The vCenter Server must disable the distributed virtual switch health check.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258934 | VCSA-80-000267 | SV-258934r934460_rule | Medium |
| Description |
|---|
| Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off when troubleshooting is finished. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 |
Details
| Check Text ( C-62674r934458_chk ) |
|---|
| If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify the "VLAN and MTU" and "Teaming and failover" checks are "Disabled". or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vds = Get-VDSwitch $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding. |
| Fix Text (F-62583r934459_fix) |
|---|
| From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Health Check. Click "Edit". Disable the "VLAN and MTU" and "Teaming and failover" checks. Click "OK". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))} |