VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Digest of Updates
Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule's description, check, and fix text after stripping inline markup; cosmetic-only edits aren't flagged.
Content changes (1):
- V-256448 (Medium), check text changed: The ESXi Common Information Model (CIM) service must be disabled.
RMF Control: AC-10 | Severity: Medium | CCI: CCI-000054
Version: ESXI-70-000001 | Vuln ID: V-256375 | Rule ID: SV-256375r958398_rule
Checks: C-60050r885904_chk
For environments that do not use vCenter Server to manage ESXi, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to "Enabled" (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If "Lockdown Mode" is disabled, this is a finding.
Fix: F-59993r885905_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile >> Lockdown Mode. Click "Edit...". Select the "Normal" or "Strict" radio button.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands, setting $level to either "lockdownNormal" or "lockdownStrict":
$level = "lockdownNormal"
$vmhost = Get-VMHost -Name <hostname> | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.ChangeLockdownMode($level)
Note: In strict lockdown mode, the Direct Console User Interface (DCUI) service is stopped. If the connection to vCenter Server is lost and the vSphere Client is no longer available, the ESXi host becomes inaccessible.
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000002 | Vuln ID: V-256376 | Rule ID: SV-256376r959010_rule
Checks: C-60051r885907_chk
For environments that do not use vCenter Server to manage ESXi, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "DCUI.Access" value and verify only the root user is listed.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command and verify it is set to "root":
Get-VMHost | Get-AdvancedSetting -Name DCUI.Access
If "DCUI.Access" is not restricted to "root", this is a finding.
Note: This list applies only to local user accounts and should contain only the root user.
Fix: F-59994r885908_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "DCUI.Access" value and configure it to "root".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000003 | Vuln ID: V-256377 | Rule ID: SV-256377r959010_rule
Checks: C-60052r885910_chk
For environments that do not use vCenter Server to manage ESXi, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Under "Lockdown Mode", review the Exception Users list.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following script:
$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()
If the Exception Users list contains accounts that do not require special permissions, this is a finding.
Note: The Exception Users list is empty by default and should remain that way except under site-specific circumstances.
Fix: F-59995r885911_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Under "Lockdown Mode", click "Edit" and remove unnecessary users from the Exception Users list.
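The two lockdown checks above (ESXI-70-000001 and ESXI-70-000003) use the same HostAccessManager object, so they are easiest to audit together. The following PowerCLI script is an added example, not part of the STIG or of VMware's own tooling: it reports both checks per host as finding objects and, on request, applies the fix through ChangeLockdownMode and UpdateLockdownExceptions. It assumes an active Connect-VIServer session to the vCenter Server that manages the hosts; the function names and the ApprovedExceptions parameter are this example's own.

```powershell
# Added example (not STIG text): audit and remediate ESXi lockdown mode and the lockdown
# Exception Users list with PowerCLI. Assumes Connect-VIServer has already been run.

function Get-LockdownFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VMHost,
        # Accounts the site has documented as needing a lockdown exception (normally none).
        [string[]] $ApprovedExceptions = @()
    )
    process {
        $hostView  = Get-View -VIObject $VMHost -Property Name, ConfigManager
        $accessMgr = Get-View $hostView.ConfigManager.HostAccessManager

        # LockdownMode is one of lockdownDisabled, lockdownNormal, lockdownStrict (ESXI-70-000001).
        $mode = [string]$accessMgr.LockdownMode
        [pscustomobject]@{
            Host    = $hostView.Name
            Rule    = 'ESXI-70-000001'
            Value   = $mode
            Finding = ($mode -eq 'lockdownDisabled')
        }

        # QueryLockdownExceptions returns nothing when the list is empty, the expected state (ESXI-70-000003).
        $exceptions = @($accessMgr.QueryLockdownExceptions())
        $unapproved = @($exceptions | Where-Object { $_ -notin $ApprovedExceptions })
        [pscustomobject]@{
            Host    = $hostView.Name
            Rule    = 'ESXI-70-000003'
            Value   = ($exceptions -join ',')
            Finding = ($unapproved.Count -gt 0)
        }
    }
}

function Set-LockdownCompliance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VMHost,
        [ValidateSet('lockdownNormal', 'lockdownStrict')] [string] $Mode = 'lockdownNormal',
        [string[]] $ApprovedExceptions = @()
    )
    process {
        $hostView  = Get-View -VIObject $VMHost -Property Name, ConfigManager
        $accessMgr = Get-View $hostView.ConfigManager.HostAccessManager

        if ($Mode -eq 'lockdownStrict') {
            # Strict mode stops the DCUI; if vCenter is then lost, the host is unreachable.
            Write-Warning "$($hostView.Name): strict lockdown disables the DCUI; confirm out-of-band recovery first."
        }
        if ($accessMgr.LockdownMode -ne $Mode -and
            $PSCmdlet.ShouldProcess($hostView.Name, "ChangeLockdownMode($Mode)")) {
            $accessMgr.ChangeLockdownMode($Mode)
        }

        # UpdateLockdownExceptions replaces the whole list; an empty array leaves it empty.
        $want = ($ApprovedExceptions | Sort-Object) -join ','
        $have = (@($accessMgr.QueryLockdownExceptions()) | Sort-Object) -join ','
        if ($have -ne $want -and
            $PSCmdlet.ShouldProcess($hostView.Name, "UpdateLockdownExceptions($want)")) {
            $accessMgr.UpdateLockdownExceptions([string[]]$ApprovedExceptions)
        }
    }
}

# Usage: list only the findings across all hosts, then dry-run the fix before applying it.
Get-VMHost | Get-LockdownFinding | Where-Object Finding | Format-Table -AutoSize
Get-VMHost | Set-LockdownCompliance -Mode lockdownNormal -WhatIf
```

Run the remediation with -WhatIf first; the ShouldProcess gate means nothing changes until the call is repeated without it (or with -Confirm). Strict mode is only appropriate where console access through the DCUI is genuinely not needed for recovery.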
RMF Control: AC-17 | Severity: Medium | CCI: CCI-000067
Version: ESXI-70-000004 | Vuln ID: V-256378 | Rule ID: SV-256378r958406_rule
Checks: C-60053r885913_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server, following one of the conventions shown below:
udp://<IP/FQDN>:514
tcp://<IP/FQDN>:514
ssl://<IP/FQDN>:1514
Multiple servers can be specified when separated by commas.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If the "Syslog.global.logHost" setting is not set to a valid, site-specific syslog server, this is a finding.
Fix: F-59996r885914_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.logHost" value and configure it to a site-specific syslog server.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command, giving the server in one of the udp://, tcp:// or ssl:// forms shown in the check:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<syslog server hostname>"
RMF Control: AC-7 | Severity: Medium | CCI: CCI-000044
Version: ESXI-70-000005 | Vuln ID: V-256379 | Rule ID: SV-256379r958388_rule
Checks: C-60054r885916_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Security.AccountLockFailures" value and verify it is set to "3".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures
If the "Security.AccountLockFailures" setting is set to a value other than "3", this is a finding.
Fix: F-59997r885917_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Security.AccountLockFailures" value and configure it to "3".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
RMF Control: AC-7 | Severity: Medium | CCI: CCI-002238
Version: ESXI-70-000006 | Vuln ID: V-256380 | Rule ID: SV-256380r958736_rule
Checks: C-60055r885919_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Security.AccountUnlockTime" value and verify it is set to "900".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime
If the "Security.AccountUnlockTime" setting is set to a value other than "900", this is a finding.
Fix: F-59998r885920_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Security.AccountUnlockTime" value and configure it to "900".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
RMF Control: AC-8 | Severity: Medium | CCI: CCI-000048
Version: ESXI-70-000007 | Vuln ID: V-256381 | Rule ID: SV-256381r958390_rule
Checks: C-60056r885922_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Annotations.WelcomeMessage" value and verify it contains the DOD logon banner below. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Banner: {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. 
{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. 
See User Agreement for details. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} If the "Annotations.WelcomeMessage" setting is not set to the specified banner, this is a finding.
Fix: F-59999r885923_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Annotations.WelcomeMessage" value and set it to the following. Click "OK". {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. 
{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. 
See User Agreement for details. {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor}\n{bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align}\n{bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value "<Banner text above>"
RMF Control: AC-8 | Severity: Medium | CCI: CCI-000048
Version: ESXI-70-000008 | Vuln ID: V-256382 | Rule ID: SV-256382r958390_rule
Checks: C-60057r885925_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.Etc.issue" value and verify it is set to the DOD logon banner below.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue
If the "Config.Etc.issue" setting (/etc/issue file) does not contain the logon banner exactly as shown below, this is a finding.
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Fix: F-60000r885926_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Config.Etc.issue" value and set it to the following:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"
RMF Control: AC-8 | Severity: Medium | CCI: CCI-000048
Version: ESXI-70-000009 | Vuln ID: V-256383 | Rule ID: SV-256383r958390_rule
Checks: C-60058r885928_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep banner
Expected result:
banner /etc/issue
If the output does not match the expected result, this is a finding.
Fix: F-60001r885929_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
Banner /etc/issue
Note: "sshd -T" reports the effective configuration parsed from the file, so the check passes as soon as the file is correct; the running SSH daemon applies the change only after it is restarted.
RMF Control: AC-17 | Severity: Medium | CCI: CCI-000068
Version: ESXI-70-000010 | Vuln ID: V-256384 | Rule ID: SV-256384r958408_rule
Checks: C-60059r885931_chk
From an ESXi shell, run the following command:
# esxcli system security fips140 ssh get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.ssh.get.invoke()
Expected result:
Enabled: true
If the output does not match the expected result, this is a finding.
Fix: F-60002r885932_fix
From an ESXi shell, run the following command:
# esxcli system security fips140 ssh set -e true
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)
RMF Control: IA-2 | Severity: Medium | CCI: CCI-000767
Version: ESXI-70-000012 | Vuln ID: V-256385 | Rule ID: SV-256385r984206_rule
Checks: C-60060r885934_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep ignorerhosts
Expected result:
ignorerhosts yes
If the output does not match the expected result, this is a finding.
Fix: F-60003r918908_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
IgnoreRhosts yes
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000013 | Vuln ID: V-256386 | Rule ID: SV-256386r959010_rule
Checks: C-60061r885937_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep hostbasedauthentication
Expected result:
hostbasedauthentication no
If the output does not match the expected result, this is a finding.
Fix: F-60004r885938_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
HostbasedAuthentication no
RMF Control: CM-6 | Severity: Low | CCI: CCI-000366
Version: ESXI-70-000015 | Vuln ID: V-256387 | Rule ID: SV-256387r959010_rule
Checks: C-60062r885940_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep permitemptypasswords
Expected result:
permitemptypasswords no
If the output does not match the expected result, this is a finding.
Fix: F-60005r885941_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
PermitEmptyPasswords no
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000016 | Vuln ID: V-256388 | Rule ID: SV-256388r959010_rule
Checks: C-60063r885943_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep permituserenvironment
Expected result:
permituserenvironment no
If the output does not match the expected result, this is a finding.
Fix: F-60006r885944_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
PermitUserEnvironment no
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000020 | Vuln ID: V-256389 | Rule ID: SV-256389r959010_rule
Checks: C-60064r885946_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep strictmodes
Expected result:
strictmodes yes
If the output does not match the expected result, this is a finding.
Fix: F-60007r885947_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
StrictModes yes
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000021 | Vuln ID: V-256390 | Rule ID: SV-256390r959010_rule
Checks: C-60065r885949_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep compression
Expected result:
compression no
If the output does not match the expected result, this is a finding.
Fix: F-60008r885950_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
Compression no
RMF Control: CM-6 | Severity: Low | CCI: CCI-000366
Version: ESXI-70-000022 | Vuln ID: V-256391 | Rule ID: SV-256391r959010_rule
Checks: C-60066r885952_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep gatewayports
Expected result:
gatewayports no
If the output does not match the expected result, this is a finding.
Fix: F-60009r885953_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
GatewayPorts no
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000023 | Vuln ID: V-256392 | Rule ID: SV-256392r959010_rule
Checks: C-60067r885955_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep x11forwarding
Expected result:
x11forwarding no
If the output does not match the expected result, this is a finding.
Fix: F-60010r885956_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
X11Forwarding no
RMF Control: CM-6 | Severity: Medium | CCI: CCI-000366
Version: ESXI-70-000025 | Vuln ID: V-256393 | Rule ID: SV-256393r959010_rule
Checks: C-60068r885958_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep permittunnel
Expected result:
permittunnel no
If the output does not match the expected result, this is a finding.
Fix: F-60011r885959_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
PermitTunnel no
RMF Control: CM-6 | Severity: Low | CCI: CCI-000366
Version: ESXI-70-000026 | Vuln ID: V-256394 | Rule ID: SV-256394r959010_rule
Checks: C-60069r885961_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep clientalivecountmax
Expected result:
clientalivecountmax 3
If the output does not match the expected result, this is a finding.
Fix: F-60012r885962_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
ClientAliveCountMax 3
RMF Control: CM-6 | Severity: Low | CCI: CCI-000366
Version: ESXI-70-000027 | Vuln ID: V-256395 | Rule ID: SV-256395r959010_rule
Checks: C-60070r885964_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep clientaliveinterval
Expected result:
clientaliveinterval 200
If the output does not match the expected result, this is a finding.
Fix: F-60013r885965_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
ClientAliveInterval 200
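All of the SSH daemon checks from ESXI-70-000009 through ESXI-70-000027 grep a single "sshd -T" dump for one keyword each, so one function can evaluate the whole set from one capture of that output. The script below is an added example, not part of the STIG: it parses the text that "/usr/lib/vmware/openssh/bin/sshd -T" prints on the host and reports each required keyword as compliant or as a finding. How the dump gets from the ESXi shell into the function (an SSH session, a collection script) is left to the operator; the sample dump embedded at the end is constructed for the example and is not from a real host, and the function and variable names are this example's own.

```powershell
# Added example (not STIG text): evaluate an "sshd -T" dump from an ESXi host against the
# sshd_config values the STIG requires. Input is the raw text of that command's output.

# Keywords as "sshd -T" prints them (always lowercased) with the required value and STIG ID.
$SshdExpected = [ordered]@{
    'banner'                  = [pscustomobject]@{ Value = '/etc/issue'; Rule = 'ESXI-70-000009' }
    'ignorerhosts'            = [pscustomobject]@{ Value = 'yes';        Rule = 'ESXI-70-000012' }
    'hostbasedauthentication' = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000013' }
    'permitemptypasswords'    = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000015' }
    'permituserenvironment'   = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000016' }
    'strictmodes'             = [pscustomobject]@{ Value = 'yes';        Rule = 'ESXI-70-000020' }
    'compression'             = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000021' }
    'gatewayports'            = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000022' }
    'x11forwarding'           = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000023' }
    'permittunnel'            = [pscustomobject]@{ Value = 'no';         Rule = 'ESXI-70-000025' }
    'clientalivecountmax'     = [pscustomobject]@{ Value = '3';          Rule = 'ESXI-70-000026' }
    'clientaliveinterval'     = [pscustomobject]@{ Value = '200';        Rule = 'ESXI-70-000027' }
}

function Test-SshdConfig {
    param(
        [Parameter(Mandatory)] [string[]] $SshdDumpLines,   # lines of "sshd -T" output
        [string] $HostName = 'unknown'
    )
    # "sshd -T" emits one "keyword value" pair per line; split at the first run of whitespace.
    $effective = @{}
    foreach ($line in $SshdDumpLines) {
        if ($line -match '^\s*(\S+)\s+(.*)$') {
            $effective[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    foreach ($key in $SshdExpected.Keys) {
        $want = $SshdExpected[$key].Value
        # A keyword missing from the dump is treated as a finding, not silently skipped.
        $have = if ($effective.ContainsKey($key)) { $effective[$key] } else { '<absent>' }
        [pscustomobject]@{
            Host     = $HostName
            Rule     = $SshdExpected[$key].Rule
            Keyword  = $key
            Expected = $want
            Actual   = $have
            Finding  = ($have -ne $want)
        }
    }
}

# Constructed sample dump (not from a real host): x11forwarding and clientaliveinterval are wrong.
$sampleDump = @'
port 22
banner /etc/issue
ignorerhosts yes
hostbasedauthentication no
permitemptypasswords no
permituserenvironment no
strictmodes yes
compression no
gatewayports no
x11forwarding yes
permittunnel no
clientalivecountmax 3
clientaliveinterval 0
ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
'@ -split "`r?`n"

# Usage: show only the findings; drop the Where-Object to see every keyword's state.
Test-SshdConfig -SshdDumpLines $sampleDump -HostName 'esxi-sample' |
    Where-Object Finding | Format-Table -AutoSize
```

Because "sshd -T" reports the configuration as parsed from /etc/ssh/sshd_config, feed the function a dump taken after the SSH service has been restarted if the goal is to confirm what the running daemon enforces rather than what the file says.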
RMF Control: AU-3 | Severity: Medium | CCI: CCI-000130
Version: ESXI-70-000030 | Vuln ID: V-256396 | Rule ID: SV-256396r958412_rule
Checks: C-60071r885967_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.log.level" value and verify it is set to "info".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level
If the "Config.HostAgent.log.level" setting is not set to "info", this is a finding.
Note: Verbose logging level is acceptable for troubleshooting purposes.
Fix: F-60014r885968_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Config.HostAgent.log.level" value and configure it to "info".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000192
- Version
- ESXI-70-000031
- Vuln IDs
-
- V-256397
- Rule IDs
-
- SV-256397r984191_rule
Checks: C-60072r885970_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Security.PasswordQualityControl" value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the "Security.PasswordQualityControl" setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
Fix: F-60015r885971_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Security.PasswordQualityControl" value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
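The setting string is in pam_passwdqc option syntax: "min=N0,N1,N2,N3,N4" gives the minimum length for passwords built from one character class, two classes, a passphrase, three classes and four classes respectively, and "disabled" means that kind is never accepted, so the STIG value only admits four-class passwords of 15 or more characters. The following evaluator is an added example, not VMware or DISA code; it models passwdqc's class counting (an upper-case first character and a trailing digit do not count) and its tier fallback, and does not model the "similar=deny" comparison against the previous password. The candidate passwords are constructed for the example.

```python
"""Evaluate a candidate password against an ESXi Security.PasswordQualityControl
string (added example, modelled on pam_passwdqc's is_simple() logic).
"""
import re

STIG_POLICY = "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
PASSWDQC_DEFAULT_MIN = "disabled,24,11,8,7"   # passwdqc's own default for min=


def parse_policy(policy):
    """Split 'key=value' tokens; expand min= into a 5-element list (None = disabled)."""
    opts = dict(tok.partition("=")[::2] for tok in policy.split())
    mins = opts.get("min", PASSWDQC_DEFAULT_MIN).split(",")
    if len(mins) != 5:
        raise ValueError("min= needs exactly five values")
    opts["min"] = [None if m == "disabled" else int(m) for m in mins]
    opts["passphrase"] = int(opts.get("passphrase", 3))   # words needed for a passphrase
    opts["retry"] = int(opts.get("retry", 3))
    return opts


def character_classes(password):
    """Count classes the passwdqc way: an upper-case first character and a digit
    as the last character do not count towards the class total (ASCII assumed)."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    return sum([
        any(c.islower() for c in body),
        any(c.isupper() for c in body),
        any(c.isdigit() for c in body),
        any(not c.isalnum() for c in body),
    ])


def word_count(password):
    """passwdqc starts a new word wherever a letter follows a non-letter."""
    return len(re.findall(r"[A-Za-z]+", password))


def evaluate(policy, password):
    """Return (accepted, reason). passwdqc tries the tiers from the password's
    class count downwards; the password passes if any tier it qualifies for
    has an enabled minimum that its length meets."""
    p = parse_policy(policy) if isinstance(policy, str) else policy
    mins, length = p["min"], len(password)
    classes = character_classes(password)
    tiers = {1: [mins[0]], 2: [mins[1]], 3: [mins[3]], 4: [mins[4]]}
    if p["passphrase"] and word_count(password) >= p["passphrase"]:
        tiers[2].append(mins[2])          # the passphrase tier is tried alongside 2 classes
    for n in range(classes, 0, -1):
        for need in tiers[n]:
            if need is not None and length >= need:
                return True, f"{classes} classes, length {length} >= {need}"
    return False, f"{classes} classes, length {length}: no enabled tier satisfied"
```

Under the STIG value, "Tr0ub4dor&3xampl" is rejected despite its 16 characters: the leading "T" is the only upper-case letter, so it does not count, leaving three classes and a disabled tier. "Password1" collapses to a single class for the same reason. Under passwdqc's default min= the three-word passphrase "correct horse battery" is accepted through the passphrase tier, which the STIG value disables.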
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- ESXI-70-000032
- Vuln IDs
-
- V-256398
- Rule IDs
-
- SV-256398r984204_rule
Checks: C-60073r885973_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Security.PasswordHistory" value and verify it is set to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory If the "Security.PasswordHistory" setting is not set to "5" this is a finding.
Fix: F-60016r918910_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Security.PasswordHistory" value and configure it to "5". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory | Set-AdvancedSetting -Value 5
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-70-000034
- Vuln IDs
-
- V-256399
- Rule IDs
-
- SV-256399r958478_rule
Checks: C-60074r885976_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.plugins.solo.enableMob" value and verify it is set to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the "Config.HostAgent.plugins.solo.enableMob" setting is not set to "false", this is a finding.
Fix: F-60017r918912_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Config.HostAgent.plugins.solo.enableMob" value and configure it to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-70-000035
- Vuln IDs
-
- V-256400
- Rule IDs
-
- SV-256400r958478_rule
Checks: C-60075r885979_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under "Services", locate the "SSH" service and verify it is "Stopped". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the SSH service is "Running", this is a finding.
Fix: F-60018r885980_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under "Services", select the "SSH" service and click the "Stop" button. Click the "Edit Startup policy..." button. Select the "Start and stop manually" radio button. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- ESXI-70-000036
- Vuln IDs
-
- V-256401
- Rule IDs
-
- SV-256401r958478_rule
Checks: C-60076r885982_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under "Services", locate the "ESXi Shell" service and verify it is "Stopped". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} If the ESXi Shell service is "Running", this is a finding.
Fix: F-60019r885983_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under "Services", select the "ESXi Shell" service and click the "Stop" button. Click the "Edit Startup policy..." button. Select the "Start and stop manually" radio button. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
- RMF Control
- IA-2
- Severity
- L
- CCI
- CCI-000764
- Version
- ESXI-70-000037
- Vuln IDs
-
- V-256402
- Rule IDs
-
- SV-256402r958482_rule
Checks: C-60077r885985_chk
For systems that do not use Active Directory and have no local user accounts other than root and/or service accounts, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and do have local user accounts, other than root and/or service accounts, this is a finding. If the Directory Services Type is not set to "Active Directory", this is a finding.
Fix: F-60020r885986_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Authentication Services. Click "Join Domain..." and enter the AD domain to join. Select the "Using credentials" radio button and enter the credentials of an account with permissions to join machines to AD (use UPN naming "user@domain"). Click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password" If any local user accounts are present besides root and service accounts, delete them by going to Host UI >> Manage >> Security & Users >> Users.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- ESXI-70-000038
- Vuln IDs
-
- V-256403
- Rule IDs
-
- SV-256403r958482_rule
Checks: C-60078r885988_chk
If the organization is not using Host Profiles to join Active Directory, this is not applicable. From the vSphere Client, go to Home >> Policies and Profiles >> Host Profiles. Click a Host Profile >> Configure >> Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. If the method used to join hosts to a domain is not set to "Use vSphere Authentication Proxy to add the host to domain", this is a finding. or From a PowerCLI command prompt while connected to vCenter, run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} If "JoinADEnabled" is "True" and "JoinDomainMethod" is not "FixedCAMConfigOption", this is a finding.
Fix: F-60021r885989_fix
From the vSphere Client, go to Home >> Policies and Profiles >> Host Profiles. Click a Host Profile >> Configure >> Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration. Click "Edit Host Profile...". Set the "Join Domain Method" to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server. Click "Save".
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- ESXI-70-000039
- Vuln IDs
-
- V-256404
- Rule IDs
-
- SV-256404r958482_rule
Checks: C-60079r885991_chk
For systems that do not use Active Directory, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value and verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key is set to "ESX Admins", this is a finding.
Fix: F-60022r885992_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" key and configure its value to an appropriate Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-70-000041
- Vuln IDs
-
- V-256405
- Rule IDs
-
- SV-256405r970703_rule
Checks: C-60080r885994_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellInteractiveTimeOut" value and verify it is set to "120" (two minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the "UserVars.ESXiShellInteractiveTimeOut" setting is not set to "120", this is a finding.
Fix: F-60023r885995_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.ESXiShellInteractiveTimeOut" value and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 120
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-70-000042
- Vuln IDs
-
- V-256406
- Rule IDs
-
- SV-256406r970703_rule
Checks: C-60081r885997_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiShellTimeOut" value and verify it is set to "600" (10 minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the "UserVars.ESXiShellTimeOut" setting is not set to "600", this is a finding.
Fix: F-60024r885998_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.ESXiShellTimeOut" value and configure it to "600". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- ESXI-70-000043
- Vuln IDs
-
- V-256407
- Rule IDs
-
- SV-256407r970703_rule
Checks: C-60082r886000_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.DcuiTimeOut" value and verify it is set to "120" (two minutes). or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the "UserVars.DcuiTimeOut" setting is not set to "120", this is a finding.
Fix: F-60025r886001_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.DcuiTimeOut" value and configure it to "120". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 120
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- ESXI-70-000045
- Vuln IDs
-
- V-256408
- Rule IDs
-
- SV-256408r958752_rule
Checks: C-60083r886003_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logDir" value and verify it is set to a persistent location. If the value of the setting is "[] /scratch/logs", verify the advanced setting "ScratchConfig.CurrentScratchLocation" is not set to "/tmp/scratch". This is a nonpersistent location. If "Syslog.global.logDir" is not configured to a persistent location, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.syslog.config.get.Invoke() | Select LocalLogOutput,LocalLogOutputIsPersistent If the "LocalLogOutputIsPersistent" value is not true, this is a finding.
Fix: F-60026r886004_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.logDir" value and set it to a known persistent location. An example is shown below, where 51dda02d-fade5016-8a08-005056171889 is the UUID of the target datastore: /vmfs/volumes/51dda02d-fade5016-8a08-005056171889 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- ESXI-70-000046
- Vuln IDs
-
- V-256409
- Rule IDs
-
- SV-256409r1038976_rule
Checks: C-60084r886006_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Time Configuration. Under "Current Time Configuration", verify "Time Synchronization" is set to "Network Time Protocol". Under "Network Time Protocol", verify the "NTP Servers" are authorized DOD time sources. If the ESXi host is not configured to pull time from authoritative DOD time sources, this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DOD time sources or the service does not have a "Policy" of "on" or is stopped, this is a finding.
Fix: F-60027r886007_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Time Configuration. Under "Network Time Protocol", click "Edit...". Ensure the "NTP Servers" are authorized DOD time sources. Ensure the "NTP Service Startup Policy" is set to "Start and stop with host". Ensure the "Enable" checkbox, in the upper left, is checked. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
- RMF Control
- CM-5
- Severity
- H
- CCI
- CCI-001749
- Version
- ESXI-70-000047
- Vuln IDs
-
- V-256410
- Rule IDs
-
- SV-256410r984242_rule
Checks: C-60085r886009_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.software.acceptance.get.Invoke() If the acceptance level is "CommunitySupported", this is a finding.
Fix: F-60028r892863_fix
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Security Profile. Under "Host Image Profile Acceptance Level", click "Edit...". Using the drop-down selection, set the acceptance level as "VMwareCertified", "VMwareAccepted", or "PartnerSupported". The default is "PartnerSupported". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.software.acceptance.set.CreateArgs() $arguments.level = "PartnerSupported" $esxcli.software.acceptance.set.Invoke($arguments) Note: "VMwareCertified" or "VMwareAccepted" may be substituted for "PartnerSupported", depending on local requirements. These are case sensitive.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-70-000048
- Vuln IDs
-
- V-256411
- Rule IDs
-
- SV-256411r958908_rule
Checks: C-60086r886012_chk
For environments that do not use vCenter server to manage ESXi, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking. Review the VLAN associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. If long distance or cross vCenter vMotion is used, the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding.
Fix: F-60029r886013_fix
Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a distributed switch do the following: From the vSphere Client, go to Networking. Select a distributed switch, select a port group, and then go to Configure >> Settings >> Edit >> VLAN. Change the "VLAN Type" to "VLAN" and change the "VLAN ID" to a network allocated and dedicated to vMotion traffic exclusively.
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-70-000049
- Vuln IDs
-
- V-256412
- Rule IDs
-
- SV-256412r958908_rule
Checks: C-60087r919021_chk
From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select each VMkernel adapter that is "Enabled" for management traffic and, in the bottom pane, view the "Enabled services". If any services other than "Management" are enabled on the Management VMkernel adapter, this is a finding. From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Review the VLAN associated with each VMkernel that is "Enabled" for management traffic. Verify with the system administrator that they are dedicated for that purpose and are logically separated from other functions. If the network segment is accessible, except to networks where other management-related entities are located such as vCenter, this is a finding. If there are any other systems or devices such as VMs on the ESXi management segment, this is a finding.
Fix: F-60030r886016_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> VMkernel adapters. Select the Management VMkernel and click "Edit...". On the "Port" properties tab, uncheck all services except "Management". Click "OK". From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. Find the port group that contains the Management VMkernel and click the "..." button next to the name. Click "Edit Settings". On the "Properties" tab, change the "VLAN ID" to one dedicated to Management traffic. Click "OK".
- RMF Control
- SC-8
- Severity
- M
- CCI
- CCI-002418
- Version
- ESXI-70-000050
- Vuln IDs
-
- V-256413
- Rule IDs
-
- SV-256413r958908_rule
Checks: C-60088r886018_chk
If IP-based storage is not used, this is not applicable. From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Select each IP-based storage VMkernel adapter and view the enabled services. If any services are enabled on an NFS or iSCSI IP-based storage VMkernel adapter, this is a finding. If any services are enabled on a vSAN VMkernel adapter other than vSAN, this is a finding. From the vSphere Client, select the ESXi host and go to Configure >> Networking >> VMkernel adapters. Review the VLANs associated with any IP-based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-based storage networks are not isolated from other traffic types, this is a finding.
Fix: F-60031r886019_fix
Configuration of an IP-based VMkernel will be unique to each environment. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> VMkernel adapters. Select the VMkernel used for IP-based storage and click "Edit...". On the "Port" properties tab, uncheck all services. Click "OK". Note: For VMkernels used for vSAN, leave the vSAN service enabled and uncheck all others. From the vSphere Client, go to Hosts and Clusters >> select the ESXi Host >> Configure >> Networking >> Virtual switches. Find the port group that is dedicated to IP-based storage and click the "..." button next to the name. Click "Edit Settings". On the "Properties" tab, change the "VLAN ID" to one dedicated for IP-based storage traffic. Click "OK".
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000053
- Vuln IDs
-
- V-256414
- Rule IDs
-
- SV-256414r959010_rule
Checks: C-60089r886021_chk
From an ESXi shell, run the following command: # esxcli system snmp get or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostSnmp | Select * If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read-only communities are set to "public", this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured via the "esxcli" command.
Fix: F-60032r886022_fix
To disable SNMP from an ESXi shell, run the following command: # esxcli system snmp set -e no or From a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false To configure SNMP for v3 targets, use the "esxcli system snmp set" command set locally on the host or remotely via PowerCLI.
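The three clauses of this check (enabled but unused, "public" community, no v3 targets) are easy to evaluate offline from the output of "esxcli system snmp get". The following is an added example, not DISA or VMware code: the two samples are constructed to resemble esxcli's indented "Key: value" lines and are not captured from a real host, and the v3 target string in the second sample is an assumed illustrative value.

```python
"""Evaluate `esxcli system snmp get` output against ESXI-70-000053 (added example).

Both samples are constructed for this example; they mimic the "   Key: value"
layout esxcli prints but were not captured from a real host.
"""

SAMPLE_SNMP_GET = """\
   Authentication:
   Communities: public
   Enable: true
   Engineid: 00000063000000a100000000
   Hwsrc: indications
   Largestorage: true
   Loglevel: info
   Notraps:
   Port: 161
   Privacy:
   Remoteusers:
   Syscontact:
   Syslocation:
   Targets:
   Users:
   V3targets:
"""

# Assumed v3 configuration: no community strings, one authpriv v3 trap target.
SAMPLE_SNMP_V3 = """\
   Authentication: SHA1
   Communities:
   Enable: true
   Port: 161
   Privacy: AES128
   Users: monitor/-/-/priv
   V3targets: 192.0.2.50@162/monitor/priv/trap
"""


def parse_snmp_get(text):
    """Turn esxcli key/value lines into a dict keyed by lower-case setting name."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def _list(value):
    """esxcli prints list-valued settings comma separated; empty means none."""
    return [v.strip() for v in value.split(",") if v.strip()]


def snmp_findings(cfg, snmp_in_use):
    """Return the STIG findings for a parsed config; an empty list means compliant.
    `snmp_in_use` is the assessor's answer to whether the site actually uses SNMP."""
    findings = []
    enabled = cfg.get("enable", "false").lower() == "true"
    if not enabled:
        return findings                  # disabled SNMP satisfies every clause
    if not snmp_in_use:
        findings.append("SNMP is enabled but not in use")
    if "public" in _list(cfg.get("communities", "")):
        findings.append('read-only community "public" is configured')
    if not _list(cfg.get("v3targets", "")):
        findings.append("no SNMP v3 targets configured")
    return findings


def remediation(findings):
    """Map findings to the esxcli command the fix text prescribes."""
    if "SNMP is enabled but not in use" in findings:
        return "esxcli system snmp set -e no"
    return "esxcli system snmp set ... (configure v3 targets, remove public)" if findings else None
```

The first sample yields two findings when SNMP is in use (public community, no v3 targets) and three when it is not; the v3 sample yields none. Because "enabled" gates every clause, the fastest route to compliance on a host that does not need SNMP is simply "esxcli system snmp set -e no".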
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000054
- Vuln IDs
-
- V-256415
- Rule IDs
-
- SV-256415r959010_rule
Checks: C-60090r886024_chk
If iSCSI is not used, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication >> Method. View the CHAP configuration and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.
Fix: F-60033r886025_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication. Click "Edit...". Set "Authentication Method" to "Use bidirectional CHAP" and enter a unique secret for each traffic flow direction. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
- RMF Control
- CM-6
- Severity
- L
- CCI
- CCI-000366
- Version
- ESXI-70-000055
- Vuln IDs
-
- V-256416
- Rule IDs
-
- SV-256416r959010_rule
Checks: C-60091r886027_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Mem.ShareForceSalting" value and verify it is set to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the "Mem.ShareForceSalting" setting is not set to "2", this is a finding.
Fix: F-60034r886028_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Mem.ShareForceSalting" value and set it to "2". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000056
- Vuln IDs
-
- V-256417
- Rule IDs
-
- SV-256417r959010_rule
Checks: C-60092r886030_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Firewall. Under the "Allowed IP addresses" column, review the allowed IPs for each service. Check this for "Incoming" and "Outgoing" sections. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
Fix: F-60035r886031_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Firewall. Click "Edit...". For each enabled service, uncheck the check box to "Allow connections from any IP address" and input the site-specific network(s) required. The following example formats are acceptable: 192.168.0.0/24 192.168.1.2, 2001::1/64 fd3e:29a6:0a81:e478::/64 or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 #This disables the allow all rule for the target service. We are targeting the sshServer service in this example. $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.allowedall = $false $esxcli.network.firewall.ruleset.set.Invoke($arguments) #Next add the allowed IPs for the service. Note doing the "vSphere Web Client" service this way may disable access but may be done through vCenter or through the console. $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $arguments.rulesetid = "sshServer" $arguments.ipaddress = "10.0.0.0/8" $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments) This must be done for each enabled service.
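Two things are worth checking beyond the "allow all" flag: that every allowed entry actually parses in one of the accepted formats, and that none of them is a catch-all prefix that allows any address by another name. The following is an added example, not the STIG's or VMware's code; the ruleset records are constructed to mirror the fields the PowerCLI query above returns (Name, Enabled, AllIPEnabled) plus the allowed entries, and the ruleset names in the sample are illustrative.

```python
"""Evaluate ESXi firewall rulesets' allowed-IP lists for ESXI-70-000056 (added example).

Records are constructed for this example in the shape of the PowerCLI output on
this page, with the allowed entries written in the formats the fix text accepts:
a bare host, an IPv4 CIDR, or an IPv6 CIDR.
"""
import ipaddress

ANY_NETWORKS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Constructed sample data, not output from a real host.
SAMPLE_RULESETS = [
    {"Name": "sshServer", "Enabled": True, "AllIPEnabled": True, "AllowedIPs": []},
    {"Name": "vSphereClient", "Enabled": True, "AllIPEnabled": False,
     "AllowedIPs": ["192.168.0.0/24", "192.168.1.2", "2001::1/64", "fd3e:29a6:0a81:e478::/64"]},
    {"Name": "ntpClient", "Enabled": True, "AllIPEnabled": False, "AllowedIPs": ["0.0.0.0/0"]},
    {"Name": "snmp", "Enabled": False, "AllIPEnabled": True, "AllowedIPs": []},
    {"Name": "CIMHttpServer", "Enabled": True, "AllIPEnabled": False, "AllowedIPs": ["10.0.0.256"]},
]


def parse_allowed(entry):
    """Normalise one allowed-IP entry to an ip_network (a bare host becomes /32 or /128).
    strict=False mirrors the ESXi dialog, which accepts '2001::1/64' as shorthand for 2001::/64."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def split_entries(text):
    """Split the comma and/or space separated list as typed into the vSphere Client dialog."""
    return [e for e in text.replace(",", " ").split() if e]


def firewall_findings(rulesets):
    """Return (ruleset, kind, reason) tuples; kind is 'finding' or 'warning'.
    Only enabled rulesets are assessed, matching the check text."""
    results = []
    for rs in rulesets:
        if not rs["Enabled"]:
            continue
        if rs["AllIPEnabled"]:
            results.append((rs["Name"], "finding", "allows connections from any IP address"))
            continue
        if not rs["AllowedIPs"]:
            # Compliant with the letter of the rule, but nobody can reach the service.
            results.append((rs["Name"], "warning", "no allowed addresses: service is unreachable"))
        for entry in rs["AllowedIPs"]:
            try:
                net = parse_allowed(entry)
            except ValueError:
                results.append((rs["Name"], "finding", f"unparseable allowed entry {entry!r}"))
                continue
            if net in ANY_NETWORKS:
                results.append((rs["Name"], "finding", f"{entry} is equivalent to allowing any IP"))
    return results
```

On the sample, sshServer (allow-all), ntpClient (0.0.0.0/0) and CIMHttpServer (malformed entry) are findings, the disabled snmp ruleset is skipped, and the vSphereClient list parses cleanly, with "2001::1/64" normalised to 2001::/64. Apply the allowed-IP restriction to the service you are connected through last, as the fix text warns, or you lock yourself out.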
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000057
- Vuln IDs
-
- V-256418
- Rule IDs
-
- SV-256418r959010_rule
Checks: C-60093r886033_chk
From an ESXi shell, run the following command: # esxcli network firewall get If the "Default Action" does not equal "DROP", this is a finding. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are "True", this is a finding.
Fix: F-60036r886034_fix
From an ESXi shell, run the following command: # esxcli network firewall set --default-action=false or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000058
- Vuln IDs
-
- V-256419
- Rule IDs
-
- SV-256419r959010_rule
Checks: C-60094r886036_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Net.BlockGuestBPDU" value and verify it is set to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the "Net.BlockGuestBPDU" setting is not set to "1", this is a finding.
Fix: F-60037r886037_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Net.BlockGuestBPDU" value and configure it to "1". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000059
- Vuln IDs
-
- V-256420
- Rule IDs
-
- SV-256420r959010_rule
Checks: C-60095r886039_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click View Settings >> Policies tab. Verify that "Forged transmits" is set to "Reject". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch -Standard | Get-SecurityPolicy Get-VirtualPortGroup -Standard | Get-SecurityPolicy If the "Forged Transmits" policy is set to "Accept" (or "true", via PowerCLI), this is a finding.
Fix: F-60038r886040_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click Edit Settings >> Security tab. Set "Forged transmits" to "Reject". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-70-000060
- Vuln IDs
-
- V-256421
- Rule IDs
-
- SV-256421r959010_rule
Checks: C-60096r886042_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click View Settings >> Policies tab. Verify "MAC Address Changes" is set to "Reject". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VirtualSwitch -Standard | Get-SecurityPolicy Get-VirtualPortGroup -Standard | Get-SecurityPolicy If the "MAC Address Changes" policy is set to "Accept" (or "true", via PowerCLI), this is a finding.
Fix: F-60039r886043_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click Edit Settings >> Security tab. Set "MAC Address Changes" to "Reject".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false
Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000061
- Vuln IDs
-
- V-256422
- Rule IDs
-
- SV-256422r959010_rule
Checks: C-60097r886045_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click View Settings >> Policies tab. Verify "Promiscuous Mode" is set to "Reject".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VirtualSwitch -Standard | Get-SecurityPolicy
Get-VirtualPortGroup -Standard | Get-SecurityPolicy
If the "Promiscuous Mode" policy is set to "Accept" (or "true", via PowerCLI), this is a finding.
Fix: F-60040r886046_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the "..." button next to each port group. Click Edit Settings >> Security tab. Set "Promiscuous Mode" to "Reject".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false
Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
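The three standard-switch security policies above (Forged Transmits, MAC Address Changes, Promiscuous Mode) are read from the same PowerCLI objects, so one pass can audit and fix all of them while honouring the port-group inheritance the fix text relies on. The following PowerCLI function is an added example, not DISA or VMware code; it assumes an existing Connect-VIServer session, and its name, parameters and -Remediate switch are this example's own.

```powershell
# Added example (not DISA/VMware code): audit, and optionally remediate, the
# Forged Transmits / MAC Address Changes / Promiscuous Mode policies on every
# standard switch and port group of the given hosts. Assumes Connect-VIServer
# has already been run; function and parameter names are this example's own.
function Get-VssSecurityPolicyFinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hosts to audit; default is every host in the connected inventory.
        [Parameter(ValueFromPipeline)]
        [object[]]$VMHost = (Get-VMHost),
        # Apply the STIG fix: Reject on the switch, Inherit on the port group.
        [switch]$Remediate
    )
    begin { $policies = 'ForgedTransmits', 'MacChanges', 'AllowPromiscuous' }
    process {
        foreach ($h in $VMHost) {
            # No standard switch on the host: the three rules are Not Applicable.
            $switches = @(Get-VirtualSwitch -VMHost $h -Standard -ErrorAction SilentlyContinue)
            if ($switches.Count -eq 0) { continue }

            foreach ($vss in $switches) {
                $vssPolicy = Get-SecurityPolicy -VirtualSwitch $vss
                foreach ($p in $policies) {
                    # At switch level, $true means "Accept" and is a finding.
                    $finding = [bool]$vssPolicy.$p
                    $fixed = $false
                    if ($finding -and $Remediate -and
                        $PSCmdlet.ShouldProcess("$($h.Name) vSwitch $($vss.Name)", "Set $p = Reject")) {
                        $splat = @{ $p = $false }               # e.g. -ForgedTransmits $false
                        $vssPolicy = $vssPolicy | Set-SecurityPolicy @splat
                        $fixed = $true
                    }
                    [pscustomobject]@{
                        VMHost = $h.Name; Switch = $vss.Name; PortGroup = $null
                        Policy = $p; EffectiveAccept = $finding
                        Finding = $finding; Remediated = $fixed
                    }
                }

                foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss -Standard) {
                    $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
                    foreach ($p in $policies) {
                        # A port group override only counts when its Inherited flag is
                        # false; otherwise the (possibly just fixed) switch value applies.
                        $inherited = [bool]$pgPolicy."${p}Inherited"
                        $effective = if ($inherited) { [bool]$vssPolicy.$p } else { [bool]$pgPolicy.$p }
                        $fixed = $false
                        if ($effective -and $Remediate -and
                            $PSCmdlet.ShouldProcess("$($h.Name) port group $($pg.Name)", "Inherit $p from switch")) {
                            $splat = @{ "${p}Inherited" = $true }   # e.g. -ForgedTransmitsInherited $true
                            $pgPolicy = $pgPolicy | Set-SecurityPolicy @splat
                            $fixed = $true
                        }
                        [pscustomobject]@{
                            VMHost = $h.Name; Switch = $vss.Name; PortGroup = $pg.Name
                            Policy = $p; EffectiveAccept = $effective
                            Finding = $effective; Remediated = $fixed
                        }
                    }
                }
            }
        }
    }
}

# Report findings only, then rehearse the fix with -WhatIf before applying it.
Get-VMHost | Get-VssSecurityPolicyFinding | Where-Object Finding | Format-Table -AutoSize
# Get-VMHost | Get-VssSecurityPolicyFinding -Remediate -WhatIf
```

Because the switch is fixed before its port groups are evaluated, a port group that already inherits reports no finding once the switch rejects; only explicit "Accept" overrides are switched back to inheritance.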
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000062
- Vuln IDs
-
- V-256423
- Rule IDs
-
- SV-256423r959010_rule
Checks: C-60098r886048_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Net.DVFilterBindIpAddress" value and verify the value is blank or the correct IP address of a security appliance if in use.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress
If the "Net.DVFilterBindIpAddress" is not blank and security appliances are not in use on the host, this is a finding.
Fix: F-60041r886049_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Net.DVFilterBindIpAddress" value and remove any incorrect addresses.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000063
- Vuln IDs
-
- V-256424
- Rule IDs
-
- SV-256424r959010_rule
Checks: C-60099r886051_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each standard switch, review the "VLAN ID" on each port group. Verify they are not set to the native VLAN ID of the attached physical switch.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Standard | Select Name, VLanId
If any port group is configured with the native VLAN of the attached physical switch, this is a finding.
Fix: F-60042r886052_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each port group on a standard switch that is configured to a native VLAN, click the "..." button next to the port group. Click "Edit Settings". On the "Properties" tab, change the "VLAN ID" to a non-native VLAN and click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000064
- Vuln IDs
-
- V-256425
- Rule IDs
-
- SV-256425r959010_rule
Checks: C-60100r886054_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each standard switch, review the "VLAN ID" on each port group and verify it is not set to "4095".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Standard | Select Name, VLanId
If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
Fix: F-60043r919425_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each port group on a standard switch that is configured to a native VLAN, click the "..." button next to the port group. Click "Edit Settings". On the "Properties" tab, change the "VLAN ID" to an appropriate VLAN ID and click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000065
- Vuln IDs
-
- V-256426
- Rule IDs
-
- SV-256426r959010_rule
Checks: C-60101r886057_chk
Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each standard switch, review the "VLAN ID" on each port group and verify it is not set to a reserved VLAN ID.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Standard | Select Name, VLanId
If any port group is configured with a reserved VLAN ID, this is a finding.
Fix: F-60044r892864_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual switches. For each port group on a standard switch that is configured to a reserved VLAN, click the "..." button next to the port group. Click "Edit Settings". On the "Properties" tab, change the "VLAN ID" to an appropriate VLAN ID and click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
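ESXI-70-000063, -000064 and -000065 all start from the same "Get-VirtualPortGroup -Standard | Select Name, VLanId" listing, differing only in which VLAN IDs count as a finding. The PowerCLI function below is an added example, not DISA or VMware code; it assumes a Connect-VIServer session, and the native VLAN, the reserved ranges and the list of documented VLAN 4095 exceptions are inputs the assessor supplies from the physical switch configuration (the defaults are placeholders).

```powershell
# Added example (not DISA/VMware code): flag standard port groups whose VLAN ID is
# the physical switch's native VLAN (ESXI-70-000063), 4095 without a documented
# exception (ESXI-70-000064), or a reserved ID (ESXI-70-000065).
# Assumes Connect-VIServer has been run. Function and parameter names are this
# example's own; the default values are placeholders, not vendor facts.
function Get-VssVlanFinding {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [object[]]$VMHost = (Get-VMHost),
        # Native (untagged) VLAN of the physical switch ports; placeholder default.
        [int]$NativeVlan = 1,
        # VLAN IDs the attached physical switch reserves; take from its documentation.
        [int[]]$ReservedVlan = @(),
        # Port groups documented as approved VLAN 4095 (Virtual Guest Tagging) uses.
        [string[]]$ApprovedVgtPortGroup = @()
    )
    process {
        foreach ($h in $VMHost) {
            $groups = @(Get-VirtualPortGroup -VMHost $h -Standard -ErrorAction SilentlyContinue)
            if ($groups.Count -eq 0) { continue }      # no standard switch: Not Applicable
            foreach ($pg in $groups) {
                $vlan  = [int]$pg.VLanId
                $rules = [System.Collections.Generic.List[string]]::new()
                if ($vlan -eq $NativeVlan) {
                    $rules.Add('ESXI-70-000063 native VLAN')
                }
                if ($vlan -eq 4095 -and $pg.Name -notin $ApprovedVgtPortGroup) {
                    $rules.Add('ESXI-70-000064 VLAN 4095 without documented exception')
                }
                if ($vlan -in $ReservedVlan) {
                    $rules.Add('ESXI-70-000065 reserved VLAN')
                }
                [pscustomobject]@{
                    VMHost    = $h.Name
                    Switch    = $pg.VirtualSwitchName
                    PortGroup = $pg.Name
                    VLanId    = $vlan
                    Finding   = ($rules.Count -gt 0)
                    Rules     = ($rules -join '; ')
                }
            }
        }
    }
}

# Example run: values below are constructed; replace them with the real switch data.
Get-VMHost |
    Get-VssVlanFinding -NativeVlan 1 -ReservedVlan (1002..1005) -ApprovedVgtPortGroup 'IDS-Span' |
    Where-Object Finding | Format-Table -AutoSize
```

Remediation is deliberately left manual: the fix text's Set-VirtualPortGroup -VLanId needs a replacement VLAN that only the network design can supply.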
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000070
- Vuln IDs
-
- V-256427
- Rule IDs
-
- SV-256427r959010_rule
Checks: C-60102r886060_chk
If CIM monitoring is not implemented, this is not applicable. From the Host Client, select the ESXi host, right-click, and go to "Permissions". Verify the CIM service account is assigned the "Read-only" role or a custom role as described in the discussion. If there is no dedicated CIM service account, this is a finding. If the CIM service account has more permissions than necessary as noted in the discussion, this is a finding.
Fix: F-60045r886061_fix
If write access is required, create a new role for the CIM service account:
From the Host Client, go to Manage >> Security & Users. Select "Roles" and click "Add role". Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add".
Add a CIM service account:
From the Host Client, go to Manage >> Security & Users. Select "Users" and click "Add user". Provide a name, description, and password for the new user and click "Add".
Assign the CIM service account permissions to the host with the new role:
From the Host Client, select the ESXi host, right-click, and go to "Permissions". Click "Add User", select the CIM service account from the drop-down list, and select either "Read-only" or the role just created. Click "Add User".
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- ESXI-70-000072
- Vuln IDs
-
- V-256428
- Rule IDs
-
- SV-256428r959010_rule
Checks: C-60103r886063_chk
Determine the current version and build:
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Summary. Note the version string next to "Hypervisor:".
or
From a Secure Shell (SSH) session connected to the ESXi host, or from the ESXi shell, run the following command:
# vmware -v
Because ESXi hosts should never be able to touch the internet, manually compare the current ESXi version and patch level to the latest available on vmware.com:
https://kb.vmware.com/s/article/2143832
If the ESXi host does not have the latest patches, this is a finding.
If the ESXi host is not on a supported release, this is a finding.
VMware also publishes Advisories on security patches and offers a way to subscribe to email alerts for them. Go to:
https://www.vmware.com/support/policies/security_response
Fix: F-60046r886064_fix
ESXi can be patched in multiple ways, and this fix text does not cover all methods.
Manual patching when image profiles are not used:
- Download the latest "offline bundle" .zip update from vmware.com. Verify the hash.
- Transfer the file to a datastore accessible by the ESXi host, local or remote.
- Put the ESXi host into maintenance mode.
- From an ESXi shell, run the following command:
esxcli software vib update -d <path to offline patch bundle.zip>
Manual patching when image profiles are used:
From an ESXi shell, run the following command:
# esxcli software sources profile list -d /vmfs/volumes/<your datastore>/<bundle name.zip>
Note the available profiles. The organization will usually want the one ending in "-standard".
# esxcli software profile update -p <selected profile> -d /vmfs/volumes/<your datastore>/<bundle name.zip>
There will be little output during the update. Once complete, reboot the host for changes to take effect.
- RMF Control
- SC-8
- Severity
- H
- CCI
- CCI-002420
- Version
- ESXI-70-000074
- Vuln IDs
-
- V-256429
- Rule IDs
-
- SV-256429r959010_rule
Checks: C-60104r886066_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiVPsDisabledProtocols" value and verify it is set to the following:
tlsv1,tlsv1.1,sslv3
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols
If the "UserVars.ESXiVPsDisabledProtocols" setting is not set to "tlsv1,tlsv1.1,sslv3" or the setting does not exist, this is a finding.
Fix: F-60047r886067_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.ESXiVPsDisabledProtocols" value and set it to the following:
tlsv1,tlsv1.1,sslv3
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiVPsDisabledProtocols | Set-AdvancedSetting -Value "tlsv1,tlsv1.1,sslv3"
Reboot the host for changes to take effect.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000076
- Vuln IDs
-
- V-256430
- Rule IDs
-
- SV-256430r959010_rule
Checks: C-60105r886069_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/secureboot/bin/secureBoot.py -s
If the output is not "Enabled", this is a finding.
Fix: F-60048r886070_fix
From an ESXi shell, run the following command:
# /usr/lib/vmware/secureboot/bin/secureBoot.py -c
If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again. If the discrepancies cannot be rectified, this finding is downgraded to a CAT III.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000078
- Vuln IDs
-
- V-256431
- Rule IDs
-
- SV-256431r959010_rule
Checks: C-60106r886072_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Certificate. If the issuer is not a DOD-approved certificate authority, this is a finding. If the host will never be accessed directly (virtual machine console connections bypass vCenter), this is not a finding.
Fix: F-60049r886073_fix
Join the ESXi host to vCenter before replacing the certificate.
Obtain a DOD-issued certificate and private key for the host following the requirements below:
- Key size: 2048 bits or more (PEM encoded)
- Key format: PEM. VMware supports PKCS8 and PKCS1 (RSA keys)
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>
- CRT (Base-64) format
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
- Start time of one day before the current time
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory
From the vSphere Web Client, select the ESXi host's vCenter Server >> Configure >> System >> Advanced Settings. Select the "vpxd.certmgmt.mode" value and ensure it is set to "custom".
Put the host into maintenance mode.
Temporarily enable Secure Shell (SSH) on the host.
Use Secure Copy Protocol (SCP) to transfer the new certificate and key to /tmp.
SSH to the host.
Back up the existing certificate and key:
# mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
# mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak
Copy the new certificate and key to "/etc/vmware/ssl/" and rename them to "rui.crt" and "rui.key" respectively.
Restart management agents to implement the new certificate:
# services.sh restart
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000079
- Vuln IDs
-
- V-256432
- Rule IDs
-
- SV-256432r959010_rule
Checks: C-60107r886075_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.SuppressShellWarning" value and verify it is set to "0".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning
If the "UserVars.SuppressShellWarning" setting is not set to "0" or the setting does not exist, this is a finding.
Fix: F-60050r918916_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.SuppressShellWarning" value and set it to "0".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value "0"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000081
- Vuln IDs
-
- V-256433
- Rule IDs
-
- SV-256433r959010_rule
Checks: C-60108r886078_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.SuppressHyperthreadWarning" value and verify it is set to "0".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning
If "UserVars.SuppressHyperthreadWarning" is not set to "0" or the setting does not exist, this is a finding.
Fix: F-60051r919024_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "UserVars.SuppressHyperthreadWarning" value and set it to "0".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value "0"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000082
- Vuln IDs
-
- V-256434
- Rule IDs
-
- SV-256434r959010_rule
Checks: C-60109r886081_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep allowtcpforwarding
Expected result:
allowtcpforwarding no
If the output does not match the expected result, this is a finding.
Fix: F-60052r886082_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
AllowTcpForwarding no
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000083
- Vuln IDs
-
- V-256435
- Rule IDs
-
- SV-256435r959010_rule
Checks: C-60110r886084_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Locate the "slpd" service and verify that the "Daemon" is "Stopped" and the "Startup Policy" is set to "Start and stop manually".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "slpd"}
If the slpd service does not have a "Policy" of "off" or is running, this is a finding.
Fix: F-60053r886085_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Select the "slpd" service. If the service is started, click "Stop". Click "Edit Startup Policy...". Select "Start and stop manually". Click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "slpd"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "slpd"} | Stop-VMHostService
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000084
- Vuln IDs
-
- V-256436
- Rule IDs
-
- SV-256436r959010_rule
Checks: C-60111r919015_chk
From an ESXi shell, run the following command:
# esxcli system auditrecords get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.auditrecords.get.invoke()|Format-List
Example result:
AuditRecordRemoteTransmissionActive : true
AuditRecordStorageActive : true
AuditRecordStorageCapacity : 100
AuditRecordStorageDirectory : /scratch/auditLog
Note: The "Audit Record Storage Directory" may differ from the default above, but it must still be located on persistent storage.
If audit record storage is not active and configured, this is a finding.
Fix: F-60054r919016_fix
From an ESXi shell, run the following commands:
Optional: Set the audit log location to persistent storage. This is set to "/scratch/auditLog" by default and does not normally need to be changed.
# esxcli system auditrecords local set --directory="/full/path/here"
Mandatory:
# esxcli system auditrecords local set --size=100
# esxcli system auditrecords local enable
# esxcli system auditrecords remote enable
# esxcli system syslog reload
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.auditrecords.local.set.CreateArgs()
*Optional* $arguments.directory = "/full/path/here"
$arguments.size="100"
$esxcli.system.auditrecords.local.set.Invoke($arguments)
$esxcli.system.auditrecords.local.enable.Invoke()
$esxcli.system.auditrecords.remote.enable.Invoke()
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000085
- Vuln IDs
-
- V-256437
- Rule IDs
-
- SV-256437r959010_rule
Checks: C-60112r918920_chk
If SSL is not used for the syslog target, this is not applicable.
From an ESXi shell, run the following command:
# esxcli system syslog config get|grep 509
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.syslog.config.get.invoke()|Select StrictX509Compliance
Expected result:
Strict X509Compliance: true
If the output does not match the expected result, this is a finding.
Fix: F-60055r886091_fix
From an ESXi shell, run the following commands:
# esxcli system syslog config set --x509-strict="true"
# esxcli system syslog reload
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.syslog.config.set.CreateArgs()
$arguments.x509strict = $true
$esxcli.system.syslog.config.set.Invoke($arguments)
$esxcli.system.syslog.reload.Invoke()
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000086
- Vuln IDs
-
- V-256438
- Rule IDs
-
- SV-256438r959010_rule
Checks: C-60113r886093_chk
If SSL is not used for a syslog target, this is not applicable.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logCheckSSLCerts" value and verify it is set to "true".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts
If the "Syslog.global.logCheckSSLCerts" setting is not set to "true", this is a finding.
Fix: F-60056r886094_fix
To configure SSL syslog endpoint certificate checking, it must be turned on and the trusted certificate chain must also be added to ESXi's trusted store.
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logCheckSSLCerts" value and set it to "true".
Copy the PEM formatted trusted CA certificate so that it is accessible to the host and append the contents to /etc/vmware/ssl/castore.pem by running the following command:
# cat <path/to/cacert> >> /etc/vmware/ssl/castore.pem
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Set-AdvancedSetting -Value "true"
Copy the PEM formatted trusted CA certificate so that it is accessible to the host, then run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.certificatestore.add.CreateArgs()
$arguments.filename = "<path/to/cacert>"
$esxcli.system.security.certificatestore.add.Invoke($arguments)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000087
- Vuln IDs
-
- V-256439
- Rule IDs
-
- SV-256439r959010_rule
Checks: C-60114r886096_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Mem.MemEagerZero" value and verify it is set to "1".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero
If the "Mem.MemEagerZero" setting is not set to "1", this is a finding.
Fix: F-60057r919027_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Mem.MemEagerZero" value and set it to "1".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero | Set-AdvancedSetting -Value "1"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000088
- Vuln IDs
-
- V-256440
- Rule IDs
-
- SV-256440r959010_rule
Checks: C-60115r886099_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.vmacore.soap.sessionTimeout" value and verify it is set to "30".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout
If the "Config.HostAgent.vmacore.soap.sessionTimeout" setting is not set to "30", this is a finding.
Fix: F-60058r886100_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.vmacore.soap.sessionTimeout" value and set it to "30".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout | Set-AdvancedSetting -Value "30"
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000089
- Vuln IDs
-
- V-256441
- Rule IDs
-
- SV-256441r959010_rule
Checks: C-60116r886102_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.HostClientSessionTimeout" value and verify it is set to "600".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout
If the "UserVars.HostClientSessionTimeout" setting is not set to "600", this is a finding.
Fix: F-60059r886103_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "UserVars.HostClientSessionTimeout" value and set it to "600".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Set-AdvancedSetting -Value "600"
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- ESXI-70-000090
- Vuln IDs
-
- V-256442
- Rule IDs
-
- SV-256442r958408_rule
Checks: C-60117r886105_chk
From an ESXi shell, run the following command:
# esxcli system security fips140 rhttpproxy get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.rhttpproxy.get.invoke()
Expected result:
Enabled: true
If the output does not match the expected result, this is a finding.
Fix: F-60060r886106_fix
From an ESXi shell, run the following command:
# esxcli system security fips140 rhttpproxy set -e true
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.rhttpproxy.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.rhttpproxy.set.Invoke($arguments)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000091
- Vuln IDs
-
- V-256443
- Rule IDs
-
- SV-256443r959010_rule
Checks: C-60118r886108_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Security.PasswordMaxDays" value and verify it is set to "90".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays
If the "Security.PasswordMaxDays" setting is not set to "90", this is a finding.
Fix: F-60061r919029_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Security.PasswordMaxDays" value and set it to "90".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays | Set-AdvancedSetting -Value "90"
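Nine of the rules in this section (ESXI-70-000062, -000074, -000079, -000081, -000086, -000087, -000088, -000089 and -000091) are the same Get-AdvancedSetting / Set-AdvancedSetting pattern with a different name and expected value, so they are best checked from one table. The following PowerCLI function is an added example, not DISA or VMware code; the expected values are copied from the check text above, it assumes a Connect-VIServer session, and its name, parameters and -Remediate switch are this example's own.

```powershell
# Added example (not DISA/VMware code): compare the fixed-value advanced settings
# from this STIG section against their expected values and optionally apply the
# fix. Expected values come from each rule's check text; assumes Connect-VIServer
# has been run. Function and parameter names are this example's own.
$StigAdvancedSettings = @(
    @{ Rule = 'ESXI-70-000062'; Name = 'Net.DVFilterBindIpAddress';                  Expected = '' }
    @{ Rule = 'ESXI-70-000074'; Name = 'UserVars.ESXiVPsDisabledProtocols';          Expected = 'tlsv1,tlsv1.1,sslv3'; Reboot = $true }
    @{ Rule = 'ESXI-70-000079'; Name = 'UserVars.SuppressShellWarning';              Expected = '0' }
    @{ Rule = 'ESXI-70-000081'; Name = 'UserVars.SuppressHyperthreadWarning';        Expected = '0' }
    @{ Rule = 'ESXI-70-000086'; Name = 'Syslog.global.logCheckSSLCerts';             Expected = 'true' }
    @{ Rule = 'ESXI-70-000087'; Name = 'Mem.MemEagerZero';                           Expected = '1' }
    @{ Rule = 'ESXI-70-000088'; Name = 'Config.HostAgent.vmacore.soap.sessionTimeout'; Expected = '30' }
    @{ Rule = 'ESXI-70-000089'; Name = 'UserVars.HostClientSessionTimeout';          Expected = '600' }
    @{ Rule = 'ESXI-70-000091'; Name = 'Security.PasswordMaxDays';                   Expected = '90' }
)

function Test-StigAdvancedSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipeline)]
        [object[]]$VMHost = (Get-VMHost),
        # Apply Set-AdvancedSetting for every finding whose setting exists.
        [switch]$Remediate,
        # Set when a DVFilter security appliance is in use on the host: a non-blank
        # Net.DVFilterBindIpAddress is then expected and ESXI-70-000062 is skipped.
        [switch]$DvFilterApplianceInUse
    )
    process {
        foreach ($h in $VMHost) {
            foreach ($s in $StigAdvancedSettings) {
                if ($s.Name -eq 'Net.DVFilterBindIpAddress' -and $DvFilterApplianceInUse) { continue }

                $current = Get-AdvancedSetting -Entity $h -Name $s.Name -ErrorAction SilentlyContinue
                # Compare as strings so 0/"0" and True/"true" match; -ne is case-insensitive.
                $actual  = if ($current) { [string]$current.Value } else { $null }
                # A missing setting is a finding for 000074/000079/000081 and is treated
                # the same way here for the others; it cannot be remediated by this path.
                $finding = ($null -eq $current) -or ($actual -ne $s.Expected)

                $fixed = $false
                if ($finding -and $Remediate -and $current -and
                    $PSCmdlet.ShouldProcess($h.Name, "Set $($s.Name) = '$($s.Expected)'")) {
                    $current | Set-AdvancedSetting -Value $s.Expected -Confirm:$false | Out-Null
                    $fixed = $true
                }
                [pscustomobject]@{
                    VMHost         = $h.Name
                    Rule           = $s.Rule
                    Setting        = $s.Name
                    Actual         = $actual
                    Expected       = $s.Expected
                    Finding        = $finding
                    Remediated     = $fixed
                    RebootRequired = ($fixed -and [bool]$s.Reboot)   # only 000074 needs a reboot
                }
            }
        }
    }
}

# Report, then fix with a per-change prompt (-WhatIf first to rehearse).
Get-VMHost | Test-StigAdvancedSetting | Where-Object Finding | Format-Table -AutoSize
# Get-VMHost | Test-StigAdvancedSetting -Remediate -WhatIf
```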
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000092
- Vuln IDs
-
- V-256444
- Rule IDs
-
- SV-256444r959010_rule
Checks: C-60119r886111_chk
From an ESXi shell, run the following command:
# stat -c "%s" /etc/vmware/settings
Expected result:
0
If the output does not match the expected result, this is a finding.
Fix: F-60062r886112_fix
From an ESXi shell, run the following command:
# echo -n >/etc/vmware/settings
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000093
- Vuln IDs
-
- V-256445
- Rule IDs
-
- SV-256445r959010_rule
Checks: C-60120r886114_chk
From an ESXi shell, run the following command:
# grep "^vmx\.log" /etc/vmware/config
If the command produces any output, this is a finding.
Fix: F-60063r918926_fix
From an ESXi shell, run the following commands:
# cp /etc/vmware/config /etc/vmware/config.bak
# grep -v "^vmx\.log" /etc/vmware/config.bak>/etc/vmware/config
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000094
- Vuln IDs
-
- V-256446
- Rule IDs
-
- SV-256446r959010_rule
Checks: C-60121r918928_chk
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III.
From an ESXi shell, run the following command:
# esxcli system settings encryption get|grep Mode
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.settings.encryption.get.invoke() | Select Mode
Expected result:
Mode: TPM
If the output does not match the expected result, this is a finding.
Fix: F-60064r886118_fix
Ensure the TPM 2.0 chip is enabled in the BIOS and the ESX UI does not show any errors about a present but unavailable TPM. This setting cannot be configured until the TPM is properly enabled in the BIOS.
From an ESXi shell, run the following command:
# esxcli system settings encryption set --mode=TPM
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.mode = "TPM"
$esxcli.system.settings.encryption.set.Invoke($arguments)
Evacuate the host and gracefully reboot for changes to take effect.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001494
- Version
- ESXI-70-000095
- Vuln IDs
-
- V-256447
- Rule IDs
-
- SV-256447r959010_rule
Checks: C-60122r886120_chk
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III.
From an ESXi shell, run the following command:
# esxcli system settings encryption get|grep "Secure Boot"
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.settings.encryption.get.invoke() | Select RequireSecureBoot
Expected result:
Require Secure Boot: true
If the output does not match the expected result, this is a finding.
Fix: F-60065r886121_fix
This setting cannot be configured until Secure Boot is properly enabled in the BIOS.
From an ESXi shell, run the following command:
# esxcli system settings encryption set --require-secure-boot=true
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.requiresecureboot = $true
$esxcli.system.settings.encryption.set.Invoke($arguments)
Evacuate the host and gracefully reboot for changes to take effect.
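The esxcli-backed checks in this section (ESXI-70-000084 audit records, -000085 strict X.509 syslog, -000090 FIPS 140 rhttpproxy, -000094 TPM encryption mode, -000095 required Secure Boot) all read through the same Get-EsxCli -V2 object, so one function can report them together, including the Not Applicable and CAT III downgrade conditions in the check text. This PowerCLI function is an added example, not DISA or VMware code; it assumes a Connect-VIServer session, treats the esxcli V2 boolean output as the strings "true"/"false", and uses the host's Capability.TpmSupported property as the TPM presence signal (an assumption of this example).

```powershell
# Added example (not DISA/VMware code): run the Get-EsxCli -V2 checks of
# ESXI-70-000084/085/090/094/095 and emit one result row per check.
# Assumes Connect-VIServer has been run. Function and parameter names are this
# example's own; esxcli V2 reports booleans as the strings "true"/"false".
function New-StigEsxcliResult {
    param($VMHostName, $Rule, $Check, $Actual, $Expected, $Note = '')
    [pscustomobject]@{
        VMHost   = $VMHostName
        Rule     = $Rule
        Check    = $Check
        Actual   = [string]$Actual
        Expected = [string]$Expected
        Finding  = ([string]$Actual -ne [string]$Expected)   # case-insensitive compare
        Note     = $Note
    }
}

function Test-StigEsxcliSetting {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [object[]]$VMHost = (Get-VMHost),
        # ESXI-70-000085 is Not Applicable unless a syslog target uses SSL.
        [switch]$SyslogUsesSsl
    )
    process {
        foreach ($h in $VMHost) {
            $esxcli = Get-EsxCli -VMHost $h -V2

            # ESXI-70-000084: audit records kept on persistent storage and sent remotely.
            $audit = $esxcli.system.auditrecords.get.Invoke()
            New-StigEsxcliResult $h.Name 'ESXI-70-000084' 'AuditRecordStorageActive' `
                $audit.AuditRecordStorageActive 'true' "dir=$($audit.AuditRecordStorageDirectory)"
            New-StigEsxcliResult $h.Name 'ESXI-70-000084' 'AuditRecordRemoteTransmissionActive' `
                $audit.AuditRecordRemoteTransmissionActive 'true'

            # ESXI-70-000085: strict X.509 validation of the SSL syslog server certificate.
            if ($SyslogUsesSsl) {
                $syslog = $esxcli.system.syslog.config.get.Invoke()
                New-StigEsxcliResult $h.Name 'ESXI-70-000085' 'StrictX509Compliance' `
                    $syslog.StrictX509Compliance 'true'
            }

            # ESXI-70-000090: FIPS 140-2 validated crypto for the reverse HTTP proxy.
            $fips = $esxcli.system.security.fips140.rhttpproxy.get.Invoke()
            New-StigEsxcliResult $h.Name 'ESXI-70-000090' 'fips140 rhttpproxy Enabled' $fips.Enabled 'true'

            # ESXI-70-000094/095: configuration encryption sealed to the TPM with Secure
            # Boot enforced. Both are downgraded to CAT III when no compatible TPM exists.
            $enc  = $esxcli.system.settings.encryption.get.Invoke()
            $note = if ($h.ExtensionData.Capability.TpmSupported) { '' } else { 'no TPM: downgrade to CAT III' }
            New-StigEsxcliResult $h.Name 'ESXI-70-000094' 'encryption Mode' $enc.Mode 'TPM' $note
            New-StigEsxcliResult $h.Name 'ESXI-70-000095' 'RequireSecureBoot' $enc.RequireSecureBoot 'true' $note
        }
    }
}

# Example run over every connected host; add -SyslogUsesSsl where SSL syslog targets exist.
Get-VMHost | Test-StigEsxcliSetting | Where-Object Finding | Format-Table -AutoSize
```

The fixes stay with the per-rule text above (each needs its own set/enable call, and 000094/000095 need an evacuated, graceful reboot), so this function is report-only.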
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- ESXI-70-000097
- Vuln IDs
-
- V-256448
- Rule IDs
-
- SV-256448r1051419_rule
Checks: C-60123r1051418_chk
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Locate the "CIM Server" service and verify the "Daemon" is "Stopped" and the "Startup Policy" is set to "Start and stop manually".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"}
If the "CIM Server" service does not have a "Policy" of "off" or is running, this is a finding.
Fix: F-60066r886124_fix
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Select the "CIM Server" service. If the service is started, click "Stop". Click "Edit Startup Policy...". Select "Start and stop manually". Click "OK".
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Stop-VMHostService
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- ESXI-70-000274
- Vuln IDs
-
- V-256449
- Rule IDs
-
- SV-256449r959006_rule
Checks: C-60124r886126_chk
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T|grep ciphers
Expected result:
ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
If the output does not match the expected result, this is a finding.
Fix: F-60067r886127_fix
From an ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr