Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is enabled ("Normal" or "Strict"). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is Not Applicable.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Click "Edit" in "Lockdown Mode" and enable ("Normal" or "Strict"). or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $level = "lockdownNormal" OR "lockdownStrict" $vmhost = Get-VMHost -Name <hostname> | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.ChangeLockdownMode($level) Note: In Strict Lockdown Mode, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Client is no longer available, the ESXi host becomes inaccessible.
For environments that do not use vCenter server to manage ESXi, this is Not Applicable. From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "DCUI.Access" value and verify that only the root user is listed. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If the DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "DCUI.Access" value, and configure it to root. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"
For environments that do not use vCenter server to manage ESXi, this is Not Applicable. From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under Lockdown Mode, review the Exception Users list. or From a PowerCLI command prompt while connected to the ESXi host, run the following script: $vmhost = Get-VMHost | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.QueryLockdownExceptions() If the Exception Users list contains accounts that do not require special permissions, this is a finding. Note: This list is not intended for system administrator accounts but for special circumstances such as a service account.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Lockdown Mode", click "Edit" and remove unnecessary users from the exceptions list.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the "Syslog.global.logHost" setting is not set to a site-specific syslog server, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Syslog.global.logHost" value, and configure it to a site-specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.AccountLockFailures" value and verify it is set to "3". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures If "Security.AccountLockFailures" is set to a value other than "3", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Security.AccountLockFailures" value, and configure it to "3". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.AccountUnlockTime" value and verify it is set to "900". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime If the "Security.AccountUnlockTime" is set to a value other than "900", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Security.AccountUnlockTime" value and configure it to "900". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Annotations.WelcomeMessage" value and verify it contains the DoD logon banner to follow. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Check for either of the following logon banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't. If the DCUI logon screen does not display the DoD logon banner, this is a finding.
From a PowerCLI command prompt while connected to the ESXi host, copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: <script begin> $value = @" {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} "@ Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value <script end>
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Config.Etc.issue" value and verify it is set to the DoD logon banner below. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue If the "Config.Etc.issue" setting (/etc/issue file) does not contain the logon banner exactly as shown below, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Config.Etc.issue" value, and set it to the following: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Banner" /etc/ssh/sshd_config If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue
To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell: # grep -i "^FipsMode" /etc/ssh/sshd_config or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.security.fips140.ssh.get.invoke() If there is no output or the output is not exactly "FipsMode yes" over SSH, or enabled is not "true" over PowerCLI, this is a finding.
Limit the ciphers to FIPS-approved algorithms. From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": FipsMode yes or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs() $arguments.enable = $true $esxcli.system.security.fips140.ssh.set.Invoke($arguments)
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^IgnoreRhosts" /etc/ssh/sshd_config If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitRootLogin" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GSSAPIAuthentication no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^KerberosAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": KerberosAuthentication no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^StrictModes" /etc/ssh/sshd_config If there is no output or the output is not exactly "StrictModes yes", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": StrictModes yes
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^Compression" /etc/ssh/sshd_config If there is no output or the output is not exactly "Compression no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": Compression no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^GatewayPorts" /etc/ssh/sshd_config If there is no output or the output is not exactly "GatewayPorts no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": GatewayPorts no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^X11Forwarding" /etc/ssh/sshd_config If there is no output or the output is not exactly "X11Forwarding no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": X11Forwarding no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^AcceptEnv" /etc/ssh/sshd_config If there is no output or the output is not exactly "AcceptEnv", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": AcceptEnv
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^PermitTunnel" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitTunnel no", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": PermitTunnel no
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveCountMax 3", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveCountMax 3
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^ClientAliveInterval" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveInterval 200
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^MaxSessions" /etc/ssh/sshd_config If there is no output or the output is not exactly "MaxSessions 1", this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": MaxSessions 1
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # ls -la /etc/ssh/keys-root/authorized_keys or # cat /etc/ssh/keys-root/authorized_keys If the "authorized_keys" file exists and is not empty, this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, zero out or remove the /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.log.level" value and verify it is set to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the "Config.HostAgent.log.level" setting is not set to "info", this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Config.HostAgent.log.level" value, and configure it to "info". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordQualityControl" value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the "Security.PasswordQualityControl" setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Security.PasswordQualityControl" value, and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordHistory" value and verify it is set to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory If the "Security.PasswordHistory" setting is not set to "5", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Security.PasswordHistory" value and configure it to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If sha512 is not listed, this is a finding.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”: password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.plugins.solo.enableMob" value and verify it is set to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the "Config.HostAgent.plugins.solo.enableMob" setting is not set to "false", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.solo.enableMob" value and configure it to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "SSH" service, and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "SSH" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "ESXi Shell" service, and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} If the ESXi Shell service is running, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "ESXi Shell" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services. Click "Join Domain" and enter the AD domain to join. Select the "Using credentials” radio button, enter the credentials of an account with permissions to join machines to AD (use UPN naming – user@domain), and then click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify that if "JoinADEnabled" is "True", "JoinDomainMethod" is "FixedCAMConfigOption". If not using Host Profiles to join active directory, this is not a finding.
From the vSphere Client, go to Home >> Host Profiles and select a Host Profile to edit. View the settings under Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server.
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory, this is Not Applicable. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key is set to "ESX Admins", this is a finding.
From the vSphere Client, select the ESXi host and go to Configuration >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key and configure its value to an appropriate Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Authentication Services and view the Smart Card Authentication status. If "Smart Card Mode" is "Disabled", this is a finding. For environments that do not have PKI or AD available, this is Not Applicable.
The following are prerequisites to configuration of smart card authentication for the ESXi DCUI: - Active Directory domain that supports smart card authentication, smart card readers, and smart cards; - ESXi joined to an Active Directory domain; and - Trusted certificates for root and intermediary certificate authorities. From the vSphere Client, select the ESXi host and go to Configure >> System >> Authentication Services, click "Edit", and check the "Enable Smart Card Authentication" checkbox. At the "Certificates" tab, click the green plus sign to import trusted certificate authority certificates and click "OK".
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellInteractiveTimeOut" value and verify it is set to "120" (2 Minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the "UserVars.ESXiShellInteractiveTimeOut" setting is not set to "120", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.ESXiShellInteractiveTimeOut" value, and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 120
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellTimeOut" value and verify it is set to "600" (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the "UserVars.ESXiShellTimeOut" setting is not set to "600", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.ESXiShellTimeOut" value, and configure it to "600". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "UserVars.DcuiTimeOut" value and verify it is set to "120" (2 minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the "UserVars.DcuiTimeOut" setting is not set to "120", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "UserVars.DcuiTimeOut" value, and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 120
From the vSphere Client, select the ESXi host and right-click. If the "Add Diagnostic Partition" option is greyed out, core dumps are configured. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.coredump.partition.get.Invoke() $esxcli.system.coredump.network.get.Invoke() The first command prepares for the other two. The second command shows whether an active core dump partition is configured. The third command shows whether a network core dump collector is configured and enabled via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. If there is an active core dump partition, via the second command, this is not a finding. If there is a network core dump collector configured and enabled, this is not a finding. If there is no core dump partition and no network core dump collector configured, this is a finding.
From the vSphere Client, select the ESXi host and right-click. Select the "Add Diagnostic Partition" option to configure a core dump diagnostic partition. or From a PowerCLI command prompt while connected to the ESXi host, run at least one of the following sets of commands: To configure a core dump partition: $esxcli = Get-EsxCli -v2 #View available partitions to configure $esxcli.system.coredump.partition.list.Invoke() $arguments = $esxcli.system.coredump.partition.set.CreateArgs() $arguments.partition = "<NAA ID of target partition from output listed previously>" $esxcli.system.coredump.partition.set.Invoke($arguments) #You can't set the partition and enable it at the same time so now we can enable it $arguments = $esxcli.system.coredump.partition.set.CreateArgs() $arguments.enable = $true $esxcli.system.coredump.partition.set.Invoke($arguments) To configure a core dump collector: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.coredump.network.set.CreateArgs() $arguments.interfacename = "<vmkernel port to use>" $arguments.serverip = "<collector IP>" $arguments.serverport = "<collector port>" $arguments = $esxcli.system.coredump.network.set.Invoke($arguments) $arguments = $esxcli.system.coredump.network.set.CreateArgs() $arguments.enable = $true $arguments = $esxcli.system.coredump.network.set.Invoke($arguments)
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Syslog.global.logDir" value and verify it is set to a persistent location. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.syslog.config.get.Invoke() | Select LocalLogOutput,LocalLogOutputIsPersistent If the "LocalLogOutputIsPersistent" value is not true, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Syslog.global.logDir" value and set it to a known persistent location. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to verify the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources or the service does not have a "Policy" of "on" or is stopped, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Time Configuration. Click "Edit" to configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.software.acceptance.get.Invoke() If the acceptance level is "CommunitySupported", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", click "Edit". Using the pull-down selection, set the acceptance level to be "VMwareCertified", "VMwareAccepted", or "PartnerSupported". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.software.acceptance.set.CreateArgs() $arguments.level = "PartnerSupported" $esxcli.software.acceptance.set.Invoke($arguments) Note: "VMwareCertified" or "VMwareAccepted" may be substituted for "PartnerSupported", depending on local requirements. These are also case sensitive.
Verify the vMotion VMKernel port group is in a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and is not routed to anything but ESXi hosts. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configuration >> Networking. Review the VLAN associated with the vMotion VMkernel(s) and verify it is dedicated for that purpose and logically separated from other functions. If long distance or cross-vCenter vMotion is used, the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding.
Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a distributed switch, do the following: From the vSphere Client, go to Networking >> Select a distributed switch >> Select a port group >> Configure >> Settings >> Edit >> VLAN. Change the "VLAN Type" to "VLAN" and change the "VLAN ID" to a network allocated and dedicated to vMotion traffic exclusively.
Verify the Management VMkernel port group is on a dedicated VLAN, which can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and is not accessible to anything other than management-related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configure >> Networking. Review the VLAN associated with the Management VMkernel and verify it is dedicated for that purpose and is logically separated from other functions. If the network segment is accessible, except to networks where other management-related entities such as vCenter are located, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the Management VMkernel and click "Edit". On the Port properties tab, uncheck everything but "Management.” On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK". Set the appropriate VLAN ID >> Configure >> Networking >> Virtual switches. Select the Management portgroup and click "Edit". On the properties tab, enter the appropriate VLAN ID and click "OK".
If IP-based storage is not used, this is Not Applicable. Verify that IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups are in a dedicated VLAN, which can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> VMkernel adapters. Review the VLANs associated with any IP-based storage VMkernels and verify it is dedicated for that purpose and logically separated from other functions. If any IP-based storage networks are not isolated from other traffic types, this is a finding.
Configuration of an IP-Based VMkernel will be unique to each environment. However, as an example, to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel, do the following: vSAN Example: From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select the dedicated vSAN VMkernel adapter and click Edit settings. On the Port properties tab, uncheck everything but "vSAN.” On the IP Settings tab, enter the appropriate IP address and subnet information and click "OK". Set the appropriate VLAN ID by navigating to Configure >> Networking >> Virtual switches. Select the appropriate portgroup (iSCSI, NFS, vSAN) and click Edit settings. On the properties tab, enter the appropriate VLAN ID and click "OK".
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If vMotion and Provisioning VMKernels are in use and are not using their own TCP/IP stack, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> TCP/IP configuration. Select a TCP/IP stack and click "Edit". Enter the appropriate site-specific IP address information for the particular TCP/IP stack and click "OK".
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostSnmp | Select * or From an console or ssh session, run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read-only communities is set to "public", this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.
To disable SNMP, run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false or From a console or ssh session, run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets, use the "esxcli system snmp set" command set.
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication method, view the CHAP configuration, and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication and click the "Edit" button. Set Authentication method to “Use bidirectional CHAP” and enter a unique secret for each traffic flow direction. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Mem.ShareForceSalting" value and verify it is set to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the "Mem.ShareForceSalting" setting is not set to "2", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Mem.ShareForceSalting" value, and configure it to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall. Under the "Firewall" section, click "Edit". For each enabled service, click "Firewall" and review the allowed IPs. Check this for incoming and outgoing connections. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall. Under the "Firewall" section, click "Edit". For each enabled service, uncheck the check box to “Allow connections from any IP address” and input the site-specific network(s) required. Configure this for incoming and outgoing connections. The following example formats are acceptable: 192.168.0.0/24 192.168.1.2, 2001::1/64 fd3e:29a6:0a81:e478::/64 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: $esxcli = Get-EsxCli -v2 #This disables the allow all rule for the target service. We are targeting the sshServer service in this example. $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.allowedall = $false $esxcli.network.firewall.ruleset.set.Invoke($arguments) #Next add the allowed IPs for the service. Note doing the "vSphere Web Client" service this way may disable access but may be done through vCenter or through the console. $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.ipaddress = "10.0.0.0/8" $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments) This must be done for each enabled service.
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are "True", this is a finding.
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Net.BlockGuestBPDU" value and verify it is set to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the "Net.BlockGuestBPDU" setting is not set to "1", this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Net.BlockGuestBPDU" value, and configure it to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Forged Transmits" policy is set to accept (or true, via PowerCLI), this is a finding.
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "Forged Transmits" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "MAC Address Changes" policy is set to accept (or true, via PowerCLI), this is a finding.
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "MAC Address Changes" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
From the vSphere Client, go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify that "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept (or true, via PowerCLI), this is a finding.
From the vSphere Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group, click Edit settings (dots) and change "Promiscuous Mode" to reject. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings. Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding.
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit", select the "Net.DVFilterBindIpAddress" value, and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with the native VLAN of the attached physical switch, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight the port group where VLAN ID is set to native VLAN ID and click Edit settings (dots). Change the VLAN ID to a non-native VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to 4095. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanID If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight a port group where VLAN ID is set to 4095 and click Edit settings (dots). Change the VLAN ID to an appropriate VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. For each virtual switch, review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with a reserved VLAN ID, this is a finding.
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Highlight a port group where VLAN ID is set to a reserved value and click "Edit" settings (dots). Change the VLAN ID to an appropriate VLAN and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. VST mode does not support DTP, so the trunk must be static and unconditional. Inspect the documentation and verify that it is correct and updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi host, this is a finding.
Note that this check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi host. Update the documentation according to an organization-defined frequency or whenever modifications are made to either ESXi hosts or the upstream external switch ports.
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.
Note that this check refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.
Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that unneeded VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts. If the physical switch's configuration is trunked VLANs that are not used by ESXi for all physical ports connected to ESXi hosts, this is a finding.
Note that this check refers to an entity outside the scope of the ESXi server system. Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.
From the Host Client, select the ESXi host, right-click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions. If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding. If write access is not required and the access level is not "read-only", this is a finding.
Create a role for the CIM account: From the Host Client, go to Manage >> Security & Users. Select "Roles" and click "Add Role". Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add". Add a CIM user account: From the Host Client, go to Manage >> Security & Users. Select "Users" and click "Add User". Provide a name, description, and password for the new user and click "Add". Assign the CIM account permissions to the host with the new role. From the Host Client, select the ESXi host, right-click, and go to "Permissions". Click "Add User", select the CIM account from the drop-down list, select the new CIM role from the drop-down list, and click "Add User".
The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. See some typical command line example(s) for both the md5 and sha1 hash check(s) below: # md5sum <filename>.iso # sha1sum <filename>.iso If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.
If the hash returned from the "md5sum" or "sha1sum" commands do not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.
If vCenter Update Manager is used on the network, it can be used to scan all hosts for missing patches. From the vSphere Client, go to Hosts and Clusters >> Updates. Check under "Attached Baselines" and verify that a compliance check has been run. If vCenter Update Manager is not used, host compliance status must be determined manually by the build number. VMware KB 1014508 can be used to correlate patches with build numbers. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. VMware also publishes Advisories on security patches and offers a way to subscribe to email alerts for them. Go to: https://www.vmware.com/support/policies/security_response
If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Web Client. From the vSphere Client, go to Hosts and Clusters >> Updates. Check under "Attached Baselines". If there are no baselines attached, select the drop-down "Attach >> Attach Baseline or Baseline Group". Select "attach" and select the type of patches. Click on Check Compliance to check Host(s) Compliance. To manually remediate a host, the patch file must be copied locally and the following command run from an SSH session connected to the ESXi host or from the ESXi shell: esxcli software vib update -d <path to offline patch bundle.zip>
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.ESXiVPsDisabledProtocols" value and verify that it is set to the following: tlsv1,tlsv1.1,sslv3 If the value is not set as above or it does not exist, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols If the value returned is not "tlsv1,tlsv1.1,sslv3" or the setting does not exist, this is a finding.
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.ESXiVPsDisabledProtocols" value and set it to the following: tlsv1,tlsv1.1,sslv3 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Set-AdvancedSetting -Value "tlsv1,tlsv1.1,sslv3" A host reboot is required for changes to take effect.
Temporarily enable SSH, connect to the ESXi host, and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -s If the output is not "Enabled", this is a finding.
Temporarily enable SSH, connect to the ESXi host, and run the following command: /usr/lib/vmware/secureboot/bin/secureBoot.py -c If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified, this finding is downgraded to a CAT III. Consult vendor documentation and boot the host into BIOS setup mode. Enable UEFI boot mode and Secure Boot. Restart the host. Temporarily enable SSH, connect to the ESXi host, and run the following command to verify that Secure Boot is enabled: /usr/lib/vmware/secureboot/bin/secureBoot.py -s
From the vSphere Web Client, select the host and click Configure >> System >> Certificate. If the issuer is not a DoD-approved certificate authority, this is a finding. If the host will never be accessed directly (VM console connections bypass vCenter), this is not a finding.
Obtain a DoD-issued certificate and private key for the host following the requirements below: Key size: 2048 bits or more (PEM encoded) Key format: PEM; VMware supports PKCS8 and PKCS1 (RSA keys) x509 version 3 SubjectAltName must contain DNS Name=<machine_FQDN> CRT (Base-64) format Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Start time of one day before the current time. CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory. Put the host into maintenance mode. Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. Back up the existing certificate and key: mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak Copy the new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate: services.sh restart From the vSphere Web Client, select the vCenter Server and click Configure >> System >> Advanced Settings. Find the "vpxd.certmgmt value" and set it to "custom".
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.SuppressShellWarning" value and verify that it is set to the following: 0 If the value is not set as above or does not exist, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning If the value returned is not "0" or the setting does not exist, this is a finding.
From the vSphere Web Client, select the host and click Configure >> System >> Advanced System Settings. Find the "UserVars.SuppressShellWarning" value and set it to the following: 0 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value "0"
Verify that only FIPS-approved ciphers are used by running the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config If there is no output, or the output is not exactly "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr", this is a finding.
Limit the ciphers to algorithms that are FIPS approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config": Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ESXi 6.7 is no longer supported by the vendor. If the server is running ESXi 6.7, this is a finding.
Upgrade to a supported version.