitigation Statement:

Checks: C-46725r2_chk

Fix: F-44464r2_fix

Generate Mitigation Statement:

Checks: C-46726r5_chk

Fix: F-44465r4_fix

Generate Mitigation Statement:

Checks: C-46727r2_chk

Fix: F-44466r2_fix

Generate Mitigation Statement:

Checks: C-46728r2_chk

Fix: F-44467r2_fix

Generate Mitigation Statement:

Checks: C-46729r2_chk

Fix: F-44468r2_fix

Generate Mitigation Statement:

Checks: C-46730r2_chk

Fix: F-44469r2_fix

Generate Mitigation Statement:

Checks: C-46731r2_chk

Fix: F-44784r1_fix

Generate Mitigation Statement:

Checks: C-46732r2_chk

Fix: F-44471r2_fix

Generate Mitigation Statement:

Checks: C-46733r2_chk

Fix: F-44472r2_fix

Generate Mitigation Statement:

Checks: C-46734r2_chk

Fix: F-44473r2_fix

Generate Mitigation Statement:

Checks: C-46735r2_chk

Fix: F-44475r2_fix

Generate Mitigation Statement:

Checks: C-46736r2_chk

Fix: F-44476r2_fix

Generate Mitigation Statement:

Checks: C-46737r2_chk

Fix: F-44490r2_fix

Generate Mitigation Statement:

Checks: C-46738r2_chk

Fix: F-44491r2_fix

Generate Mitigation Statement:

Checks: C-46739r2_chk

Fix: F-44492r2_fix

Generate Mitigation Statement:

Checks: C-46740r2_chk

Fix: F-44493r2_fix

Generate Mitigation Statement:

Checks: C-46741r2_chk

Fix: F-44494r2_fix

Generate Mitigation Statement:

Checks: C-46742r2_chk

Fix: F-44495r3_fix