VMware vSphere 8.0 Virtual Machine V2R1

a

Virtual machines (VMs) must have copy operations disabled.

CM-6 - Low - CCI-000366 - V-258703 - SV-258703r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000189

Vuln IDs

V-258703

Rule IDs

SV-258703r959010_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-62443r933168_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.tools.copy.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable If the virtual machine advanced setting "isolation.tools.copy.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.tools.copy.disable" does not exist, this is not a finding.

Fix: F-62352r933169_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.tools.copy.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

a

Virtual machines (VMs) must have drag and drop operations disabled.

CM-6 - Low - CCI-000366 - V-258704 - SV-258704r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000191

Vuln IDs

V-258704

Rule IDs

SV-258704r959010_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-62444r933171_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.tools.dnd.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dnd.disable If the virtual machine advanced setting "isolation.tools.dnd.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.tools.dnd.disable" does not exist, this is not a finding.

Fix: F-62353r933172_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.tools.dnd.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

a

Virtual machines (VMs) must have paste operations disabled.

CM-6 - Low - CCI-000366 - V-258705 - SV-258705r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000192

Vuln IDs

V-258705

Rule IDs

SV-258705r959010_rule

Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the remote console could provide the means for an attacker to compromise the VM.

Checks: C-62445r933174_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.tools.paste.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable If the virtual machine advanced setting "isolation.tools.paste.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.tools.paste.disable" does not exist, this is not a finding.

Fix: F-62354r933175_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.tools.paste.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must have virtual disk shrinking disabled.

CM-6 - Medium - CCI-000366 - V-258706 - SV-258706r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000193

Vuln IDs

V-258706

Rule IDs

SV-258706r959010_rule

Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to nonadministrative users operating within the VM's guest operating system.

Checks: C-62446r933177_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.tools.diskShrink.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable If the virtual machine advanced setting "isolation.tools.diskShrink.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.tools.diskShrink.disable" does not exist, this is not a finding.

Fix: F-62355r933178_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.tools.diskShrink.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must have virtual disk wiping disabled.

CM-6 - Medium - CCI-000366 - V-258707 - SV-258707r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000194

Vuln IDs

V-258707

Rule IDs

SV-258707r959010_rule

Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to nonadministrative users operating within the VM's guest operating system.

Checks: C-62447r933180_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.tools.diskWiper.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable If the virtual machine advanced setting "isolation.tools.diskWiper.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.tools.diskWiper.disable" does not exist, this is not a finding.

Fix: F-62356r933181_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.tools.diskWiper.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must limit console sharing.

CM-6 - Medium - CCI-000366 - V-258708 - SV-258708r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000195

Vuln IDs

V-258708

Rule IDs

SV-258708r959010_rule

By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each terminal window receives a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a VM. For example, if a jump box is being used for an open console session and the administrator loses connection to that box, the console session remains open. Allowing two console sessions permits debugging via a shared session. For the highest security, allow only one remote console session at a time.

Checks: C-62448r933183_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "RemoteDisplay.maxConnections" value is set to "1". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections If the virtual machine advanced setting "RemoteDisplay.maxConnections" does not exist or is not set to "1", this is a finding.

Fix: F-62357r933184_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "RemoteDisplay.maxConnections" value and set it to "1". If the setting does not exist, add the Name and Value setting at the bottom of screen. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Set-AdvancedSetting -Value 1 Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

a

Virtual machines (VMs) must limit informational messages from the virtual machine to the VMX file.

CM-6 - Low - CCI-000366 - V-258709 - SV-258709r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000196

Vuln IDs

V-258709

Rule IDs

SV-258709r959010_rule

The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest operating system are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.

Checks: C-62449r933186_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "tools.setinfo.sizeLimit" value is set to "1048576". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit If the virtual machine advanced setting "tools.setinfo.sizeLimit" is not set to "1048576", this is a finding. If the virtual machine advanced setting "tools.setinfo.sizeLimit" does not exist, this is not a finding.

Fix: F-62358r933187_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "tools.setinfo.sizeLimit" value and set it to "1048576". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Set-AdvancedSetting -Value 1048576 Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must prevent unauthorized removal, connection, and modification of devices.

CM-6 - Medium - CCI-000366 - V-258710 - SV-258710r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000197

Vuln IDs

V-258710

Rule IDs

SV-258710r959010_rule

In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. To use the device again, prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: 1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive. 2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service. 3. Modify settings on a device.

Checks: C-62450r933189_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "isolation.device.connectable.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable If the virtual machine advanced setting "isolation.device.connectable.disable" is not set to "true", this is a finding. If the virtual machine advanced setting "isolation.device.connectable.disable" does not exist, this is not a finding.

Fix: F-62359r933190_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "isolation.device.connectable.disable" value and set it to "true". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable | Set-AdvancedSetting -Value true Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must not be able to obtain host information from the hypervisor.

CM-6 - Medium - CCI-000366 - V-258711 - SV-258711r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000198

Vuln IDs

V-258711

Rule IDs

SV-258711r959010_rule

If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary could use this information to inform further attacks on the host.

Checks: C-62451r933192_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "tools.guestlib.enableHostInfo" value is set to "false". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo If the virtual machine advanced setting "tools.guestlib.enableHostInfo" is not set to "false", this is a finding. If the virtual machine advanced setting "tools.guestlib.enableHostInfo" does not exist, this is not a finding.

Fix: F-62360r933193_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "tools.guestlib.enableHostInfo" value and set it to "false". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Set-AdvancedSetting -Value false Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

a

Virtual machines (VMs) must have shared salt values disabled.

CM-6 - Low - CCI-000366 - V-258712 - SV-258712r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000199

Vuln IDs

V-258712

Rule IDs

SV-258712r959010_rule

When salting is enabled (Mem.ShareForceSalting=1 or 2) to share a page between two virtual machines, both salt and the content of the page must be same. A salt value is a configurable advanced option for each virtual machine. The salt values can be specified manually in the virtual machine's advanced settings with the new option "sched.mem.pshare.salt". If this option is not present in the virtual machine's advanced settings, the value of the "vc.uuid" option is taken as the default value. Because the "vc.uuid" is unique to each virtual machine, by default Transparent Page Sharing (TPS) happens only among the pages belonging to a particular virtual machine (Intra-VM).

Checks: C-62452r933195_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "sched.mem.pshare.salt" setting does not exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt If the virtual machine advanced setting "sched.mem.pshare.salt" exists, this is a finding.

Fix: F-62361r933196_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Delete the "sched.mem.pshare.salt" setting. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

a

Virtual machines (VMs) must disable access through the "dvfilter" network Application Programming Interface (API).

CM-6 - Low - CCI-000366 - V-258713 - SV-258713r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000200

Vuln IDs

V-258713

Rule IDs

SV-258713r959010_rule

An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.

Checks: C-62453r933198_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the settings with the format "ethernet*.filter*.name" do not exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*" If the virtual machine advanced setting "ethernet*.filter*.name" exists and dvfilters are not in use, this is a finding. If the virtual machine advanced setting "ethernet*.filter*.name" exists and the value is not valid, this is a finding.

Fix: F-62362r933199_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Look for settings with the format "ethernet*.filter*.name". Ensure only required VMs use this setting. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting Note: Change the X and Y values to match the specific setting in the organization's environment. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must be configured to lock when the last console connection is closed.

CM-6 - Medium - CCI-000366 - V-258714 - SV-258714r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000201

Vuln IDs

V-258714

Rule IDs

SV-258714r959010_rule

When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with VMware tools installed.

Checks: C-62454r933201_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> VMware Remote Console Options. Verify the option "Lock the guest operating system when the last remote user disconnects" is checked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock If the virtual machine advanced setting "tools.guest.desktop.autolock" is not set to "true", this is a finding. If the virtual machine advanced setting "tools.guest.desktop.autolock" does not exist, this is not a finding.

Fix: F-62363r933202_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> VMware Remote Console Options. Check the box next to "Lock the guest operating system when the last remote user disconnects". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Set-AdvancedSetting -Value true

a

Virtual machines (VMs) must disable 3D features when not required.

CM-6 - Low - CCI-000366 - V-258715 - SV-258715r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000202

Vuln IDs

V-258715

Rule IDs

SV-258715r959010_rule

For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality (e.g., most server workloads or desktops not using 3D applications).

Checks: C-62455r933204_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings. Expand the "Video card" and verify the "Enable 3D Support" checkbox is unchecked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d If the virtual machine advanced setting "mks.enable3d" exists and is not set to "false", this is a finding. If the virtual machine advanced setting "mks.enable3d" does not exist, this is not a finding.

Fix: F-62364r933205_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings. Expand the "Video card" and uncheck the "Enable 3D Support" checkbox. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d | Set-AdvancedSetting -Value "false" Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must enable encryption for vMotion.

CM-6 - Medium - CCI-000366 - V-258716 - SV-258716r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000203

Vuln IDs

V-258716

Rule IDs

SV-258716r959010_rule

vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact. vSphere enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported, but the operation will continue in plain text where encryption is not supported. For example, when vMotioning between two hosts, encryption will always be used. However, because 6.0 and earlier releases do not support this feature, vMotion from a 7.0 host to a 6.0 host would be allowed but would not be encrypted. If the encryption is set to "Required", vMotions to unsupported hosts will fail. This must be set to "Opportunistic" or "Required".

Checks: C-62456r933207_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -eq "disabled")} If the "Encrypted vMotion" setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix: F-62365r933208_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. For "Encrypted vMotion" set the value to "Opportunistic" or "Required". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes $spec.MigrateEncryption = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Virtual machines (VMs) must enable encryption for Fault Tolerance.

CM-6 - Medium - CCI-000366 - V-258717 - SV-258717r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000204

Vuln IDs

V-258717

Rule IDs

SV-258717r959010_rule

Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. When Fault Tolerance is turned on, FT encryption is set to "Opportunistic" by default, which means it enables encryption only if both the primary and secondary host are capable of encryption.

Checks: C-62457r933210_chk

If the Virtual Machine does not have Fault Tolerance enabled, this is not applicable. For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionOpportunistic") -and ($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionRequired")} If the "Encrypted FT" setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix: F-62366r933211_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. For "Encrypted FT" set the value to "Opportunistic" or "Required". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.FTEncryption = New-Object VMware.Vim.VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes $spec.FT = ftEncryptionOpportunistic or ftEncryptionRequired (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Virtual machines (VMs) must configure log size.

CM-6 - Medium - CCI-000366 - V-258718 - SV-258718r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000205

Vuln IDs

V-258718

Rule IDs

SV-258718r959010_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, and machine clones. By default, the size of these logs is unlimited, and they are only rotated on vMotion or power events. This can cause storage issues at scale for VMs that do not vMotion or power cycle often.

Checks: C-62458r933213_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "log.rotateSize" value is set to "2048000". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.rotateSize If the virtual machine advanced setting "log.rotateSize" is not set to "2048000", this is a finding. If the virtual machine advanced setting "log.rotateSize" does NOT exist, this is NOT a finding.

Fix: F-62367r933214_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "log.rotateSize" value and set it to "2048000". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.rotateSize | Set-AdvancedSetting -Value 2048000 Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must configure log retention.

CM-6 - Medium - CCI-000366 - V-258719 - SV-258719r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000206

Vuln IDs

V-258719

Rule IDs

SV-258719r959010_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, and machine clones. By default, 10 of these logs are retained. This is normally sufficient for most environments, but this configuration must be verified and maintained.

Checks: C-62459r933216_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the "log.keepOld" value is set to "10". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.keepOld If the virtual machine advanced setting "log.keepOld" is not set to "10", this is a finding. If the virtual machine advanced setting "log.keepOld" does NOT exist, this is NOT a finding.

Fix: F-62368r933217_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Find the "log.keepOld" value and set it to "10". If the setting does not exist no action is needed. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.keepOld | Set-AdvancedSetting -Value 10 Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

b

Virtual machines (VMs) must enable logging.

CM-6 - Medium - CCI-000366 - V-258720 - SV-258720r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000207

Vuln IDs

V-258720

Rule IDs

SV-258720r959010_rule

The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including, but not limited to, power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations and machine clones. Due to the value these logs provide for the continued availability of each VM and potential security incidents, these logs must be enabled.

Checks: C-62460r933219_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced. Ensure that the checkbox next to "Enable logging" is checked. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Flags.EnableLogging -ne "True"} If logging is not enabled, this is a finding.

Fix: F-62369r933220_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced. Click the checkbox next to "Enable logging". Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo $spec.Flags.enableLogging = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Virtual machines (VMs) must not use independent, nonpersistent disks.

CM-6 - Medium - CCI-000366 - V-258721 - SV-258721r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000208

Vuln IDs

V-258721

Rule IDs

SV-258721r959010_rule

The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. There can be valid use cases for these types of disks, such as with an application presentation solution where read-only disks are desired, and such cases should be identified and documented.

Checks: C-62461r933222_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the attached hard disks and verify they are not configured as independent nonpersistent disks. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence | FT -AutoSize If the virtual machine has attached disks that are in independent nonpersistent mode and are not documented, this is a finding.

Fix: F-62370r933223_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the target hard disk and change the mode to persistent or uncheck Independent. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run one of the following commands: Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent or Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence Persistent

b

Virtual machines (VMs) must remove unneeded floppy devices.

CM-6 - Medium - CCI-000366 - V-258722 - SV-258722r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000209

Vuln IDs

V-258722

Rule IDs

SV-258722r959010_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-62462r933225_chk

Floppy drives are no longer visible through the vSphere Client and must be done via the Application Programming Interface (API) or PowerCLI. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState If a virtual machine has a floppy drive connected, this is a finding.

Fix: F-62371r933226_fix

Floppy drives are no longer visible through the vSphere Client and must be done via the Application Programming Interface (API) or PowerCLI. The VM must be powered off to remove a floppy drive. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-FloppyDrive | Remove-FloppyDrive

a

Virtual machines (VMs) must remove unneeded CD/DVD devices.

CM-6 - Low - CCI-000366 - V-258723 - SV-258723r959010_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

VMCH-80-000210

Vuln IDs

V-258723

Rule IDs

SV-258723r959010_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-62463r933228_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VMs hardware and verify no CD/DVD drives are connected. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent,Name If a virtual machine has a CD/DVD drive connected other than temporarily, this is a finding.

Fix: F-62372r933229_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the CD/DVD drive and uncheck "Connected" and "Connect at power on" and remove any attached ISOs. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-CDDrive | Set-CDDrive -NoMedia

b

Virtual machines (VMs) must remove unneeded parallel devices.

CM-6 - Medium - CCI-000366 - V-258724 - SV-258724r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000211

Vuln IDs

V-258724

Rule IDs

SV-258724r959010_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-62464r933231_chk

Parallel devices are no longer visible through the vSphere Client and must be done via the Application Programming Interface (API) or PowerCLI. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "parallel"} If a virtual machine has a parallel device present, this is a finding.

Fix: F-62373r933232_fix

Parallel devices are no longer visible through the vSphere Client and must be done via the Application Programming Interface (API) or PowerCLI. The VM must be powered off to remove a parallel device. From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $pport = (Get-VM -Name <vmname>).ExtensionData.Config.Hardware.Device | Where {$_.DeviceInfo.Label -match "Parallel"} $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.DeviceChange += New-Object VMware.Vim.VirtualDeviceConfigSpec $spec.DeviceChange[-1].device = $pport $spec.DeviceChange[-1].operation = "remove" (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

b

Virtual machines (VMs) must remove unneeded serial devices.

CM-6 - Medium - CCI-000366 - V-258725 - SV-258725r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000212

Vuln IDs

V-258725

Rule IDs

SV-258725r959010_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-62465r933234_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VMs hardware and verify no serial devices exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "serial"} If a virtual machine has a serial device present, this is a finding.

Fix: F-62374r933235_fix

The VM must be powered off to remove a serial device. For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the serial device, click the circled "X" to remove it, and click "OK".

b

Virtual machines (VMs) must remove unneeded USB devices.

CM-6 - Medium - CCI-000366 - V-258726 - SV-258726r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000213

Vuln IDs

V-258726

Rule IDs

SV-258726r959010_rule

Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

Checks: C-62466r933237_chk

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Review the VM's hardware and verify no USB devices exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "usb"} Get-VM | Get-UsbDevice If a virtual machine has any USB devices or USB controllers present, this is a finding. If USB smart card readers are used to pass smart cards through the VM console to a VM, the use of a USB controller and USB devices for that purpose is not a finding.

Fix: F-62375r933238_fix

For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings". Select the USB controller, click the circled "X" to remove it, and click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-USBDevice | Remove-USBDevice Note: This will not remove the USB controller, just any connected devices.

b

Virtual machines (VMs) must disable DirectPath I/O devices when not required.

CM-6 - Medium - CCI-000366 - V-258727 - SV-258727r959010_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

VMCH-80-000214

Vuln IDs

V-258727

Rule IDs

SV-258727r959010_rule

VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

Checks: C-62467r933240_chk

For each virtual machine do the following: From the vSphere Client, view the Summary tab. Review the PCI devices section and verify none exist. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-PassthroughDevice If the virtual machine has passthrough devices present, and the specific device returned is not approved, this is a finding.

Fix: F-62376r933241_fix

From the vSphere Client, select the Virtual Machine, right-click and go to Edit Settings >> Virtual Hardware tab. Find the unexpected PCI device returned from the check. Hover the mouse over the device and click the circled "X" to remove the device. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-PassthroughDevice | Remove-PassthroughDevice

Checks: C-62443r933168_chk

Fix: F-62352r933169_fix

Generate Mitigation Statement:

Checks: C-62444r933171_chk

Fix: F-62353r933172_fix

Generate Mitigation Statement:

Checks: C-62445r933174_chk

Fix: F-62354r933175_fix

Generate Mitigation Statement:

Checks: C-62446r933177_chk

Fix: F-62355r933178_fix

Generate Mitigation Statement:

Checks: C-62447r933180_chk

Fix: F-62356r933181_fix

Generate Mitigation Statement:

Checks: C-62448r933183_chk

Fix: F-62357r933184_fix

Generate Mitigation Statement:

Checks: C-62449r933186_chk

Fix: F-62358r933187_fix

Generate Mitigation Statement:

Checks: C-62450r933189_chk

Fix: F-62359r933190_fix

Generate Mitigation Statement:

Checks: C-62451r933192_chk

Fix: F-62360r933193_fix

Generate Mitigation Statement:

Checks: C-62452r933195_chk

Fix: F-62361r933196_fix

Generate Mitigation Statement:

Checks: C-62453r933198_chk

Fix: F-62362r933199_fix

Generate Mitigation Statement:

Checks: C-62454r933201_chk

Fix: F-62363r933202_fix

Generate Mitigation Statement:

Checks: C-62455r933204_chk

Fix: F-62364r933205_fix

Generate Mitigation Statement:

Checks: C-62456r933207_chk

Fix: F-62365r933208_fix

Generate Mitigation Statement:

Checks: C-62457r933210_chk

Fix: F-62366r933211_fix

Generate Mitigation Statement:

Checks: C-62458r933213_chk

Fix: F-62367r933214_fix

Generate Mitigation Statement:

Checks: C-62459r933216_chk

Fix: F-62368r933217_fix

Generate Mitigation Statement:

Checks: C-62460r933219_chk

Fix: F-62369r933220_fix

Generate Mitigation Statement:

Checks: C-62461r933222_chk

Fix: F-62370r933223_fix

Generate Mitigation Statement:

Checks: C-62462r933225_chk

Fix: F-62371r933226_fix

Generate Mitigation Statement:

Checks: C-62463r933228_chk

Fix: F-62372r933229_fix

Generate Mitigation Statement:

Checks: C-62464r933231_chk

Fix: F-62373r933232_fix

Generate Mitigation Statement:

Checks: C-62465r933234_chk

Fix: F-62374r933235_fix

Generate Mitigation Statement:

Checks: C-62466r933237_chk

Fix: F-62375r933238_fix

Generate Mitigation Statement:

Checks: C-62467r933240_chk

Fix: F-62376r933241_fix

Generate Mitigation Statement: