VMware vSphere 6.5 ESXi Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates +1
Comparison against the immediately-prior release (V2R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Added rules 1
- V-251043 Medium The ESXi host must protect the confidentiality and integrity of transmitted information.
- RMF Control
- AC-10
- Severity
- M
- CCI
- CCI-000054
- Version
- ESXI-65-000001
- Vuln IDs
-
- V-207602
- V-93949
- Rule IDs
-
- SV-207602r378532_rule
- SV-104035
Checks: C-7857r364205_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Fix: F-7857r364206_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $level = "lockdownNormal" OR "lockdownStrict" $vmhost = Get-VMHost -Name <hostname> | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.ChangeLockdownMode($level) Note: In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000002
- Vuln IDs
-
- V-207603
- V-93951
- Rule IDs
-
- SV-207603r388482_rule
- SV-104037
Checks: C-7858r364208_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If the DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Fix: F-7858r364209_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the DCUI.Access value and configure it to root. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000003
- Vuln IDs
-
- V-207604
- V-93953
- Rule IDs
-
- SV-207604r388482_rule
- SV-104039
Checks: C-7859r364211_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode review the exception users list. or From a PowerCLI command prompt while connected to the ESXi host run the following script: $vmhost = Get-VMHost | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.QueryLockdownExceptions() If the Exception users list contains accounts that do not require special permissions, this is a finding. Note - This list is not intended for system administrator accounts but for special circumstances such as a service account. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Fix: F-7859r364212_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- ESXI-65-000004
- Vuln IDs
-
- V-207605
- V-93955
- Rule IDs
-
- SV-207605r378607_rule
- SV-104041
Checks: C-7860r364214_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
Fix: F-7860r364215_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- ESXI-65-000005
- Vuln IDs
-
- V-207606
- V-93957
- Rule IDs
-
- SV-207606r378517_rule
- SV-104043
Checks: C-7861r364217_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountLockFailures value and verify it is set to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3. If the Security.AccountLockFailures is set to a value other than 3, this is a finding.
Fix: F-7861r364218_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountLockFailures value and configure it to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- ESXI-65-000006
- Vuln IDs
-
- V-207607
- V-93959
- Rule IDs
-
- SV-207607r379606_rule
- SV-104045
Checks: C-7862r364220_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900. If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.
Fix: F-7862r364221_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.AccountUnlockTime value and configure it to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- ESXI-65-000007
- Vuln IDs
-
- V-207608
- V-93961
- Rule IDs
-
- SV-207608r378520_rule
- SV-104047
Checks: C-7863r364223_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner to follow. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Check for either of the following login banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't. If the DCUI logon screen does not display the DoD logon banner, this is a finding.
Fix: F-7863r364224_fix
From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: <script begin> $value = @" {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} "@ Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value <script end>
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- ESXI-65-000008
- Vuln IDs
-
- V-207609
- V-93963
- Rule IDs
-
- SV-207609r378520_rule
- SV-104049
Checks: C-7864r364226_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.Etc.issue value and verify it is set to DoD logon banner below. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue If the Config.Etc.issue setting (/etc/issue file) does not contain the logon banner exactly as shown below this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Fix: F-7864r364227_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Config.Etc.issue value and set it to the following. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- ESXI-65-000009
- Vuln IDs
-
- V-207610
- V-93965
- Rule IDs
-
- SV-207610r378520_rule
- SV-104051
Checks: C-7865r364229_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Banner" /etc/ssh/sshd_config If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.
Fix: F-7865r364230_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- ESXI-65-000010
- Vuln IDs
-
- V-207611
- V-93967
- Rule IDs
-
- SV-207611r766919_rule
- SV-104053
Checks: C-7866r766917_chk
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell: # grep -i "^Ciphers" /etc/ssh/sshd_config If there is no output or the output is not exactly "Ciphers aes256-ctr,aes192-ctr,aes128-ctr", this is a finding.
Fix: F-7866r766918_fix
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Ciphers aes256-ctr,aes192-ctr,aes128-ctr
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- ESXI-65-000011
- Vuln IDs
-
- V-207612
- V-93969
- Rule IDs
-
- SV-207612r378610_rule
- SV-104055
Checks: C-7867r364235_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Protocol" /etc/ssh/sshd_config If there is no output or the output is not exactly "Protocol 2", this is a finding.
Fix: F-7867r364236_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": Protocol 2
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000767
- Version
- ESXI-65-000012
- Vuln IDs
-
- V-207613
- V-93971
- Rule IDs
-
- SV-207613r378856_rule
- SV-104057
Checks: C-7868r364238_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^IgnoreRhosts" /etc/ssh/sshd_config If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.
Fix: F-7868r364239_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000013
- Vuln IDs
-
- V-207614
- V-93973
- Rule IDs
-
- SV-207614r388482_rule
- SV-104059
Checks: C-7869r364241_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.
Fix: F-7869r364242_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000014
- Vuln IDs
-
- V-207615
- V-93975
- Rule IDs
-
- SV-207615r388482_rule
- SV-104061
Checks: C-7870r364244_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitRootLogin" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.
Fix: F-7870r364245_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-65-000015
- Vuln IDs
-
- V-207616
- V-93977
- Rule IDs
-
- SV-207616r388482_rule
- SV-104063
Checks: C-7871r364247_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.
Fix: F-7871r364248_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000016
- Vuln IDs
-
- V-207617
- V-93979
- Rule IDs
-
- SV-207617r388482_rule
- SV-104065
Checks: C-7872r364250_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.
Fix: F-7872r364251_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000017
- Vuln IDs
-
- V-207618
- V-93981
- Rule IDs
-
- SV-207618r388482_rule
- SV-104067
Checks: C-7873r364253_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^MACs" /etc/ssh/sshd_config If there is no output or the output is not exactly "MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512", this is a finding.
Fix: F-7873r364254_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000018
- Vuln IDs
-
- V-207619
- V-93983
- Rule IDs
-
- SV-207619r388482_rule
- SV-104069
Checks: C-7874r364256_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.
Fix: F-7874r364257_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GSSAPIAuthentication no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000019
- Vuln IDs
-
- V-207620
- V-93985
- Rule IDs
-
- SV-207620r388482_rule
- SV-104071
Checks: C-7875r364259_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^KerberosAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.
Fix: F-7875r364260_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": KerberosAuthentication no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000020
- Vuln IDs
-
- V-207621
- V-93987
- Rule IDs
-
- SV-207621r388482_rule
- SV-104073
Checks: C-7876r364262_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^StrictModes" /etc/ssh/sshd_config If there is no output or the output is not exactly "StrictModes yes", this is a finding.
Fix: F-7876r364263_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": StrictModes yes
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000021
- Vuln IDs
-
- V-207622
- V-93989
- Rule IDs
-
- SV-207622r388482_rule
- SV-104075
Checks: C-7877r364265_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Compression" /etc/ssh/sshd_config If there is no output or the output is not exactly "Compression no", this is a finding.
Fix: F-7877r364266_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Compression no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000022
- Vuln IDs
-
- V-207623
- V-93991
- Rule IDs
-
- SV-207623r388482_rule
- SV-104077
Checks: C-7878r364268_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GatewayPorts" /etc/ssh/sshd_config If there is no output or the output is not exactly "GatewayPorts no", this is a finding.
Fix: F-7878r364269_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GatewayPorts no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000023
- Vuln IDs
-
- V-207624
- V-93993
- Rule IDs
-
- SV-207624r388482_rule
- SV-104079
Checks: C-7879r364271_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^X11Forwarding" /etc/ssh/sshd_config If there is no output or the output is not exactly "X11Forwarding no", this is a finding.
Fix: F-7879r364272_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": X11Forwarding no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000024
- Vuln IDs
-
- V-207625
- V-93995
- Rule IDs
-
- SV-207625r388482_rule
- SV-104081
Checks: C-7880r364274_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^AcceptEnv" /etc/ssh/sshd_config If there is no output or the output is not exactly "AcceptEnv", this is a finding.
Fix: F-7880r364275_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": AcceptEnv
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000025
- Vuln IDs
-
- V-207626
- V-93997
- Rule IDs
-
- SV-207626r388482_rule
- SV-104083
Checks: C-7881r364277_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitTunnel" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitTunnel no", this is a finding.
Fix: F-7881r364278_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitTunnel no
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000026
- Vuln IDs
-
- V-207627
- V-93999
- Rule IDs
-
- SV-207627r388482_rule
- SV-104085
Checks: C-7882r364280_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveCountMax 3", this is a finding.
Fix: F-7882r364281_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveCountMax 3
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000027
- Vuln IDs
-
- V-207628
- V-94001
- Rule IDs
-
- SV-207628r388482_rule
- SV-104087
Checks: C-7883r364283_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveInterval" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.
Fix: F-7883r364284_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveInterval 200
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000028
- Vuln IDs
-
- V-207629
- V-94003
- Rule IDs
-
- SV-207629r388482_rule
- SV-104089
Checks: C-7884r364286_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^MaxSessions" /etc/ssh/sshd_config If there is no output or the output is not exactly "MaxSessions 1", this is a finding.
Fix: F-7884r364287_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": MaxSessions 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000029
- Vuln IDs
-
- V-207630
- V-94005
- Rule IDs
-
- SV-207630r388482_rule
- SV-104091
Checks: C-7885r364289_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # ls -la /etc/ssh/keys-root/authorized_keys or # cat /etc/ssh/keys-root/authorized_keys If the authorized_keys file exists and is not empty, this is a finding.
Fix: F-7885r364290_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, zero or remove the /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys
- RMF Control
- AU-3
- Severity
- L
- CCI
- CCI-000130
- Version
- ESXI-65-000030
- Vuln IDs
-
- V-207631
- V-94007
- Rule IDs
-
- SV-207631r378616_rule
- SV-104093
Checks: C-7886r364292_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.HostAgent.log.level value and verify it is set to "info". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the Config.HostAgent.log.level setting is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
Fix: F-7886r364293_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.log.level value and configure it to "info". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000192
- Version
- ESXI-65-000031
- Vuln IDs
-
- V-207632
- V-94009
- Rule IDs
-
- SV-207632r378739_rule
- SV-104095
Checks: C-7887r364295_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
Fix: F-7887r364296_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- ESXI-65-000032
- Vuln IDs
-
- V-207633
- V-94011
- Rule IDs
-
- SV-207633r378763_rule
- SV-104097
Checks: C-7888r364298_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If the remember setting is not set or is not "remember=5", this is a finding.
Fix: F-7888r364299_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000033
- Vuln IDs
-
- V-207634
- V-94013
- Rule IDs
-
- SV-207634r388482_rule
- SV-104099
Checks: C-7889r364301_chk
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If sha512 is not listed, this is a finding.
Fix: F-7889r364302_fix
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-65-000034
- Vuln IDs
-
- V-207635
- V-94015
- Rule IDs
-
- SV-207635r378841_rule
- SV-104101
Checks: C-7890r364304_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Config.HostAgent.plugins.solo.enableMob value and verify it is set to false. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the Config.HostAgent.plugins.solo.enableMob setting is not set to false, this is a finding.
Fix: F-7890r364305_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.solo.enableMob value and configure it to false. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-65-000035
- Vuln IDs
-
- V-207636
- V-94017
- Rule IDs
-
- SV-207636r378841_rule
- SV-104103
Checks: C-7891r364307_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
Fix: F-7891r364308_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit then select the SSH service and click the Stop button to stop the service. Use the pull-down menu to change the Startup policy to "Start and stop manually" and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-65-000036
- Vuln IDs
-
- V-207637
- V-94019
- Rule IDs
-
- SV-207637r378841_rule
- SV-104105
Checks: C-7892r364310_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit and view the "ESXi Shell" service and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} If the ESXi Shell service is running, this is a finding.
Fix: F-7892r364311_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under Services select Edit then select the ESXi Shell service and click the Stop button to stop the service. Use the pull-down menu to change the Startup policy to "Start and stop manually" and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000764
- Version
- ESXI-65-000037
- Vuln IDs
-
- V-207638
- V-94021
- Rule IDs
-
- SV-207638r378847_rule
- SV-104107
Checks: C-7893r364313_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Verify the Directory Services Type is set to Active Directory. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the Directory Services Type is not set to "Active Directory", this is a finding.
Fix: F-7893r364314_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services. Click Join Domain and enter the AD domain to join, select the "Using credentials” radio button and enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain) and then click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- ESXI-65-000038
- Vuln IDs
-
- V-207639
- V-94023
- Rule IDs
-
- SV-207639r378847_rule
- SV-104109
Checks: C-7894r364316_chk
From the vSphere Web Client go to Home >> Host Profiles >> and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify if JoinADEnabled is True then JoinDomainMethod should be "FixedCAMConfigOption". If you are not using Host Profiles to join active directory, this is not a finding.
Fix: F-7894r364317_fix
From the vSphere Web Client go to Home >> Host Profiles >> and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000764
- Version
- ESXI-65-000039
- Vuln IDs
-
- V-207640
- V-94025
- Rule IDs
-
- SV-207640r378847_rule
- SV-104111
Checks: C-7895r364319_chk
From the vSphere Web Client select the ESXi Host and go to Configuration >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.
Fix: F-7895r364320_fix
From the vSphere Web Client select the ESXi Host and go to Configuration >> System >> Advanced System Settings. Click Edit and select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000767
- Version
- ESXI-65-000040
- Vuln IDs
-
- V-207641
- V-94027
- Rule IDs
-
- SV-207641r378856_rule
- SV-104113
Checks: C-7896r364322_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authentication to an Active Directory Domain. For systems that have no local user accounts, other than root and/or vpxuser, this is not applicable. For environments that do not use vCenter server to manage ESXi, this is not applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding.
Fix: F-7896r364323_fix
The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: -Active Directory domain that supports smart card authentication, smart card readers, and smart cards. -ESXi joined to an Active Directory domain. -Trusted certificates for root and intermediary certificate authorities. From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Authentication Services and click Edit and check "Enable Smart Card Authentication" checkbox, at the Certificates tab, click the green plus sign to import trusted certificate authority certificates and click OK.
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-65-000041
- Vuln IDs
-
- V-207642
- V-94029
- Rule IDs
-
- SV-207642r378994_rule
- SV-104115
Checks: C-7897r364325_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.
Fix: F-7897r364326_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-65-000042
- Vuln IDs
-
- V-207643
- V-94031
- Rule IDs
-
- SV-207643r378994_rule
- SV-104117
Checks: C-7898r364328_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.
Fix: F-7898r364329_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.ESXiShellTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-65-000043
- Vuln IDs
-
- V-207644
- V-94033
- Rule IDs
-
- SV-207644r378994_rule
- SV-104119
Checks: C-7899r364331_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.
Fix: F-7899r364332_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the UserVars.DcuiTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600
- RMF Control
- SC-24
- Severity
- L
- CCI
- CCI-001665
- Version
- ESXI-65-000044
- Vuln IDs
-
- V-207645
- V-94035
- Rule IDs
-
- SV-207645r379318_rule
- SV-104121
Checks: C-7900r364334_chk
From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.system.coredump.partition.get() $esxcli.system.coredump.network.get() The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.
Fix: F-7900r364335_fix
From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option configure a core dump diagnostic partition. or From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands: To configure a core dump partition: $esxcli = Get-EsxCli #View available partitions to configure $esxcli.system.coredump.partition.list() $esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null) To configure a core dump collector: $esxcli = Get-EsxCli $esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort") $esxcli.system.coredump.network.set($true)
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- ESXI-65-000045
- Vuln IDs
-
- V-207646
- V-94037
- Rule IDs
-
- SV-207646r379690_rule
- SV-104123
Checks: C-7901r364337_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Syslog.global.logDir value and verify it is set to a persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir or $esxcli = Get-EsxCli $esxcli.system.syslog.config.get() | Select LocalLogOutput,LocalLogOutputIsPersistent If the Syslog.global.logDir or LocalLogOutput value is not on persistent storage, this is a finding. If the LocalLogOutputIsPersistent value is not true, this is a finding.
Fix: F-7901r364338_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Syslog.global.logDir value and set it to a known persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- ESXI-65-000046
- Vuln IDs
-
- V-207647
- V-94039
- Rule IDs
-
- SV-207647r379732_rule
- SV-104125
Checks: C-7902r364340_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Time Configuration. Click Edit to verify the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.
Fix: F-7902r364341_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Time Configuration. Click Edit to configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host run the following command: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
- RMF Control
- CM-5
- Severity
- H
- CCI
- CCI-001749
- Version
- ESXI-65-000047
- Vuln IDs
-
- V-207648
- V-94041
- Rule IDs
-
- SV-207648r379825_rule
- SV-104127
Checks: C-7903r364343_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.
Fix: F-7903r364344_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level" click Edit… and use the pull-down selection, set the acceptance level to be VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-65-000048
- Vuln IDs
-
- V-207649
- V-94043
- Rule IDs
-
- SV-207649r380176_rule
- SV-104129
Checks: C-7904r364346_chk
The vMotion VMKernel port group should in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and it not routed to anything but ESXi hosts. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration > Networking and review the VLAN associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. If long distance or cross vCenter vMotion is used the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Fix: F-7904r364347_fix
Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a distributed switch do the following: From the vSphere Web Client go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Edit >> VLAN. Change the "VLAN Type" to "VLAN" and change the "VLAN ID" to a network allocated and dedicated to vMotion traffic exclusively.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-65-000050
- Vuln IDs
-
- V-207650
- V-94047
- Rule IDs
-
- SV-207650r380176_rule
- SV-104133
Checks: C-7905r364349_chk
IP-Based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> VMkernel adapters and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding. If IP-based storage is not used, this is not applicable.
Fix: F-7905r364350_fix
Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Web Client select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Storage VMkernel (for vSAN only) and click Edit settings >> On the Port properties tab uncheck everything but "vSAN.” On the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK. Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Storage portgroup (iSCSI, NFS, vSAN) and click Edit settings >> On the properties tab, enter the appropriate VLAN ID and click OK.
- RMF Control
- SC-8
- Severity
- L
- CCI
- CCI-002418
- Version
- ESXI-65-000052
- Vuln IDs
-
- V-207651
- V-94051
- Rule IDs
-
- SV-207651r380176_rule
- SV-104137
Checks: C-7906r364352_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If vMotion and Provisioning VMKernels are in use and are not utilizing their own TCP/IP stack, this is a finding.
Fix: F-7906r364353_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> TCP/IP configuration >> Select a TCP/IP stack >> Click Edit >> Enter the appropriate site specific IP address information for the particular TCP/IP stack and click OK.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000053
- Vuln IDs
-
- V-207652
- V-94053
- Rule IDs
-
- SV-207652r388482_rule
- SV-104139
Checks: C-7907r364355_chk
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostSnmp | Select * or From a console or ssh session run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read only communities is set to public, this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.
Fix: F-7907r364356_fix
To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false or From a console or ssh session run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets use the "esxcli system snmp set" command set.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000054
- Vuln IDs
-
- V-207653
- V-94055
- Rule IDs
-
- SV-207653r388482_rule
- SV-104141
Checks: C-7908r364358_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> Storage >> Storage Adapters >> Select the iSCSI adapter >> Properties >> Authentication method and view the CHAP configuration and verify CHAP is "Required" for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to "Required" for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.
Fix: F-7908r364359_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> Storage >> Storage Adapters >> Select the iSCSI adapter >> Properties >> Authentication and click the Edit button. Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000055
- Vuln IDs
-
- V-207654
- V-94057
- Rule IDs
-
- SV-207654r388482_rule
- SV-104143
Checks: C-7909r364361_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Mem.ShareForceSalting value and verify it is set to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the Mem.ShareForceSalting setting is not set to 2, this is a finding.
Fix: F-7909r364362_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Mem.ShareForceSalting value and configure it to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000056
- Vuln IDs
-
- V-207655
- V-94059
- Rule IDs
-
- SV-207655r388482_rule
- SV-104145
Checks: C-7910r364364_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under the Firewall section click Edit and for each enabled service click Firewall and review the allowed IPs. Check this for Incoming and Outgoing connections. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
Fix: F-7910r364365_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under the Firewall section click Edit and for each enabled service uncheck the check box to “Allow connections from any IP address,” and input the site specific network(s) required.Configure this for Incoming and Outgoing connections. or From a PowerCLI command prompt while connected to the ESXi host run the following command: $esxcli = Get-EsxCli #This disables the allow all rule for the target service $esxcli.network.firewall.ruleset.set($false,$true,"sshServer") $esxcli.network.firewall.ruleset.allowedip.add("192.168.0.0/24","sshServer") This must be done for each enabled service.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000057
- Vuln IDs
-
- V-207656
- V-94061
- Rule IDs
-
- SV-207656r388482_rule
- SV-104147
Checks: C-7911r364367_chk
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are True, this is a finding.
Fix: F-7911r364368_fix
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000058
- Vuln IDs
-
- V-207657
- V-94063
- Rule IDs
-
- SV-207657r388482_rule
- SV-104149
Checks: C-7912r364370_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Net.BlockGuestBPDU value and verify it is set to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the Net.BlockGuestBPDU setting is not set to 1, this is a finding.
Fix: F-7912r364371_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Net.BlockGuestBPDU value and configure it to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000059
- Vuln IDs
-
- V-207658
- V-94065
- Rule IDs
-
- SV-207658r388482_rule
- SV-104151
Checks: C-7913r364373_chk
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Forged Transmits" policy is set to accept, this is a finding.
Fix: F-7913r364374_fix
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Forged Transmits" to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-65-000060
- Vuln IDs
-
- V-207659
- V-94067
- Rule IDs
-
- SV-207659r388482_rule
- SV-104153
Checks: C-7914r364376_chk
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "MAC Address Changes" policy is set to accept, this is a finding.
Fix: F-7914r364377_fix
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "MAC Address Changes" to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000061
- Vuln IDs
-
- V-207660
- V-94069
- Rule IDs
-
- SV-207660r388482_rule
- SV-104155
Checks: C-7915r364379_chk
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.
Fix: F-7915r364380_fix
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Promiscuous Mode" to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000062
- Vuln IDs
-
- V-207661
- V-94071
- Rule IDs
-
- SV-207661r388482_rule
- SV-104157
Checks: C-7916r364382_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding.
Fix: F-7916r364383_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click Edit and select the Net.DVFilterBindIpAddress value and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000063
- Vuln IDs
-
- V-207662
- V-94073
- Rule IDs
-
- SV-207662r388482_rule
- SV-104159
Checks: C-7917r364385_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with the native VLAN of the ESXi hosts attached physical switch, this is a finding.
Fix: F-7917r364386_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to native VLAN ID) and click Edit settings. Change the VLAN ID to a non-native VLAN and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000064
- Vuln IDs
-
- V-207663
- V-94075
- Rule IDs
-
- SV-207663r388482_rule
- SV-104161
Checks: C-7918r364388_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to 4095. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanID If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
Fix: F-7918r364389_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to 4095) and click Edit settings. Change the VLAN ID to not be 4095 and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000065
- Vuln IDs
-
- V-207664
- V-94077
- Rule IDs
-
- SV-207664r388482_rule
- SV-104163
Checks: C-7919r364391_chk
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with a reserved VLAN ID, this is a finding.
Fix: F-7919r364392_fix
From the vSphere Web Client select the ESXi Host and go to Configure >> Networking >> Virtual switches. Highlight a port group (where VLAN ID set to 4095) and click Edit settings (pencil). Change the VLAN ID to not be a reserved VLAN ID and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000066
- Vuln IDs
-
- V-207665
- V-94079
- Rule IDs
-
- SV-207665r388482_rule
- SV-104165
Checks: C-7920r364394_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. Inspect the documentation and verify that the documentation is correct and updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi Host, this is a finding.
Fix: F-7920r364395_fix
Note that this check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi Host. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream external switch ports.
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-65-000067
- Vuln IDs
-
- V-207666
- V-94081
- Rule IDs
-
- SV-207666r388482_rule
- SV-104167
Checks: C-7921r364397_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.
Fix: F-7921r364398_fix
Note that this check refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000068
- Vuln IDs
-
- V-207667
- V-94083
- Rule IDs
-
- SV-207667r388482_rule
- SV-104169
Checks: C-7922r364400_chk
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that unneeded VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on an organization defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts. If the physical switch's configuration is trunked VLANs that are not used by ESXi for all physical ports connected to ESXi hosts, this is a finding.
Fix: F-7922r364401_fix
Note that this check refers to an entity outside the scope of the ESXi server system. Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000070
- Vuln IDs
-
- V-207668
- V-94349
- Rule IDs
-
- SV-207668r388482_rule
- SV-104303
Checks: C-7923r364403_chk
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges. From the Host Client, select the ESXi host, right click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions. If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding. If write access is not required and the access level is not "read-only", this is a finding.
Fix: F-7923r364404_fix
Create a role for the CIM account. From the Host Client, go to manage, then Security & Users. Select Roles then click Add Role. Provide a name for the new role then select Host >> Cim >> Ciminteraction and click Add. Add a CIM user account. From the Host Client, go to manage, then Security & Users. Select Users then click Add User. Provide a name, description, and password for the new user then click Add. Assign the CIM account permissions to the host with the new role. From the Host Client, select the ESXi host, right click and go to "Permissions". Click Add User and select the CIM account from the drop down list and select the new CIM role from the drop down list and click Add User.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-65-000071
- Vuln IDs
-
- V-207669
- V-94477
- Rule IDs
-
- SV-207669r388482_rule
- SV-104307
Checks: C-7924r364406_chk
The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. See some typical command line example(s) for both the md5 and sha1 hash check(s) directly below. # md5sum <filename>.iso # sha1sum <filename>.iso If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.
Fix: F-7924r364407_fix
If the hash returned from the md5sum or sha1sum commands do not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-65-000072
- Vuln IDs
-
- V-207670
- V-94479
- Rule IDs
-
- SV-207670r388482_rule
- SV-104309
Checks: C-7925r364409_chk
If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select scan to view all hosts compliance status. If vCenter Update Manager is not used a hosts compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them. https://www.vmware.com/support/policies/security_response
Fix: F-7925r364410_fix
If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Web Client. From the vSphere Web Client go to Hosts and Clusters >> Update Manager tab and select a non-compliant host and click the Remediate button. To manually remediate a host the patch file must be copied locally and the following command run from an SSH session connected to the ESXi host, or from the ESXi shell: esxcli software vib update -d <path to offline patch bundle.zip>
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000076
- Vuln IDs
-
- V-207673
- V-94487
- Rule IDs
-
- SV-207673r388482_rule
- SV-104317
Checks: C-7928r364418_chk
Temporarily enable SSH, connect to the ESXi host and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -s If the output is not Enabled, this is a finding.
Fix: F-7928r364419_fix
Temporarily enable SSH, connect to the ESXi host and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -c If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified this finding is downgraded to a CAT III. Consult your vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host. Temporarily enable SSH, connect to the ESXi host and run the following command to verify that Secure Boot is enabled: /usr/lib/vmware/secureboot/bin/secureBoot.py -s
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-65-000078
- Vuln IDs
-
- V-207674
- V-94489
- Rule IDs
-
- SV-207674r617349_rule
- SV-104319
Checks: C-7929r622444_chk
Temporarily enable SSH, connect to the ESXi host and run the following command: # openssl x509 -in /etc/vmware/ssl/rui.crt -text | grep Issuer If the issuer is not a DoD approved certificate authority, or other AO approved certificate authority, this is a finding.
Fix: F-7929r364422_fix
Obtain a DoD issued certificate and private key for the host following the below requirements: Key size: 2048 bits or more (PEM encoded) Key format: PEM. VMware supports PKCS8 and PKCS1 (RSA keys) x509 version 3 SubjectAltName must contain DNS Name=<machine_FQDN> CRT (Base-64) format Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Start time of one day before the current time CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory. Put the host into maintenance mode. Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. Back up the existing certificate and key: mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak Copy your new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate: services.sh restart From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Manage >> Settings >> Advanced Settings. Find or create the vpxd.certmgmt.mode key and set its value to custom.
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000770
- Version
- ESXI-65-100037
- Vuln IDs
-
- V-207675
- V-94505
- Rule IDs
-
- SV-207675r378862_rule
- SV-104335
Checks: C-7930r364424_chk
For systems that do not use Active Directory and have no local user accounts, other than "root" and/or "vpxuser", this is not applicable. From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and do have local user accounts, other than "root" and/or "vpxuser"", this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding. If you are not using Host Profiles to join active directory, this is not a finding.
Fix: F-7930r364425_fix
From the vSphere Client select the ESXi host and go to Configuration >> Authentication Services. Click "Properties" and change the "Directory Service Type" to "Active Directory", enter the domain to join, check "Use vSphere Authentication Proxy" and enter the proxy server address then click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-65-000049
- Vuln IDs
-
- V-251043
- Rule IDs
-
- SV-251043r802909_rule
Checks: C-54478r802907_chk
From the vSphere Web Client, select the ESXi Host and go to Manage >> Networking >> VMkernel adapters. Review each VMkernel adapter that is defined and ensure it is enabled for only one type of management traffic. If any VMkernel is used for more than one type of management traffic, this is a finding.
Fix: F-54431r802908_fix
From the vSphere Web Client, select the ESXi Host and go to Configure >> Networking >> VMkernel adapters >> Select a VMkernel Adapter >> Click Edit settings >> Uncheck any additional services that have been enabled on the VMkernel adapter so that there is only one service left checked.