VMware vSphere 7.0 Virtual Machine V1R3

a

Copy operations must be disabled on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256450 - SV-256450r886393_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000001

Vuln IDs

V-256450

Rule IDs

SV-256450r886393_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-60125r886391_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.copy.disable" value is set to true. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable If the virtual machine advanced setting "isolation.tools.copy.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60068r886392_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.tools.copy.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as noted below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.copy.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable | Set-AdvancedSetting -Value true

a

Drag and drop operations must be disabled on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256451 - SV-256451r886396_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000002

Vuln IDs

V-256451

Rule IDs

SV-256451r886396_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-60126r886394_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.dnd.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dnd.disable If the virtual machine advanced setting "isolation.tools.dnd.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60069r886395_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.dnd.disable" value is set to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as noted below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.dnd.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Set-AdvancedSetting -Value true

a

Paste operations must be disabled on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256452 - SV-256452r886399_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000003

Vuln IDs

V-256452

Rule IDs

SV-256452r886399_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-60127r886397_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.paste.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable If the virtual machine advanced setting "isolation.tools.paste.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60070r886398_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.tools.paste.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.paste.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable | Set-AdvancedSetting -Value true

b

Virtual disk shrinking must be disabled on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256453 - SV-256453r886402_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000004

Vuln IDs

V-256453

Rule IDs

SV-256453r886402_rule

Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to nonadministrative users operating within the VM's guest operating system.

Checks: C-60128r886400_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.diskShrink.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable If the virtual machine advanced setting "isolation.tools.diskShrink.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60071r886401_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.tools.diskShrink.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.diskShrink.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Set-AdvancedSetting -Value true

b

Virtual disk wiping must be disabled on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256454 - SV-256454r886405_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000005

Vuln IDs

V-256454

Rule IDs

SV-256454r886405_rule

Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to nonadministrative users operating within the VM's guest operating system.

Checks: C-60129r886403_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.diskWiper.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable If the virtual machine advanced setting "isolation.tools.diskWiper.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60072r886404_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.tools.diskWiper.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.diskWiper.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Set-AdvancedSetting -Value true

b

Independent, nonpersistent disks must not be used on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256455 - SV-256455r886408_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000006

Vuln IDs

V-256455

Rule IDs

SV-256455r886408_rule

The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. There can be valid use cases for these types of disks, such as with an application presentation solution where read-only disks are desired, and such cases should be identified and documented.

Checks: C-60130r886406_chk

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the attached hard disks and verify they are not configured as independent nonpersistent disks. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence | FT -AutoSize If the virtual machine has attached disks that are in independent nonpersistent mode and are not documented, this is a finding.

Fix: F-60073r886407_fix

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the target hard disk and change the mode to "persistent" or uncheck "Independent". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent or Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence Persistent

b

Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256456 - SV-256456r886411_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000007

Vuln IDs

V-256456

Rule IDs

SV-256456r886411_rule

Setting "isolation.tools.hgfsServerSet.disable" to "true" disables registration of the guest's HGFS server with the host. Application Programming Interfaces (APIs) that use HGFS to transfer files to and from the guest operating system, such as some VIX commands, will not function. An attacker could use this to transfer files inside the guest operating system.

Checks: C-60131r886409_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.tools.hgfsServerSet.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable If the virtual machine advanced setting "isolation.tools.hgfsServerSet.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60074r886410_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.tools.hgfsServerSet.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable | Set-AdvancedSetting -Value true

b

Unauthorized floppy devices must be disconnected on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256457 - SV-256457r886414_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000008

Vuln IDs

V-256457

Rule IDs

SV-256457r886414_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-60132r886412_chk

Floppy drives are no longer visible through the vSphere Client and must be done via the Application Programming Interface (API) or PowerCLI. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState If a virtual machine has a floppy drive connected, this is a finding.

Fix: F-60075r886413_fix

Floppy drives are no longer visible through the vSphere Client and must be done via the API or PowerCLI. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-FloppyDrive | Remove-FloppyDrive Note: The VM must be powered off to remove the floppy drive.

a

Unauthorized CD/DVD devices must be disconnected on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256458 - SV-256458r886417_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000009

Vuln IDs

V-256458

Rule IDs

SV-256458r886417_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-60133r886415_chk

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VM's hardware and verify no CD/DVD drives are connected. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent,Name If a virtual machine has a CD/DVD drive connected other than temporarily, this is a finding.

Fix: F-60076r886416_fix

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the CD/DVD drive and uncheck "Connected" and "Connect at power on" and remove any attached ISOs. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-CDDrive | Set-CDDrive -NoMedia

b

Unauthorized parallel devices must be disconnected on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256459 - SV-256459r886420_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000010

Vuln IDs

V-256459

Rule IDs

SV-256459r886420_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-60134r886418_chk

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VM's hardware and verify no parallel devices exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "parallel"} If a virtual machine has a parallel device present, this is a finding.

Fix: F-60077r886419_fix

The VM must be powered off to remove a parallel device. From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the parallel device, click the circled "X" to remove it, and click "OK".

b

Unauthorized serial devices must be disconnected on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256460 - SV-256460r886423_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000011

Vuln IDs

V-256460

Rule IDs

SV-256460r886423_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-60135r886421_chk

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VM's hardware and verify no serial devices exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "serial"} If a virtual machine has a serial device present, this is a finding.

Fix: F-60078r886422_fix

The VM must be powered off to remove a serial device. From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the serial device, click the circled "X" to remove it, and click "OK".

b

Unauthorized USB devices must be disconnected on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256461 - SV-256461r886426_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000012

Vuln IDs

V-256461

Rule IDs

SV-256461r886426_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-60136r886424_chk

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VM's hardware and verify no USB devices exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "usb"} Get-VM | Get-UsbDevice If a virtual machine has any USB devices or USB controllers present, this is a finding. If USB smart card readers are used to pass smart cards through the VM console to a VM, the use of a USB controller and USB devices for that purpose is not a finding.

Fix: F-60079r886425_fix

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the USB controller, click the circled "X" to remove it, and click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-USBDevice | Remove-USBDevice Note: This will not remove the USB controller, just any connected devices.

b

Console connection sharing must be limited on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256462 - SV-256462r886429_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000013

Vuln IDs

V-256462

Rule IDs

SV-256462r886429_rule

By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each terminal window receives a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a VM. For example, if a jump box is being used for an open console session and the administrator loses connection to that box, the console session remains open. Allowing two console sessions permits debugging via a shared session. For the highest security, allow only one remote console session at a time.

Checks: C-60137r886427_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "RemoteDisplay.maxConnections" value is set to "1". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections If the virtual machine advanced setting "RemoteDisplay.maxConnections" does not exist or is not set to "1", this is a finding.

Fix: F-60080r886428_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "RemoteDisplay.maxConnections" value and set it to "1". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name RemoteDisplay.maxConnections -Value 1 If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Set-AdvancedSetting -Value 1

a

Informational messages from the virtual machine to the VMX file must be limited on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256463 - SV-256463r886432_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000015

Vuln IDs

V-256463

Rule IDs

SV-256463r886432_rule

The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest operating system are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.

Checks: C-60138r886430_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "tools.setinfo.sizeLimit" value is set to "1048576". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit If the virtual machine advanced setting "tools.setinfo.sizeLimit" does not exist or is not set to "1048576", this is a finding.

Fix: F-60081r886431_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "tools.setinfo.sizeLimit" value and set it to "1048576". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name tools.setinfo.sizeLimit -Value 1048576 If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Set-AdvancedSetting -Value 1048576

b

Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256464 - SV-256464r886435_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000016

Vuln IDs

V-256464

Rule IDs

SV-256464r886435_rule

In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. To use the device again, prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: 1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive. 2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service. 3. Modify settings on a device.

Checks: C-60139r886433_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.device.connectable.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable If the virtual machine advanced setting "isolation.device.connectable.disable" does not exist or is not set to "true", this is a finding.

Fix: F-60082r886434_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.device.connectable.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.device.connectable.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable | Set-AdvancedSetting -Value true

b

The virtual machine (VM) must not be able to obtain host information from the hypervisor.

CM-6 - Medium - CCI-000366 - V-256465 - SV-256465r886438_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000017

Vuln IDs

V-256465

Rule IDs

SV-256465r886438_rule

If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary could use this information to inform further attacks on the host.

Checks: C-60140r886436_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "tools.guestlib.enableHostInfo" value is set to "false". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo If the virtual machine advanced setting "tools.guestlib.enableHostInfo" does not exist or is not set to "false", this is a finding.

Fix: F-60083r886437_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "tools.guestlib.enableHostInfo" value and set it to "false". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name tools.guestlib.enableHostInfo -Value false If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Set-AdvancedSetting -Value false

a

Shared salt values must be disabled on the virtual machine (VM).

CM-6 - Low - CCI-000366 - V-256466 - SV-256466r886441_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000018

Vuln IDs

V-256466

Rule IDs

SV-256466r886441_rule

When salting is enabled (Mem.ShareForceSalting=1 or 2) to share a page between two virtual machines, both salt and the content of the page must be same. A salt value is a configurable advanced option for each virtual machine. The salt values can be specified manually in the virtual machine's advanced settings with the new option "sched.mem.pshare.salt". If this option is not present in the virtual machine's advanced settings, the value of the "vc.uuid" option is taken as the default value. Because the "vc.uuid" is unique to each virtual machine, by default Transparent Page Sharing (TPS) happens only among the pages belonging to a particular virtual machine (Intra-VM).

Checks: C-60141r886439_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "sched.mem.pshare.salt" setting does not exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt If the virtual machine advanced setting "sched.mem.pshare.salt" exists, this is a finding.

Fix: F-60084r886440_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Delete the "sched.mem.pshare.salt" setting. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting

a

Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.

CM-6 - Low - CCI-000366 - V-256467 - SV-256467r886444_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000019

Vuln IDs

V-256467

Rule IDs

SV-256467r886444_rule

An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.

Checks: C-60142r886442_chk

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format "ethernet*.filter*.name". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*" If the virtual machine advanced setting "ethernet*.filter*.name" exists and dvfilters are not in use, this is a finding. If the virtual machine advanced setting "ethernet*.filter*.name" exists and the value is not valid, this is a finding.

Fix: F-60085r886443_fix

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format "ethernet*.filter*.name". Ensure only required VMs use this setting. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting Note: Change the X and Y values to match the specific setting in the organization's environment.

a

System administrators must use templates to deploy virtual machines (VMs) whenever possible.

CM-6 - Low - CCI-000366 - V-256468 - SV-256468r886447_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000020

Vuln IDs

V-256468

Rule IDs

SV-256468r886447_rule

Capture a hardened base operating system image (with no applications installed) in a template to ensure all VMs are created with a known baseline level of security. Use this template to create other, application-specific templates, or use the application template to deploy VMs. Manual installation of the operating system and applications into a VM introduces the risk of misconfiguration due to human or process error.

Checks: C-60143r886445_chk

Ask the system administrator if hardened, patched templates are used for VM creation and properly configured operating system deployments, including applications dependent and nondependent on VM-specific configurations. If hardened, patched templates are not used for VM creation, this is a finding.

Fix: F-60086r886446_fix

Create hardened VM templates to use for operating system deployments.

b

Use of the virtual machine (VM) console must be minimized.

CM-6 - Medium - CCI-000366 - V-256469 - SV-256469r886450_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000021

Vuln IDs

V-256469

Rule IDs

SV-256469r886450_rule

The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which could allow a malicious user to bring down a VM. In addition, it impacts performance on the service console, especially if many VM console sessions are open simultaneously.

Checks: C-60144r886448_chk

Remote management services, such as terminal services and Secure Shell (SSH), must be used to interact with VMs. VM console access should only be granted when remote management services are unavailable or insufficient to perform necessary management tasks. Ask the system administrator if a VM console is used to perform VM management tasks other than for troubleshooting VM issues. If a VM console is used to perform VM management tasks other than for troubleshooting VM issues, this is a finding. If SSH and/or terminal management services are exclusively used to perform management tasks, this is not a finding.

Fix: F-60087r886449_fix

Develop a policy prohibiting the use of a VM console for performing management services. This policy should include procedures for the use of SSH and Terminal Management services for VM management. Where SSH and Terminal Management services prove insufficient to troubleshoot a VM, access to the VM console may be granted temporarily.

b

The virtual machine (VM) guest operating system must be locked when the last console connection is closed.

CM-6 - Medium - CCI-000366 - V-256470 - SV-256470r886453_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000022

Vuln IDs

V-256470

Rule IDs

SV-256470r886453_rule

When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with VMware tools installed.

Checks: C-60145r886451_chk

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "tools.guest.desktop.autolock" value and verify it is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock If the virtual machine advanced setting "tools.guest.desktop.autolock" does not exist or is not set to "true", this is a finding. If the VM is not Windows-based, this is not a finding.

Fix: F-60088r886452_fix

From the vSphere Client, select the Virtual Machine, right-click and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find or create the "tools.guest.desktop.autolock" value and set it to "true". Note: The VM must be powered off to modify the advanced settings through the vSphere Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case, the modified settings will not take effect until a cold boot of the VM. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name tools.guest.desktop.autolock -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Set-AdvancedSetting -Value true

a

All 3D features on the virtual machine (VM) must be disabled when not required.

CM-6 - Low - CCI-000366 - V-256471 - SV-256471r919035_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-70-000023

Vuln IDs

V-256471

Rule IDs

SV-256471r919035_rule

For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality (e.g., most server workloads or desktops not using 3D applications).

Checks: C-60146r919033_chk

For each virtual machine do the following: From the vSphere Client, right-click the virtual machine and go to Edit Settings. Expand the "Video card" and verify the "Enable 3D Support" checkbox is unchecked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d If the virtual machine advanced setting "mks.enable3d" exists and is not set to "false", this is a finding. If the virtual machine advanced setting "mks.enable3d" does not exist, this is not a finding.

Fix: F-60089r919034_fix

For each virtual machine do the following: From the vSphere Client, right-click the virtual machine and go to "Edit Settings". Expand the "Video card" and uncheck the "Enable 3D Support" checkbox. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as noted below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name mks.enable3d -Value false If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d | Set-AdvancedSetting -Value false Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Encryption must be enabled for vMotion on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256472 - SV-256472r919037_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000024

Vuln IDs

V-256472

Rule IDs

SV-256472r919037_rule

vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact. vSphere enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported but the operation will continue in plain text where encryption is not supported. For example, when vMotioning between two hosts, encryption will always be used. However, because 6.0 and earlier releases do not support this feature, vMotion from a 7.0 host to a 6.0 host would be allowed but would not be encrypted. If the encryption is set to "Required", vMotions to unsupported hosts will fail. This must be set to "Opportunistic" or "Required".

Checks: C-60147r919036_chk

From the vSphere Client, select the virtual machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted vMotion. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -eq "disabled")} If the setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix: F-60090r886458_fix

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted vMotion. Set the value to "Opportunistic" or "Required". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes $spec.MigrateEncryption = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Logging must be enabled on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256473 - SV-256473r886462_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000025

Vuln IDs

V-256473

Rule IDs

SV-256473r886462_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations and machine clones. Due to the value these logs provide for the continued availability of each VM and potential security incidents, these logs must be enabled.

Checks: C-60148r886460_chk

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Settings. Ensure that the checkbox next to "Enable logging" is checked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Flags.EnableLogging -ne "True"} If logging is not enabled, this is a finding.

Fix: F-60091r886461_fix

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Settings. Click the checkbox next to "Enable logging". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo $spec.Flags.enableLogging = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Log size must be configured properly on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256474 - SV-256474r886465_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000026

Vuln IDs

V-256474

Rule IDs

SV-256474r886465_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, and machine clones. By default, the size of these logs is unlimited, and they are only rotated on vMotion or power events. This can cause storage issues at scale for VMs that do not vMotion or power cycle often.

Checks: C-60149r886463_chk

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "log.rotateSize" value and verify it is set to "2048000". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.rotateSize If the virtual machine advanced setting "log.rotateSize" does not exist or is not set to "2048000", this is a finding.

Fix: F-60092r886464_fix

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "log.rotateSize" value and set it to "2048000". Note: The VM must be powered off to modify the advanced settings through the vSphere Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case, the modified settings will not take effect until a cold boot of the VM. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name log.rotateSize -Value 2048000 If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name log.rotateSize | Set-AdvancedSetting -Value 2048000

b

Log retention must be configured properly on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256475 - SV-256475r886468_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000027

Vuln IDs

V-256475

Rule IDs

SV-256475r886468_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, and machine clones. By default, 10 of these logs are retained. This is normally sufficient for most environments, but this configuration must be verified and maintained.

Checks: C-60150r886466_chk

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "log.keepOld" value and verify it is set to "10". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.keepOld If the virtual machine advanced setting "log.keepOld" is not set to "10", this is a finding. If the virtual machine advanced setting "log.keepOld" does not exist, this is not a finding.

Fix: F-60093r886467_fix

From the vSphere Client, select the Virtual Machine, right-click and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "log.keepOld" value and set it to "10". Note: The VM must be powered off to modify the advanced settings through the vSphere Client. It is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. In this case, the modified settings will not take effect until a cold boot of the VM. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name log.keepOld -Value 10 If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name log.keepOld | Set-AdvancedSetting -Value 10

b

DirectPath I/O must be disabled on the virtual machine (VM) when not required.

CM-6 - Medium - CCI-000366 - V-256476 - SV-256476r886471_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000028

Vuln IDs

V-256476

Rule IDs

SV-256476r886471_rule

VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

Checks: C-60151r886469_chk

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find any "pciPassthruX.present" value (where "X" is a count starting at 0) and verify it is set to "FALSE" or "". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name "pciPassthru*.present" | Select Entity, Name, Value If the virtual machine advanced setting "pciPassthruX.present" is present, and the specific device returned is not approved, this is a finding. If the virtual machine advanced setting "pciPassthruX.present" is not present, this is not a finding.

Fix: F-60094r886470_fix

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> Virtual Hardware tab. Find the unexpected PCI device returned from the check. Hover the mouse over the device and click the circled "X" to remove the device. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name pciPassthruX.present | Remove-AdvancedSetting Note: Change the "X" value to match the specific setting in the organization's environment.

b

Encryption must be enabled for Fault Tolerance on the virtual machine (VM).

CM-6 - Medium - CCI-000366 - V-256477 - SV-256477r942499_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-70-000029

Vuln IDs

V-256477

Rule IDs

SV-256477r942499_rule

Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. When Fault Tolerance is turned on, FT encryption is set to "Opportunistic" by default, which means it enables encryption only if both the primary and secondary host are capable of encryption.

Checks: C-60152r942498_chk

If the VM does not have Fault Tolerance enabled, this is not applicable. From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted FT. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.FtEncryptionMode -eq "ftEncryptionDisabled"} If the setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix: F-60095r886473_fix

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> FT Encryption. Set the value to "Opportunistic" or "Required". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.FTEncryption = New-Object VMware.Vim.VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes $spec.FT = ftEncryptionOpportunistic or ftEncryptionRequired (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

Content changes 1

Checks: C-60125r886391_chk

Fix: F-60068r886392_fix

Generate Mitigation Statement:

Checks: C-60126r886394_chk

Fix: F-60069r886395_fix

Generate Mitigation Statement:

Checks: C-60127r886397_chk

Fix: F-60070r886398_fix

Generate Mitigation Statement:

Checks: C-60128r886400_chk

Fix: F-60071r886401_fix

Generate Mitigation Statement:

Checks: C-60129r886403_chk

Fix: F-60072r886404_fix

Generate Mitigation Statement:

Checks: C-60130r886406_chk

Fix: F-60073r886407_fix

Generate Mitigation Statement:

Checks: C-60131r886409_chk

Fix: F-60074r886410_fix

Generate Mitigation Statement:

Checks: C-60132r886412_chk

Fix: F-60075r886413_fix

Generate Mitigation Statement:

Checks: C-60133r886415_chk

Fix: F-60076r886416_fix

Generate Mitigation Statement:

Checks: C-60134r886418_chk

Fix: F-60077r886419_fix

Generate Mitigation Statement:

Checks: C-60135r886421_chk

Fix: F-60078r886422_fix

Generate Mitigation Statement:

Checks: C-60136r886424_chk

Fix: F-60079r886425_fix

Generate Mitigation Statement:

Checks: C-60137r886427_chk

Fix: F-60080r886428_fix

Generate Mitigation Statement:

Checks: C-60138r886430_chk

Fix: F-60081r886431_fix

Generate Mitigation Statement:

Checks: C-60139r886433_chk

Fix: F-60082r886434_fix

Generate Mitigation Statement:

Checks: C-60140r886436_chk

Fix: F-60083r886437_fix

Generate Mitigation Statement:

Checks: C-60141r886439_chk

Fix: F-60084r886440_fix

Generate Mitigation Statement:

Checks: C-60142r886442_chk

Fix: F-60085r886443_fix

Generate Mitigation Statement:

Checks: C-60143r886445_chk

Fix: F-60086r886446_fix

Generate Mitigation Statement:

Checks: C-60144r886448_chk

Fix: F-60087r886449_fix

Generate Mitigation Statement:

Checks: C-60145r886451_chk

Fix: F-60088r886452_fix

Generate Mitigation Statement:

Checks: C-60146r919033_chk

Fix: F-60089r919034_fix

Generate Mitigation Statement:

Checks: C-60147r919036_chk

Fix: F-60090r886458_fix

Generate Mitigation Statement:

Checks: C-60148r886460_chk

Fix: F-60091r886461_fix

Generate Mitigation Statement:

Checks: C-60149r886463_chk

Fix: F-60092r886464_fix

Generate Mitigation Statement:

Checks: C-60150r886466_chk

Fix: F-60093r886467_fix

Generate Mitigation Statement:

Checks: C-60151r886469_chk