| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.AccountLockFailures | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 3 |
| Got | 5 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.AccountLockFailures | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 3 |
| Got | 5 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.AccountLockFailures | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 3 |
| Got | 5 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.AccountLockFailures | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 3 |
| Got | 5 |
| Control | 100001 |
|---|---|
| Title | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. |
| Description | Protects against brute-force attacks and unauthorized access attempts by temporarily disabling the affected account, preventing further login attempts until the lockout period expires or is manually reset by an administrator. |
| Severity | Medium |
| Nist Controls | AC-7 |
| Check Text |
From the vSphere Client go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Security.AccountLockFailures value and verify it is set to
Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.AccountLockFailures |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.AccountLockFailures | Set-AdvancedSetting -Value 5 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | Welcome Message should not be null |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Welcome Message should not be null |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Welcome Message should not be null |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Annotations.WelcomeMessage | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Welcome Message should not be null |
| Got | Data Not Available |
| Control | 100002 |
|---|---|
| Title | Configure the ESXi host login banner for the DCUI and Host Client. |
| Description | ESXi enables the display of a login message often used to deter intruders by declaring their activities as illegal, and to inform authorized users of their responsibilities and conditions for system use. While not a direct technical security control, this has positive implications for enforcement and prosecution if attackers are caught. This parameter defines the text displayed on both the Host Client login page and DCUI. |
| Severity | High |
| Nist Controls | AC-8 |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Annotations.WelcomeMessage value and verify it contains the standard mandatory notice and consent banner.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage
If the Annotations.WelcomeMessage setting does not contain the standard mandatory notice and consent banner, this is a finding.
Get-VMHost -Name $ESXi | Get-AdvancedSetting Annotations.WelcomeMessage |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Annotations.WelcomeMessage | Set-AdvancedSetting -Value "Authorized users only. Actual or attempted unauthorized use of this system is prohibited and may result in criminal, civil, security, or administrative proceedings and/or penalties. Use of this information system indicates consent to monitoring and recording, without notice or permission. Users have no expectation of privacy in any use of this system. Any information stored on, or transiting this system, or obtained by monitoring and/or recording, may be disclosed to law enforcement and/or used in accordance with Federal law, State statute, and organization policy. If you are not an authorized user of this system, exit the system at this time." |
| Command | (Get-View (Get-VMHost -Name esx-01a.corp.local | Get-View).ConfigManager.HostAccessManager).LockdownMode |
|---|---|
| Status | Failed |
| Expected | lockdownNormal |
| Got | lockdownDisabled |
| Command | (Get-View (Get-VMHost -Name esx-02a.corp.local | Get-View).ConfigManager.HostAccessManager).LockdownMode |
| Status | Failed |
| Expected | lockdownNormal |
| Got | lockdownDisabled |
| Command | (Get-View (Get-VMHost -Name esx-03a.corp.local | Get-View).ConfigManager.HostAccessManager).LockdownMode |
| Status | Failed |
| Expected | lockdownNormal |
| Got | lockdownDisabled |
| Command | (Get-View (Get-VMHost -Name esx-04a.corp.local | Get-View).ConfigManager.HostAccessManager).LockdownMode |
| Status | Failed |
| Expected | lockdownNormal |
| Got | lockdownDisabled |
| Control | 100003 |
|---|---|
| Title | The ESXi host must enable lockdown mode. |
| Description | Enabling lockdown mode deactivates direct access to an ESXi host and requires that the host be managed remotely from vCenter Server. This is done to ensure that the roles and access controls implemented in vCenter are always enforced, and users cannot bypass them by logging into a host directly. By forcing all interactions to occur through vCenter Server, the risk of someone attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note that users listed in the Exception Users list for each host are allowed to override lockdown mode and log in. By default, no users are present on the Exception Users list. There are three settings for lockdown mode: disabled, normal, and strict. Choosing strict means that if the ESXi host loses contact with vCenter Server, it cannot be managed in any way until that connection is restored. If the connection cannot be restored, the host will need to be rebuilt. This level of lockdown mode is typically not necessary for most deployments and can present significant operational challenges. Therefore, we recommend using normal lockdown mode. |
| Severity | Critical |
| Nist Controls | CM-6 |
| Check Text |
For environments that do not use vCenter Server to manage ESXi, this is not applicable.
From the vSphere Client go to Hosts and Clusters >> Select the ESXi Host >> Configure >> System >> Security Profile.
Scroll down to Lockdown Mode and verify it is set to Enabled (Normal or Strict).
or
From a PowerCLI command prompt while connected to the ESXi host run the following command:
Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If Lockdown Mode is disabled, this is a finding.
(Get-View (Get-VMHost -Name $ESXi | Get-View).ConfigManager.HostAccessManager).LockdownMode |
| Fix Text | (Get-View (Get-VMHost -Name $ESXi | Get-View).ConfigManager.HostAccessManager).ChangeLockdownMode('lockdownNormal') |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Should be less than or equal to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equal to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equal to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equal to 900 |
| Got | 900 |
| Control | 100004 |
|---|---|
| Title | The ESXi host client must be configured with an idle session timeout. |
| Description | This practice helps mitigate potential security risks by ensuring that unattended sessions, which could be exploited by unauthorized users or malicious software, are not left open indefinitely. |
| Severity | Medium |
| Nist Controls | CM-6, AC-12, SC-10 |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the UserVars.HostClientSessionTimeout value and verify it is set to 900 or less.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout
If the UserVars.HostClientSessionTimeout setting is not set to 900 or less, this is a finding.
Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.HostClientSessionTimeout |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.HostClientSessionTimeout | Set-AdvancedSetting -Value 900 |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.security.fips140.ssh.get.invoke() | Select-Object -ExpandProperty Enabled |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.security.fips140.ssh.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.security.fips140.ssh.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.security.fips140.ssh.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100005 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions. |
| Description | OpenSSH on the ESXi host ships with a FIPS 140-2/140-3 validated cryptographic module, and it is enabled by default. For backward compatibility reasons, this can be deactivated. Therefore, this setting must be audited and corrected if necessary. |
| Severity | Medium |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1) |
| Check Text |
From an ESXi shell, run the following command:
# esxcli system security fips140 ssh get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.ssh.get.invoke()
Expected result:
Enabled: true
If the FIPS mode is not enabled for SSH, this is a finding.
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.security.fips140.ssh.get.Invoke() |
| Fix Text |
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$ESXcli.system.security.fips140.ssh.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.log.level | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | info |
| Got | info |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.log.level | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | info |
| Got | info |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.log.level | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | info |
| Got | info |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.log.level | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | info |
| Got | info |
| Control | 100006 |
|---|---|
| Title | The ESXi host must produce audit records containing information to establish what type of events occurred. |
| Description | It is important to ensure that sufficient information is present in audit logs for diagnostics and forensics purposes. |
| Severity | Medium |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1) |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Config.HostAgent.log.level value and verify it is set to info.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level
If the Config.HostAgent.log.level setting is not set to info, this is a finding.
Note: Verbose logging level is acceptable for troubleshooting purposes.
Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.log.level |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.log.level | Set-AdvancedSetting -Value info |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.PasswordQualityControl | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64 |
| Got | retry=3 min=disabled,disabled,disabled,7,7 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.PasswordQualityControl | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64 |
| Got | retry=3 min=disabled,disabled,disabled,7,7 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.PasswordQualityControl | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64 |
| Got | retry=3 min=disabled,disabled,disabled,7,7 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.PasswordQualityControl | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64 |
| Got | retry=3 min=disabled,disabled,disabled,7,7 |
| Control | 100008 |
|---|---|
| Title | The ESXi host must enforce password complexity by configuring a password quality policy. |
| Description | Based on recommendations such as NIST 800-63B Section 5.1.1.2, it is suggested that composition rules, such as mandating mixtures of character classes, should not be enforced on systems as they often fail to enhance password security and discourage the adoption of more secure passphrases. Password strength and complexity rules are applicable to all ESXi users, including the root user. However, when the ESX host is joined to a domain, these rules do not apply to Active Directory (AD) users as password policies for AD users are enforced by the AD system. |
| Severity | Critical |
| Nist Controls | IA-5 |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Security.PasswordQualityControl value and verify it is set to similar=deny retry=3 min=disabled,disabled,disabled,disabled,15.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl
If the Security.PasswordQualityControl setting is set to a value other than similar=deny retry=3 min=disabled,disabled,disabled,disabled,15, this is a finding.
Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordQualityControl |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordQualityControl | Set-AdvancedSetting -Value "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 max=64" |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.PasswordHistory | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 5 |
| Got | 5 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.PasswordHistory | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 5 |
| Got | 5 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.PasswordHistory | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 5 |
| Got | 5 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.PasswordHistory | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 5 |
| Got | 5 |
| Control | 100009 |
|---|---|
| Title | The ESXi host must prohibit password reuse for a minimum of five generations. |
| Description | Prevent the reuse of previous passwords, thus mitigating potential breaches from old, compromised credentials. |
| Severity | Medium |
| Nist Controls | IA-5 |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Security.PasswordHistory value and verify it is set to 5 or greater.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Security.PasswordHistory
If the Security.PasswordHistory setting is set to a value other than 5 or greater, this is a finding.
Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordHistory |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordHistory | Set-AdvancedSetting -Value 5 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100010 |
|---|---|
| Title | The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB). |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Medium |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the Config.HostAgent.plugins.solo.enableMob value and verify it is set to false.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob
If the Config.HostAgent.plugins.solo.enableMob setting is not set to false, this is a finding.
Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.plugins.solo.enableMob |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value False |
| Command | Get-VMHostAuthentication esx-01a.corp.local | Select-Object -ExpandProperty Domain |
|---|---|
| Status | Passed |
| Expected | should be empty |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-01a.corp.local | Select-Object -ExpandProperty DomainMembershipStatus |
| Status | Failed |
| Expected | Should be in Joined Ok |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-02a.corp.local | Select-Object -ExpandProperty Domain |
| Status | Passed |
| Expected | should be empty |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-02a.corp.local | Select-Object -ExpandProperty DomainMembershipStatus |
| Status | Failed |
| Expected | Should be in Joined Ok |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-03a.corp.local | Select-Object -ExpandProperty Domain |
| Status | Passed |
| Expected | should be empty |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-03a.corp.local | Select-Object -ExpandProperty DomainMembershipStatus |
| Status | Failed |
| Expected | Should be in Joined Ok |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-04a.corp.local | Select-Object -ExpandProperty Domain |
| Status | Passed |
| Expected | should be empty |
| Got | Data Not Available |
| Command | Get-VMHostAuthentication esx-04a.corp.local | Select-Object -ExpandProperty DomainMembershipStatus |
| Status | Failed |
| Expected | Should be in Joined Ok |
| Got | Data Not Available |
| Control | 100011 |
|---|---|
| Title | The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory. |
| Description | Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain multiple local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced, and reduces the risk of security breaches and unauthorized access. Note: If the Active Directory group ESX Admins (default) exists, all users and groups assigned as members to this group will have full administrative access to all ESXi hosts in the domain. Satisfies: SRG-OS-000109-VMM-000550, SRG-OS-000112-VMM-000560, SRG-OS-000113-VMM-000570, SRG-OS-000123-VMM-000620 If any local user accounts exist, apart from root and local service accounts, you can delete the local user accounts by going to the ESXi host UI Manage > Security & Users > Users. |
| Severity | Medium |
| Nist Controls | |
| Check Text |
For systems that do not use Active Directory and have no local user accounts other than root and/or service accounts, this is not applicable.
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Authentication Services.
Verify the Directory Services Type is set to Active Directory.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and do have local user accounts, other than root and/or service accounts, this is a finding.
If the Directory Services Type is not set to Active Directory, this is a finding.
Get-VMHost | Get-VMHostAuthentication |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | yes |
| Got | yes |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | yes |
| Got | yes |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | yes |
| Got | yes |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | yes |
| Got | yes |
| Control | 100012 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | IA-2(1), IA-2(2), AC-4, CM-6, SC-7, SC-7(5), SC-7(21) |
| Check Text |
VCF Compliance Kit:
From an ESXi shell, run the following command:
# esxcli system ssh server config list -k ignorerhosts
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'}
If ignorerhosts is not configured to yes, this is a finding.
vSphere SCG:
From an ESXi shell, run the following command:
# /usr/lib/vmware/openssh/bin/sshd -T | grep ignorerhosts
Expected result:
ignorerhosts yes
If the output does not match the expected result, this is a finding.
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ignorerhosts'} | Select-Object -ExpandProperty Value |
| Fix Text |
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ignorerhosts'
$arguments.value = 'yes'
$ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Should be less than 900 |
| Got | 0 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should not be equal to 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than 900 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should not be equal to 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than 900 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should not be equal to 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than 900 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should not be equal to 0 |
| Got | 0 |
| Control | 100013 |
|---|---|
| Title | The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes. |
| Description | If a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host. |
| Severity | Critical |
| Nist Controls | CM-6, AC-12, SC-10 |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the UserVars.ESXiShellInteractiveTimeOut value and verify it is set to
Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 900 |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty RequireSecureBoot |
|---|---|
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty RequireSecureBoot |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty RequireSecureBoot |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty RequireSecureBoot |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Control | 100014 |
|---|---|
| Title | The ESXi host must implement Secure Boot enforcement. |
| Description | The TPM-based nature of VMware ESXi Secure Boot Enforcement enhances security beyond standard Secure Boot. It uses a hardware TPM chip to store and verify cryptographic measurements of the entire boot process, from UEFI firmware to the ESXi kernel. This creates a hardware-backed root of trust, making it much harder for attackers to tamper with the boot sequence undetected. Unlike normal Secure Boot, which only checks digital signatures, TPM-based enforcement ensures the integrity of the complete boot chain and enables advanced features like remote attestation for verifying host trustworthiness. This control flips ESXi from merely supporting Secure Boot to requiring it. Without this setting enabled, and configuration encryption, an ESXi host could be subject to offline attacks. An attacker could simply transfer the ESXi install drive to a non-Secure Boot host and boot it up without ESXi complaining. |
| Severity | Critical |
| Nist Controls | CM-6, SI-3, SI-4, CM-7(2), CM-7(5), CM-14 |
| Check Text |
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III.
From an ESXi shell, run the following command:
# esxcli system settings encryption get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.settings.encryption.get.invoke() | Select RequireSecureBoot
Expected result:
Require Secure Boot: true
If Require Secure Boot is not enabled, this is a finding.
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.settings.encryption.get.Invoke() | Select RequireSecureBoot |
| Fix Text |
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.settings.encryption.set.CreateArgs()
$arguments.requiresecureboot = $true
$ESXcli.system.settings.encryption.set.Invoke($arguments) |
| Command | (Get-VMHost -Name esx-01a.corp.local | Get-View).Capability.UefiSecureBoot |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VMHost -Name esx-02a.corp.local | Get-View).Capability.UefiSecureBoot |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VMHost -Name esx-03a.corp.local | Get-View).Capability.UefiSecureBoot |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VMHost -Name esx-04a.corp.local | Get-View).Capability.UefiSecureBoot |
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100015 |
|---|---|
| Title | The ESXi host must enable Secure Boot. |
| Description | Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating system bootloader has a valid digital signature. Secure Boot for ESXi requires support from the firmware and it requires that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a partner subordinate. Secure Boot is enabled in the BIOS of the ESXi physical server and supported by the hypervisor boot loader. |
| Severity | Critical |
| Nist Controls | CM-6, SI-3, SI-4, CM-7(2), CM-7(5), CM-14, |
| Check Text | From an ESXi shell, run the following command: # /usr/lib/vmware/secureboot/bin/secureBoot.py -s. If Secure Boot is not Enabled, this is a finding. (Get-VMHost -Name $ESXi | Get-View).Capability.UefiSecureBoot This check is available beginning with PowerCLI 13.3. |
| Fix Text | (Enable in hardware firmware settings) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Should be less than or equals to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should not be equals to 0 |
| Got | 900 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equals to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should not be equals to 0 |
| Got | 900 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equals to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should not be equals to 0 |
| Got | 900 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be less than or equals to 900 |
| Got | 900 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.AccountUnlockTime | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should not be equals to 0 |
| Got | 900 |
| Control | 100016 |
|---|---|
| Title | The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out. |
| Description | Ensures that user accounts on the ESXi host are automatically unlocked after a defined period of inactivity. By enforcing automatic account unlocking, organizations can maintain a balance between security and usability, ensuring that idle accounts are reactivated promptly while minimizing the potential for unauthorized access. |
| Severity | Medium |
| Nist Controls | AC-7, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Security.AccountUnlockTime value and verify it is set to less than 900 and not 0. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime. If the Security.AccountUnlockTime setting is less than 900 or 0, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.AccountUnlockTime |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.AccountUnlockTime | Set-AdvancedSetting -Value 900 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 100 |
| Got | 4 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 100 |
| Got | 4 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 100 |
| Got | 4 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 100 |
| Got | 4 |
| Control | 100017 |
|---|---|
| Title | The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records. |
| Description | If a remote audit record storage facility is available, it is essential to ensure that the local storage capacity is sufficient to hold audit records that may accumulate during anticipated interruptions in the delivery of records to the facility. This ensures that audit records are not lost or overwritten during periods when the remote storage is unavailable, allowing for seamless continuity of the audit trail and compliance requirements. |
| Severity | High |
| Nist Controls | AU-2, AU-4, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.auditRecord.storageCapacity value and verify it is set to 100. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageCapacity. If the Syslog.global.auditRecord.storageCapacity setting is not set to 100, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.storageCapacity |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.storageCapacity | Set-AdvancedSetting -Value 100 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.logHost | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | Data Not Available |
| Got | udp://192.168.1.200 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.logHost | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Data Not Available |
| Got | udp://192.168.1.200 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.logHost | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Data Not Available |
| Got | udp://192.168.1.200 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.logHost | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Data Not Available |
| Got | udp://192.168.1.200 |
| Control | 100018 |
|---|---|
| Title | The ESXi host must off-load logs via syslog. |
| Description | Remote logging to a central log host provides a secure and centralized store for ESXi logs. By gathering host log files onto a central host, you can more easily monitor all hosts using a single tool. Additionally, you can perform aggregate analysis and searching to identify coordinated attacks on multiple hosts. Logging to a secure and centralized log server helps prevent log tampering and ensures a long-term audit record. |
| Severity | Critical |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.logHost value and verify it is set to a site-specific syslog server. Syslog servers are specified in the following formats: udp:// Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logHost |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logHost | Set-AdvancedSetting -Value |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Passed |
| Expected | on |
| Got | on |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | on |
| Got | on |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | on |
| Got | on |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | on |
| Got | on |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100019 |
|---|---|
| Title | The ESXi host must synchronize internal information system clocks to an authoritative time source. |
| Description | Cryptography, audit logging, cluster operations, and incident response/forensics heavily rely on synchronized time. To ensure this, NTP and/or PTP services must be set to start with the host and must be running. |
| Severity | Critical |
| Nist Controls | AC-2(2), AC-2(3), AC-3, AU-2, AU-3, AU-5(2), AU-8, AU-11, AU-12(1), AU-12(3), CM-5(1), SC-45, SI-3, SI-4, SI-4(2), SI-4(12), |
| Check Text | VCF Compliance Kit: From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Time Configuration. Verify NTP or PTP are configured, and one or more authoritative time sources are listed. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostNTPServer. If the NTP service is not configured with authoritative time sources, this is a finding. If PTP is used instead of NTP, this is NOT a finding. vSphere SCG: From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Time Configuration. Verify NTP or PTP are configured, and one or more authoritative time sources are listed. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Verify the NTP or PTP service is running and configured to start and stop with the host. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostNTPServer; Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon' -or $_.Label -eq 'PTP Daemon'}. If the NTP service is not configured with authoritative DOD time sources, or the service is not configured to start and stop with the host (Policy of 'on' in PowerCLI), or is stopped, this is a finding. If PTP is used instead of NTP, this is NOT a finding. Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'ntpd'} |
| Fix Text | Get-VMHostService -VMHost $ESXi -ErrorAction:Stop | Where-Object {$_.Key -eq 'ntpd'} | Set-VMHostService -Policy on -Confirm:$false; Get-VMHostService -VMHost $ESXi -ErrorAction:Stop | Where-Object {$_.Key -eq 'ntpd'} | Restart-VMHostService -Confirm:$false |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostNTPServer |
|---|---|
| Status | Failed |
| Expected | Should be part of available NTP Server - |
| Got | 192.168.0.253 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostNTPServer |
| Status | Failed |
| Expected | Should be part of available NTP Server - |
| Got | 192.168.0.253 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostNTPServer |
| Status | Failed |
| Expected | Should be part of available NTP Server - |
| Got | 192.168.0.253 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostNTPServer |
| Status | Failed |
| Expected | Should be part of available NTP Server - |
| Got | 192.168.0.253 |
| Control | 100020 |
|---|---|
| Title | The ESXi host must synchronize internal information system clocks to an authoritative time source. |
| Description | Cryptography, audit logging, cluster operations, and incident response/forensics heavily rely on synchronized time. The recommended practice for NTP is to have at least four sources. It is not advisable to have only two sources, as having one source is preferable to having two. Precision Time Protocol (PTP) is an alternative to NTP that offers sub-millisecond time accuracy. PTP has a different architecture compared to NTP and may not provide the same level of resilience in case of primary server failure. It is suggested to configure NTP as a backup source for PTP, ensuring that a time source remains available even if the accuracy is reduced. |
| Severity | Critical |
| Nist Controls | AC-2(2), AC-2(3), AC-3, AU-2, AU-3, AU-5(2), AU-8, AU-11, AU-12(1), AU-12(3), CM-5(1), SC-45, SI-3, SI-4, SI-4(2), SI-4(12), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Verify the NTP or PTP service is configured to start and stop with the host. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon' -or $_.Label -eq 'PTP Daemon'}. If the NTP service is not configured to start and stop with the host (Policy of 'on' in PowerCLI), this is a finding. If PTP is used instead of NTP, this is NOT a finding. Get-VMHostNtpServer -VMHost $ESXi |
| Fix Text | $ntp0 = '0.vmware.pool.ntp.org'; $ntp1 = '1.vmware.pool.ntp.org'; $ntp2 = '2.vmware.pool.ntp.org'; $ntp3 = '3.vmware.pool.ntp.org'; Add-VMHostNTPServer -NtpServer $ntp0, $ntp1, $ntp2, $ntp3 -VMHost $ESXi -Confirm:$false |
| Command | (Get-EsxCli -VMHost esx-01a.corp.local -V2).software.acceptance.get.Invoke() |
|---|---|
| Status | Passed |
| Expected | The acceptance level should not be CommunitySupported |
| Got | PartnerSupported |
| Command | (Get-EsxCli -VMHost esx-02a.corp.local -V2).software.acceptance.get.Invoke() |
| Status | Passed |
| Expected | The acceptance level should not be CommunitySupported |
| Got | PartnerSupported |
| Command | (Get-EsxCli -VMHost esx-03a.corp.local -V2).software.acceptance.get.Invoke() |
| Status | Passed |
| Expected | The acceptance level should not be CommunitySupported |
| Got | PartnerSupported |
| Command | (Get-EsxCli -VMHost esx-04a.corp.local -V2).software.acceptance.get.Invoke() |
| Status | Passed |
| Expected | The acceptance level should not be CommunitySupported |
| Got | PartnerSupported |
| Control | 100021 |
|---|---|
| Title | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified. |
| Description | The acceptance level in ESXi controls what can be installed on the system. There are four levels: VMwareCertified, VMwareAccepted, PartnerSupported, and CommunitySupported. It is important to note that CommunitySupported VIBs (vSphere Installation Bundles) have not undergone testing by VMware or a VMware partner, and they do not have a digital signature. It is considered risky to install CommunitySupported VIBs as their reliability and security cannot be guaranteed. |
| Severity | Medium |
| Nist Controls | CM-6, SI-3, SI-4, CM-7(2), CM-7(5), CM-14, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Under Host Image Profile Acceptance Level, view the acceptance level. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.software.acceptance.get.Invoke(). If the acceptance level is CommunitySupported, this is a finding. (Get-EsxCli -VMHost $ESXi -V2).software.acceptance.get.Invoke() |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.software.acceptance.set.CreateArgs(); $arguments.level = 'PartnerSupported'; $ESXcli.software.acceptance.set.Invoke($arguments) # valid levels: VMwareCertified, VMwareAccepted, PartnerSupported, CommunitySupported |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled |
|---|---|
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty ChapType |
| Status | Failed |
| Expected | required |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty ChapType |
| Status | Failed |
| Expected | required |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty ChapType |
| Status | Failed |
| Expected | required |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled |
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty ChapType |
| Status | Failed |
| Expected | required |
| Got | Data Not Available |
| Control | 100022 |
|---|---|
| Title | The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic. |
| Description | Mutual CHAP provides an additional layer of protection by requiring both the initiator (client) and the target (server) to verify their identities to each other, thereby ensuring data transmitted between the two is not intercepted or altered by unauthorized entities. |
| Severity | Critical |
| Nist Controls | IA-3, IA-3(1), |
| Check Text | If iSCSI is not used, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Storage >> Storage Adapters. Select the iSCSI adapter >> Properties >> Authentication >> Method. View the CHAP configuration and verify CHAP is required for target and host authentication. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties. If iSCSI is used and CHAP is not set to required for both the target and host, this is a finding. If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding. Get-VMHost -Name $ESXi | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Select VMHost, Device, ChapType, @{N='CHAPName';E={$_.AuthenticationProperties.ChapName}} |
| Fix Text | Get-VMHost -Name $ESXi | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100023 |
|---|---|
| Title | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. |
| Description | While encrypted vMotion is available, vMotion traffic should still be sequestered from other traffic to further protect it from attack. This network must only be accessible to other ESXi hosts, preventing outside access to the network. The vMotion VMkernel port group must be in a dedicated VLAN that can be on a standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and is not routed to anything but ESXi hosts. |
| Severity | Medium |
| Nist Controls | |
| Check Text | For environments that do not use vCenter Server to manage ESXi, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> VMkernel adapters. Review the VLAN associated with any vMotion VMkernel(s) and verify they are dedicated for that purpose and are logically separated from other functions. If long distance or cross-vCenter vMotion is used, the vMotion network can be routable but must be accessible only to the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Got | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Got | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Got | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Got | aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| Control | 100025 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: # esxcli system ssh server config list -k ciphers. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'}. Expected result: ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr. If the output matches the ciphers in the expected result or a subset thereof, this is not a finding. If the ciphers in the output contain any ciphers not listed in the expected result, this is a finding. vSphere SCG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep ciphers. Expected result: ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr. If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'ciphers'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'ciphers'; $arguments.value = 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name DCUI.Access | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | root |
| Got | root |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name DCUI.Access | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | root |
| Got | root |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name DCUI.Access | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | root |
| Got | root |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name DCUI.Access | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | root |
| Got | root |
| Control | 100026 |
|---|---|
| Title | The ESXi host DCUI.Access list must be verified. |
| Description | Ensures that only authorized users have direct console user interface (DCUI) access to the ESXi host when Lockdown Mode is enabled. The root user cannot be removed from the list. To control ESXi Shell and/or SSH access use the Lockdown Mode Exception Users list. |
| Severity | Medium |
| Nist Controls | AC-6, CM-6, |
| Check Text | For environments that do not use vCenter Server to manage ESXi, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the DCUI.Access value and verify only the root user is listed. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access and verify it is set to root. If DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user. Get-VMHost -Name $ESXi | Get-AdvancedSetting DCUI.Access |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting DCUI.Access | Set-AdvancedSetting -Value root |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Config.Etc.issue | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | Should be the standard mandatory DOD notice and consent banner |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Config.Etc.issue | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should be the standard mandatory DOD notice and consent banner |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Config.Etc.issue | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should be the standard mandatory DOD notice and consent banner |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Config.Etc.issue | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | Should be the standard mandatory DOD notice and consent banner |
| Got | Data Not Available |
| Control | 100027 |
|---|---|
| Title | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH). |
| Description | ESXi enables a login message display, often used to deter intruders and inform authorized users about system use obligations. This parameter defines the text shown during an SSH connection. It is highly recommended to keep SSH in the stopped state unless troubleshooting. An implementation inconsistency between ESXi and vCenter Server requires that issue in Config.Etc.issue be lowercase, to work in both scenarios. |
| Severity | High |
| Nist Controls | AC-8, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Config.Etc.issue value and verify it contains the standard mandatory DOD notice and consent banner. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue. If the Config.Etc.issue setting does not contain the standard mandatory DOD notice and consent banner, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.Etc.issue |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.Etc.issue | Set-AdvancedSetting -Value "****************************************************************************`n* Authorized users only. Actual or attempted unauthorized use of this *`n* system is prohibited and may result in criminal, civil, security, or *`n* administrative proceedings and/or penalties. Use of this information *`n* system indicates consent to monitoring and recording, without notice *`n* or permission. Users have no expectation of privacy. Any information *`n* stored on or transiting this system, or obtained by monitoring and/or *`n* recording, may be disclosed to law enforcement and/or used in accordance *`n* with Federal law, State statute, and organization policy. If you are not *`n* an authorized user of this system, exit the system at this time. *`n****************************************************************************`n" |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | /etc/issue |
| Got | /etc/issue |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | /etc/issue |
| Got | /etc/issue |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | /etc/issue |
| Got | /etc/issue |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | /etc/issue |
| Got | /etc/issue |
| Control | 100028 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. |
| Description | System services must be hardened and secured when enabled. You must set the host's Config.Etc.issue advanced parameter as well, to provide the text for this banner. |
| Severity | Medium |
| Nist Controls | AC-8, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Config.Etc.issue value and verify it contains the standard mandatory notice and consent banner. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue. If the Config.Etc.issue setting does not contain the standard mandatory notice and consent banner, this is a finding. STIG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep banner. Expected result: banner /etc/issue. If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'banner'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2 $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs() $arguments.keyword = 'banner' $arguments.value = '/etc/issue' $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SSH'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100029 |
|---|---|
| Title | The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH). |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Medium |
| Nist Controls | CM-7, AC-17, AC-17(1), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under Services, locate the SSH service and verify it is Stopped. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'SSH'} If the SSH service is Running, this is a finding. Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'TSM-SSH' -and $_.Running -eq 'True'}; Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'TSM-SSH' -and $_.Policy -eq 'On'} |
| Fix Text | Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'TSM-SSH'} | Set-VMHostService -Policy Off; Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'TSM-SSH'} | Stop-VMHostService |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | true |
| Control | 100030 |
|---|---|
| Title | The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell. |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Medium |
| Nist Controls | CM-6, CM-7, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under Services, locate the ESXi Shell service and verify it is Stopped. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'ESXi Shell'} If the ESXi Shell service is Running, this is a finding. Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'TSM' -and $_.Running -eq 'True'}; Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'TSM' -and $_.Policy -eq 'On'} |
| Fix Text | Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'TSM'} | Set-VMHostService -Policy Off; Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'TSM'} | Stop-VMHostService |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 0 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 0 |
| Control | 100031 |
|---|---|
| Title | The ESXi host must automatically stop shell services after ten minutes. |
| Description | The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated. |
| Severity | Critical |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the UserVars.ESXiShellTimeOut value and verify it is set to Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.ESXiShellTimeOut |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 600 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 600 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 600 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 600 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 600 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 600 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Less than or equals to 600 |
| Got | 600 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 600 |
| Control | 100032 |
|---|---|
| Title | The ESXi host must set a timeout to automatically end idle DCUI sessions after ten minutes. |
| Description | DCUI allows direct login to the ESXi host for managing tasks. To prevent unintended DCUI usage from leftover login sessions, it is essential to terminate idle connections. |
| Severity | Medium |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the UserVars.DcuiTimeOut value and verify it is set to less than 600 and not 0. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut If the UserVars.DcuiTimeOut setting is set to a value greater than 600 or 0, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.DcuiTimeOut |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostNetworkAdapter -Name vmk0 | Where-Object {$_.VMotionEnabled -eq 'True' -or $_.FaultToleranceLoggingEnabled -eq 'True' -or $_.VsanTrafficEnabled -eq 'True' -or $_.VSphereReplicationEnabled -eq 'True' -or $_.VSphereReplicationNFCEnabled -eq 'True' -or $_.VSphereBackupNFCEnabled -eq 'True'} | Select-Object -ExpandProperty DeviceName |
|---|---|
| Status | Passed |
| Expected | Should be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-01a.corp.local | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Failed |
| Expected | Data Not Available |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostNetworkAdapter -Name vmk0 | Where-Object {$_.VMotionEnabled -eq 'True' -or $_.FaultToleranceLoggingEnabled -eq 'True' -or $_.VsanTrafficEnabled -eq 'True' -or $_.VSphereReplicationEnabled -eq 'True' -or $_.VSphereReplicationNFCEnabled -eq 'True' -or $_.VSphereBackupNFCEnabled -eq 'True'} | Select-Object -ExpandProperty DeviceName |
| Status | Passed |
| Expected | Should be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Failed |
| Expected | Data Not Available |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostNetworkAdapter -Name vmk0 | Where-Object {$_.VMotionEnabled -eq 'True' -or $_.FaultToleranceLoggingEnabled -eq 'True' -or $_.VsanTrafficEnabled -eq 'True' -or $_.VSphereReplicationEnabled -eq 'True' -or $_.VSphereReplicationNFCEnabled -eq 'True' -or $_.VSphereBackupNFCEnabled -eq 'True'} | Select-Object -ExpandProperty DeviceName |
| Status | Passed |
| Expected | Should be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Failed |
| Expected | Data Not Available |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostNetworkAdapter -Name vmk0 | Where-Object {$_.VMotionEnabled -eq 'True' -or $_.FaultToleranceLoggingEnabled -eq 'True' -or $_.VsanTrafficEnabled -eq 'True' -or $_.VSphereReplicationEnabled -eq 'True' -or $_.VSphereReplicationNFCEnabled -eq 'True' -or $_.VSphereBackupNFCEnabled -eq 'True'} | Select-Object -ExpandProperty DeviceName |
| Status | Passed |
| Expected | Should be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Failed |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100033 |
|---|---|
| Title | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic. |
| Description | VMkernel network interfaces that are intended for specialized use can be configured with management capabilities, which may defeat network isolation and security efforts. Ensure that only vmk interfaces intended for management have management services enabled. |
| Severity | Medium |
| Nist Controls | AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> VMkernel adapters. Review each VMkernel adapter that is used for management traffic and view the Enabled services. Review the VLAN associated with each VMkernel that is used for management traffic. Verify with the system administrator that they are dedicated for that purpose and are logically separated from other functions. If any services are enabled on any Management VMkernel adapter, this is a finding. If the network segment is accessible, except to networks where other management-related entities are located such as vCenter, this is a finding. If there are any other systems or devices such as VMs on the ESXi management segment, this is a finding. Get-VMHostNetworkAdapter -VMHost $ESXi -VMKernel | Select VMHost,Name,IP,ManagementTrafficEnabled |
| Fix Text | Get-VMHostNetworkAdapter -VMHost $ESXi -Name $vmkernel_interface | Set-VMHostNetworkAdapter -ManagementTrafficEnabled $false |
| Command | This check is a manual or policy-based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100034 |
|---|---|
| Title | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. |
| Description | Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized VM users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from any other traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and VMs will limit unauthorized users from viewing the traffic. |
| Severity | High |
| Nist Controls | |
| Check Text | If IP-based storage is not used, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> VMkernel adapters. Review each VMkernel adapter that is used for IP-based storage traffic and view the Enabled services. Review the VLAN associated with each VMkernel that is used for IP-based storage traffic. Verify with the system administrator that they are dedicated for that purpose and are logically separated from other functions. If any services are enabled on an NFS or iSCSI IP-based storage VMkernel adapter, this is a finding. If any services are enabled on a vSAN VMkernel adapter other than vSAN, this is a finding. If any IP-based storage networks are not isolated from other traffic types, this is a finding. |
| Fix Text | Data Not Available |
| Command | $hostView = Get-VMHost -Name esx-01a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
|---|---|
| Status | Failed |
| Expected | da-user on host : esx-01a.corp.local is expected to be in [] |
| Got | da-user |
| Command | $hostView = Get-VMHost -Name esx-01a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | mux_user on host : esx-01a.corp.local is expected to be in [] |
| Got | mux_user |
| Command | $hostView = Get-VMHost -Name esx-01a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | nsx-user on host : esx-01a.corp.local is expected to be in [] |
| Got | nsx-user |
| Command | $hostView = Get-VMHost -Name esx-01a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | svc-vcf-esx-01a on host : esx-01a.corp.local is expected to be in [] |
| Got | svc-vcf-esx-01a |
| Command | $hostView = Get-VMHost -Name esx-02a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | da-user on host : esx-02a.corp.local is expected to be in [] |
| Got | da-user |
| Command | $hostView = Get-VMHost -Name esx-02a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | mux_user on host : esx-02a.corp.local is expected to be in [] |
| Got | mux_user |
| Command | $hostView = Get-VMHost -Name esx-02a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | nsx-user on host : esx-02a.corp.local is expected to be in [] |
| Got | nsx-user |
| Command | $hostView = Get-VMHost -Name esx-02a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | svc-vcf-esx-02a on host : esx-02a.corp.local is expected to be in [] |
| Got | svc-vcf-esx-02a |
| Command | $hostView = Get-VMHost -Name esx-03a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | da-user on host : esx-03a.corp.local is expected to be in [] |
| Got | da-user |
| Command | $hostView = Get-VMHost -Name esx-03a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | mux_user on host : esx-03a.corp.local is expected to be in [] |
| Got | mux_user |
| Command | $hostView = Get-VMHost -Name esx-03a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | nsx-user on host : esx-03a.corp.local is expected to be in [] |
| Got | nsx-user |
| Command | $hostView = Get-VMHost -Name esx-03a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | svc-vcf-esx-03a on host : esx-03a.corp.local is expected to be in [] |
| Got | svc-vcf-esx-03a |
| Command | $hostView = Get-VMHost -Name esx-04a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | da-user on host : esx-04a.corp.local is expected to be in [] |
| Got | da-user |
| Command | $hostView = Get-VMHost -Name esx-04a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | mux_user on host : esx-04a.corp.local is expected to be in [] |
| Got | mux_user |
| Command | $hostView = Get-VMHost -Name esx-04a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | nsx-user on host : esx-04a.corp.local is expected to be in [] |
| Got | nsx-user |
| Command | $hostView = Get-VMHost -Name esx-04a.corp.local | Get-View; (Get-View $hostView.ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Status | Failed |
| Expected | svc-vcf-esx-04a on host : esx-04a.corp.local is expected to be in [] |
| Got | svc-vcf-esx-04a |
| Control | 100035 |
|---|---|
| Title | The ESXi host lockdown mode exception users list must be verified. |
| Description | Users on the Lockdown Mode Exception Users list do not lose their privileges when the host enters lockdown mode, which can potentially defeat the purpose of lockdown mode. You can add users to the exception users list from the vSphere Client. These user accounts do not lose their permissions when the host enters lockdown mode. Only add service accounts such as backup agents. Do not add administrative users or user groups to the exception users list. Adding unnecessary users to the exception list defeats the purpose of lockdown mode. |
| Severity | Medium |
| Nist Controls | AC-6, CM-6, |
| Check Text | For environments that do not use vCenter server to manage ESXi, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Security Profile. Under Lockdown Mode, review the Exception Users list. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following script: $vmhost = Get-VMHost | Get-View; $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager; $lockdown.QueryLockdownExceptions() If the Exception Users list contains accounts that do not require special permissions, this is a finding. Note: The Exception Users list is empty by default and should remain that way except under site-specific circumstances. (Get-View (Get-VMHost -Name $ESXi | Get-View).ConfigManager.HostAccessManager).QueryLockdownExceptions() |
| Fix Text | (Get-View (Get-VMHost -Name $ESXi | Get-View).ConfigManager.HostAccessManager).UpdateLockdownExceptions($NULL) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100036 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | IA-2(1), IA-2(2), AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: # esxcli system ssh server config list -k hostbasedauthentication Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} Example result: hostbasedauthentication no If hostbasedauthentication is not configured to no, this is a finding. vSphere SCG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep hostbasedauthentication Expected result: hostbasedauthentication no If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'hostbasedauthentication'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'hostbasedauthentication'; $arguments.value = 'no'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100038 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must not permit user environment settings. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | CM-6, |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: # esxcli system ssh server config list -k permituserenvironment Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} Example result: permituserenvironment no If permituserenvironment is not configured to no, this is a finding. vSphere SCG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep permituserenvironment Expected result: permituserenvironment no If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permituserenvironment'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'permituserenvironment'; $arguments.value = 'no'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100041 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: # esxcli system ssh server config list -k gatewayports Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} Example result: gatewayports no If gatewayports is not configured to no, this is a finding. vSphere SCG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep gatewayports Expected result: gatewayports no If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'gatewayports'; $arguments.value = 'no'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100043 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must not permit tunnels. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text |
VCF Compliance Kit:From an ESXi shell, run the following command:# esxcli system ssh server config list -k permittunnelorFrom a PowerCLI command prompt while connected to the ESXi host, run the following commands:$esxcli = Get-EsxCli -v2$esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'}Example result:permittunnel noIf permittunnel is not configured to no, this is a finding.vSphere SCG:From an ESXi shell, run the following command:# /usr/lib/vmware/openssh/bin/sshd -T | grep permittunnelExpected result:permittunnel noIf the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2 $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'permittunnel'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'permittunnel'; $arguments.value = 'no'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 3 |
| Got | 3 |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 3 |
| Got | 3 |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 3 |
| Got | 3 |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 3 |
| Got | 3 |
| Control | 100044 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions. |
| Description | System services must be hardened and secured when enabled. The timeout count, multiplied by the idle timeout interval, is the total number of seconds the session may be idle until it is disconnected. |
| Severity | Medium |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: `# esxcli system ssh server config list -k clientalivecountmax` or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: `$esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'}`. Example result: `clientalivecountmax 3`. If clientalivecountmax is not configured to 3, this is a finding. vSphere SCG: From an ESXi shell, run the following command: `# /usr/lib/vmware/openssh/bin/sshd -T | grep clientalivecountmax`. Expected result: `clientalivecountmax 3`. If the output does not match the expected result, this is a finding. Check command: `$ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientalivecountmax'} | Select-Object -ExpandProperty Value` |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'clientalivecountmax'; $arguments.value = '3'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 200 |
| Got | 200 |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 200 |
| Got | 200 |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 200 |
| Got | 200 |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 200 |
| Got | 200 |
| Control | 100045 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions. |
| Description | System services must be hardened and secured when enabled. The timeout count, multiplied by the idle timeout interval, is the total number of seconds the session may be idle until it is disconnected. |
| Severity | Medium |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: `# esxcli system ssh server config list -k clientaliveinterval` or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: `$esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'}`. Example result: `clientaliveinterval 200`. If clientaliveinterval is not configured to 200, this is a finding. vSphere SCG: From an ESXi shell, run the following command: `# /usr/lib/vmware/openssh/bin/sshd -T | grep clientaliveinterval`. Expected result: `clientaliveinterval 200`. If the output does not match the expected result, this is a finding. Check command: `$ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'clientaliveinterval'} | Select-Object -ExpandProperty Value` |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'clientaliveinterval'; $arguments.value = '200'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'} | Select-Object -ExpandProperty Running |
| Status | Failed |
| Expected | false |
| Got | false |
| Control | 100046 |
|---|---|
| Title | Configure or disable SNMP |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Critical |
| Nist Controls | CM-6, CM-7, |
| Check Text | VCF Compliance Kit: From a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'SNMP Server'}`. If the SNMP Server service is running and does not have a Policy of off, this is a finding. vSphere SCG: From an ESXi shell, run the following command: `# esxcli system snmp get` or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHostSnmp | Select *`. If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and is not using v3 targets with authentication, this is a finding. Note: SNMP v3 targets can only be viewed and configured via the esxcli command. Check commands: `Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'snmpd' -and $_.Running -eq 'True'}`; `Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'snmpd' -and $_.Policy -eq 'On'}` |
| Fix Text | Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'snmpd'} | Set-VMHostService -Policy Off; Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'snmpd'} | Stop-VMHostService |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Mem.ShareForceSalting | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 2 |
| Got | 2 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Mem.ShareForceSalting | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2 |
| Got | 2 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Mem.ShareForceSalting | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2 |
| Got | 2 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Mem.ShareForceSalting | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2 |
| Got | 2 |
| Control | 100047 |
|---|---|
| Title | The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing. |
| Description | Transparent Page Sharing (TPS) is a method used to reduce the memory usage of virtual machines. However, under specific conditions, it can potentially be exploited to gain unauthorized access to data on neighboring virtual machines. Virtual machines that do not have the sched.mem.pshare.salt option set are unable to share memory with any other virtual machines, providing an additional layer of isolation and security. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Mem.ShareForceSalting value and verify it is set to 2. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting`. If the Mem.ShareForceSalting setting is not set to 2, this is a finding. Check command: `Get-VMHost -Name $ESXi | Get-AdvancedSetting Mem.ShareForceSalting` |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Mem.ShareForceSalting | Set-AdvancedSetting -Value 2 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostFirewallDefaultPolicy |
|---|---|
| Status | Passed |
| Expected | Incoming or Outgoing policies should be false |
| Got | IncomingEnabled is False and OutgoingEnabled is False |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostFirewallDefaultPolicy |
| Status | Passed |
| Expected | Incoming or Outgoing policies should be false |
| Got | IncomingEnabled is False and OutgoingEnabled is False |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostFirewallDefaultPolicy |
| Status | Passed |
| Expected | Incoming or Outgoing policies should be false |
| Got | IncomingEnabled is False and OutgoingEnabled is False |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostFirewallDefaultPolicy |
| Status | Passed |
| Expected | Incoming or Outgoing policies should be false |
| Got | IncomingEnabled is False and OutgoingEnabled is False |
| Control | 100048 |
|---|---|
| Title | The ESXi host must configure the firewall to block network traffic by default. |
| Description | Ensures that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and preventing unauthorized access to the host. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | From an ESXi shell, run the following command: `# esxcli network firewall get`. If the Default Action does not equal DROP, this is a finding. If Enabled does not equal true, this is a finding. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHostFirewallDefaultPolicy`. If the Incoming or Outgoing policies are True, this is a finding. Check command: `Get-VMHost -Name $ESXi | Get-VMHostFirewallDefaultPolicy` |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.network.firewall.set.CreateArgs(); $arguments.defaultaction = $false; $arguments.enabled = $true; $ESXcli.network.firewall.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Control | 100049 |
|---|---|
| Title | The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. |
| Description | BPDUs (Bridge Protocol Data Units) are used to transmit Spanning Tree Protocol (STP) information and detect network loops. BPDU Guard and Portfast are commonly enabled on the physical switch directly connected to the ESXi host to reduce spanning tree convergence delay. However, if a BPDU packet is sent from a virtual machine on the ESXi host to the configured physical switch, it can result in a cascading lockout of all uplink interfaces from the ESXi host. To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host to drop any BPDU packets being sent to the physical switch. It is important to note that Standard and Distributed Virtual Switches do not support STP and do not generate BPDUs. |
| Severity | Medium |
| Nist Controls | CM-6, SC-5, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Net.BlockGuestBPDU value and verify it is set to 1. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU`. If the Net.BlockGuestBPDU setting is not set to 1, this is a finding. Check command: `Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.BlockGuestBPDU` |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1 |
| Command | Get-VDSwitch -Name sfo-m01-cl01-vds01 | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
|---|---|
| Status | Passed |
| Expected | Should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name Region-A-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo-m01-cl01-vds-DVUplinks-18 | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Failed |
| Expected | should not match to True |
| Got | true |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1 | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2 | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name X-Region-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty ForgedTransmits |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Control | 100050 |
|---|---|
| Title | The ESXi host must configure virtual switch security policies to reject forged transmits. |
| Description | If the MAC address of a virtual machine operating system changes, it allows the operating system to send frames with an impersonated source MAC address, potentially enabling malicious attacks on devices within a network by impersonating an authorized network adapter. When the Forged transmits option is set to Accept, ESXi does not compare the source and effective MAC addresses. To protect against MAC impersonation, you can set the Forged transmits option to Reject. In this case, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to check for a match. If the addresses do not match, the ESXi host drops the packet. |
| Severity | High |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | Note: This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the '...' button next to each port group and select Edit Settings. Click the Security tab. Verify that Forged transmits is set to Reject and that Override is not checked. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: `Get-VirtualSwitch | Get-SecurityPolicy` and `Get-VirtualPortGroup | Get-SecurityPolicy | Select-Object *`. If the Forged Transmits policy is set to Accept (or true, via PowerCLI) or the security policy inherited from the virtual switch is overridden, this is a finding. Check commands: `Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | select VirtualSwitch,ForgedTransmits`; `Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | select VirtualPortGroup,ForgedTransmits` |
| Fix Text | Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false; Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true |
| Command | Get-VDSwitch -Name sfo-m01-cl01-vds01 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
|---|---|
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name Region-A-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo-m01-cl01-vds-DVUplinks-18 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name X-Region-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Control | 100051 |
|---|---|
| Title | The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes. |
| Description | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address, enabling it to stage malicious attacks on devices within a network by impersonating a network adapter authorized by the receiving network. To prevent virtual machines from changing their effective MAC address, measures should be taken to enforce MAC address stability or restrict the ability to modify MAC addresses. This helps mitigate the risk of MAC impersonation and potential malicious activities. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the '...' button next to each port group and select Edit Settings. Click the Security tab. Verify that MAC Address Changes is set to Reject and that Override is not checked. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: `Get-VirtualSwitch | Get-SecurityPolicy` and `Get-VirtualPortGroup | Get-SecurityPolicy | Select-Object *`. If the MAC Address Changes policy is set to Accept (or true, via PowerCLI) or the security policy inherited from the virtual switch is overridden, this is a finding. Check commands: `Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | select VirtualSwitch,MacChanges`; `Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | select VirtualPortGroup,MacChanges` |
| Fix Text | Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false; Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true |
| Command | Get-VDSwitch -Name sfo-m01-cl01-vds01 | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
|---|---|
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name Region-A-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo-m01-cl01-vds-DVUplinks-18 | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1 | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2 | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Command | Get-VDPortgroup -Name X-Region-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty AllowPromiscuous |
| Status | Passed |
| Expected | should not match to True |
| Got | false |
| Control | 100052 |
|---|---|
| Title | The ESXi host must configure virtual switch security policies to reject promiscuous mode requests. |
| Description | When promiscuous mode is enabled for a port group, all virtual machines connected to that port group have the potential to read all packets transmitted across that port group, regardless of the intended recipient. It is important to consider the potential impact and design considerations before changing the default value of promiscuous mode. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. On each standard switch, click the '...' button next to each port group and select Edit Settings. Click the Security tab. Verify that Promiscuous Mode is set to Reject and that Override is not checked. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: `Get-VirtualSwitch | Get-SecurityPolicy` and `Get-VirtualPortGroup | Get-SecurityPolicy | Select-Object *`. If the Promiscuous Mode policy is set to Accept (or true, via PowerCLI) or the security policy inherited from the virtual switch is overridden, this is a finding. Check commands: `Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | select VirtualSwitch,AllowPromiscuous`; `Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | select VirtualPortGroup,AllowPromiscuous` |
| Fix Text | Get-VMHost -Name $ESXi | Get-VirtualSwitch -Standard | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false; Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | should not be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | should not be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | should not be empty |
| Got | Data Not Available |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | should not be empty |
| Got | Data Not Available |
| Control | 100053 |
|---|---|
| Title | The ESXi host must restrict use of the dvFilter network application programming interface (API). |
| Description | If you are not using a product such as VMware NSX that utilizes the dvfilter network API, it is recommended not to configure the host to send network information to an IP address. Enabling the API and referencing an IP address that is compromised could potentially provide unauthorized access to the network of other virtual machines (VMs) on the host. If you are using a product that relies on this API, it is important to verify that the host has been configured correctly to ensure secure network communication. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Net.DVFilterBindIpAddress value and verify the value is blank or the correct IP address of a security appliance if in use. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: `Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress`. If the Net.DVFilterBindIpAddress setting is not blank and security appliances are not in use on the host, this is a finding. Check command: `Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.DVFilterBindIpAddress` |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value '' |
| Command | $portGroup = Get-VDPortgroup -Name Region-A-Segment; $vlanId = $portGroup.VlanConfiguration.VlanId |
|---|---|
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name sfo-m01-cl01-vds-DVUplinks-18; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | 100 |
| Command | $portGroup = Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | 110 |
| Command | $portGroup = Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Command | $portGroup = Get-VDPortgroup -Name X-Region-Segment; $vlanId = $portGroup.VlanConfiguration.VlanId |
| Status | Passed |
| Expected | should not match to 4095 |
| Got | Data Not Available |
| Control | 100054 |
|---|---|
| Title | The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches. |
| Description | When a port group is set to VLAN 4095, the vSwitch passes all network frames to the attached virtual machines (VMs) without modifying the VLAN tags. In vSphere, this is referred to as VGT. The VM must process the VLAN information itself via an 802.1Q driver in the operating system. VLAN 4095 must only be implemented if the attached VMs have been specifically authorized and are capable of managing VLAN tags themselves. If VLAN 4095 is enabled inappropriately, it may cause denial of service or allow a VM to interact with traffic on an unauthorized VLAN. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> Networking >> Virtual Switches. For each standard switch, review the VLAN ID on each port group and verify it is not set to 4095. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VirtualPortGroup | Select Name, VLanID. If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding. Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard | select Name,VlanID |
| Fix Text | Get-VMHost -Name $ESXi | Get-VirtualPortGroup -Standard -Name $PG | Set-VirtualPortGroup -VlanID |
| Command | (Get-VMHost -Name esx-01a.corp.local).ExtensionData.Config.Product.build |
|---|---|
| Status | Failed |
| Expected | Data Not Available |
| Got | 24022510 |
| Command | (Get-VMHost -Name esx-02a.corp.local).ExtensionData.Config.Product.build |
| Status | Failed |
| Expected | Data Not Available |
| Got | 24022510 |
| Command | (Get-VMHost -Name esx-03a.corp.local).ExtensionData.Config.Product.build |
| Status | Failed |
| Expected | Data Not Available |
| Got | 24022510 |
| Command | (Get-VMHost -Name esx-04a.corp.local).ExtensionData.Config.Product.build |
| Status | Failed |
| Expected | Data Not Available |
| Got | 24022510 |
| Control | 100055 |
|---|---|
| Title | The ESXi host must have all security patches and updates installed. |
| Description | By keeping ESXi patches up to date, vulnerabilities in the hypervisor can be mitigated. It is important to note that educated attackers can exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges on an ESXi host. When applying updates, it is recommended to update vCenter Server first, if an update is available, and then proceed with updating ESXi. This sequence ensures that the management layer is updated before updating the ESXi hosts. |
| Severity | Critical |
| Nist Controls | SI-2, SI-3, |
| Check Text | Determine the current version and build: From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Summary. Note the version string next to Hypervisor:. Or, from a Secure Shell (SSH) session connected to the ESXi host, or from the ESXi shell, run the following command: # vmware -v. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. The latest ESXi versions and their build numbers can be found here (https://kb.vmware.com/s/article/2143832). VMware also publishes Advisories on security patches and offers a way to subscribe to email alerts for them (https://www.vmware.com/support/policies/security_response). Get-VMHost -Name $ESXi | Select-Object Name,Version,Build |
| Fix Text | Data Not Available |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Control | 100056 |
|---|---|
| Title | The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. |
| Description | Warnings indicating that SSH or the ESXi Shell is enabled can be clues that an attack is in progress. It is important to ensure that SSH and the ESXi Shell are deactivated, and that this variable is not set. |
| Severity | Medium |
| Nist Controls | CM-6, CM-6(2), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the UserVars.SuppressShellWarning value and verify it is set to 0. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning. If the UserVars.SuppressShellWarning setting is not set to 0, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.SuppressShellWarning |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Control | 100057 |
|---|---|
| Title | The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities. |
| Description | Hyperthreading security warnings signify unaddressed CPU vulnerabilities in the system, and ignoring these could mask potential risks. Ensure that hardware remediations align with your organization's accepted risk, and if suppressing a warning, document the decision and rationale. |
| Severity | Medium |
| Nist Controls | CM-6, CM-6(2), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the UserVars.SuppressHyperthreadWarning value and verify it is set to 0. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressHyperthreadWarning. If the UserVars.SuppressHyperthreadWarning setting is not set to 0, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting UserVars.SuppressHyperthreadWarning | Set-AdvancedSetting -Value 0 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100058 |
|---|---|
| Title | The ESXi host must verify certificates for SSL syslog endpoints. |
| Description | TLS certificates help ensure that the endpoint is authentic and trustworthy. |
| Severity | Medium |
| Nist Controls | AU-9(3), |
| Check Text | If SSL is not used for a syslog target, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.logCheckSSLCerts value and verify it is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logCheckSSLCerts. If the Syslog.global.logCheckSSLCerts setting is not set to true, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.certificate.checkSSLCerts |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.certificate.checkSSLCerts | Set-AdvancedSetting -Value TRUE |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Mem.MemEagerZero | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 1 |
| Got | 0 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Mem.MemEagerZero | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | 0 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Mem.MemEagerZero | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | 0 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Mem.MemEagerZero | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | 0 |
| Control | 100059 |
|---|---|
| Title | The ESXi host must enable volatile key destruction. |
| Description | By default, ESXi zeroes out pages allocated for virtual machines (VMs), userspace applications, and kernel threads at the time of allocation. This ensures that no non-zero pages are exposed to VMs or userspace applications. This measure is in place to prevent the exposure of cryptographic keys from VMs or userworlds to other clients. However, if memory is not reused, these keys can remain present in host memory for an extended period. To address this, MemEagerZero can be configured to enforce the zeroing out of userworld and guest memory pages when a userworld process or guest exits. For kernel threads, memory spaces holding keys are zeroed out as soon as the secret is no longer required. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Mem.MemEagerZero value and verify it is set to 1. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.MemEagerZero. If the Mem.MemEagerZero setting is not set to 1, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Mem.MemEagerZero |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Mem.MemEagerZero | Set-AdvancedSetting -Value 1 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 30 |
| Got | 30 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 30 |
| Got | 30 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 30 |
| Got | 30 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 30 |
| Got | 30 |
| Control | 100060 |
|---|---|
| Title | The ESXi host must configure a session timeout for the vSphere API. |
| Description | This practice helps mitigate potential security risks by ensuring that unattended sessions, which could be exploited by unauthorized users or malicious software, are not left open indefinitely. |
| Severity | Medium |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Config.HostAgent.vmacore.soap.sessionTimeout value and verify it is set to 30. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.vmacore.soap.sessionTimeout. If the Config.HostAgent.vmacore.soap.sessionTimeout setting is not set to 30, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.vmacore.soap.sessionTimeout |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Config.HostAgent.vmacore.soap.sessionTimeout | Set-AdvancedSetting -Value 30 |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Security.PasswordMaxDays | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 90 |
| Got | 99999 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Security.PasswordMaxDays | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 90 |
| Got | 99999 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Security.PasswordMaxDays | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 90 |
| Got | 99999 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Security.PasswordMaxDays | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 90 |
| Got | 99999 |
| Control | 100061 |
|---|---|
| Title | The ESXi host must be configured with an appropriate maximum password age. |
| Description | Modern best practices for passwords, as outlined in NIST 800-63B Section 5.1.1.2 and other relevant guidance, state that enforcing periodic password changes does not enhance security when passwords already possess adequate entropy. |
| Severity | Medium |
| Nist Controls | IA-5, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Security.PasswordMaxDays value and verify it is set to 90. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordMaxDays. If the Security.PasswordMaxDays setting is not set to 90, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordMaxDays |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Security.PasswordMaxDays | Set-AdvancedSetting -Value 9999 |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Policy |
| Status | Failed |
| Expected | off |
| Got | on |
| Command | Get-VMHost -Name $hostName | Get-VMHostService | Where {$_.Label -eq "CIM Server"} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100062 |
|---|---|
| Title | The ESXi Common Information Model (CIM) service must be disabled. |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Critical |
| Nist Controls | |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under Services, locate the CIM Server service and verify it is Stopped and the Startup Policy is set to Start and stop manually. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "CIM Server"}. If the CIM Server service does not have a Policy of off or is running, this is a finding. Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'sfcbd-watchdog' -and $_.Running -eq 'True'}; Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'sfcbd-watchdog' -and $_.Policy -eq 'On'} |
| Fix Text | Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'sfcbd-watchdog'} | Set-VMHostService -Policy Off; Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'sfcbd-watchdog'} | Stop-VMHostService |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100063 |
|---|---|
| Title | The ESXi host must use DOD-approved certificates. |
| Description | The default self-signed host certificate issued by the VMware Certificate Authority (VMCA) must be replaced with a DOD-approved certificate when the host will be accessed directly, such as during a virtual machine (VM) console connection. The use of a DOD certificate on the host assures clients the service they are connecting to is legitimate and properly secured. |
| Severity | High |
| Nist Controls | |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Certificate. If the issuer is not an approved certificate authority, this is a finding. If the host will never be accessed directly (virtual machine console connections bypass vCenter), this is not a finding. |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100064 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must disable port forwarding. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text | VCF Compliance Kit: From an ESXi shell, run the following command: # esxcli system ssh server config list -k allowtcpforwarding. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'}. Example result: allowtcpforwarding no. If allowtcpforwarding is not configured to no, this is a finding. vSphere SCG: From an ESXi shell, run the following command: # /usr/lib/vmware/openssh/bin/sshd -T | grep allowtcpforwarding. Expected result: allowtcpforwarding no. If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowtcpforwarding'} | Select-Object -ExpandProperty Value |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.ssh.server.config.set.CreateArgs(); $arguments.keyword = 'allowtcpforwarding'; $arguments.value = 'no'; $ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Policy |
|---|---|
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Policy |
| Status | Passed |
| Expected | off |
| Got | off |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'slpd'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100065 |
|---|---|
| Title | The ESXi host OpenSLP service must be disabled. |
| Description | Services which are not in use and are non-essential for operations should be deactivated. |
| Severity | Medium |
| Nist Controls | CM-6, CM-7, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Services. Under Services, locate the slpd service and verify it is Stopped and the Startup Policy is set to Start and stop manually. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq 'slpd'}. If the slpd service does not have a Policy of off or is running, this is a finding. Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'slpd' -and $_.Running -eq 'True'}; Get-VMHostService -VMHost $ESXi | Where-Object {$_.Key -eq 'slpd' -and $_.Policy -eq 'On'} |
| Fix Text | Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'slpd'} | Set-VMHostService -Policy Off; Get-VMHostService -VMHost $ESXi | where {$_.Key -eq 'slpd'} | Stop-VMHostService |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100066 |
|---|---|
| Title | The ESXi host must enable audit logging. |
| Description | ESXi will store audit records locally. |
| Severity | Critical |
| Nist Controls | AU-2, AU-4, |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.auditRecord.storageEnable value and verify it is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.storageEnable. If the Syslog.global.auditRecord.storageEnable setting is not set to true, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.storageEnable |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.storageEnable | Set-AdvancedSetting -Value TRUE |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100067 |
|---|---|
| Title | The ESXi host must off-load audit records via syslog. |
| Description | ESXi will transmit audit records to the configured log collector. |
| Severity | Critical |
| Nist Controls | AU-9(2), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.auditRecord.remoteEnable value and verify it is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.auditRecord.remoteEnable. If the Syslog.global.auditRecord.remoteEnable setting is not set to true, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.remoteEnable |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.remoteEnable | Set-AdvancedSetting -Value TRUE |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100068 |
|---|---|
| Title | The ESXi host must enable strict x509 verification for SSL syslog endpoints. |
| Description | This x509-strict option performs additional validity checks on CA root certificates during verification. |
| Severity | Critical |
| Nist Controls | AU-9(3), |
| Check Text | If SSL is not used for the syslog target, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.certificate.strictX509Compliance value and verify it is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance. If the Syslog.global.certificate.strictX509Compliance setting is not set to true, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.certificate.strictX509Compliance |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.certificate.strictX509Compliance | Set-AdvancedSetting -Value TRUE |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Syslog.global.logLevel | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | info |
| Got | error |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Syslog.global.logLevel | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | info |
| Got | error |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Syslog.global.logLevel | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | info |
| Got | error |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Syslog.global.logLevel | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | info |
| Got | error |
| Control | 100069 |
|---|---|
| Title | The ESXi host must forward audit records containing information to establish what type of events occurred. |
| Description | Without sufficient log data, critical indicators of compromise may go unnoticed, leading to increased vulnerability and potential failure to respond effectively to cybersecurity incidents. |
| Severity | Critical |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text | From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.logLevel value and verify it is set to info. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logLevel. If the Syslog.global.logLevel setting is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes. Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logLevel |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logLevel | Set-AdvancedSetting -Value info |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.settings.encryption.get.Invoke() | Select-Object -ExpandProperty Mode |
|---|---|
| Status | Failed |
| Expected | 0 |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.settings.encryption.get.Invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | 0 |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.settings.encryption.get.Invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | 0 |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.settings.encryption.get.Invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | 0 |
| Got | NONE |
| Control | 100070 |
|---|---|
| Title | The ESXi host must not be configured to override virtual machine (VM) configurations. |
| Description | An ESXi host's configuration consists of configuration files for each service that runs on the host. The configuration files typically reside in the /etc/ directory, but they can also reside in other namespaces. The configuration files contain run-time information about the state of the services. Over time, the default values in the configuration files might change, for example, when settings on the ESXi host are changed. A cron job backs up the ESXi configuration files periodically, when ESXi shuts down gracefully or on demand, and creates an archived configuration file in the boot bank. When ESXi reboots, it reads the archived configuration file and recreates the state that ESXi was in when the backup was taken. Before vSphere 7.0 Update 2, the archived ESXi configuration file is not encrypted. In vSphere 7.0 Update 2 and later, the archived configuration file is encrypted. When the ESXi host is configured with a Trusted Platform Module (TPM), the TPM is used to seal the configuration to the host, providing a strong security guarantee and additional protection from offline attacks. Configuration encryption uses the physical TPM when it is available and supported at install or upgrade time. If the TPM was added or enabled later, the ESXi host must be told to reconfigure to use the newly available TPM. Once the TPM configuration encryption is enabled, it cannot be deactivated. |
| Severity | High |
| Nist Controls | |
| Check Text |
From an ESXi shell, run the following command: # stat -c %s /etc/vmware/settings (expected result: 0). If the output does not match the expected result, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.settings.encryption.get.Invoke() | Select Mode |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100071 |
|---|---|
| Title | The ESXi host must not be configured to override virtual machine (VM) logger settings. |
| Description | Ensures that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and helping to prevent unauthorized access to the host. As of vSphere 8.0.2, firewall rules are categorized as 'user' or 'system' owned, where only 'user' owned rules are configurable. Beginning in vSphere 8 Update 2b and PowerCLI 13.2.1 there are additional queryable parameters to automate setting and checking for configurable rules. |
| Severity | High |
| Nist Controls | |
| Check Text |
From an ESXi shell, run the following command: # grep ^vmx.log /etc/vmware/config. If the command produces any output, this is a finding. |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty Mode |
|---|---|
| Status | Failed |
| Expected | TPM |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | TPM |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | TPM |
| Got | NONE |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.settings.encryption.get.invoke() | Select-Object -ExpandProperty Mode |
| Status | Failed |
| Expected | TPM |
| Got | NONE |
| Control | 100072 |
|---|---|
| Title | The ESXi host must require TPM-based configuration encryption. |
| Description | An ESXi host's configuration consists of configuration files for each service that runs on the host. The configuration files typically reside in the /etc/ directory, but they can also reside in other namespaces. The configuration files contain run-time information about the state of the services. Over time, the default values in the configuration files might change, for example, when settings on the ESXi host are changed. A cron job backs up the ESXi configuration files periodically, when ESXi shuts down gracefully or on demand, and creates an archived configuration file in the boot bank. When ESXi reboots, it reads the archived configuration file and recreates the state that ESXi was in when the backup was taken. Before vSphere 7.0 Update 2, the archived ESXi configuration file is not encrypted. In vSphere 7.0 Update 2 and later, the archived configuration file is encrypted. When the ESXi host is configured with a Trusted Platform Module (TPM), the TPM is used to seal the configuration to the host, providing a strong security guarantee and additional protection from offline attacks. Configuration encryption uses the physical TPM when it is available and supported at install or upgrade time. If the TPM was added or enabled later, the ESXi host must be told to reconfigure to use the newly available TPM. Once the TPM configuration encryption is enabled, it cannot be disabled. |
| Severity | Medium |
| Nist Controls | CM-6, SI-3, SI-4, CM-7(2), CM-7(5), CM-14, |
| Check Text |
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III. From an ESXi shell, run the following command: # esxcli system settings encryption get. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.settings.encryption.get.invoke() | Select Mode. Expected result: Mode: TPM. If the Mode is not set to TPM, this is a finding. $esxcli = Get-EsxCli -v2; $esxcli.system.settings.encryption.get.invoke() | Select Mode |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.settings.encryption.set.CreateArgs(); $arguments.mode = 'TPM'; $ESXcli.system.settings.encryption.set.Invoke($arguments) |
| Command | Data Not Available |
|---|---|
| Status | Skipped |
| Expected | FixedCAMConfigOption |
| Got | Active Directory is not enabled on host: esx-01a.corp.local. This control is not applicable. |
| Command | Data Not Available |
| Status | Skipped |
| Expected | FixedCAMConfigOption |
| Got | Active Directory is not enabled on host: esx-02a.corp.local. This control is not applicable. |
| Command | Data Not Available |
| Status | Skipped |
| Expected | FixedCAMConfigOption |
| Got | Active Directory is not enabled on host: esx-03a.corp.local. This control is not applicable. |
| Command | Data Not Available |
| Status | Skipped |
| Expected | FixedCAMConfigOption |
| Got | Active Directory is not enabled on host: esx-04a.corp.local. This control is not applicable. |
| Control | 100074 |
|---|---|
| Title | The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. |
| Description | The vSphere Authentication Proxy enables vCenter to connect to and manage AD entities without the need to directly store AD credentials, which reduces the risk of credential exposure or misuse. VMware Cloud Foundation does not use host profiles to join ESXi hosts to Active Directory. |
| Severity | Critical |
| Nist Controls | CM-7, |
| Check Text |
For environments that do not use vCenter Server to manage ESXi, this is not applicable. If the organization is not using Host Profiles to join Active Directory, this is not applicable. From the vSphere Client, go to Home >> Policies and Profiles >> Host Profiles. Click a Host Profile >> Configure >> Security and Services >> Security Settings >> Authentication Configuration >> Active Directory Configuration >> Join Domain Method. If the method used to join hosts to a domain is not set to "Use vSphere Authentication Proxy to add the host to domain", this is a finding. Or, from a PowerCLI command prompt while connected to vCenter, run the following command: Get-VMHost | Select Name, @{N='HostProfile';E={$_ | Get-VMHostProfile}}, @{N='JoinADEnabled';E={($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, @{N='JoinDomainMethod';E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq 'JoinDomainMethodPolicy'}).PolicyOption.Id}}. If JoinADEnabled is True and JoinDomainMethod is not FixedCAMConfigOption, this is a finding. Get-VMHost -Name $ESXi | Get-VMHostAuthentication | Select-Object VMHost,Domain,DomainMembershipStatus |
| Fix Text | Data Not Available |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | should not set to ESX Admins and should be |
| Got | ESX Admins |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | should not set to ESX Admins and should be |
| Got | ESX Admins |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | should not set to ESX Admins and should be |
| Got | ESX Admins |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | should not set to ESX Admins and should be |
| Got | ESX Admins |
| Control | 100075 |
|---|---|
| Title | The ESXi host must not use the default Active Directory ESX Admin group. |
| Description | When adding ESXi hosts to Active Directory, all user/group accounts assigned to the Active Directory group ESX Admins will have full administrative access to the host. If this group is not controlled or known to the system administrators, it may be used for inappropriate access to the host. Therefore, the default group must be changed to a site-specific Active Directory group and membership must be severely restricted. |
| Severity | High |
| Nist Controls | |
| Check Text |
For systems that do not use Active Directory, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Config.HostAgent.plugins.hostsvc.esxAdminsGroup value and verify it is not set to ESX Admins. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup. If the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting is set to ESX Admins, this is a finding. Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.syslog.config.get.Invoke() | Select-Object -ExpandProperty LocalLogOutputIsPersistent |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.syslog.config.get.Invoke() | Select-Object -ExpandProperty LocalLogOutputIsPersistent |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.syslog.config.get.Invoke() | Select-Object -ExpandProperty LocalLogOutputIsPersistent |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.syslog.config.get.Invoke() | Select-Object -ExpandProperty LocalLogOutputIsPersistent |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100077 |
|---|---|
| Title | The ESXi host must configure a persistent log location for all locally stored logs. |
| Description | ESXi can be configured to store log files on an in-memory file system. This occurs when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day's worth of logs is stored at any time. Additionally, log files will be reinitialized upon each reboot. This presents a security risk, as user activity logged on the host is only stored temporarily and will not persist across reboots. It can also complicate auditing and make it harder to monitor events and diagnose issues. Therefore, it is recommended to configure ESXi host logging to a persistent datastore. You can detect whether the scratch volume is temporary or persistent by querying the ScratchConfig.CurrentScratchLocation advanced parameter. If, when queried, it returns /tmp/scratch, then the volume is temporary and you should remap the audit record storage to a persistent device. The location cannot be a vSAN datastore unless Syslog.global.vsanBacking is set, which has caveats and dependencies. If your only local, non-vSAN storage is SD or USB media (which can become unreliable with repeated writes from logs), you might consider leaving the logs in the ramdisk and ensuring that a remote logging host is configured instead. Document the decision and rationale in preparation for future audits. |
| Severity | Critical |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text |
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Syslog.global.logDir value and verify it is set to a persistent location. If the value of the setting is [] /scratch/logs, verify the advanced setting ScratchConfig.CurrentScratchLocation is not set to /tmp/scratch, which is a nonpersistent location. If Syslog.global.logDir is not configured to a persistent location, this is a finding. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.syslog.config.get.Invoke() | Select LocalLogOutput,LocalLogOutputIsPersistent. If the LocalLogOutputIsPersistent value is not true, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.syslog.config.get.Invoke() | Select LocalLogOutput,LocalLogOutputIsPersistent. If your LocalLogOutput is set to a directory in /scratch and LocalLogOutputIsPersistent is true, your boot device is of a type and size that makes /scratch persistent. Verify that your log storage is also on /scratch and that /scratch points to a VMFS datastore: Get-VMHost -Name $ESXi | Get-AdvancedSetting ScratchConfig.CurrentScratchLocation; Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logDir |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logDir | Set-AdvancedSetting -Value "/vmfs/volumes/$Datastore/logs" |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100078 |
|---|---|
| Title | The ESXi host must enforce the exclusive running of executables from approved VIBs. |
| Description | ESXi conducts integrity checks of vSphere Installable Bundles or VIBs, governed by the Acceptance Level (see below). Instructing ESXi to only execute binaries that originated from a valid VIB installed on the host makes it harder for attackers to use prebuilt toolkits. |
| Severity | Critical |
| Nist Controls | CM-6, SI-3, SI-4, CM-7(2), CM-7(5), CM-14, |
| Check Text |
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III. From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the VMkernel.Boot.execInstalledOnly value and verify that it is true. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.execInstalledOnly. If the VMkernel.Boot.execInstalledOnly setting is not true, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting VMkernel.Boot.execInstalledOnly | Set-AdvancedSetting -Value $true |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'disableHwrng'} | Select-Object -ExpandProperty Configured |
|---|---|
| Status | Passed |
| Expected | FALSE |
| Got | FALSE |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'entropySources'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'disableHwrng'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | FALSE |
| Got | FALSE |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'entropySources'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'disableHwrng'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | FALSE |
| Got | FALSE |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'entropySources'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'disableHwrng'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | FALSE |
| Got | FALSE |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'entropySources'} | Select-Object -ExpandProperty Configured |
| Status | Passed |
| Expected | 0 |
| Got | 0 |
| Control | 100079 |
|---|---|
| Title | The ESXi host must use sufficient entropy for cryptographic operations. |
| Description | Starting in vSphere 8.0, the ESXi Entropy implementation supports the FIPS 140-3 and EAL4 certifications. Kernel boot options control which entropy sources to activate on an ESXi host. |
| Severity | Medium |
| Nist Controls | SC-8(1), SC-13, SC-28, SC-28(1), |
| Check Text |
From an ESXi shell, run the following commands: # esxcli system settings kernel list -o disableHwrng and # esxcli system settings kernel list -o entropySources. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.settings.kernel.list.invoke() | Where {$_.Name -eq 'disableHwrng' -or $_.Name -eq 'entropySources'}. If disableHwrng is not set to false, this is a finding. If entropySources is not set to 0, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.settings.kernel.list.Invoke() | Where {$_.Name -eq 'disableHwrng' -or $_.Name -eq 'entropySources'} |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.settings.kernel.set.CreateArgs(); $arguments.setting = 'disableHwrng'; $arguments.value = 'FALSE'; $ESXcli.system.settings.kernel.set.invoke($arguments); $arguments.setting = 'entropySources'; $arguments.value = '0'; $ESXcli.system.settings.kernel.set.invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.syslog.config.logfilter.get.invoke() | Select-Object -ExpandProperty LogFilteringEnabled |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.syslog.config.logfilter.get.invoke() | Select-Object -ExpandProperty LogFilteringEnabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.syslog.config.logfilter.get.invoke() | Select-Object -ExpandProperty LogFilteringEnabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.syslog.config.logfilter.get.invoke() | Select-Object -ExpandProperty LogFilteringEnabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100080 |
|---|---|
| Title | The ESXi host must not enable log filtering. |
| Description | You can create log filters to reduce the number of repetitive entries, and to deny specific log events entirely. |
| Severity | Medium |
| Nist Controls | AU-3, AU-12, |
| Check Text |
From an ESXi shell, run the following command: # esxcli system syslog config logfilter get. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.syslog.config.logfilter.get.invoke(). If LogFilteringEnabled is not set to false, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.syslog.config.logfilter.get.invoke() | Select -ExpandProperty LogFilteringEnabled |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.syslog.config.logfilter.set.CreateArgs(); $arguments.logfilteringenabled = $false; $ESXcli.system.syslog.config.logfilter.set.invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.tls.server.get.invoke() | Select-Object -ExpandProperty Profile |
|---|---|
| Status | Failed |
| Expected | NIST_2024 |
| Got | COMPATIBLE |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.tls.server.get.invoke() | Select-Object -ExpandProperty Profile |
| Status | Failed |
| Expected | NIST_2024 |
| Got | COMPATIBLE |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.tls.server.get.invoke() | Select-Object -ExpandProperty Profile |
| Status | Failed |
| Expected | NIST_2024 |
| Got | COMPATIBLE |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.tls.server.get.invoke() | Select-Object -ExpandProperty Profile |
| Status | Failed |
| Expected | NIST_2024 |
| Got | COMPATIBLE |
| Control | 100081 |
|---|---|
| Title | The ESXi host must use approved encryption to protect the confidentiality of network sessions. |
| Description | In ESXi 8.0.3 and newer, TLS profiles are available to configure client and server TLS settings to use only strong ciphers. You can view the entire cipher list and suites using: $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.tls.server.get.CreateArgs(); $arguments.showprofiledefaults = $true; $arguments.showcurrentbootprofile = $true; $ESXcli.system.tls.server.get.invoke($arguments). The host will require a reboot after setting this parameter (and will display in the vSphere Client with the suffix "(Reboot Required)"). |
| Severity | Critical |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text |
From an ESXi shell, run the following command: # esxcli system tls server get --show-profile-defaults --show-current-boot-profile. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $arguments = $esxcli.system.tls.server.get.CreateArgs(); $arguments.showprofiledefaults = $true; $arguments.showcurrentbootprofile = $true; $esxcli.system.tls.server.get.invoke($arguments). Example result: Profile: NIST_2024; Cipher List: ECDHE+AESGCM; Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384; Groups: prime256v1:secp384r1:secp521r1; Protocol Versions: tls1.2,tls1.3; Reboot Required: true. If the TLS profile is not set to NIST_2024 or is not the current boot profile, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.tls.server.get.invoke() | Select-Object -ExpandProperty Profile |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.tls.server.set.CreateArgs(); $arguments.profile = 'NIST_2024'; $ESXcli.system.tls.server.set.invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.security.keypersistence.get.invoke() | Select-Object -ExpandProperty Enabled |
|---|---|
| Status | Passed |
| Expected | Key persistence should not be enabled |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.security.keypersistence.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | Key persistence should not be enabled |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.security.keypersistence.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | Key persistence should not be enabled |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.security.keypersistence.get.invoke() | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | Key persistence should not be enabled |
| Got | false |
| Control | 100082 |
|---|---|
| Title | The ESXi host must disable key persistence. |
| Description | Key Persistence is a mechanism that uses a local Trusted Platform Module (TPM) to store Standard Key Provider keys, usually found only in an external Key Management System (KMS). While this setup can improve management of dependencies, using Key Persistence changes the encryption risks. If an attacker steals the host, they will have access to the encryption keys for data on that host, bypassing the access controls of the external KMS. Therefore, Key Persistence should be used only when the physical security of the hosts is assured. If the physical hosts are not secure and an attacker can steal the host, they will also have the means to access and use encrypted workloads. Key Persistence and Native Key Provider are often conflated because both store encryption data on hosts. However, the Native Key Provider does not use Key Persistence, so turning off Key Persistence won't affect it. Like Key Persistence, the Native Key Provider also requires careful consideration of physical security, as outlined in the 'design-8.native-key-provider' and 'design-8.hardware-physical-security' controls. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, |
| Check Text |
If the ESXi host does not have a compatible TPM, this is not applicable. From an ESXi shell, run the following command: # esxcli system security keypersistence get. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.security.keypersistence.get.invoke(). If key persistence is enabled, this is a finding. $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $ESXcli.system.security.keypersistence.get.invoke() | Select-Object -ExpandProperty Enabled |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.security.keypersistence.disable.CreateArgs(); $arguments.removeallstoredkeys = $true; $ESXcli.system.security.keypersistence.disable.Invoke($arguments) |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} | Select-Object -ExpandProperty shellaccess |
|---|---|
| Status | Failed |
| Expected | false |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} | Select-Object -ExpandProperty shellaccess |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} | Select-Object -ExpandProperty shellaccess |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} | Select-Object -ExpandProperty shellaccess |
| Status | Failed |
| Expected | false |
| Got | true |
| Control | 100083 |
|---|---|
| Title | ESXi host must deny shell access for the dcui account. |
| Description | The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface. |
| Severity | Critical |
| Nist Controls | AC-6, CM-6, CM-7, |
| Check Text |
From an ESXi shell, run the following command: # esxcli system account list. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'}. If shell access is not disabled for the dcui account, this is a finding. $esxcli = Get-EsxCli -v2; $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} |
| Fix Text | $ESXcli = Get-EsxCli -VMHost $ESXi -V2; $arguments = $ESXcli.system.account.set.CreateArgs(); $arguments.id = 'dcui'; $arguments.shellaccess = $false; $ESXcli.system.account.set.Invoke($arguments) |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-AdvancedSetting -Name Net.BMCNetworkEnable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-AdvancedSetting -Name Net.BMCNetworkEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-AdvancedSetting -Name Net.BMCNetworkEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-AdvancedSetting -Name Net.BMCNetworkEnable | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 0 |
| Got | 1 |
| Control | 100084 |
|---|---|
| Title | The ESXi host must not enable virtual hardware management network interfaces. |
| Description | Hardware management controllers often present virtual or USB NICs to the ESXi host. These can be used as backdoors and should be deactivated both in the hardware configuration and in ESXi. |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the Net.BMCNetworkEnable value and verify it is set to 0. Or, from a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BMCNetworkEnable. If the Net.BMCNetworkEnable setting is not set to 0, this is a finding. Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.BMCNetworkEnable |
| Fix Text | Get-VMHost -Name $ESXi | Get-AdvancedSetting Net.BMCNetworkEnable | Set-AdvancedSetting -Value 0 |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | no |
| Got | no |
| Control | 100086 |
|---|---|
| Title | The ESXi host Secure Shell (SSH) daemon must disable stream local forwarding. |
| Description | System services must be hardened and secured when enabled. |
| Severity | Medium |
| Nist Controls | AC-4, CM-6, SC-7, SC-7(5), SC-7(21), |
| Check Text |
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$ESXcli = Get-EsxCli -v2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value
If allowstreamlocalforwarding is enabled, this is a finding.
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$ESXcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'allowstreamlocalforwarding'} | Select-Object -ExpandProperty Value |
| Fix Text |
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'allowstreamlocalforwarding'
$arguments.value = 'no'
$ESXcli.system.ssh.server.config.set.Invoke($arguments) |
| Command | (Get-VMHost -Name esx-01a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
|---|---|
| Status | Failed |
| Expected | should not be True |
| Got | true |
| Command | (Get-VMHost -Name esx-01a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Passed |
| Expected | should not be True |
| Got | false |
| Command | (Get-VMHost -Name esx-02a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Failed |
| Expected | should not be True |
| Got | true |
| Command | (Get-VMHost -Name esx-02a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Passed |
| Expected | should not be True |
| Got | false |
| Command | (Get-VMHost -Name esx-03a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Failed |
| Expected | should not be True |
| Got | true |
| Command | (Get-VMHost -Name esx-03a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Passed |
| Expected | should not be True |
| Got | false |
| Command | (Get-VMHost -Name esx-04a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Failed |
| Expected | should not be True |
| Got | true |
| Command | (Get-VMHost -Name esx-04a.corp.local | Get-VMHostFirewallException | Where {$_.Enabled -eq True}).ExtensionData.AllowedHosts.AllIP |
| Status | Passed |
| Expected | should not be True |
| Got | false |
| Control | 100087 |
|---|---|
| Title | Configure the ESXi host's firewall to only allow traffic from the ESXi management network. |
| Description | This must be done for each user-configurable enabled service. |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Firewall.
Under the Allowed IP addresses column, review the allowed IPs for each service.
Check this for both the Incoming and Outgoing sections.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostFirewallException | Where {($_.Enabled -eq $true) -and ($_.ExtensionData.IpListUserConfigurable -eq $true)} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}},@{N="AllIPUserConfigurable";E={$_.ExtensionData.IpListUserConfigurable}}
If "Allow connections from any IP address" is configured on a user-configurable enabled service, this is a finding.
Note: In vSphere 8 U2, firewall rules were categorized as user or system owned, both for enabling/disabling a rule and for configuring its allowed IP addresses. This control is only applicable to rules for which a user can configure the allowed IP addresses.
Get-VMHost | Get-VMHostFirewallException | Where {($_.Enabled -eq $true) -and ($_.ExtensionData.IpListUserConfigurable -eq $true)} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}},@{N="AllIPUserConfigurable";E={$_.ExtensionData.IpListUserConfigurable}} |
| Fix Text |
$esxiHosts = Get-VMHost
foreach($esxiHost in $esxiHosts){
$esxcli = Get-EsxCli -v2 -VMHost $esxiHost.Name
# This disables the "allow all" rule for the target service. The sshServer service is the target in this example.
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = "sshServer"
$arguments.allowedall = $false
$esxcli.network.firewall.ruleset.set.Invoke($arguments)
# Next, add the allowed IPs for the service. Note that restricting the vSphere Web Client service this way may disable access; it may instead be done through vCenter or through the console.
$arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$arguments.rulesetid = "sshServer"
$arguments.ipaddress = "Site-specific networks"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)
} |
| Command | Get-VMHost -Name esx-01a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-02a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-03a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | Get-VMHost -Name esx-04a.corp.local | Get-VMHostService | Where {$_.Label -eq 'NTP Daemon'} | Select-Object -ExpandProperty Running |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100088 |
|---|---|
| Title | Start NTP service on the ESXi host. |
| Description | Data Not Available |
| Severity | High |
| Nist Controls | |
| Check Text |
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
Locate the NTP service and verify the service status. If the NTP service is not running, this is a finding.
or
From the vSphere Client, go to Hosts and Clusters >> Select the ESXi Host >> Configure >> System >> Services. If the NTP service is not running, this is a finding. |
| Fix Text | Data Not Available |
| Command | $esxcli = Get-EsxCli -VMHost esx-01a.corp.local -V2; $esxcli.system.snmp.get.Invoke() | Select-Object -ExpandProperty enable |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-02a.corp.local -V2; $esxcli.system.snmp.get.Invoke() | Select-Object -ExpandProperty enable |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-03a.corp.local -V2; $esxcli.system.snmp.get.Invoke() | Select-Object -ExpandProperty enable |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | $esxcli = Get-EsxCli -VMHost esx-04a.corp.local -V2; $esxcli.system.snmp.get.Invoke() | Select-Object -ExpandProperty enable |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100089 |
|---|---|
| Title | The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c. |
| Description | Outdated and unsecure versions of SNMP should be disabled. |
| Severity | High |
| Nist Controls | |
| Check Text |
From an ESXi shell, run the following command:
# esxcli system snmp get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHostSnmp | Select *
If SNMP is not in use and is enabled, this is a finding.
If SNMP is enabled and is not using v3 targets with authentication, this is a finding.
Note: SNMP v3 targets can only be viewed and configured via the esxcli command. |
| Fix Text |
$esxcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $esxcli.system.snmp.set.CreateArgs()
$arguments.enable = $false
$esxcli.system.snmp.set.Invoke($arguments)
(If SNMP is required, leave it enabled and configure v3 targets with authentication via esxcli system snmp set instead of disabling it.) |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100202 |
|---|---|
| Title | The vCenter Server must lock an account after a specified number of failed login attempts. |
| Description | Repeated failed logins for an account may signal security issues. To limit brute force attempts, lock the account after a certain threshold, balancing between avoiding automatic connection retries and potential denial-of-service attacks. |
| Severity | Medium |
| Nist Controls | AC-7, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. View the value of the Maximum number of failed login attempts setting.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-SsoLockoutPolicy | Select MaxFailedAttempts |
| Fix Text | Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -MaxFailedAttempts 5 |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100205 |
|---|---|
| Title | Configure the vCenter Server login banner text for the vSphere Client. |
| Description | vCenter Server allows a login message, which deters intruders and communicates obligations to authorized users. This configuration establishes the text displayed on the vSphere Client login page. |
| Severity | High |
| Nist Controls | AC-8, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Login Message. If the Show login message checkbox is disabled, if Details of login message is not configured to an approved standard User Agreement, or if the Consent checkbox is disabled, this is a finding. Get-VSSetting -Name vpxd.loginBanner -ExpandProperties |
| Fix Text |
Set-VSSetting -Name vpxd.loginBanner -Value |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name config.log.level | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | info |
| Got | info |
| Control | 100206 |
|---|---|
| Title | The vCenter Server must produce audit records containing information to establish what type of events occurred. |
| Description | It is important to ensure that sufficient information is present in audit logs for diagnostics and forensics purposes. |
| Severity | Medium |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text |
From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify the config.log.level value is set to info.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-AdvancedSetting -Entity $VC -Name config.log.level
If config.log.level is not set to info, this is a finding. |
| Fix Text | Get-AdvancedSetting -Entity $VC -Name config.log.level | Set-AdvancedSetting -Value info |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100207 |
|---|---|
| Title | vCenter Server plugins must be verified. |
| Description | The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system. Additionally, vCenter comes with a number of plugins preinstalled that may or may not be necessary for proper operation. |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Solutions >> Client Plug-Ins. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, third-party (partner), and/or site-specific approved plug-ins. If any installed/available plug-ins in the viewable list cannot be verified as allowed vSphere Client plug-ins from trusted sources, or are not in active use, this is a finding. |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100208 |
|---|---|
| Title | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. |
| Description | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Using Active Directory or an identity provider for authentication provides more robust account management capabilities and accountability. Satisfies: SRG-APP-000153, SRG-APP-000163, SRG-APP-000180, SRG-APP-000234 |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Web Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider. If the identity provider type is embedded and there is no identity source of type Active Directory (either Windows Integrated Authentication or LDAP), this is a finding. If the identity provider type is Microsoft ADFS or another supported identity provider, this is NOT a finding. |
| Fix Text | From the vSphere Web Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider. |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100210 |
|---|---|
| Title | The vCenter Server passwords must be at least 15 characters in length. |
| Description | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) suggest that composition rules (requiring mixtures of character classes, for example) should not be imposed on systems because they tend not to improve the security of passwords and discourage the use of more secure passphrases. Many regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local. They do not apply to Active Directory users when vCenter Server is joined to a domain, as those password policies are enforced by AD. |
| Severity | High |
| Nist Controls | IA-5, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Minimum Length setting.
Minimum Length: 15
If the password policy is not configured with a Minimum Length policy of 15 or more, this is a finding.
Get-SsoPasswordPolicy |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLength 15 -MaxLength 64 |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100212 |
|---|---|
| Title | The vCenter Server passwords must contain at least one uppercase character. |
| Description | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) suggest that composition rules (requiring mixtures of character classes, for example) should not be imposed on systems because they tend not to improve the security of passwords and discourage the use of more secure passphrases. Many regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local. They do not apply to Active Directory users when vCenter Server is joined to a domain, as those password policies are enforced by AD. |
| Severity | High |
| Nist Controls | IA-5, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Character requirements setting.
Character requirements: At least 1 uppercase character
If the password policy is not configured with a Character requirements policy requiring 1 or more uppercase characters, this is a finding.
Get-SsoPasswordPolicy |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinUppercaseCount 1 |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100213 |
|---|---|
| Title | The vCenter Server passwords must contain at least one lowercase character. |
| Description | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) suggest that composition rules (requiring mixtures of character classes, for example) should not be imposed on systems because they tend not to improve the security of passwords and discourage the use of more secure passphrases. Many regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local. They do not apply to Active Directory users when vCenter Server is joined to a domain, as those password policies are enforced by AD. |
| Severity | High |
| Nist Controls | IA-5, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Character requirements setting.
Character requirements: At least 1 lowercase character
If the password policy is not configured with a Character requirements policy requiring 1 or more lowercase characters, this is a finding.
Get-SsoPasswordPolicy |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLowercaseCount 1 |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100214 |
|---|---|
| Title | The vCenter Server passwords must contain at least one numeric character. |
| Description | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) suggest that composition rules (requiring mixtures of character classes, for example) should not be imposed on systems because they tend not to improve the security of passwords and discourage the use of more secure passphrases. Many regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local. They do not apply to Active Directory users when vCenter Server is joined to a domain, as those password policies are enforced by AD. |
| Severity | High |
| Nist Controls | IA-5, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Character requirements setting.
Character requirements: At least 1 numeric character
If the password policy is not configured with a Character requirements policy requiring 1 or more numeric characters, this is a finding.
Get-SsoPasswordPolicy |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinNumericCount 1 |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100215 |
|---|---|
| Title | The vCenter Server passwords must contain at least one special character. |
| Description | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) suggest that composition rules (requiring mixtures of character classes, for example) should not be imposed on systems because they tend not to improve the security of passwords and discourage the use of more secure passphrases. Many regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. Password strength and complexity rules apply to accounts created in vSphere SSO, including administrator@vsphere.local. They do not apply to Active Directory users when vCenter Server is joined to a domain, as those password policies are enforced by AD. |
| Severity | High |
| Nist Controls | IA-5, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Character requirements setting.
Character requirements: At least 1 special character
If the password policy is not configured with a Character requirements policy requiring 1 or more special characters, this is a finding.
Get-SsoPasswordPolicy |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinSpecialCharCount 1 |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100216 |
|---|---|
| Title | The vCenter Server must enable FIPS-validated cryptography. |
| Description | FIPS cryptography makes a number of changes to the system to remove weaker ciphers. Enabling this will cause vCenter Server to reboot. |
| Severity | Data Not Available |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text |
From the vSphere Web Client, go to Developer Center >> API Explorer. From the Select API drop-down menu, select appliance. Expand system/security/global_fips >> GET. Click Execute and then Copy Response to view the results.
Example response:
{ "enabled": true }
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Invoke-GetSystemGlobalFips
If global FIPS mode is not enabled, this is a finding. |
| Fix Text |
$spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true
Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec
# Note: enabling FIPS mode reboots vCenter Server; schedule a maintenance window. |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100217 |
|---|---|
| Title | The vCenter Server must be configured with an appropriate maximum password age. |
| Description | Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) indicates that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance, and may override this recommendation. |
| Severity | High |
| Nist Controls | AC-7, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy. View the value of the Maximum lifetime setting (Password must be changed every N days).
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-SsoPasswordPolicy | Select PasswordLifetimeDays |
| Fix Text | Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -PasswordLifetimeDays 9999 |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100219 |
|---|---|
| Title | The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity. |
| Description | Idle vSphere Client sessions can be left open indefinitely if a user forgets to log out, thereby increasing the risk of unauthorized privileged access. |
| Severity | Critical |
| Nist Controls | CM-6, AC-12, SC-10, |
| Check Text |
From the vSphere Client, go to Administration >> Deployment >> Client Configuration. View the value of the Session timeout setting. If the Session timeout is not set to 15 minutes, this is a finding.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VSSessionTimeoutPolicy |
| Fix Text | Set-VSSessionTimeoutPolicy -Timeout 15 |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100220 |
|---|---|
| Title | The vCenter Server user roles must be verified. |
| Description | Users and service accounts must only be assigned privileges they require. Least privilege requires that these privileges must only be assigned if needed to reduce risk of confidentiality, availability, or integrity loss. Satisfies: SRG-APP-000233, SRG-APP-000380 |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Access Control >> Roles. View each role and verify the users and/or groups assigned to it by clicking on Usage.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding. |
| Fix Text | Data Not Available |
| Command | (Get-VDSwitch -Name sfo-m01-cl01-vds01).ExtensionData.Config.NetworkResourceManagementEnabled |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100221 |
|---|---|
| Title | The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). |
| Description | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. |
| Severity | High |
| Nist Controls | |
| Check Text |
If distributed switches are not used, this is not applicable.
From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> Properties. View the Properties pane and verify Network I/O Control is Enabled.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDSwitch | Select Name,@{N="NIOC Enabled";E={$_.ExtensionData.Config.NetworkResourceManagementEnabled}}
If Network I/O Control is disabled, this is a finding. |
| Fix Text | Data Not Available |
| Command | Get-AlarmDefinition | Where-Object {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "com.vmware.sso.PrincipalManagement"} | Select-Object -ExpandProperty Enabled |
|---|---|
| Status | Failed |
| Expected | true |
| Got | Data Not Available |
| Control | 100222 |
|---|---|
| Title | The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action. |
| Description | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain must be alerted on in vCenter at a minimum, and ideally on a Security Information and Event Management (SIEM) system as well. To ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the com.vmware.sso.PrincipalManagement event ID and configure the alert mechanisms appropriately. Satisfies: SRG-APP-000294, SRG-APP-000292, SRG-APP-000293, SRG-APP-000320 |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Security >> Alarm Definitions. Verify there is an alarm created to alert upon all SSO account actions. The alarm name may vary, but it is suggested to name it "SSO account actions - com.vmware.sso.PrincipalManagement".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "com.vmware.sso.PrincipalManagement"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If an alarm is not created to alert on SSO account actions, this is a finding. |
| Fix Text | Data Not Available |
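The report carries no Fix Text for this control (the scan above found no alarm at all). The script below is an added example, not part of the report or of VMware's tooling, that creates the alarm the Check Text looks for through the vSphere API, attaches an e-mail action so someone is actually notified, and re-runs the report's own query to confirm. Assumptions to verify against the vSphere API reference for your version: the `EventAlarmExpression` uses `EventType` "EventEx" together with `EventTypeId`, `ObjectType` "Folder" so the alarm can be defined on the root inventory folder, and the recipient addresses and SMTP configuration are site-specific placeholders.

```powershell
# Added example, not from the report. Assumes an existing Connect-VIServer session to vCenter.
$AlarmName   = "SSO account actions - com.vmware.sso.PrincipalManagement"
$EventTypeId = "com.vmware.sso.PrincipalManagement"
$Recipients  = @("sa@corp.local", "isso@corp.local")   # assumed: SA and ISSO mailboxes

$alarmMgr   = Get-View AlarmManager
$rootFolder = Get-Folder -NoRecursion          # inventory root, so the alarm covers everything

# Idempotent: the Check Text matches on EventTypeId, so do the same before creating anything.
$existing = Get-AlarmDefinition | Where-Object {
    $_.ExtensionData.Info.Expression.Expression.EventTypeId -eq $EventTypeId
}
if (-not $existing) {
    $expr = New-Object VMware.Vim.EventAlarmExpression
    $expr.EventType   = "EventEx"     # assumption: SSO events are extended (EventEx) events
    $expr.EventTypeId = $EventTypeId
    $expr.ObjectType  = "Folder"      # assumption: type of the entity the alarm is defined on
    $expr.Status      = "yellow"      # every matching event turns the alarm yellow

    $spec = New-Object VMware.Vim.AlarmSpec
    $spec.Name        = $AlarmName
    $spec.Description = "Alerts on every SSO principal-management event (account create, modify, delete, enable/disable, password change)"
    $spec.Enabled     = $true
    $spec.Expression  = New-Object VMware.Vim.OrAlarmExpression
    $spec.Expression.Expression += $expr
    $spec.Setting = New-Object VMware.Vim.AlarmSetting
    $spec.Setting.ReportingFrequency = 0   # no suppression window: report each occurrence
    $spec.Setting.ToleranceRange     = 0

    $alarmMgr.CreateAlarm($rootFolder.ExtensionData.MoRef, $spec) | Out-Null
}

# Notify on the green -> yellow transition, i.e. on every event. The SMTP server must be set
# under vCenter >> Configure >> General >> Mail for the e-mail action to do anything.
$alarm = Get-AlarmDefinition -Name $AlarmName
if (-not ($alarm | Get-AlarmAction | Where-Object { $_.ActionType -eq "SendEmail" })) {
    $alarm |
        New-AlarmAction -Email -To $Recipients -Subject "vCenter SSO account action" |
        New-AlarmActionTrigger -StartStatus Green -EndStatus Yellow -Repeat:$false | Out-Null
}

# Same query the report runs; Enabled should now be True.
Get-AlarmDefinition |
    Where-Object { $_.ExtensionData.Info.Expression.Expression.EventTypeId -eq $EventTypeId } |
    Select-Object Name, Enabled
```

vCenter alarms are a floor, not a SIEM: keep remote syslog forwarding (control 100224) in place as well, so the same SSO events reach a system an attacker holding a vCenter role cannot silence by disabling the alarm.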
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100223 |
|---|---|
| Title | The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes. |
| Description | By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. |
| Severity | High |
| Nist Controls | AC-7, |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. View the value of the Time interval between failures setting. If it is less than 900 seconds (15 minutes), this is a finding.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-SsoLockoutPolicy | Select FailedAttemptIntervalSec |
| Fix Text | Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -FailedAttemptIntervalSec 900 |
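Controls 100202, 100210, 100212 through 100215 and 100223 all read the same two SSO policy objects, and every one of them came back "Not Reviewed" above because the check threw an exception. The function below is an added example (not the report's code) that audits both policies in one pass against the values the Fix Texts apply, using the property names of the VMware.vSphere.SsoAdmin cmdlets `Get-SsoPasswordPolicy` and `Get-SsoLockoutPolicy`. The lockout threshold of 5 is this report's own Fix Text value, not a mandated one; the sample policy objects at the bottom are constructed so the function can be tried offline.

```powershell
# Added example, not from the report.
function Test-SsoPolicyBaseline {
    param(
        [Parameter(Mandatory)] $PasswordPolicy,   # object from Get-SsoPasswordPolicy
        [Parameter(Mandatory)] $LockoutPolicy     # object from Get-SsoLockoutPolicy
    )
    # One row per control: which object, which property, comparison and expected value.
    $baseline = @(
        @{ Control="100202"; Object=$LockoutPolicy;  Property="MaxFailedAttempts";        Op="le"; Expected=5   },
        @{ Control="100210"; Object=$PasswordPolicy; Property="MinLength";                Op="ge"; Expected=15  },
        @{ Control="100212"; Object=$PasswordPolicy; Property="MinUppercaseCount";        Op="ge"; Expected=1   },
        @{ Control="100213"; Object=$PasswordPolicy; Property="MinLowercaseCount";        Op="ge"; Expected=1   },
        @{ Control="100214"; Object=$PasswordPolicy; Property="MinNumericCount";          Op="ge"; Expected=1   },
        @{ Control="100215"; Object=$PasswordPolicy; Property="MinSpecialCharCount";      Op="ge"; Expected=1   },
        @{ Control="100223"; Object=$LockoutPolicy;  Property="FailedAttemptIntervalSec"; Op="ge"; Expected=900 }
    )
    foreach ($row in $baseline) {
        $got = $row.Object.($row.Property)        # dynamic property lookup
        $ok  = switch ($row.Op) {
            "le" { $got -le $row.Expected }
            "ge" { $got -ge $row.Expected }
        }
        [pscustomobject]@{
            Control  = $row.Control
            Setting  = $row.Property
            Expected = "$($row.Op) $($row.Expected)"
            Got      = $got
            Status   = if ($ok) { "Passed" } else { "Failed" }
        }
    }
}

# Constructed sample policies (a weak configuration) so the function runs without vCenter.
$samplePw   = [pscustomobject]@{ MinLength=8; MinUppercaseCount=1; MinLowercaseCount=1
                                 MinNumericCount=1; MinSpecialCharCount=0; PasswordLifetimeDays=90 }
$sampleLock = [pscustomobject]@{ MaxFailedAttempts=10; FailedAttemptIntervalSec=180; AutoUnlockIntervalSec=300 }
Test-SsoPolicyBaseline -PasswordPolicy $samplePw -LockoutPolicy $sampleLock | Format-Table -AutoSize
# Expected: 100202, 100210, 100215 and 100223 report Failed, the rest Passed.

# Against a live SSO domain (Import-Module VMware.vSphere.SsoAdmin; Connect-SsoAdminServer first):
# Test-SsoPolicyBaseline -PasswordPolicy (Get-SsoPasswordPolicy) -LockoutPolicy (Get-SsoLockoutPolicy)
# Remediate all failed rows in two calls rather than one cmdlet per control:
# Get-SsoPasswordPolicy | Set-SsoPasswordPolicy -MinLength 15 -MaxLength 64 -MinUppercaseCount 1 -MinLowercaseCount 1 -MinNumericCount 1 -MinSpecialCharCount 1
# Get-SsoLockoutPolicy  | Set-SsoLockoutPolicy  -MaxFailedAttempts 5 -FailedAttemptIntervalSec 900
```

Because `Set-SsoPasswordPolicy` takes all of the character-class parameters at once, a single call avoids the window in which an intermediate policy is weaker than the final one.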
| Command | Data Not Available |
|---|---|
| Status | Skipped |
| Expected | Data Not Available |
| Got | No logging servers found...skipping tests |
| Control | 100224 |
|---|---|
| Title | Configure a remote log server for the vCenter Server. |
| Description | Remote logging to a central host enhances vCenter Server's security by storing logs securely. It simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record. |
| Severity | Critical |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text |
Open the Virtual Appliance Management Interface (VAMI) by navigating to https:// and review the configured log-forwarding targets.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
(Get-CisService -Name "com.vmware.appliance.logging.forwarding").get() |
| Fix Text | Data Not Available |
| Command | Get-AlarmDefinition | Where-Object { $_.Enabled -like "*false*" } |
|---|---|
| Status | Failed |
| Expected | Alerting should be enabled |
| Got | Alerting is disabled for this alarm vSAN health service alarm for Overall Health Summary |
| Command | Get-AlarmDefinition | Where-Object { $_.Enabled -like "*false*" } |
| Status | Failed |
| Expected | Alerting should be enabled |
| Got | Alerting is disabled for this alarm Unmanaged workload detected on SIOC-enabled datastore |
| Control | 100225 |
|---|---|
| Title | The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. |
| Description | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). Satisfies: SRG-APP-000379, SRG-APP-000510 |
| Severity | High |
| Nist Controls | |
| Check Text |
Review the Central Logging Server being used to verify it is configured to alert the SA and ISSO, at a minimum, on any AO-defined events. Otherwise, this is a finding.If there are no AO-defined events, this is not a finding. Get-VcenterServer -Name |
| Fix Text | Data Not Available |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100226 |
|---|---|
| Title | vCenter Server must have reliable time synchronization sources. |
| Description | Cryptography, audit logging, cluster operations, and incident response/forensics heavily rely on synchronized time. The recommended practice for NTP is to have at least four sources. It is not advisable to have only two sources, as two disagreeing sources cannot be reconciled; having one source is preferable to having two. |
| Severity | Critical |
| Nist Controls | AC-2(2), AC-2(3), AC-3, AU-2, AU-3, AU-5(2), AU-8, AU-11, AU-12(1), AU-12(3), CM-5(1), SC-45, SI-3, SI-4, SI-4(2), SI-4(12), |
| Check Text |
Open the Virtual Appliance Management Interface (VAMI) by navigating to https:// and review the time synchronization mode and the configured NTP servers.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following commands:
(Get-CisService -Name "com.vmware.appliance.timesync").get()
(Get-CisService -Name "com.vmware.appliance.ntp").get() |
| Fix Text |
(Get-CisService -Name "com.vmware.appliance.timesync").set("NTP")
(Get-CisService -Name "com.vmware.appliance.ntp").set(@("0.vmware.pool.ntp.org","1.vmware.pool.ntp.org","2.vmware.pool.ntp.org","3.vmware.pool.ntp.org")) |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100227 |
|---|---|
| Title | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. |
| Description | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept public key infrastructure (PKI) certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. The default self-signed, VMware Certificate Authority (VMCA)-issued vCenter reverse proxy certificate must be replaced with a DOD-approved certificate. The use of a DOD certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted. |
| Severity | High |
| Nist Controls | |
| Check Text | From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate. Click View Details and examine the Issuer Information block. If the issuer specified is not a DOD-approved certificate authority, this is a finding. Get-VSCertificateAuthority |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100230 |
|---|---|
| Title | The vCenter server must enforce SNMPv3 security features where SNMP is required. |
| Description | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection. SNMPv3 must be disabled by default and enabled only if used. SNMPv3 provides security feature enhancements to SNMP, including encryption and message authentication. |
| Severity | High |
| Nist Controls | |
| Check Text | At the command prompt on the vCenter Server Appliance, run the following commands: # appliancesh # snmp.get Note: The appliancesh command is not needed if the default shell has not been changed for root. If Enable is set to False, this is not a finding. If Enable is set to True and Authentication is not set to SHA1, this is a finding. If Enable is set to True and Privacy is not set to AES128, this is a finding. If any Users are configured with a Sec_level that does not equal priv, this is a finding. |
| Fix Text | Data Not Available |
| Command | (Get-View -Id 'OptionManager-VpxSettings').setting | Where-Object {$_.key -match "snmp.receiver.1.enabled"} | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-View -Id 'OptionManager-VpxSettings').setting | Where-Object {$_.key -match "snmp.receiver.2.enabled"} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-View -Id 'OptionManager-VpxSettings').setting | Where-Object {$_.key -match "snmp.receiver.3.enabled"} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-View -Id 'OptionManager-VpxSettings').setting | Where-Object {$_.key -match "snmp.receiver.4.enabled"} | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100231 |
|---|---|
| Title | The vCenter server must disable SNMPv1/2 receivers. |
| Description | SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. Therefore, SNMPv1/2 receivers must be disabled, while SNMPv3 is configured in another control. vCenter exposes SNMP v1/2 in the UI and SNMPv3 in the CLI. |
| Severity | High |
| Nist Controls | |
| Check Text | From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> General. Click Edit. On the SNMP receivers tab, note the presence of any enabled receiver. If there are any enabled receivers, this is a finding. Get-VcenterServer -Name |
| Fix Text | Set-VcenterSnmp -Name |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100232 |
|---|---|
| Title | The vCenter Server must unlock accounts after a specified timeout period. |
| Description | Repeated failed logins may suggest security threats. Because of the importance of vCenter Server, accounts should not automatically unlock after they have been locked due to multiple login failures. Ensure that you have your administrator@vsphere.local account information and that it is valid. |
| Severity | Critical |
| Nist Controls | AC-7, |
| Check Text | From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Lockout Policy. View the value of the Unlock time setting. Unlock time: Get-SsoLockoutPolicy | Select AutoUnlockIntervalSec |
| Fix Text | Get-SsoLockoutPolicy | Set-SsoLockoutPolicy -AutoUnlockIntervalSec 0 |
| Command | (Get-VDSwitch -Name sfo-m01-cl01-vds01).ExtensionData.Config.HealthCheckConfig | Select-Object -ExpandProperty Enable |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDSwitch -Name sfo-m01-cl01-vds01).ExtensionData.Config.HealthCheckConfig | Select-Object -ExpandProperty Enable |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100233 |
|---|---|
| Title | The vCenter Server must disable the distributed virtual switch health check. |
| Description | Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off when troubleshooting is finished. |
| Severity | High |
| Nist Controls | |
| Check Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify the VLAN and MTU and Teaming and failover checks are Disabled. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vds = Get-VDSwitch; $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding. $vds = Get-VDSwitch; $vds.ExtensionData.Config.HealthCheckConfig |
| Fix Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify the VLAN and MTU and Teaming and failover checks are Disabled. |
| Command | Get-VDSwitch -Name sfo-m01-cl01-vds01 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name Region-A-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2 | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | Get-VDPortgroup -Name X-Region-Segment | Get-VDSecurityPolicy | Select-Object -ExpandProperty MacChanges |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100235 |
|---|---|
| Title | All distributed switches and their port groups must be configured to reject guest MAC address changes. |
| Description | Allowing virtual machines to change MAC addresses poses security risks, enabling potential network adapter impersonation. Rejecting MAC changes on all distributed switches and port groups prevents this, but may impact certain applications like Microsoft Clustering or MAC address-dependent licensing. Exceptions should be made as necessary. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies. Verify MAC Address Changes is set to Reject. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following commands: Get-VDSwitch | Get-VDSecurityPolicy; Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy If the MAC Address Changes policy is set to accept, this is a finding. Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy; Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy |
| Fix Text | Get-VDSwitch -Name $VDS | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false; Get-VDPortgroup -Name $VDPG | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false |
| Command | (Get-VDSwitch -Name sfo-m01-cl01-vds01).ExtensionData.Config.IpfixConfig.CollectorIpAddress |
|---|---|
| Status | Failed |
| Expected | Data Not Available |
| Got | Data Not Available |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100237 |
|---|---|
| Title | The vCenter Server must ensure that NetFlow traffic is being sent to authorized collectors. |
| Description | vSphere Distributed Switch can export unencrypted NetFlow data, revealing details about virtual network and traffic patterns. It is essential to verify that NetFlow usage is authorized and correctly configured to prevent information leaks. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | If distributed switches are not used, this is not applicable. To view NetFlow Collector IPs configured on distributed switches: From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | Select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.Config.IpfixConfig.CollectorIpAddress}} To view if NetFlow is enabled on any distributed port groups: From the vSphere Client, go to Networking. Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value}} If NetFlow is configured and the collector IP is not known and documented, this is a finding. (Get-VDSwitch -Name $VDS).ExtensionData.Config.IpfixConfig.CollectorIpAddress; (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.IpfixEnabled | Select-Object -ExpandProperty Value |
| Fix Text | $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View; $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec; $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting; $ConfigSpec.DefaultPortConfig.IpfixEnabled = New-Object VMware.Vim.BoolPolicy; $ConfigSpec.DefaultPortConfig.IpfixEnabled.Inherited = $false; $ConfigSpec.DefaultPortConfig.IpfixEnabled.Value = $false; $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion; $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec) |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
|---|---|
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 0 |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 0 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 0 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 100 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 110 |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | VMware.Vim.NumericRange |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | VMware.Vim.NumericRange |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not equals to 1 |
| Got | 0 |
| Control | 100238 |
|---|---|
| Title | The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). |
| Description | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a 1; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a 1 instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those virtual machines will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic. |
| Severity | High |
| Nist Controls | |
| Check Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDPortgroup | Select Name, VlanConfiguration If any port group is configured with the native VLAN of the ESXi hosts' attached physical switch, this is a finding. Get-VDPortgroup | Select Name, VlanConfiguration |
| Fix Text | Run the following command to review configured VLAN IDs: Get-VirtualPortGroup -Name "<portgroup name>" If a VLAN ID is configured incorrectly, run the following command to remediate: Get-VirtualPortGroup -Name "<portgroup name>" | Set-VirtualPortGroup -VLanId <new VLAN ID> From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch. |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId.Start |
|---|---|
| Status | Failed |
| Expected | Should not equals to 0 |
| Got | 0 |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId.End |
| Status | Failed |
| Expected | Should not equals to 4094 |
| Got | 4094 |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId.Start |
| Status | Failed |
| Expected | Should not equals to 0 |
| Got | 0 |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId.End |
| Status | Failed |
| Expected | Should not equals to 4094 |
| Got | 4094 |
| Control | 100239 |
|---|---|
| Title | The vCenter Server must restrict the use of Virtual Guest Tagging (VGT) on Distributed Switches. |
| Description | Setting a port group to VLAN 4095 allows Virtual Guest Tagging (VGT), requiring the VM to process VLAN tags. This should only be enabled for VMs authorized and equipped to manage VLAN tags, as inappropriate use can cause service denial or unauthorized VLAN traffic interaction. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN Type and VLAN trunk range, if present. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDPortgroup | Where {$_.ExtensionData.Config.Uplink -ne $true} | Select Name,VlanConfiguration If any port group is configured with VLAN trunking and is not documented as a needed exception (such as NSX appliances), this is a finding. If any port group is authorized to be configured with VLAN trunking but is not configured with the most limited range necessary, this is a finding. Get-VDPortgroup -Name $VDPG | Where {$_.ExtensionData.Config.Uplink -ne $true} | Select Name,VlanConfiguration |
| Fix Text | Get-VDPortgroup $VDPG | Set-VDVlanConfiguration -VlanId |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
|---|---|
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 0 |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 0 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 0 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 100 |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 110 |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | VMware.Vim.NumericRange |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | VMware.Vim.NumericRange |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.DefaultPortConfig.Vlan.VlanId |
| Status | Passed |
| Expected | Should not to be in [1001 1024 3968 4047 4094] |
| Got | 0 |
| Control | 100240 |
|---|---|
| Title | The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. |
| Description | Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001 to 1024 and 4094, while Nexus switches typically reserve 3968 to 4094. Check with the documentation for the organization's specific switch. Using a reserved VLAN might result in a denial of service on the network. |
| Severity | High |
| Nist Controls | |
| Check Text | If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify that they are not set to a reserved VLAN ID. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDPortgroup | Select Name, VlanConfiguration If any port group is configured with a reserved VLAN ID, this is a finding. Get-VDPortgroup | Select Name, VlanConfiguration |
| Fix Text | Run the following command to review configured VLAN IDs: Get-VirtualPortGroup -Name "<portgroup name>" If a VLAN ID is configured incorrectly, run the following command to remediate: Get-VirtualPortGroup -Name "<portgroup name>" | Set-VirtualPortGroup -VLanId <new VLAN ID> From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Policies. Review the port group VLAN tags and verify that they are not set to a reserved VLAN ID. |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name VirtualCenter.VimPasswordExpirationInDays | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 30 |
| Got | 30 |
| Control | 100241 |
|---|---|
| Title | The vCenter Server must configure the vpxuser password to be rotated on an appropriate interval. |
| Description | Ensures that the vCenter Server is properly rotating the password it automatically sets on the ESXi hosts. |
| Severity | Medium |
| Nist Controls | IA-5, |
| Check Text | From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify that VirtualCenter.VimPasswordExpirationInDays is set to Get-AdvancedSetting -Entity $VC -Name VirtualCenter.VimPasswordExpirationInDays |
| Fix Text | Get-AdvancedSetting -Entity $VC -Name VirtualCenter.VimPasswordExpirationInDays | Set-AdvancedSetting -Value 30 |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name config.vpxd.hostPasswordLength | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Should be empty or equals to 32 |
| Got | Data Not Available |
| Control | 100242 |
|---|---|
| Title | The vCenter Server must configure the vpxuser password to meet length policy. |
| Description | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter, meaning no manual intervention is normally required. The vpxuser password length must never be modified to less than the default length of 32 characters. |
| Severity | High |
| Nist Controls | |
| Check Text | From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify that config.vpxd.hostPasswordLength is set to 32. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-AdvancedSetting -Entity Get-AdvancedSetting -Entity |
| Fix Text | From the vSphere Client, go to Host and Clusters.Select a vCenter Server >> Configure >> Settings >> Advanced Settings.Verify that config.vpxd.hostPasswordLength is set to 32 |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100244 |
|---|---|
| Title | The vCenter Server must use unique service accounts when applications connect to vCenter. |
| Description | To not violate nonrepudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they must use unique service accounts. |
| Severity | High |
| Nist Controls | |
| Check Text | Verify each external application that connects to vCenter has a unique service account dedicated to that application. For example, there should be separate accounts for Log Insight, Operations Manager, or anything else that requires an account to access vCenter. If any application shares a service account that is used to connect to vCenter, this is a finding. |
| Fix Text | Discuss with the customer and verify that service accounts are unique and not shared. |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100245 |
|---|---|
| Title | The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic. |
| Description | Virtual machines might share virtual switches and virtual local area networks (VLAN) with the IP-based storage configurations. IP-based storage includes vSAN, Internet Small Computer System Interface (iSCSI), and Network File System (NFS). This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and virtual machines will limit unauthorized users from viewing the traffic. |
| Severity | High |
| Nist Controls | |
| Check Text | If IP-based storage is not used, this is not applicable. IP-based storage (iSCSI, NFS, vSAN) VMkernel port groups must be in a dedicated VLAN that can be on a standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. To check a standard switch, do the following: From the vSphere Client, select the ESXi host and go to Configure >> Networking >> Virtual switches. Select a standard switch. For each storage port group (iSCSI, NFS, vSAN), select the port group and note the VLAN ID associated with each port group. Verify it is dedicated to that purpose and is logically separated from other traffic types. To check a distributed switch, do the following: From the vSphere Client, go to Networking. Select and expand a distributed switch. For each storage port group (iSCSI, NFS, vSAN), select the port group and navigate to the Summary tab. Note the VLAN ID associated with each port group and verify it is dedicated to that purpose and is logically separated from other traffic types. If any IP-based storage networks are not isolated from other traffic types, this is a finding. |
| Fix Text | Discuss with customer how IP-based storage networks are configured. |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name vpxd.event.syslog.enabled | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100246 |
|---|---|
| Title | Enable remote logging of vCenter Server events. |
| Description | Remote logging to a central host enhances vCenter Server's security by storing logs securely. It simplifies monitoring across hosts and supports aggregate analysis for detecting coordinated attacks. Centralized logging prevents tampering and serves as a reliable long-term audit record. |
| Severity | Medium |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text | From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> Advanced Settings. Verify that the vpxd.event.syslog.enabled value is set to true. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-AdvancedSetting -Entity Get-AdvancedSetting -Entity $VC -Name vpxd.event.syslog.enabled |
| Fix Text | Get-AdvancedSetting -Entity $VC -Name vpxd.event.syslog.enabled | Set-AdvancedSetting -Value true |
| Command | Get-Cluster | Where-Object {$_.VsanEnabled} | Get-Datastore | Where-Object {$_.type -match "vsan"} | Select-Object -ExpandProperty Name |
|---|---|
| Status | Passed |
| Expected | Datastore name should not be 'vsanDatastore' |
| Got | VSAN Datastores are - sfo-m01-cl01-ds-vsan01 |
| Control | 100248 |
|---|---|
| Title | The vCenter Server must configure the vSAN Datastore name to a unique name. |
| Description | A vSAN Datastore name by default is vsanDatastore. If more than one vSAN cluster is present in vCenter, both datastores will have the same name by default, potentially leading to confusion and manually misplaced workloads. |
| Severity | High |
| Nist Controls | |
| Check Text |
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Datastores. Review the datastores and identify any datastores with vSAN as the datastore type. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following commands: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){Write-Host "vSAN Enabled Cluster found"; Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"}}else{Write-Host "vSAN is not enabled, this finding is not applicable."} If vSAN is enabled and a datastore is named vsanDatastore, this is a finding. |
| Fix Text | From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Datastores. Review the datastores and identify any datastores with vSAN as the datastore type. |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
|---|---|
| Status | Failed |
| Expected | VSPHERE.LOCAL\svc-sddc-l-01a-vc-l-01a is expected to be in [] |
| Got | VSPHERE.LOCAL\svc-sddc-l-01a-vc-l-01a |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\svc-nsx-lb-b-vc-l-01b is expected to be in [] |
| Got | VSPHERE.LOCAL\svc-nsx-lb-b-vc-l-01b |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\svc-sddc-l-01a-vc-l-01b is expected to be in [] |
| Got | VSPHERE.LOCAL\svc-sddc-l-01a-vc-l-01b |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\svc-nsx-lb-a-vc-l-01a is expected to be in [] |
| Got | VSPHERE.LOCAL\svc-nsx-lb-a-vc-l-01a |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\Administrator is expected to be in [] |
| Got | VSPHERE.LOCAL\Administrator |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\SDDCAdmins is expected to be in [] |
| Got | VSPHERE.LOCAL\SDDCAdmins |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\Administrators is expected to be in [] |
| Got | VSPHERE.LOCAL\Administrators |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\Administrators is expected to be in [] |
| Got | VSPHERE.LOCAL\Administrators |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\vCLSAdmin is expected to be in [] |
| Got | VSPHERE.LOCAL\vCLSAdmin |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\Administrators is expected to be in [] |
| Got | VSPHERE.LOCAL\Administrators |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\vCLSAdmin is expected to be in [] |
| Got | VSPHERE.LOCAL\vCLSAdmin |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\Administrators is expected to be in [] |
| Got | VSPHERE.LOCAL\Administrators |
| Command | Get-VIPermission | Where-Object {($_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager") -and $_.Principal -notmatch "vpxd-"} | Select-Object -ExpandProperty Principal |
| Status | Failed |
| Expected | VSPHERE.LOCAL\vCLSAdmin is expected to be in [] |
| Got | VSPHERE.LOCAL\vCLSAdmin |
| Control | 100250 |
|---|---|
| Title | The vCenter Server must restrict access to the default roles with cryptographic permissions. |
| Description | In vSphere, a number of default roles contain permission to perform cryptographic operations such as Key Management Server (KMS) functions and encrypting and decrypting virtual machine disks. These roles must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. A new built-in role called No Cryptography Administrator exists to provide all administrative permissions except cryptographic operations. Permissions must be restricted such that normal vSphere administrators are assigned the No Cryptography Administrator role or more restrictive. These default roles must be tightly controlled and must not be applied to administrators who will not be doing cryptographic work. Catastrophic data loss can result from poorly administered cryptography. |
| Severity | High |
| Nist Controls | |
| Check Text |
By default, there are four roles that contain cryptographic related permissions: Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager. From the vSphere Client, go to Administration >> Access Control >> Roles. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VIPermission | Where {$_.Role -eq "Admin" -or $_.Role -eq "NoTrustedAdmin" -or $_.Role -eq "vCLSAdmin" -or $_.Role -eq "vSphereKubernetesManager"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto If there are any users or groups assigned to the default roles with cryptographic permissions that are not explicitly designated to perform cryptographic operations, this is a finding. The built-in solution users assigned to the Administrator role are NOT a finding. |
| Fix Text | Data Not Available |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
|---|---|
| Status | Failed |
| Expected | vCLSAdmin is expected to be in [] |
| Got | vCLSAdmin |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
| Status | Failed |
| Expected | NoTrustedAdmin is expected to be in [] |
| Got | NoTrustedAdmin |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
| Status | Failed |
| Expected | Admin is expected to be in [] |
| Got | Admin |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
| Status | Failed |
| Expected | vSphereKubernetesManager is expected to be in [] |
| Got | vSphereKubernetesManager |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
| Status | Failed |
| Expected | VMOperatorController is expected to be in [] |
| Got | VMOperatorController |
| Command | Get-VIRole | Where-Object {$_.PrivilegeList -match "Crypto*" -or $_.PrivilegeList -match "Global.Diagnostics" -or $_.PrivilegeList -match "Host.Inventory.Add*" -or $_.PrivilegeList -match "Host.Local operations.Manage user groups"} | Select-Object -ExpandProperty Name |
| Status | Failed |
| Expected | vRealize Suite Lifecycle Manager to vSphere Integration is expected to be in [] |
| Got | vRealize Suite Lifecycle Manager to vSphere Integration |
| Control | 100251 |
|---|---|
| Title | The vCenter Server must restrict access to cryptographic permissions. |
| Description | These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography. |
| Severity | High |
| Nist Controls | |
| Check Text |
By default, there are four roles that contain cryptographic related permissions: Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager. From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the Privileges button in the right pane. Verify that only the Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager roles and any site-specific cryptographic roles have the following permissions: Cryptographic Operations privileges; Global.Diagnostics; Host.Inventory.Add host to cluster; Host.Inventory.Add standalone host; Host.Local operations.Manage user groups. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following commands: $roles = Get-VIRole; ForEach($role in $roles){ $privileges = $role.PrivilegeList; If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){ Write-Host "$role has Cryptographic privileges" }} If any role other than the four default roles contains the permissions listed above and is not authorized to perform cryptographic related operations, this is a finding. |
| Fix Text | From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the Privileges button in the right pane. Verify that only the Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager roles and any site-specific cryptographic roles have the following permissions: Cryptographic Operations privileges; Global.Diagnostics; Host.Inventory.Add host to cluster; Host.Inventory.Add standalone host; Host.Local operations.Manage user groups. |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100252 |
|---|---|
| Title | The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. |
| Description | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, the potential exists for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk. |
| Severity | High |
| Nist Controls | |
| Check Text |
If no clusters are enabled for vSAN, or if vSAN is enabled but iSCSI is not enabled, this is not applicable. From the vSphere Client, go to Host and Clusters. Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. For each iSCSI target, review the value in the Authentication column. If the Authentication method is not set to CHAP_Mutual for any iSCSI target, this is a finding. |
| Fix Text | If no clusters are enabled for vSAN, or if vSAN is enabled but iSCSI is not enabled, this is not applicable. From the vSphere Client, go to Host and Clusters >> Select a vSAN Enabled Cluster >> Configure >> vSAN >> iSCSI Target Service. In the vSAN iSCSI target service tile, click Enable. Activate the service from the toggle switch. From the Authentication drop-down menu, select Mutual CHAP. Configure the incoming and outgoing users and secrets appropriately and click Apply. |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100253 |
|---|---|
| Title | The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). |
| Description | The KEK for a vSAN encrypted datastore is generated by the Key Management Server (KMS) and serves as a wrapper and lock around the Disk Encryption Key (DEK). The DEK is generated by the host and is used to encrypt and decrypt the datastore. A shallow rekey is a procedure in which the KMS issues a new KEK to the ESXi host, which rewraps the DEK but does not change the DEK or any data on disk. This operation must be done on a regular, site-defined interval and can be viewed as similar in criticality to changing an administrative password. If the KMS is compromised, a standing operational procedure to rekey will put a time limit on the usefulness of any stolen KMS data. |
| Severity | High |
| Nist Controls | |
| Check Text |
If vSAN is not in use, this is not applicable. Interview the system administrator (SA) to determine that a procedure has been put in place to perform a shallow rekey of all vSAN encrypted datastores at regular, site-defined intervals. VMware recommends a 60-day rekey task, but this interval must be defined by the SA and the information system security officer (ISSO). If vSAN encryption is not in use, this is not a finding. If vSAN encryption is in use and a regular rekey procedure is not in place, this is a finding. |
| Fix Text | Interview the SA to determine whether a procedure exists to perform a shallow re-key of all vSAN encrypted datastores at regular, site-defined intervals. This interval must be defined by the SA and the ISSO. If vSAN encryption is not in use, this is not applicable. If vSAN encryption is in use and a regular rekey procedure is not in place, this is a finding. |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100254 |
|---|---|
| Title | The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source. |
| Description | LDAP is an industry standard protocol for querying directory services such as Active Directory. This protocol can operate in clear text or over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encrypted tunnel. To protect confidentiality of LDAP communications, secure LDAP (LDAPS) must be explicitly configured when adding an LDAP identity source in vSphere Single Sign-On (SSO). When configuring an identity source and supplying an SSL certificate, vCenter will enforce LDAPS. The server URLs do not need to be explicitly provided if an SSL certificate is uploaded. |
| Severity | High |
| Nist Controls | |
| Check Text |
If LDAP is not used as an identity provider, this is not applicable. From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider. Click the Identity Sources tab. For each identity source of type Active Directory over LDAP, if the Server URL does not indicate ldaps://, this is a finding. Get-VcenterServer -Name |
| Fix Text |
Set-VcenterLdap -Name |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100255 |
|---|---|
| Title | The vCenter Server must limit membership to the SystemConfiguration.BashShellAdministrators Single Sign-On (SSO) group. |
| Description | vCenter SSO integrates with PAM in the underlying Photon operating system so members of the SystemConfiguration.BashShellAdministrators SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named sso-user as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process. To force accountability and nonrepudiation, the SSO group SystemConfiguration.BashShellAdministrators must be severely restricted. |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the SystemConfiguration.BashShellAdministrators group appears. Click SystemConfiguration.BashShellAdministrators. Review the members of the group and ensure that only authorized accounts are present. Note: By default the Administrator and a unique service account similar to vmware-applmgmtservice-714684a4-342f-4eff-a232-cdc21def00c2 will be in the group and should not be removed. If there are any accounts present as members of SystemConfiguration.BashShellAdministrators that are not authorized, this is a finding. |
| Fix Text | From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the SystemConfiguration.BashShellAdministrators group appears. Click SystemConfiguration.BashShellAdministrators. Review the members of the group and ensure that only authorized accounts are present. |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100256 |
|---|---|
| Title | The vCenter Server must limit membership to the TrustedAdmins Single Sign-On (SSO) group. |
| Description | The vSphere TrustedAdmins group grants additional rights to administer the vSphere Trust Authority feature. To force accountability and nonrepudiation, the SSO group TrustedAdmins must be severely restricted. |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the TrustedAdmins group appears. Click TrustedAdmins. Review the members of the group and ensure that only authorized accounts are present. Note: These accounts act as root on the Photon operating system and have the ability to severely damage vCenter, inadvertently or otherwise. If there are any accounts present as members of TrustedAdmins that are not authorized, this is a finding. |
| Fix Text | From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the TrustedAdmins group appears. Click TrustedAdmins. Review the members of the group and ensure that only authorized accounts are present. |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100257 |
|---|---|
| Title | Configure File-Based Backup and Recovery to a secure location unless alternate backup methods are in use. |
| Description | File-Based Backup and Recovery, which allows vCenter Server and configuration recovery via the vCenter Server installer, plays a crucial role in safeguarding your environment. It should be appropriately configured. Because this backup method contains information about privileged access to the vSphere cluster, it should always be stored securely. |
| Severity | Critical |
| Nist Controls | CP-9, CM-2(3), |
| Check Text |
Option 1: If vCenter is backed up in a traditional manner, at the storage array level, interview the SA to determine configuration and schedule. Option 2: For vCenter native backup functionality, open the Virtual Appliance Management Interface (VAMI) by navigating to https:// |
| Fix Text | Data Not Available |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name event.maxAge | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | Should be greater than or equals to 30 |
| Got | 30 |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name task.maxAge | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | Should be greater than or equals to 30 |
| Got | 30 |
| Control | 100258 |
|---|---|
| Title | The vCenter server must have task and event retention set to an appropriate interval. |
| Description | vCenter Server retains task and event data, which ages out to save storage space. The age is configurable. This only impacts local storage of event data on the vCenter Server Appliance. |
| Severity | Medium |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text |
From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Settings >> General. Click to expand the Database section. Note the Task retention and Event retention values. If either value is configured to less than Get-VcenterServer -Name |
| Fix Text |
Set-VcenterTaskRetention -Name |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100259 |
|---|---|
| Title | The vCenter server Native Key Provider must be backed up with a strong password. |
| Description | The vCenter Native Key Provider feature was introduced in 7.0 U2 and acts as a key provider for encryption-based capabilities, such as encrypted virtual machines, without requiring an external KMS solution. When enabling this feature, a backup must be taken, which is a PKCS#12 formatted file; if no password is provided during the backup process, that backup could be used maliciously to compromise the environment. |
| Severity | High |
| Nist Controls | |
| Check Text |
If the vCenter Native Key Provider feature is not in use, this is not applicable. Interview the system administrator and determine if a password was provided for any backups taken of the Native Key Provider. If backups exist for the Native Key Provider that are not password protected, this is a finding. |
| Fix Text | Data Not Available |
| Command | Data Not Available |
|---|---|
| Status | Not Reviewed |
| Expected | Data Not Available |
| Got | Exception occurred while executing this control, Check logs for more details! |
| Control | 100260 |
|---|---|
| Title | The vCenter server must require authentication for published content libraries. |
| Description | In the vSphere Client, you can create a local or a subscribed content library. By using content libraries, you can store and manage content in one vCenter Server instance. Alternatively, you can distribute content across vCenter Server instances to increase consistency and facilitate the deployment of workloads at scale. When publishing a content library, it can be protected by requiring authentication for subscribers. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Content Libraries. Review the Password Protected column. If a content library is published and is not password protected, this is a finding. Get-ContentLibrary -Name |
| Fix Text |
Set-ContentLibrary -Name |
| Command | Data Not Available |
|---|---|
| Status | Skipped |
| Expected | Data Not Available |
| Got | No content libraries found |
| Control | 100261 |
|---|---|
| Title | The vCenter server must enable the OVF security policy for content libraries. |
| Description | In the vSphere Client, you can create a local or a subscribed content library. By using content libraries, you can store and manage content in one vCenter Server instance. Alternatively, you can distribute content across vCenter Server instances to increase consistency and facilitate the deployment of workloads at scale. You can protect the OVF items by applying the default OVF security policy to a content library. The OVF security policy enforces strict validation on OVF items when you deploy or update the item, import items, or synchronize OVF and OVA templates. To make sure that the OVF and OVA templates are signed by a trusted certificate, you can add the OVF signing certificate from a trusted CA. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Content Libraries. Review the Security Policy column. If a content library does not have the OVF default policy enabled, this is a finding. Get-ContentLibrary -Name |
| Fix Text |
Set-ContentLibrary -Name |
| Command | (Get-VDSwitch -Name sfo-m01-cl01-vds01).ExtensionData.config.LinkDiscoveryProtocolConfig | Select-Object -ExpandProperty Operation |
|---|---|
| Status | Failed |
| Expected | Disabled |
| Got | both |
| Control | 100263 |
|---|---|
| Title | The vCenter Server must deactivate CDP/LLDP on distributed switches unless used intentionally. |
| Description | vSphere Distributed Virtual Switch can engage in CDP or LLDP, potentially sharing sensitive unencrypted information, like IP addresses and system names, on the network. This can aid adversaries in understanding or impersonating your environment. However, it is also extremely helpful for legitimate use cases, so it is recommended to keep it deactivated unless necessary for troubleshooting or configuration validation. |
| Severity | High |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> Properties. Review the Discovery Protocol configuration. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | Select Name,LinkDiscoveryProtocolOperation If any distributed switch does not have Discovery Protocols disabled, this is a finding. (Get-VDSwitch -Name $VDS).ExtensionData.config.LinkDiscoveryProtocolConfig | Select-Object -ExpandProperty Operation |
| Fix Text | $VDview = Get-VDSwitch -Name $VDS | Get-View; $ConfigSpec = New-Object VMware.Vim.VMwareDVSConfigSpec; $ConfigSpec.LinkDiscoveryProtocolConfig = New-Object VMware.Vim.LinkDiscoveryProtocolConfig; $ConfigSpec.LinkDiscoveryProtocolConfig.Protocol = 'cdp'; $ConfigSpec.LinkDiscoveryProtocolConfig.Operation = 'none'; $ConfigSpec.ConfigVersion = $VDview.Config.ConfigVersion; $VDview.ReconfigureDvs_Task($ConfigSpec) |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100264 |
|---|---|
| Title | The vCenter Server must remove unauthorized port mirroring sessions on distributed switches. |
| Description | vSphere Distributed Switch can mirror traffic between ports, enabling traffic observation. To maintain security, any unauthorized port mirroring sessions on distributed switches must be promptly removed. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Configure >> Settings >> Port Mirroring. Review any configured Port Mirroring sessions. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}} If there are any unauthorized port mirroring sessions configured, this is a finding. (Get-VDSwitch -Name $VDS).ExtensionData.config.VspanSession |
| Fix Text | Data Not Available |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.VlanOverrideAllowed |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Failed |
| Expected | false |
| Got | true |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.VlanOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.UplinkTeamingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.SecurityPolicyOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.IpfixOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.MacManagementOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.ShapingOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.VendorConfigOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.LivePortMovingAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.NetworkResourcePoolOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.TrafficFilterOverrideAllowed |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100265 |
|---|---|
| Title | The vCenter Server must not override port group settings at the port level on distributed switches, except for block ports. |
| Description | While port-level configuration overrides may be needed for unique VM setups, they must be closely monitored to prevent unauthorized use. Unmonitored overrides could allow broader access if a less secure Distributed Switch configuration is exploited. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. Review the Override port policies. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: (Get-VDPortgroup).ExtensionData.Config.Policy If there are any distributed port groups that allow overridden port policies, this is a finding. Note: This does not apply to the Block Ports or Configure reset at disconnect policies. (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.Policy |
| Fix Text | $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View; $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec; $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting; $ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy; $ConfigSpec.Policy.UplinkTeamingOverrideAllowed = $false; $ConfigSpec.Policy.BlockOverrideAllowed = $true; $ConfigSpec.Policy.LivePortMovingAllowed = $false; $ConfigSpec.Policy.VlanOverrideAllowed = $false; $ConfigSpec.Policy.SecurityPolicyOverrideAllowed = $false; $ConfigSpec.Policy.VendorConfigOverrideAllowed = $false; $ConfigSpec.Policy.ShapingOverrideAllowed = $false; $ConfigSpec.Policy.IpfixOverrideAllowed = $false; $ConfigSpec.Policy.TrafficFilterOverrideAllowed = $false; $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion; $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec) |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Failed |
| Expected | true |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.Policy.PortConfigResetAtDisconnect |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100266 |
|---|---|
| Title | The vCenter Server must reset port configuration when virtual machines are disconnected. |
| Description | When a virtual machine is disconnected from the virtual switch port, it is desirable to reset the port configuration so that another virtual machine that attaches has a port in a known state. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
If distributed switches are not used, this is not applicable. From the vSphere Client, go to Networking. Select a distributed switch >> Select a distributed port group >> Configure >> Settings >> Properties. Review the Configure reset at disconnect setting. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: (Get-VDPortgroup).ExtensionData.Config.Policy.PortConfigResetAtDisconnect If there are any distributed port groups with Configure reset at disconnect configured to disabled or False, this is a finding. (Get-VDPortgroup -Name $VDPG).ExtensionData.Config.Policy | Select-Object -ExpandProperty PortConfigResetAtDisconnect |
| Fix Text | $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View; $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec; $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting; $ConfigSpec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy; $ConfigSpec.Policy.PortConfigResetAtDisconnect = $true; $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion; $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec) |
| Command | Get-AdvancedSetting -Entity 192.168.40.1 -Name etc.issue | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | should not be Empty and should also not contain the default value. |
| Got | VMware vCenter Server 8.0.3.00100 Type: vCenter Server with an embedded Platform Services Controller |
| Control | 100269 |
|---|---|
| Title | Configure the vCenter Server login banner text for access via SSH. |
| Description | vCenter Server allows a login message, which deters intruders and communicates obligations to authorized users. This configuration establishes the text displayed when a client connects via SSH. The default text leaks information to attackers about system configuration and should be changed. |
| Severity | High |
| Nist Controls | AC-8, |
| Check Text |
vCenter Server allows a login message, which deters intruders and communicates obligations to authorized users. This configuration establishes the text displayed when a client connects via SSH. The default text leaks information to attackers about system configuration and should be changed. From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-AdvancedSetting -Entity $VC -Name etc.issue If it is configured with an authorized login banner, this is a finding. Get-AdvancedSetting -Entity $VC -Name etc.issue |
| Fix Text | Get-AdvancedSetting -Entity $VC -Name etc.issue | Set-AdvancedSetting -Value ****************************************************************************`n* Authorized users only. Actual or attempted unauthorized use of this *`n* system is prohibited and may result in criminal, civil, security, or *`n* administrative proceedings and/or penalties. Use of this information *`n* system indicates consent to monitoring and recording, without notice *`n* or permission. Users have no expectation of privacy. Any information *`n* stored on or transiting this system, or obtained by monitoring and/or *`n* recording, may be disclosed to law enforcement and/or used in accordance *`n* with Federal law, State statute, and organization policy. If you are not *`n* an authorized user of this system, exit the system at this time. *`n****************************************************************************`n |
| Command | (Get-VDPortgroup -Name Region-A-Segment).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
|---|---|
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name SDDC-DPortGroup-VM-Mgmt).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-mgmt).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vmotion).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name sfo01-m01-cl01-vds01-pg-vsan).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-1).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name VCF-edge_WLD-Edge-Cluster_PG-sfo-m01-cl01-vds01-External-2).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Command | (Get-VDPortgroup -Name X-Region-Segment).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Status | Passed |
| Expected | false |
| Got | false |
| Control | 100270 |
|---|---|
| Title | All distributed switch port groups must deactivate MAC Learning unless used intentionally. |
| Description | MAC Learning enables a distributed switch to provide network connectivity to systems where more than one MAC address is used on a vNIC. This can be useful in special cases like nested virtualization (running ESXi inside ESXi, for example). MAC learning also supports unknown unicast flooding. Normally, when a packet that is received by a port has an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has MAC learning and unknown unicast flooding enabled. This property is enabled by default, but only if MAC learning is enabled. It is recommended to disable MAC Learning unless it is in use intentionally for a known workload that requires it. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
(Get-VDPortgroup -Name $VDPG).ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy | Select-Object -ExpandProperty Enabled |
| Fix Text | $VDPGview = Get-VDPortgroup -Name $VDPG | Get-View; $ConfigSpec = New-Object VMware.Vim.DVPortgroupConfigSpec; $ConfigSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting; $ConfigSpec.DefaultPortConfig.MacManagementPolicy = New-Object VMware.Vim.DVSMacManagementPolicy; $ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy = New-Object VMware.Vim.DVSMacLearningPolicy; $ConfigSpec.DefaultPortConfig.MacManagementPolicy.MacLearningPolicy.Enabled = $false; $ConfigSpec.ConfigVersion = $VDPGview.Config.ConfigVersion; $VDPGview.ReconfigureDVPortgroup_Task($ConfigSpec) |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100271 |
|---|---|
| Title | vCenter is a version that has not reached End of General Support status. |
| Description | Ensure that vCenter Server is of a version that has not reached End of General Support status. |
| Severity | Medium |
| Nist Controls | SI-2, SI-3, |
| Check Text |
Ensure that vCenter Server is of a version that has not reached End of General Support status. Get-VcenterServer -Name |
| Fix Text | Data Not Available |
| Command | (Get-CisService -Name "com.vmware.appliance.local_accounts.policy").get() | Select-Object -ExpandProperty max_days |
|---|---|
| Status | Passed |
| Expected | 90 |
| Got | 90 |
| Control | 100272 |
|---|---|
| Title | The vCenter Server root account password expiration must be configured appropriately. |
| Description | Modern best practices for passwords (NIST 800-63B Section 5.1.1.2, among other guidance) indicate that with adequate password entropy, security is not improved by arbitrarily requiring users to change their passwords at certain intervals. Many automated security tools and regulatory compliance frameworks do not reflect this guidance and may override this recommendation. |
| Severity | Critical |
| Nist Controls | IA-5, |
| Check Text |
Open the Virtual Appliance Management Interface (VAMI) by navigating to https:// (Get-CisService -Name com.vmware.appliance.local_accounts.policy).get() |
| Fix Text | (Get-CisService -Name com.vmware.appliance.local_accounts.policy).set(@{max_days=9999; min_days=1; warn_days=7}) |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100273 |
|---|---|
| Title | The vCenter Server must configure the firewall to only allow traffic from authorized networks. |
| Description | Ensures that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and helping to prevent unauthorized access to the system. Note that outgoing/egress traffic is not blocked, nor are related/established connections, so vCenter Server will still be able to communicate with systems where it initiates the connection. Perimeter firewalls should be used to curtail those types of connections. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
Ensures that all incoming and outgoing network traffic is blocked unless explicitly allowed, reducing the attack surface and helping to prevent unauthorized access to the system. Note that outgoing/egress traffic is not blocked, nor are related/established connections, so vCenter Server will still be able to communicate with systems where it initiates the connection. Perimeter firewalls should be used to curtail those types of connections. |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100274 |
|---|---|
| Title | To be up to date, the system should be patched and important security updates installed in a timely manner. |
| Description | By keeping vCenter Server patches up to date, vulnerabilities can be mitigated. It is important to note that educated attackers can exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges. When applying updates, it is recommended to update vCenter Server first, if an update is available, and then proceed with updating ESXi. This sequence ensures that the management layer is updated before updating the ESXi hosts. |
| Severity | Critical |
| Nist Controls | SI-2, SI-3, |
| Check Text |
By keeping vCenter Server patches up to date, vulnerabilities can be mitigated. It is important to note that educated attackers can exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges. |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100275 |
|---|---|
| Title | Configure the maximum password length policy. |
| Description | Data Not Available |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.View the value of the Maximum length setting and verify if it is set to Get-SsoPasswordPolicy |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100276 |
|---|---|
| Title | Configure the minimum number of alphabetic characters policy. |
| Description | Data Not Available |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.View the value of the Character requirements setting.Character requirements: At least Get-SsoPasswordPolicy |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100277 |
|---|---|
| Title | Configure the maximum number of identical adjacent characters policy. |
| Description | Data Not Available |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Local Accounts >> Password Policy.View the value of the Character requirements setting.Character requirements: Get-SsoPasswordPolicy |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100278 |
|---|---|
| Title | The vCenter Server must use approved encryption to protect the confidentiality of network sessions. |
| Description | Data Not Available |
| Severity | High |
| Nist Controls | |
| Check Text |
From the vSphere Client, go to Developer Center >> API Explorer. Select appliance from the Select API drop-down list, then scroll down to the tls/profiles/global section. Expand the GET call, click Execute, and review the response for the configured global TLS profile. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetTlsProfilesGlobal If the global TLS profile is not NIST_2024, this is a finding. Invoke-GetTlsProfilesGlobal |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100280 |
|---|---|
| Title | The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA). |
| Description | Integrated Windows Authentication (IWA) is a feature in vCenter Server that allows users to authenticate to the vCenter Server using their Windows domain credentials. This means that users do not need to enter a username and password to access the vCenter Server, as their Windows domain credentials are used to authenticate them. IWA uses the Kerberos protocol to authenticate users and provides a secure and convenient way for users to access the vCenter Server. When IWA is enabled, users can access the vCenter Server without being prompted to enter a username and password, as long as they are logged in to their Windows domain with valid credentials. |
| Severity | High |
| Nist Controls | |
| Check Text | If IWA is used for vCenter authentication, this is not applicable. From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users. Change the domain to vsphere.local and review the K/M and krbtgt/VSPHERE.LOCAL accounts. If the K/M and krbtgt/VSPHERE.LOCAL accounts are not disabled, this is a finding. Get-VcenterServer -Name |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100281 |
|---|---|
| Title | The vCenter Server must separate authentication and authorization for administrators. |
| Description | Combining authentication and authorization, as done in services like Active Directory, risks infrastructure breaches if compromised. Hence, vCenter Server should segregate these for administrators. Consider local SSO groups for authorization to better manage risk where feasible. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | From the vSphere Client, go to Administration >> Access Control >> Roles. View the Administrator role and any other role providing administrative access to vCenter to verify the users and/or groups assigned to it by clicking on Usage. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto. If any user or group is directly assigned a role with administrative access to vCenter that is from an identity provider, this is a finding. Note: Users and/or groups assigned to roles should be from the VSPHERE.LOCAL identity source. Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto |
| Fix Text | Data Not Available |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.tools.copy.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100401 |
|---|---|
| Title | Virtual machines must have console copy operations deactivated. |
| Description | Deactivating console copy operations on virtual machines prevents data copying between the VM and the local client, regardless of whether the user is accessing through Web Console, VMRC, or another method. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.copy.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.copy.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100402 |
|---|---|
| Title | Virtual machines must have console drag and drop operations deactivated. |
| Description | Deactivating drag and drop operations in a virtual machine's console stops users from transferring data between the VM and the local client, regardless of the console type, enhancing data security. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.dnd.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.dnd.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.tools.paste.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100403 |
|---|---|
| Title | Virtual machines must have console paste operations deactivated. |
| Description | By disabling console paste operations on virtual machines, data transfer from the local client to the VM is blocked, whether the user is using Web Console, VMRC, or another console. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the isolation.tools.paste.disable value is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable. If the virtual machine advanced setting isolation.tools.paste.disable is not set to true, this is a finding. If the virtual machine advanced setting isolation.tools.paste.disable does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.paste.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.paste.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100404 |
|---|---|
| Title | Virtual machines must have virtual disk shrinking operations deactivated. |
| Description | Disabling virtual disk shrinking on virtual machines helps avoid disk unavailability issues. The ability to perform this operation is typically limited for non-administrative users in the guest environment. |
| Severity | Medium |
| Nist Controls | SC-5, |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the isolation.tools.diskShrink.disable value is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable. If the virtual machine advanced setting isolation.tools.diskShrink.disable is not set to true, this is a finding. If the virtual machine advanced setting isolation.tools.diskShrink.disable does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskShrink.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | true |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100405 |
|---|---|
| Title | Virtual machines must have virtual disk wiping operations deactivated. |
| Description | Disabling virtual disk wiping on virtual machines helps avoid disk unavailability issues. The ability to perform this operation is typically limited for non-administrative users in the guest environment. |
| Severity | Medium |
| Nist Controls | SC-5, |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the isolation.tools.diskWiper.disable value is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable. If the virtual machine advanced setting isolation.tools.diskWiper.disable is not set to true, this is a finding. If the virtual machine advanced setting isolation.tools.diskWiper.disable does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting isolation.tools.diskWiper.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
|---|---|
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1 |
| Got | 1 |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name RemoteDisplay.maxConnections | Select-Object -ExpandProperty Value |
| Status | Failed |
| Expected | 1 |
| Got | Data Not Available |
| Control | 100406 |
|---|---|
| Title | Virtual machines must limit console sharing. |
| Description | Limiting VM console sharing to one user prevents multiple observers, enhancing security. However, this might inadvertently create a potential pathway for service denial. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the RemoteDisplay.maxConnections value is set to 1. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections. If the virtual machine advanced setting RemoteDisplay.maxConnections does not exist or is not set to 1, this is a finding. Get-VM -Name $VM | Get-AdvancedSetting RemoteDisplay.maxConnections |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting RemoteDisplay.maxConnections | Set-AdvancedSetting -Value 1 |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name tools.setinfo.sizeLimit | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 1048576 or Undefined |
| Got | Data Not Available |
| Control | 100407 |
|---|---|
| Title | Virtual machines must limit informational messages from the virtual machine to the VMX file. |
| Description | Limiting VM informational messages to the VMX file prevents it from exceeding its default size of 1MB. This control prevents potential denial of service situations that could arise if the datastore becomes full. |
| Severity | Medium |
| Nist Controls | SC-5, |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the tools.setinfo.sizeLimit value is set to 1048576. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit. If the virtual machine advanced setting tools.setinfo.sizeLimit is not set to 1048576, this is a finding. If the virtual machine advanced setting tools.setinfo.sizeLimit does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting tools.setInfo.sizeLimit |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name tools.setInfo.sizeLimit | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name isolation.device.connectable.disable | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100408 |
|---|---|
| Title | Virtual machines must prevent unauthorized removal, connection and modification of devices. |
| Description | Preventing unauthorized device modifications in virtual machines blocks non-admin users or processes from connecting, disconnecting, or adjusting device settings. This measure curbs unauthorized access and operation disruption, reducing denial of service risks, as well as some avenues for exfiltrating data. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the isolation.device.connectable.disable value is set to true. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable. If the virtual machine advanced setting isolation.device.connectable.disable is not set to true, this is a finding. If the virtual machine advanced setting isolation.device.connectable.disable does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting isolation.device.connectable.disable |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name isolation.device.connectable.disable | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Control | 100409 |
|---|---|
| Title | Virtual machines must not be able to obtain host information from the hypervisor. |
| Description | Preventing VMs from obtaining host information from the hypervisor mitigates risk of advanced attacks, as it denies adversaries crucial details about the physical host. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the tools.guestlib.enableHostInfo value is set to false. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo. If the virtual machine advanced setting tools.guestlib.enableHostInfo is not set to false, this is a finding. If the virtual machine advanced setting tools.guestlib.enableHostInfo does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting tools.guestlib.enableHostInfo |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting tools.guestlib.enableHostInfo | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name sched.mem.pshare.salt | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100410 |
|---|---|
| Title | Virtual machines must restrict sharing of memory pages between VMs. |
| Description | Transparent Page Sharing (TPS) reduces VM memory footprint but could enable unauthorized data access in some very limited conditions. To bolster security, VMs should be configured with the sched.mem.pshare.salt option, preventing memory sharing with other VMs. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | Get-VM -Name $VM | Get-AdvancedSetting sched.mem.pshare.salt |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | TRUE or Undefined |
| Got | Data Not Available |
| Control | 100412 |
|---|---|
| Title | Virtual machines must be configured to lock when the last console connection is closed. |
| Description | Locking virtual machines when the last console connection closes can prevent potential unauthorized access from attackers exploiting logged-in console sessions. |
| Severity | Critical |
| Nist Controls | AC-11, AC-11(1), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> VMware Remote Console Options. Verify the option "Lock the guest operating system when the last remote user disconnects" is checked. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guest.desktop.autolock. If the virtual machine advanced setting tools.guest.desktop.autolock is not set to true, this is a finding. If the virtual machine advanced setting tools.guest.desktop.autolock does not exist, this is not a finding. If the VM is not a Windows-based VM with VMware Tools installed, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting tools.guest.desktop.autolock |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name tools.guest.desktop.autolock | Remove-AdvancedSetting |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name mks.enable3d | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | FALSE or Undefined |
| Got | Data Not Available |
| Control | 100413 |
|---|---|
| Title | Virtual machines must have 3D graphics features deactivated when not required. |
| Description | Turning off 3D graphics features on virtual machines that don't need them reduces potential attack vectors, enhancing overall system security. |
| Severity | Medium |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings. Expand the Video card and verify the "Enable 3D Support" checkbox is unchecked. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name mks.enable3d. If the virtual machine advanced setting mks.enable3d exists and is not set to false, this is a finding. If the virtual machine advanced setting mks.enable3d does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting mks.enable3d |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting mks.enable3d | Set-AdvancedSetting -Value FALSE |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.MigrateEncryption |
|---|---|
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.MigrateEncryption |
| Status | Passed |
| Expected | Should be in - opportunistic required |
| Got | opportunistic |
| Control | 100414 |
|---|---|
| Title | Virtual machines must require encryption for vMotion. |
| Description | Requiring encryption for vMotion in virtual machines guarantees secure data transfer. The default 'opportunistic' encryption likely results in encryption due to widespread AES-NI support in vSphere-compatible hardware. However, enforcing 'required' encryption prevents any unencrypted operations. |
| Severity | High |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -eq "disabled")}. If the Encrypted vMotion setting does not have a value of Opportunistic or Required, this is a finding. (Get-VM -Name $VM).ExtensionData.Config.MigrateEncryption |
| Fix Text | $VMview = Get-VM -Name $VM | Get-View; $ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec; $ConfigSpec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes; $ConfigSpec.MigrateEncryption = "required"; $VMview.ReconfigVM_Task($ConfigSpec) |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.FtEncryptionMode |
|---|---|
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.FtEncryptionMode |
| Status | Passed |
| Expected | Should be in - ftEncryptionOpportunistic ftEncryptionRequired |
| Got | ftEncryptionOpportunistic |
| Control | 100415 |
|---|---|
| Title | Virtual machines must require encryption for Fault Tolerance. |
| Description | Requiring encryption for Fault Tolerance in VMs ensures secure data transmission. While the default 'opportunistic' encryption likely results in encryption due to ubiquitous AES-NI support in vSphere-compatible hardware, enforcing 'required' encryption guarantees no unencrypted operations. |
| Severity | High |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text | If the Virtual Machine does not have Fault Tolerance enabled, this is not applicable. For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionOpportunistic") -and ($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionRequired")}. If the Encrypted FT setting does not have a value of Opportunistic or Required, this is a finding. (Get-VM -Name $VM).ExtensionData.Config.FtEncryptionMode |
| Fix Text | $VMview = Get-VM -Name $VM | Get-View; $ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec; $ConfigSpec.FtEncryptionMode = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes; $ConfigSpec.FtEncryptionMode = "ftEncryptionRequired"; $VMview.ReconfigVM_Task($ConfigSpec) |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
|---|---|
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-AdvancedSetting -Name log.rotateSize | Select-Object -ExpandProperty Value |
| Status | Passed |
| Expected | 2048000 or empty |
| Got | Data Not Available |
| Control | 100416 |
|---|---|
| Title | Virtual machines must limit the size of diagnostic logs. |
| Description | Limiting the size of diagnostic logs on VMs prevents excessive space consumption, particularly on long-running VMs. As per VMware guidelines, the recommended minimum limit is 2MB. |
| Severity | Medium |
| Nist Controls | SC-5, |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> Advanced Parameters. Verify the log.rotateSize value is set to 2048000. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name log.rotateSize. If the virtual machine advanced setting log.rotateSize is not set to 2048000, this is a finding. If the virtual machine advanced setting log.rotateSize does not exist, this is not a finding. Get-VM -Name $VM | Get-AdvancedSetting log.rotateSize |
| Fix Text | Get-VM -Name $VM | Get-AdvancedSetting -Name log.rotateSize | Remove-AdvancedSetting |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.Flags.EnableLogging |
|---|---|
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.Flags.EnableLogging |
| Status | Passed |
| Expected | true |
| Got | true |
| Control | 100418 |
|---|---|
| Title | Virtual machines must enable diagnostic logging. |
| Description | Diagnostic logging for virtual machines helps with forensics and troubleshooting. |
| Severity | Medium |
| Nist Controls | AU-2, AU-3, AU-3(1), AU-4, AU-12, AU-12(1), |
| Check Text | For each virtual machine do the following: From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced. Ensure that the checkbox next to "Enable logging" is checked. Or, from a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {$_.ExtensionData.Config.Flags.EnableLogging -ne $true}. If logging is not enabled, this is a finding. Get-VM -Name $VM | Where {$_.ExtensionData.Config.Flags.EnableLogging -ne $true} |
| Fix Text | $VMview = Get-VM -Name $VM | Get-View; $ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec; $ConfigSpec.Flags = New-Object VMware.Vim.VirtualMachineFlagInfo; $ConfigSpec.Flags.EnableLogging = $true; $VMview.ReconfigVM_Task($ConfigSpec) |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
|---|---|
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-02a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-02a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-03a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'nsx-l-03a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'sddc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vc-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-HardDisk | Select-Object -ExpandProperty Persistence |
| Status | Passed |
| Expected | Attached disks in vm should not be in independent nonpersistent mode |
| Got | Persistent |
| Control | 100419 |
|---|---|
| Title | Virtual machines (VMs) must not use independent, non-persistent disks. |
| Description | The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. There can be valid use cases for these types of disks, such as with an application presentation solution where read-only disks are desired, and such cases should be identified and documented. |
| Severity | High |
| Nist Controls | |
| Check Text |
For each virtual machine do the following:
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings.
Review the attached hard disks and verify they are not configured as independent nonpersistent disks.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM "VM Name" | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence | FT -AutoSize
If the virtual machine has attached disks that are in independent nonpersistent mode and are not documented, this is a finding. |
| Fix Text | From the vSphere Client, right-click the Virtual Machine and go to Edit Settings.Review the attached hard disks and verify they are not configured as independent nonpersistent disks. |
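The check above is per VM and reports every disk, which is why the result rows for vc-l-01a repeat once per attached disk. The PowerCLI script below is an added example, not part of the scan report or of the STIG text: it audits all VMs in one pass, keeps only independent non-persistent disks that are not on a documented exception list (the control allows documented read-only use cases), and switches the remainder to persistent mode with Set-HardDisk. The exception table and its VM/disk names are hypothetical; the power-state and snapshot guard is a conservative assumption, since disk mode cannot be changed on a VM that has snapshots.

```powershell
# Added example (not the scan tool's or the STIG's code). Assumes an existing
# PowerCLI session (Connect-VIServer already run against vCenter).

# Hypothetical exception list: VM name -> disk names documented as legitimately
# independent non-persistent (e.g. an application presentation appliance).
$DocumentedExceptions = @{
    # 'app-present-01' = @('Hard disk 2')
}

function Get-NonPersistentDiskFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)
    process {
        foreach ($disk in ($VM | Get-HardDisk)) {
            # Persistence is one of: Persistent, NonPersistent,
            # IndependentPersistent, IndependentNonPersistent
            if ($disk.Persistence -ne 'IndependentNonPersistent') { continue }
            $allowed = $DocumentedExceptions[$VM.Name]
            [pscustomobject]@{
                VM          = $VM.Name
                Disk        = $disk.Name
                Filename    = $disk.Filename
                Persistence = $disk.Persistence
                PowerState  = $VM.PowerState
                Documented  = [bool]($allowed -and ($allowed -contains $disk.Name))
            }
        }
    }
}

# Only undocumented independent non-persistent disks are findings under this control
$findings = Get-VM | Get-NonPersistentDiskFinding | Where-Object { -not $_.Documented }
$findings | Format-Table -AutoSize

# Remediation. A disk's mode cannot be changed while the VM has snapshots, and the
# VM is required to be powered off here as a conservative assumption; anything else
# is reported for a maintenance window instead of being changed in place.
foreach ($f in $findings) {
    $vm = Get-VM -Name $f.VM
    if ($vm.PowerState -ne 'PoweredOff' -or (Get-Snapshot -VM $vm)) {
        Write-Warning "$($f.VM)/$($f.Disk): power off and remove snapshots before changing disk mode"
        continue
    }
    $vm | Get-HardDisk -Name $f.Disk | Set-HardDisk -Persistence Persistent -Confirm:$false
}
```

Run the report section first and review the Documented column against your change records; the remediation loop only touches disks that survived that filter.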
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-FloppyDrive).Count |
|---|---|
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'nsx-edge-l-01a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'nsx-edge-l-02a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'nsx-l-01a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'nsx-l-02a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'nsx-l-03a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'sddc-l-01a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'vc-l-01a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Command | (Get-VM -Name 'vrlcm-l-01a' | Get-FloppyDrive).Count |
| Status | Passed |
| Expected | Virtual machine should not have a floppy drive connected |
| Got | 0 |
| Control | 100420 |
|---|---|
| Title | Virtual machines (VMs) must remove unneeded floppy devices. |
| Description | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
Floppy drives are no longer visible through the vSphere Client; they must be reviewed and removed via the Application Programming Interface (API) or PowerCLI.
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState
If a virtual machine has a floppy drive connected, this is a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-CDDrive).ExtensionData.connectable.connected |
|---|---|
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-edge-l-01a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'nsx-edge-l-02a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'nsx-l-01a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'nsx-l-02a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'nsx-l-03a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'sddc-l-01a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | false |
| Command | (Get-VM -Name 'vc-l-01a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | false |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | Data Not Available |
| Command | (Get-VM -Name 'vrlcm-l-01a' | Get-CDDrive).ExtensionData.connectable.connected |
| Status | Passed |
| Expected | Virtual machine should not have a CD/DVD drive connected |
| Got | false |
| Control | 100421 |
|---|---|
| Title | Virtual machines (VMs) must remove unneeded CD/DVD devices. |
| Description | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
For each virtual machine do the following:
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings.
Review the VM's hardware and verify no CD/DVD drives are connected.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent,Name
If a virtual machine has a CD/DVD drive connected other than temporarily, this is a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
|---|---|
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Failed |
| Expected | Virtual machine should not have a Parallel device connected |
| Got | true |
| Control | 100422 |
|---|---|
| Title | Virtual machines (VMs) must remove unneeded parallel devices. |
| Description | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
Parallel devices are no longer visible through the vSphere Client; they must be reviewed and removed via the Application Programming Interface (API) or PowerCLI.
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "parallel"}
If a virtual machine has a parallel device present, this is a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
|---|---|
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a Serial device connected |
| Got | false |
| Control | 100423 |
|---|---|
| Title | Virtual machines (VMs) must remove unneeded serial devices. |
| Description | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
For each virtual machine do the following:
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings.
Review the VM's hardware and verify no serial devices exist.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "serial"}
If a virtual machine has a serial device present, this is a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | (Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
|---|---|
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-edge-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-edge-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-02a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'nsx-l-03a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'sddc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'vc-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Command | (Get-VM -Name 'vrlcm-l-01a').ExtensionData.Config.Hardware.Device | Select-Object -ExpandProperty DeviceInfo | Select-Object -ExpandProperty Label |
| Status | Passed |
| Expected | Virtual machine should not have a USB device connected |
| Got | false |
| Control | 100424 |
|---|---|
| Title | Virtual machines (VMs) must remove unneeded USB devices. |
| Description | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
For each virtual machine do the following:
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings.
Review the VM's hardware and verify no USB devices exist.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:
Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "usb"}
Get-VM | Get-UsbDevice
If a virtual machine has any USB devices or USB controllers present, this is a finding.
If USB smart card readers are used to pass smart cards through the VM console to a VM, the use of a USB controller and USB devices for that purpose is not a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | Get-VM -Name 'HST-PRODUCTION-1.0.0-24821845' | Get-PassthroughDevice |
|---|---|
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-01a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-edge-l-02a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-01a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-02a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'nsx-l-03a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'sddc-l-01a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'vc-l-01a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-323e2842-8485-0ef0-ac5d-80c73f207a82' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'vCLS-93232842-0f25-b32c-ab6f-a2ccc1bb08e7' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Command | Get-VM -Name 'vrlcm-l-01a' | Get-PassthroughDevice |
| Status | Passed |
| Expected | Virtual machine should not have a Passthrough device |
| Got | Data Not Available |
| Control | 100425 |
|---|---|
| Title | Virtual machines (VMs) must disable DirectPath I/O devices when not required. |
| Description | VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21) |
| Check Text |
For each virtual machine do the following:
From the vSphere Client, view the Summary tab.
Review the PCI devices section and verify none exist.
or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:
Get-VM "VM Name" | Get-PassthroughDevice
If the virtual machine has passthrough devices present, and the specific device returned is not approved, this is a finding.
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100443 |
|---|---|
| Title | Remove unnecessary virtual hardware devices from the VM. |
| Description | Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. USB devices, sound cards, and other unnecessary hardware may be introduced by migrations from VMware Workstation or Fusion, or through other tools. Any enabled or connected device is a potential attack channel: its device driver may contain vulnerabilities, and the device itself may allow software to be introduced into, or data exfiltrated from, a protected environment. Note: Removing the CD-ROM device may impact VMware Tools installation and maintenance. |
| Severity | High |
| Nist Controls | |
| Check Text |
$VMview = Get-VM -Name $VM | Get-View
$UnnecessaryHardware = "VirtualUSBController|VirtualUSBXHCIController|VirtualParallelPort|VirtualFloppy|VirtualSerialPort|VirtualHdAudioCard|VirtualAHCIController|VirtualEnsoniq1371|VirtualCdrom"
$VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $UnnecessaryHardware} | Foreach-Object {
    $devname = $_.GetType().Name
    Write-Host "$VM`: [WARNING] VM has a $devname device. Please evaluate and consider removing." -ForegroundColor Yellow
} |
| Fix Text | Data Not Available |
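Controls 100420 through 100425 and 100443 all end in the same warning-only script, which keys on the device class name and prints a line per device; it neither separates "present" from "connected" (the CD/DVD check cares about the latter), nor honours the exceptions the controls allow (USB smart-card passthrough, approved passthrough devices, a CD-ROM kept for Tools maintenance), nor removes anything. The parallel-port results on this page also show why matching on the device class is preferable to the label regex: the scan reports "true" for all eleven VMs, the vCLS VMs included, and that is worth confirming against the actual device list before raising eleven findings. The script below is an added example, not the scan tool's or the STIG's code. It inventories every VM by device class, records connection state where the device has one, applies a hypothetical exception table, and removes undocumented devices through ReconfigVM_Task (parallel and serial ports have no Remove-* cmdlet in PowerCLI, so the same API path is used for every class). Assumptions: an existing PowerCLI session, the VM-name prefix vCLS- for vSphere Cluster Services VMs, and removal restricted to powered-off VMs because hot-removal is not supported for all of these device classes.

```powershell
# Added example (not the scan tool's or the STIG's code). Assumes an existing
# PowerCLI session against vCenter.

# Device classes called out by the controls on this page, keyed to the control number
$DeviceControls = @{
    'VirtualFloppy'            = '100420'
    'VirtualCdrom'             = '100421'
    'VirtualParallelPort'      = '100422'
    'VirtualSerialPort'        = '100423'
    'VirtualUSBController'     = '100424'
    'VirtualUSBXHCIController' = '100424'
    'VirtualUSB'               = '100424'
    'VirtualPCIPassthrough'    = '100425'
    'VirtualHdAudioCard'       = '100443'
    'VirtualEnsoniq1371'       = '100443'
    'VirtualAHCIController'    = '100443'
}

# Hypothetical exception table: VM name -> device classes documented as required
$Exceptions = @{
    # 'jump-host-01' = @('VirtualUSBXHCIController', 'VirtualUSB')   # smart-card passthrough
}

function Get-VMDeviceFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)
    process {
        # vSphere Cluster Services VMs are owned and re-created by vCenter; do not reconfigure them
        if ($VM.Name -like 'vCLS-*') { return }
        $view = $VM | Get-View -Property Name, Config.Hardware.Device
        foreach ($dev in $view.Config.Hardware.Device) {
            $type = $dev.GetType().Name
            if (-not $DeviceControls.ContainsKey($type)) { continue }
            # Controllers have no Connectable member; drives and ports do
            $connected = if ($dev.Connectable) { [bool]$dev.Connectable.Connected } else { $null }
            [pscustomobject]@{
                VM         = $VM.Name
                Control    = $DeviceControls[$type]
                DeviceType = $type
                Label      = $dev.DeviceInfo.Label
                Key        = $dev.Key
                Connected  = $connected
                Documented = [bool]($Exceptions[$VM.Name] -contains $type)
            }
        }
    }
}

function Remove-VMDevice {
    # Remove a device by its key via the vSphere API (VirtualDeviceConfigSpec "remove")
    param([Parameter(Mandatory)] $VM, [Parameter(Mandatory)] [int] $DeviceKey)
    $view   = $VM | Get-View
    $device = $view.Config.Hardware.Device | Where-Object { $_.Key -eq $DeviceKey }
    if (-not $device) { throw "Device key $DeviceKey not found on $($VM.Name)" }
    $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
    $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
    $change.Device = $device
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @($change)
    $view.ReconfigVM_Task($spec)
}

$findings = Get-VM | Get-VMDeviceFinding | Where-Object { -not $_.Documented }
$findings | Sort-Object Control, VM | Format-Table -AutoSize

# Passthrough devices (100425) need an approval decision per device, so they are only
# reported. Everything else is removed from powered-off VMs only; a CD-ROM removal
# should additionally be scheduled around VMware Tools maintenance.
foreach ($f in $findings | Where-Object { $_.DeviceType -ne 'VirtualPCIPassthrough' }) {
    $vm = Get-VM -Name $f.VM
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$($f.VM): $($f.Label) (control $($f.Control)) left in place; VM is powered on"
        continue
    }
    Remove-VMDevice -VM $vm -DeviceKey $f.Key | Out-Null
}
```

The Connected column is what distinguishes a temporarily mounted ISO (a pass under 100421 once disconnected) from a drive that is wired in permanently; the DeviceType column is what the page's label-based checks lack.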
| Command | (Get-vsanClusterConfiguration -Cluster sfo-m01-cl01).EncryptionEnabled |
|---|---|
| Status | Failed |
| Expected | true |
| Got | false |
| Control | 100801 |
|---|---|
| Title | vSAN must protect data at rest. |
| Description | vSAN Data-at-Rest encryption helps maintain the confidentiality of sensitive data while it resides on storage devices and reduces the risk of unauthorized access or exposure in the event of physical theft or loss. This configuration parameter can be altered while the cluster is operational. Enabling data-at-rest protections reformats disk groups (for vSAN OSA) or rewrites stored objects (for vSAN ESA), which may take considerable time, but it is done in the background; workloads do not need to be powered off. vSAN ESA 8.0.2 introduced the ability to enable data-at-rest protections on an existing vSAN ESA datastore; vSAN ESA 8.0.3 introduced the ability to disable it again. Run the latest version of vSAN if using ESA. Applications handling data that requires at-rest protection must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Data encryption ensures that data can only be consumed by systems that hold the appropriate cryptographic keys; systems without the keys cannot consume the data in any meaningful way, because it remains encrypted with the Advanced Encryption Standard (AES) from the National Institute of Standards and Technology (NIST). vSAN supports Data-At-Rest Encryption and Data-in-Transit Encryption and uses an AES-256 cipher. Data is encrypted after all other processing, such as deduplication, is performed. Data-at-rest encryption protects data on storage devices in case a device is removed from the cluster. |
| Severity | Critical |
| Nist Controls | SC-13, SC-28, SC-28(1), |
| Check Text |
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services. Review the Data-at-rest encryption status. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-Cluster | Where-Object {$_.VsanEnabled -eq $true} | Get-VsanClusterConfiguration | Select-Object Name,EncryptionEnabled. If Data-at-Rest encryption is not enabled, this is a finding. Get-Cluster | Where-Object {$_.VsanEnabled -eq $true} | Get-VsanClusterConfiguration | Select-Object Name,EncryptionEnabled |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100802 |
|---|---|
| Title | The vCenter Server must enable data in transit encryption for vSAN. |
| Description | vSAN Data-in-Transit encryption helps ensure that sensitive data remains confidential while traversing the network, reducing the risk of unauthorized access or interception. This configuration parameter can be altered while the cluster is operational. |
| Severity | Critical |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text |
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the vCenter Server >> Select the cluster >> Configure >> vSAN >> Services >> Data Services. Review the Data-in-transit encryption status. Or, from a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system $vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name $vsanclusterconf = Get-VsanView -Id VsanVcClusterConfigSystem-vsan-cluster-config-system $vsanclusterconf.VsanClusterGetConfig((Get-Cluster -Name |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100805 |
|---|---|
| Title | NFS file shares on vSAN File Services must be configured to restrict access. |
| Description | When configuring an NFS file share, the Customize net access option should be selected with a restrictive set of permissions configured. |
| Severity | Critical |
| Nist Controls | AC-4, AC-4(4), AC-5, AC-6, CM-6, CM-7, SC-7, SC-7(5), SC-7(21), |
| Check Text |
When configuring an NFS file share, the Customize net access option should be selected with a restrictive set of permissions configured. |
| Fix Text | Data Not Available |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100806 |
|---|---|
| Title | SMB file shares on vSAN File Services must accept only encrypted SMB authentication communications. |
| Description | When configuring an SMB file share, the Protocol Encryption option must be enabled. |
| Severity | Critical |
| Nist Controls | AC-17(2), SC-8, SC-8(1), SC-13, SC-28(1), |
| Check Text |
When configuring an SMB file share, the Protocol Encryption option must be enabled. Get-VSANFileShare -Name |
| Fix Text |
Set-VSANFileShare -Name |
| Command | (Get-vsanClusterConfiguration -Cluster sfo-m01-cl01).VsanOperationReservationState |
|---|---|
| Status | Failed |
| Expected | Enabled |
| Got | 2 |
| Control | 100808 |
|---|---|
| Title | vSAN must reserve space to complete internal maintenance operations. |
| Description | The vSAN Operations Reserve capacity setting helps ensure that vSAN always has sufficient free space to maintain the availability and reliability of the vSAN datastore and prevent potential data loss or service disruptions due to insufficient capacity during operations like policy changes. This configuration parameter can be altered while the cluster is operational. vSAN Host Reserve can also be enabled, but use of Auto-Policy Management will be constrained on small vSAN clusters. Please see the post "Understanding 'Reserved Capacity' Concepts in vSAN" (https://blogs.vmware.com/cloud-foundation/2022/02/18/understanding-reserved-capacity-concepts-in-vsan/) for more information. |
| Severity | Critical |
| Nist Controls | |
| Check Text |
Get-VSANCluster -Name Get-VSANCluster -Name |
| Fix Text |
Set-VSANCluster -Name |
| Command | This check is a manual or policy based check and must be reviewed manually. |
|---|---|
| Status | Manual |
| Expected | Data Not Available |
| Got | Data Not Available |
| Control | 100809 |
|---|---|
| Title | The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server. |
| Description | The vSAN Health Check is able to download the HCL from VMware to check compliance against the underlying vSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet, this functionality must be disabled. If this feature is necessary, an external proxy server must be configured. |
| Severity | Medium |
| Nist Controls | |
| Check Text |
If no clusters are enabled for vSAN, this is not applicable. From the vSphere Client, go to Hosts and Clusters. Select the vCenter Server >> Configure >> vSAN >> Internet Connectivity. If the HCL internet download is not required, verify Status is Disabled. If the Status is Enabled, this is a finding. If the HCL internet download is required, verify Status is Enabled and a proxy host is configured. If Status is Enabled and a proxy is not configured, this is a finding. |
| Fix Text | Data Not Available |