| Command | Data Not Available |
|---|---|
| Status | Skipped |
| Expected | Data Not Available |
| Got | SFTP Backups not in use...skipping |

| Control | 100901 |
|---|---|
| Title | The SDDC Manager must be capable of reverting to the last known good configuration in the event of failed installations and upgrades. |
| Description | You must back up SDDC Manager regularly to avoid downtime and data loss in case of a system failure. You can back up and restore SDDC Manager with an image-based or a file-based solution. File-based backup is recommended for customers who are comfortable with configuring backups by using APIs, and are not using composable servers or stretched clusters. For image-based backups of SDDC Manager, use a solution compatible with VMware vSphere Storage APIs - Data Protection. For file-based backups, configure an external SFTP server as a target backup location and configure a backup schedule. |
| Severity | High |
| Nist Controls | |
| Check Text | For image based backups: Interview the SA and determine if regular image based backups are being taken of the SDDC Manager appliance. For file based backups: Check that an external SFTP server is registered with SDDC Manager. From the SDDC Manager UI, navigate to Administration >> Backup >> Site Settings and verify an external SFTP server is configured. Check that a backup schedule has been configured. From the SDDC Manager UI, navigate to Administration >> Backup >> SDDC Manager Configurations and review the backup configuration. Or, from a command prompt, run the following command: `$ curl 'https://sddc-manager.sfo01.rainpole.local/v1/system/backup-configuration' -i -X GET -H 'Authorization: Bearer etYWRta....'` Note: The SDDC Manager URL and bearer token must be replaced in the example. If file based backups are used and an external SFTP server is not configured, this is a finding. If file based backups are used and an automatic backup schedule is not configured, this is a finding. If image based backups are used and not being performed on a regular basis, this is a finding. |
| Fix Text | Data Not Available |

| Command | The NTP server should be a part of the given NTP servers |
|---|---|
| Status | Failed |
| Expected | NTP servers should be in [] |
| Got | 192.168.0.253 |

| Control | 100902 |
|---|---|
| Title | The SDDC Manager must sync internal clocks with an authoritative time source. |
| Description | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet this requirement, the organization will define an authoritative time source and have each system compare its internal clock at least every 24 hours. From the SDDC Manager UI, navigate to Administration >> Network Settings >> NTP Configuration to configure NTP server. |
| Severity | High |
| Nist Controls | |
| Check Text | View the current NTP server configuration. From the SDDC Manager UI, navigate to Administration >> Network Settings >> NTP Configuration and review the NTP servers listed. Or, from a command prompt, run the following command: `$ curl 'https://sddc-manager.sfo01.rainpole.local/v1/system/ntp-configuration' -i -X GET -H 'Authorization: Bearer etYWRta....'` Note: The SDDC Manager URL and bearer token must be replaced in the example. If the NTP servers listed are not a site specific authoritative time source, this is a finding. `Get-SddcManager -Name` |
| Fix Text | Data Not Available |

| Command | Checking the fqdn of SDDC for id 5912d6b1-71e8-4ec7-9a09-97867965f71d |
|---|---|
| Status | Failed |
| Expected | sgn-hm2-sddc.sgn.broadcom.net |
| Got | sddc-l-01a.corp.local |
| Command | Checking the version of SDDC for id 5912d6b1-71e8-4ec7-9a09-97867965f71d |
| Status | Failed |
| Expected | Data Not Available |
| Got | 5.2.0.0-24108943 |

| Control | 100903 |
|---|---|
| Title | The SDDC Manager must have all security patches and updates installed. |
| Description | Install all security patches and updates. To apply patches and updates to SDDC Manager, follow the guidance in the VMware Cloud Foundation Lifecycle Management document. |
| Severity | High |
| Nist Controls | |
| Check Text | SDDC Manager and Cloud Foundation updates are generally released as a group update to the bill of materials for a given VCF release. The SDDC Manager orchestrates the installation of updates to the management and workload domain components such as vSphere and NSX. Check for and download available updates by using either the online or offline process. Online: From the SDDC Manager UI, navigate to Lifecycle Management >> Bundle Management. Download any available bundles shown. Offline: Follow the process at the URL below to download bundles offline: https://docs.vmware.com/en/VMware-Cloud-Foundation/5.0/vcf-lifecycle/GUID-8FA44ACE-8F04-47DA-845E-E0863094F7B0.html To review update applicability: From the SDDC Manager UI, navigate to Inventory >> Workload Domains. Select each management or workload domain, go to the Updates/Patches tab, and review the Available Updates section. If SDDC Manager does not have the latest patches/updates installed, this is a finding. If SDDC Manager is not on a supported release, this is a finding. `Get-SddcManager -Name` |
| Fix Text | Data Not Available |

| Command | Checking the certificates's issuedBy for resource vc-l-01a.corp.local |
|---|---|
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource sddc-l-01a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource nsx-l-01a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource nsx-l-02a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource nsx-l-03a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource nsx-lb-a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |
| Command | Checking the certificates's issuedBy for resource vrlcm-l-01a.corp.local |
| Status | Passed |
| Expected | Certificate should not be self signed |
| Got | OU=VMware Engineering, O=vc-l-01a.corp.local, ST=California, C=US, DC=local, DC=vsphere, CN=CA |

| Control | 100904 |
|---|---|
| Title | The SDDC Manager must use DOD- or CNSS-approved PKI Class 3 or Class 4 certificates. |
| Description | The use of a trusted certificate on the SDDC Manager appliance assures clients that the service they are connecting to is legitimate and trusted. To update the SDDC Manager certificate, refer to the following URL: Install Certificates with External or Third-Party Certificate Authorities. |
| Severity | High |
| Nist Controls | |
| Check Text | From the SDDC Manager UI, navigate to Inventory >> Workload Domains. Select the management workload domain. Go to the Certificates tab, expand the sddcmanager resource type, and view the issuedBy field of the current certificate. If the issuer specified is not an authorized certificate authority, this is a finding. `Get-SddcManager -Server` |
| Fix Text | Data Not Available |

| Command | Verify NO Internet Connectivity |
|---|---|
| Status | Failed |
| Expected | Ping 1.1.1.1 should fail |
| Got | Ping successful. Internet connectivity exists. |

| Control | 100905 |
|---|---|
| Title | The SDDC Manager must not be exposed directly to the internet. |
| Description | Allowing external access to the SDDC Manager appliance can expose the server to denial of service attacks or other penetration attempts. The System Administrator (SA) should work with the network or boundary team to ensure proper firewall rules are configured or other mechanisms are in place to protect the SDDC Manager appliance. |
| Severity | High |
| Nist Controls | |
| Check Text | Interview the system administrator to determine if the SDDC Manager is accessible from outside of the organization. If the SDDC Manager appliance is accessible from the internet or from outside of the organization's boundary, this is a finding. |
| Fix Text | Data Not Available |

| Command | This is a manual or policy based check and must be manually reviewed. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |

| Control | 100906 |
|---|---|
| Title | The SDDC Manager must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| Description | Users and groups must be assigned only privileges they require. To reduce risk of confidentiality, availability, or integrity loss, least privilege requires that these privileges must be assigned only if needed. From the SDDC Manager UI, under Administration > Single Sign On > Users and groups, review the users and groups assigned a role in SDDC Manager and verify that an appropriate role is assigned. |
| Severity | High |
| Nist Controls | |
| Check Text | From the SDDC Manager UI, navigate to Administration >> Single Sign On. Review the Users and Groups assigned a role in SDDC Manager and verify the appropriate role is assigned. If any users or groups are assigned a role that includes more access than needed, this is a finding. |
| Fix Text | Data Not Available |

| Command | Checking the username of vmwareAccount |
|---|---|
| Status | Passed |
| Expected | Should be null because the provided myVmwareAccount is not provided |
| Got | null |

| Control | 100907 |
|---|---|
| Title | The SDDC Manager must use an account dedicated for downloading updates and patches. |
| Description | When access is allowed to download updates online, using a dedicated My VMware account ensures consistent access to updates and security patches in the event of system administrator turnover or account access issues. To configure a dedicated account that is not associated with a particular system administrator, from the SDDC Manager UI, go to Administration > Depot Settings. |
| Severity | High |
| Nist Controls | |
| Check Text | If SDDC Manager is not pulling updates online, this is not applicable. From the SDDC Manager UI, navigate to Administration >> Depot Settings. If the account used to authenticate with VMware is not a dedicated account, this is a finding. |
| Fix Text | Data Not Available |

| Command | Checking the Security Fips enabled |
|---|---|
| Status | Failed |
| Expected | Should be true |
| Got | false |

| Control | 100908 |
|---|---|
| Title | The SDDC Manager must be deployed with FIPS mode enabled. |
| Description | FIPS mode must be activated during bring-up and cannot be activated post bring-up. Refer to the VCF deployment guide for details on activating FIPS mode on SDDC Manager. Caution: This option is only available for new VMware Cloud Foundation installations, and the setting you apply during bring-up is used for future upgrades. You cannot change the FIPS security mode setting after bring-up. |
| Severity | Critical |
| Nist Controls | |
| Check Text | From the SDDC Manager UI, navigate to Developer Center >> API Explorer. Find the FIPS mode details section, expand the GET section, and click Execute. Or, from a command prompt, run the following command: `$ curl 'https://sddc-manager.sfo01.rainpole.local/v1/system/security/fips' -i -X GET -H 'Authorization: Bearer etYWRta....'` Note: The SDDC Manager URL and bearer token must be replaced in the example. Review the response to verify FIPS mode is enabled. If FIPS mode is not enabled, this is a finding. `Get-SddcManager -Name` |
| Fix Text | Data Not Available |

| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user root |
|---|---|
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user svc-vcf-esx-01a |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user root |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user svc-vcf-esx-02a |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user root |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user svc-vcf-esx-03a |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user root |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |
| Command | Checking the frequencyInDays in autoRotatePolicy for resource type ESXI for user svc-vcf-esx-04a |
| Status | Failed |
| Expected | Data Not Available |
| Got | autoRotatePolicy is not available for this user |

| Control | 100909 |
|---|---|
| Title | The SDDC Manager must schedule automatic password rotation. |
| Description | As a security measure, you can rotate passwords for the logical and physical accounts on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager. By default, auto-rotation is enabled for vCenter Server. |
| Severity | High |
| Nist Controls | |
| Check Text | From the SDDC Manager UI, navigate to Administration >> Security >> Password Management. Review the rotation schedules for vCenter, PSC, NSX, and Backup. If a rotation schedule is disabled for these groups of passwords, this is a finding. Note: Automatic password rotation is not currently supported for ESXi. `Get-SddcManager -Name` |
| Fix Text | Data Not Available |

| Command | Checking the Configured |
|---|---|
| Status | Passed |
| Expected | Should be true |
| Got | true |

| Control | 100910 |
|---|---|
| Title | The SDDC Manager must configure the API admin account. |
| Description | A local account is used to access VMware Cloud Foundation APIs when the management vCenter Server is down. If you upgraded from a previous release or did not configure the account when deploying using the API, this account's password is unset. If left unset, this would make managing and accessing the environment in some scenarios difficult to recover from, so it should be set. |
| Severity | High |
| Nist Controls | |
| Check Text | From the SDDC Manager UI, navigate to Developer Center >> API Explorer. Find the APIs for managing users section, expand the GET section for /v1/users/local/admin, and click Execute. Or, from a command prompt, run the following command: `$ curl 'https://sddc-manager.sfo01.rainpole.local/v1/users/local/admin' -i -X GET -H 'Authorization: Bearer etYWRta....'` Note: The SDDC Manager URL and bearer token must be replaced in the example. Review the response and verify isConfigured is set to true. If the admin@local account is not configured, this is a finding. |
| Fix Text | Data Not Available |

| Command | Checking the status of Basic Auth Details |
|---|---|
| Status | Passed |
| Expected | DISABLED |
| Got | DISABLED |

| Control | 100911 |
|---|---|
| Title | The SDDC Manager must disable basic authentication. |
| Description | Basic authentication is passed over the network in clear text as a base64 encoded string that is easily reversible and is not considered secure. Even though it is sent over HTTPS/TLS, which offers more protection against eavesdropping, it should not be used. |
| Severity | Critical |
| Nist Controls | |
| Check Text | From a command prompt, run the following command: `$ curl 'https://sddc-manager.sfo01.rainpole.local/v1/sddc-manager' -i -X GET -H 'Authorization: Bearer etYWRta....'` Note: The SDDC Manager URL and bearer token must be replaced in the example. Review the response and verify in the basicAuthDetails section that status is set to DISABLED. If basic authentication is enabled, this is a finding. `Get-SddcManager -Server` |
| Fix Text | `Set-SddcManager -Server` |