Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Scroll down to "Lockdown Mode" and verify it is set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable.
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $level = "lockdownNormal" OR "lockdownStrict" $vmhost = Get-VMHost -Name <hostname> | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.ChangeLockdownMode($level) Note: In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the DCUI.Access value and verify only the root user is listed. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If the DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the DCUI.Access value and configure it to root. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access | Set-AdvancedSetting -Value "root"
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under lockdown mode review the exception users list. or From a PowerCLI command prompt while connected to the ESXi host run the following script: $vmhost = Get-VMHost | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.QueryLockdownExceptions() If the exception users list contains accounts that do not require special permissions, this is a finding. Note: This list is not intended for system administrator accounts but for special circumstances such as a service account.
From the vSphere Web Client select the ESXi Host and go to Manage >> Settings >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and verify it is set to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures and verify it is set to 3. If the Security.AccountLockFailures is set to a value other than 3, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountLockFailures value and configure it to 3. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountUnlockTime value and verify it is set to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime and verify it is set to 900. If the Security.AccountUnlockTime is set to a value other than 900, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.AccountUnlockTime value and configure it to 900. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner: From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Check for either of the following login banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't. If the DCUI logon screen does not display the DoD logon banner, this is a finding.
From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: <script begin> $value = @" {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black} {/color}{/bgcolor} " @Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value <script end>
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.Etc.issue value and verify it is set to the following: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue If the Config.Etc.issue setting (/etc/issue file) does not contain the logon banner exactly as shown above, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.Etc.issue value and configure it to one of the following. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue | Set-AdvancedSetting -Value "<insert logon banner>"
To verify the Banner setting, run the following command: # grep -i "^Banner" /etc/ssh/sshd_config If there is no output or the output is not exactly "Banner /etc/issue", this is a finding.
To set the Banner setting, add or correct the following line in "/etc/ssh/sshd_config": Banner /etc/issue
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config If there is no output or the output is not "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc", or a subset of this list, this is a finding.
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config": Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
To verify which SSH protocol version is configured, run the following command: # grep -i "^Protocol" /etc/ssh/sshd_config If there is no output or the output is not exactly "Protocol 2", this is a finding.
Only SSH protocol version 2 connections should be permitted. Add or correct the following line in "/etc/ssh/sshd_config": Protocol 2
To verify how the SSH daemon's "IgnoreRhosts" option is set, run the following command: # grep -i "^IgnoreRhosts" /etc/ssh/sshd_config If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files. Add or correct the following line in "/etc/ssh/sshd_config": IgnoreRhosts yes
To verify how the SSH daemon's "HostbasedAuthentication" option is set, run the following command: # grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "HostbasedAuthentication no", this is a finding.
SSH's cryptographic host-based authentication is more secure than ".rhosts" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. Add or correct the following line in "/etc/ssh/sshd_config": HostbasedAuthentication no
To verify how the SSH daemon's "PermitRootLogin" option is set, run the following command: # grep -i "^PermitRootLogin" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitRootLogin no", this is a finding.
The root user should never be allowed to log in to a system directly over a network. Add or correct the following line in "/etc/ssh/sshd_config": PermitRootLogin no
To verify how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitEmptyPasswords no", this is a finding.
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no
To verify users are not able to present environment daemons, run the following command: # grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitUserEnvironment no", this is a finding.
To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in "/etc/ssh/sshd_config": PermitUserEnvironment no
To verify the MACs setting, run the following command: # grep -i "^MACs" /etc/ssh/sshd_config If there is no output or the output is not exactly "MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512", this is a finding.
To set the MACs setting, add or correct the following line in "/etc/ssh/sshd_config": MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
To verify the GSSAPIAuthentication setting, run the following command: # grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "GSSAPIAuthentication no", this is a finding.
To set the GSSAPIAuthentication setting, add or correct the following line in "/etc/ssh/sshd_config": GSSAPIAuthentication no
To verify the KerberosAuthentication setting, run the following command: # grep -i "^KerberosAuthentication" /etc/ssh/sshd_config If there is no output or the output is not exactly "KerberosAuthentication no", this is a finding.
To set the KerberosAuthentication setting, add or correct the following line in "/etc/ssh/sshd_config": KerberosAuthentication no
To verify the StrictModes setting, run the following command: # grep -i "^StrictModes" /etc/ssh/sshd_config If there is no output or the output is not exactly "StrictModes yes", this is a finding.
To set the StrictModes setting, add or correct the following line in "/etc/ssh/sshd_config": StrictModes yes
To verify the Compression setting, run the following command: # grep -i "^Compression" /etc/ssh/sshd_config If there is no output or the output is not exactly "Compression no", this is a finding.
To set the Compression setting, add or correct the following line in "/etc/ssh/sshd_config": Compression no
To verify the GatewayPorts setting, run the following command: # grep -i "^GatewayPorts" /etc/ssh/sshd_config If there is no output or the output is not exactly "GatewayPorts no", this is a finding.
To set the GatewayPorts setting, add or correct the following line in "/etc/ssh/sshd_config": GatewayPorts no
To verify the X11Forwarding setting, run the following command: # grep -i "^X11Forwarding" /etc/ssh/sshd_config If there is no output or the output is not exactly "X11Forwarding no", this is a finding.
To set the X11Forwarding setting, add or correct the following line in "/etc/ssh/sshd_config": X11Forwarding no
To verify the AcceptEnv setting, run the following command: # grep -i "^AcceptEnv" /etc/ssh/sshd_config If there is no output or the output is not exactly "AcceptEnv", this is a finding.
To set the AcceptEnv setting, add or correct the following line in "/etc/ssh/sshd_config": AcceptEnv
To verify the PermitTunnel setting, run the following command: # grep -i "^PermitTunnel" /etc/ssh/sshd_config If there is no output or the output is not exactly "PermitTunnel no", this is a finding.
To set the PermitTunnel setting, add or correct the following line in "/etc/ssh/sshd_config": PermitTunnel no
To verify the ClientAliveCountMax setting, run the following command: # grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveCountMax 3", this is a finding.
To set the ClientAliveCountMax setting, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveCountMax 3
To verify the ClientAliveInterval setting, run the following command: # grep -i "^ClientAliveInterval" /etc/ssh/sshd_config If there is no output or the output is not exactly "ClientAliveInterval 200", this is a finding.
To set the ClientAliveInterval setting, add or correct the following line in "/etc/ssh/sshd_config": ClientAliveInterval 200
To verify the MaxSessions setting, run the following command: # grep -i "^MaxSessions" /etc/ssh/sshd_config If there is no output or the output is not exactly "MaxSessions 1", this is a finding.
To set the MaxSessions setting, add or correct the following line in "/etc/ssh/sshd_config": MaxSessions 1
Log in to the host and verify the /etc/ssh/keys-root/authorized_keys file does not exist or is empty (zero bytes): # ls -la /etc/ssh/keys-root/authorized_keys or #cat /etc/ssh/keys-root/authorized_keys If the authorized_keys file exists and is not empty, this is a finding.
As root, log in to the host and zero/remove /etc/ssh/keys-root/authorized_keys file: # >/etc/ssh/keys-root/authorized_keys or # rm /etc/ssh/keys-root/authorized_keys
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the Config.HostAgent.log.level setting is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and configure it to info. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
To verify the remember setting, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If the remember setting is not set or is not "remember=5", this is a finding.
To set the remember option, add or correct the following line in "/etc/pam.d/passwd": password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
To verify the password hash setting, run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient If sha512 is not listed, this is a finding.
To set the remember option, add or correct the following line in "/etc/pam.d/passwd": password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.solo.enableMob value and verify it is set to false. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the Config.HostAgent.plugins.solo.enableMob setting is not set to false, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.solo.enableMob value and configure it to false. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the SSH service and click options. Change the service to "Start and stop manually" and stop the service and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "ESXi Shell" service and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} If the ESXi Shell service is running, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the ESXi Shell service and click options. Change the service to "Start and stop manually" and stop the service and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
From the vSphere Client select the ESXi Host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify if "JoinADEnabled" is "True" then "JoinDomainMethod" should be "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.
When using host profiles do the following: From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain" and provide the IP address of the vSphere Authentication Proxy server. To join a host to Active Directory manually without host profiles do the following: From the vSphere Client select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. View the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain. For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.
The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: -Active Directory domain that supports smart card authentication, smart card readers, and smart cards. -ESXi joined to an Active Directory domain. -Trusted certificates for root and intermediary certificate authorities. From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the Smart Card Authentication configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Web Client select the ESXi Host and right click. If the "Add Diagnostic Partition" option is greyed out then core dumps are configured. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.system.coredump.partition.get() $esxcli.system.coredump.network.get() The first command prepares for the other two. The second command shows whether there is an active core dump partition configured. The third command shows whether a network core dump collector is configured and enabled, via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables. If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.
From the vSphere Web Client select the ESXi Host and right click. Select the "Add Diagnostic Partition" option configure a core dump diagnostic partition. or From a PowerCLI command prompt while connected to the ESXi host run at least one of the following sets of commands: To configure a core dump partition: $esxcli = Get-EsxCli #View available partitions to configure $esxcli.system.coredump.partition.list() $esxcli.system.coredump.partition.set($null,"PartitionName",$null,$null) To configure a core dump collector: $esxcli = Get-EsxCli $esxcli.system.coredump.network.set($null,"vmkernel port to use",$null,"CollectorIP","CollectorPort") $esxcli.system.coredump.network.set($true)
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logDir value and verify it is set to a persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir or $esxcli = Get-EsxCli $esxcli.system.syslog.config.get() | Select LocalLogOutput,LocalLogOutputIsPersistent If the Syslog.global.logDir or LocalLogOutput value is not on persistent storage, this is a finding. If the LocalLogOutputIsPersistent value is not true, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logDir value and set it to a known persistent location. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "New Log Location"
From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and view the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host run the following command: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.
The vMotion VMkernel port group should in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and it not routed to anything but ESXi hosts. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLAN associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. If long distance or cross vCenter vMotion is used the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Configuration of the vMotion VMkernel will be unique to each environment. As an example, to modify the IP address and VLAN information to the correct network on a standard switch do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the vMotion VMkernel select Properties. Select the vMotion VMkernel and click Edit >> On the General tab uncheck everything but "vMotion" and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.
The Management VMkernel port group should in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and it not routed to anything other than management related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLAN associated with the Management VMkernel and verify they are dedicated for that purpose and are logically separated from other functions. If the network segment is routed, except to networks where other management-related entities are located such as vCenter, this is a finding. If production virtual machine traffic is routed to this network, this is a finding.
Configuration of the Management VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the Management VMkernel select Properties. Select the Management VMkernel and click Edit >> On the General tab uncheck everything but "Management Traffic" and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.
IP-Based storage (iSCSI, NFS, VSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding. If IP-based storage is not used, this is not applicable.
Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Client select the ESXi host and go to Configuration >> Networking >> On the vSwitch that contains the iSCSI VMkernel select Properties. Select the iSCSI VMkernel and click Edit >> On the General tab uncheck everything and set the appropriate VLAN ID >> Go to the IP Settings tab >> Enter the appropriate IP address and subnet information and click OK.
From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> VMkernel adapters. Review each VMkernel adapter that is defined and ensure it is enabled for only one type of management traffic. If any VMkernel is used for more than one type of management traffic, this is a finding.
From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> VMkernel adapters >> Select a VMkernel Adapter >> Click Edit >> Uncheck any additional services that have been enabled on the VMkernel adapter so that there is only one service left checked.
From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> TCP/IP configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If any system TCP/IP stack is configured and not in use by a VMkernel adapter, this is a finding.
From the vSphere Web Client select the ESXi Host and go to Manage >> Networking >> TCP/IP configuration >> Select a TCP/IP stack >> Click Edit >> Enter the appropriate site specific IP address information for the particular TCP/IP stack and click OK.
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostSnmp | Select * or From a console or ssh session run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and "read only communities" is set to public, this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.
To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false or From a console or ssh session run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets use the "esxcli system snmp set" command set.
From the vSphere Client select the ESXi Host and go to Configuration >> Storage Adapters >> Select the iSCSI adapter >> Properties >> CHAP. View the CHAP configuration and verify CHAP is required for target and host authentication. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties If iSCSI is not used, this is not a finding. If iSCSI is used and CHAP is not set to required for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Storage Adapters >> Select the iSCSI adapter >> Properties >> CHAP. Change CHAP and Mutual CHAP to "Use CHAP" and enter a unique secret. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Mem.ShareForceSalting value and verify it is set to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting If the Mem.ShareForceSalting setting is not set to 2, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Mem.ShareForceSalting value and configure it to 2. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click Firewall and review the allowed IPs. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}} If for an enabled service "Allow connections from any IP address" is selected, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under the Firewall section select properties and for each enabled service click the "Only allow connections from the following networks" option and input the site specific network(s). or From a PowerCLI command prompt while connected to the ESXi host run the following command: $esxcli = Get-EsxCli #This disables the allow all rule for the target service $esxcli.network.firewall.ruleset.set($false,$true,"sshServer") $esxcli.network.firewall.ruleset.allowedip.add("192.168.0.0/24","sshServer") This must be done for each enabled service.
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy If the Incoming or Outgoing policies are True, this is a finding.
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.BlockGuestBPDU value and verify it is set to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU If the Net.BlockGuestBPDU setting is not set to 1, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.BlockGuestBPDU value and configure it to 1. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. View the properties on each virtual switch and port group and verify "Forged Transmits" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Forged Transmits" policy is set to accept, this is a finding.
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "Forged Transmits" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. View the properties on each virtual switch and port group and verify "MAC Address Changes" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "MAC Address Changes" policy is set to accept, this is a finding.
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "MAC Address Changes" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.
From the vSphere Client go to Configuration >> Networking >> vSphere Standard Switch. For each virtual switch go to properties and change "Promiscuous Mode" to reject for the switch and each port group. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress If the Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Net.DVFilterBindIpAddress setting and remove any incorrect addresses. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""
From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with the native VLAN of the ESXi hosts attached physical switch, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to a non-native VLAN and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set 4095. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanID If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to not be 4095 and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
From the vSphere Client select the ESXi Host and go to Configuration >> Networking. Review the port group VLAN tags and verify they are not set to a reserved VLAN ID. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanId If any port group is configured with a reserved VLAN ID, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Networking >> Select properties on the virtual switch >> Select the port group and click Edit. Change the VLAN ID to not be a reserved VLAN ID and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of external switch ports as trunk ports must be documented. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. Inspect the documentation and verify that the documentation is correct and updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream external switch ports. If DTP is enabled on the physical switch ports connected to the ESXi Host, this is a finding.
Note: This check refers to an entity outside the physical scope of the ESXi server system. Document the configuration of external switch ports as trunk ports. Log in to the vendor-specific physical switch and disable DTP on the physical switch ports connected to the ESXi Host. Update the documentation on a regular basis or whenever modifications are made to either ESXi hosts or the upstream external switch ports.
Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch's spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding.
Note: This fix refers to an entity outside the scope of the ESXi server system. Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts. Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts. Update the documentation on a regular basis or whenever modifications are made to either ESXi hosts or the upstream physical switches.
Note: This check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that unneeded VLANs are configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that only needed VLANs are configured for all physical ports connected to ESXi hosts. If the physical switch's configuration is trunked VLANs that are not used by ESXi for all physical ports connected to ESXi hosts, this is a finding.
Note: This fix refers to an entity outside the scope of the ESXi server system. Remove any VLANs trunked across physical ports connected to ESXi hosts that are not in use.
If the CIM account does not exist, this check is not applicable. If write access is required, this check is not applicable. From the vSphere client, select the ESXi host, and go to "Permissions". Select the CIM account user, then right-click and select properties to verify read-only access. If write access is not required and the access level is not "read-only", this is a finding.
From the vSphere client, select the ESXi host; go to "Local Users and Groups". Create a limited-privileged, read-only service account for CIM. Place the CIM account into the "root" group. Select Users and right-click in the user screen. Select "Add", then Add a new user. If write access is required only grant the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges.
The downloaded ISO, offline bundle, or patch hash must be verified against the vendor's checksum to ensure the integrity and authenticity of the files. See some typical command line example(s) for both the md5 and sha1 hash check(s) directly below. # md5sum <filename>.iso # sha1sum <filename>.iso If any of the system's downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor's checksum, this is a finding.
If the hash returned from the md5sum or sha1sum commands do not match the vendor's hash, the downloaded software must be discarded. If the physical media is obtained from VMware and the security seal is broken, the software must be returned to VMware for replacement.
If vCenter Update Manager is used on the network it can be used to scan all hosts for missing patches. From the vSphere Client go to Hosts and Clusters >> Update Manager tab and select scan to view all hosts’ compliance status. If vCenter Update Manager is not used, a host’s compliance status must be manually determined by the build number. The following VMware KB 1014508 can be used to correlate patches with build numbers. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them. https://www.vmware.com/support/policies/security_response
If vCenter Update Manager is used on the network, hosts can be remediated from the vSphere Client. From the vSphere Client go to Hosts and Clusters > Update Manager tab and select a non-compliant host and click the Remediate button. To manually remediate a host the patch file must be copied locally and the following command run: esxcli software vib update -d <path to offline patch bundle.zip>
From the vSphere Web Client, select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Scroll down to "Lockdown Mode". Verify it is set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}} If "Lockdown Mode" is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is Not Applicable.
From the vSphere Web Client, select the ESXi Host and go to Manage >> Settings >> System >> Security Profile. Click edit on "Lockdown Mode" and set to Enabled (Normal or Strict). or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $level = "lockdownNormal" OR "lockdownStrict" $vmhost = Get-VMHost -Name <hostname> | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.ChangeLockdownMode($level) Note: In strict lockdown mode, which is new in vSphere 6.0, the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes inaccessible.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Annotations.WelcomeMessage value and verify it contains the DoD logon banner: From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage Check for either of the following login banners based on the character limitations imposed by the system. An exact match of the text is required. If one of these banners is not displayed, this is a finding. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests- -not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OR I've read & consent to terms in IS user agreem't. If the DCUI logon screen does not display the DoD logon banner, this is a finding.
From a PowerCLI command prompt while connected to the ESXi host copy the following contents into a script(.ps1 file) and run to set the DCUI screen to display the DoD logon banner: <script begin> $value = @" {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{hostname} , {ip}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{esxproduct} {esxversion}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:yellow}{memory} RAM{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:black}{color:white}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} using this IS (which includes any device attached to this IS), you consent to the following conditions: {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} enforcement (LE), and counterintelligence (CI) investigations.{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - At any time, the USG may inspect and seize data stored on this IS.{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} interception, and search, and may be disclosed or used for any USG-authorized purpose. {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} for your personal benefit or privacy.{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or monitoring of the content of privileged communications, or work product, related to personal representation {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work {/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black} product are private and confidential. See User Agreement for details.{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{align:left}{bgcolor:yellow}{color:black}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} {bgcolor:black} {/color}{align:left}{bgcolor:dark-grey}{color:white} <F2> Accept Conditions and Customize System / View Logs{/align}{align:right}<F12> Accept Conditions and Shut Down/Restart {bgcolor:black} {/color}{/color}{/bgcolor}{/align} {bgcolor:black} {/color}{bgcolor:dark-grey}{color:black}{/color}{/bgcolor} " @Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Set-AdvancedSetting -Value $value <script end>
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc", this is a finding.
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config": Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and verify it is set to the default level of info. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level If the Config.HostAgent.log.level setting is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.log.level value and configure it to info. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level | Set-AdvancedSetting -Value "info"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Verify the Directory Services Type is set to Active Directory. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify if "JoinADEnabled" is "True" then "JoinDomainMethod" should be "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.
When using host profiles do the following: From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server. To join a host to Active Directory manually without host profiles do the following: From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value. Verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value. Configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. View the Smart Card Authentication status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain. For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.
The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: -Active Directory domain that supports smart card authentication, smart card readers, and smart cards. -ESXi joined to an Active Directory domain. -Trusted certificates for root and intermediary certificate authorities. From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut If the UserVars.ESXiShellInteractiveTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellInteractiveTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut If the UserVars.ESXiShellTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.ESXiShellTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and verify it is set to 600 (10 Minutes). or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the UserVars.DcuiTimeOut setting is not set to 600, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the UserVars.DcuiTimeOut value and configure it to 600. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600
From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and view the configured NTP servers and service startup policy. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostNTPServer Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Time Configuration. Select Properties >> Options and configure the NTP service to start and stop with the host and with authoritative DoD time sources. or From a PowerCLI command prompt while connected to the ESXi host run the following command: $NTPServers = "ntpserver1","ntpserver2" Get-VMHost | Add-VMHostNTPServer $NTPServers Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit and view the "SSH" service and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under Services select Edit then select the SSH service and click options. Change the service to "Start and stop manually" and stop the service and click OK. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
From the vSphere Client go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify if "JoinADEnabled" is "True" then "JoinDomainMethod" should be "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding.
When using host profiles do the following: From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server. To join a host to Active Directory manually without host profiles do the following: From the vSphere Client, select the ESXi Host and go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. View the "Smart Card Authentication" status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain. For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.
The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: -Active Directory domain that supports smart card authentication, smart card readers, and smart cards. -ESXi joined to an Active Directory domain. -Trusted certificates for root and intermediary certificate authorities. From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" view the acceptance level. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.get() If the acceptance level is CommunitySupported, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Security Profile. Under "Host Image Profile Acceptance Level" edit the acceptance level to be either VMwareCertified, VMwareAccepted, or PartnerSupported. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli $esxcli.software.acceptance.Set("PartnerSupported") Note: VMwareCertified or VMwareAccepted may be substituted for PartnerSupported, depending upon local requirements.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Verify the "Directory Services Type" is set to "Active Directory". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Directory Services Type" is not set to "Active Directory", this is a finding.
From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Click "Properties". Change the "Directory Service Type" to "Active Directory". Enter the domain to join. Check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain "domain name" -User "username" -Password "password"
From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Verify the method used to join hosts to a domain is set to "Use vSphere Authentication Proxy to add the host to domain". or From a PowerCLI command prompt while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} Verify if "JoinADEnabled" is "True" then "JoinDomainMethod" should be "FixedCAMConfigOption". For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If "vSphere Authentication Proxy" is not used to join hosts to an Active Directory domain, this is a finding.
When using host profiles do the following: From the vSphere Client, go to Home >> Host Profiles. Select a Host Profile to edit. View the settings under Authentication Configuration >> Active Directory Configuration >> JoinDomain Method. Set the method used to join hosts to a domain to "Use vSphere Authentication Proxy to add the host to domain". Provide the IP address of the vSphere Authentication Proxy server. To join a host to Active Directory manually without host profiles do the following: From the vSphere Client, select the ESXi Host. Go to Configuration >> Authentication Services. Click Properties. Change the "Directory Service Type" to Active Directory. Enter the domain to join, check "Use vSphere Authentication Proxy". Enter the proxy server address. Click "Join Domain".
From the vSphere Client, select the ESXi Host. Go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Verify it is not set to "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" keyword is set to "ESX Admins", this is a finding.
From the vSphere Client, select the ESXi Host and go to Configuration >> Advanced Settings. Select the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" value. Configure it to an Active Directory group other than "ESX Admins". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value <AD Group>
From the vSphere Web Client, select the ESXi Host. Go to Manage >> Authentication Services. View the "Smart Card Authentication" status. If "Enable Smart Card Authentication" is checked, the system requires smart cards to authenticate to an Active Directory Domain. For systems that have no local user accounts, other than root, dcui, and/or vpxuser, this is Not Applicable. For environments that do not use vCenter server to manage ESXi, this is Not Applicable. For systems that do not use smart cards with Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding.
The following are pre-requisites to configuration smart card authentication for the ESXi DCUI: -Active Directory domain that supports smart card authentication, smart card readers, and smart cards. -ESXi joined to an Active Directory domain. -Trusted certificates for root and intermediary certificate authorities. From the vSphere Web Client, select the ESXi Host and go to Manage >> Authentication Services. Edit the "Smart Card Authentication" configuration to add trusted certificate authority certificates. Select "Enable Smart Card Authentication". Click OK. For more information see the vSphere 6.0 documentation on VMware's website.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and verify it is set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15" or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl If the Security.PasswordQualityControl setting is not set to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15", this is a finding.
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Security.PasswordQualityControl value and configure it to "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15". or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
If IP-based storage is not used, this is not applicable. IP-Based storage (iSCSI, NFS, VSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client select the ESXi host and go to Configuration >> Networking and review the VLANs associated with any IP-Based storage VMkernels and verify they are dedicated for that purpose and are logically separated from other functions. If any IP-Based storage networks are not isolated from other traffic types, this is a finding.
Configuration of an IP-Based VMkernel will be unique to each environment but for example to modify the IP address and VLAN information to the correct network on a standard switch for an iSCSI VMkernel do the following: From the vSphere Client select the ESXi host and go to Configuration > Networking > On the vSwitch that contains the iSCSI VMkernel select Properties. Select the iSCSI VMkernel and click Edit > On the General tab uncheck everything and set the appropriate VLAN ID > Go to the IP Settings tab > Enter the appropriate IP address and subnet information and click OK.
If no clusters are enabled for VSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Manage >> Settings >> Virtual SAN >> Health. Review the "Health Service Status" and verify that it is set to "Enabled". If VSAN is enabled and there is no VSAN health check installed or the VSAN health check is disabled, this is a finding.
If VSAN Health Check is not installed (6.0 GA only): Download the VSAN Health Check Plugin and install to the vCenter Server. Then restart the vCenter Server services. DRS must be configured for fully automated on the cluster. Then each ESXi host must have the VSAN Health Check VIB installed on the ESXi hosts. If VSAN Health Check is installed: From the vSphere Web Client go to Host and Clusters >> Select a VSAN enabled "Cluster" >> Manage >> Settings >> Virtual SAN >> Health >> "Health Service Status" and click "Edit Settings". Select the check box for "Turn On Periodical Health Check" and configure the time interval as necessary.
If no clusters are enabled for VSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters >> Select a VSAN Enabled Cluster >> Manage >> Settings >> General >> Internet Connectivity >> Edit If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled. If this "Enable Internet access for this cluster" is enabled this is a finding. If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is configured. If "Enable Internet access for this cluster" is disabled or a proxy is not configured this is a finding.
If no clusters are enabled for VSAN, this is not applicable. If VSAN Health Check is not installed (6.0 GA only): Download the VSAN Health Check Plugin and install to the vCenter Server. Then restart the vCenter Server services. DRS must be configured for fully automated on the cluster. Then each ESXi host must have the VSAN Health Check VIB installed on the ESXi hosts. If VSAN Health Check is installed: From the vSphere Web Client go to Host and Clusters > Select a VSAN Enabled Cluster > Manage > Settings > General > Internet Connectivity > Edit If the HCL internet download is not required then ensure that "Enable Internet access for this cluster" is disabled. If the HCL internet download is required then ensure that "Enable Internet access for this cluster" is enabled and that a proxy host is appropriately configured.
If no clusters are enabled for VSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters >> Select a Cluster >> Related Objects >> Datastores. Review the datastores. Identify any datastores with "vsan" as the datastore type. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){ Write-Host "VSAN Enabled Cluster found" Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"} } else{ Write-Host "VSAN is not enabled, this finding is not applicable" } If VSAN is Enabled and the datastore is named "vsanDatastore" this is a finding.
From the vSphere Web Client go to Host and Clusters > Select a Cluster > Related Objects > Datastores. Right click on the datastore named "vsanDatastore" and select "Rename". Rename the datastore based on operational naming standards. or From a PowerCLI command prompt while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){ Write-Host "VSAN Enabled Cluster found" $Clusters = Get-Cluster | where {$_.VsanEnabled} Foreach ($clus in $clusters){ $clus | Get-Datastore | where {$_.type -match "vsan"} | Set-Datastore -Name $(($clus.name) + "_VSAN_Datastore") } } else{ Write-Host "VSAN is not enabled, this finding is not applicable" }