VMware ESX 3 Policy
Status: accepted
The VMware ESX 3 Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Publisher: DISA
Source: STIG.DOD.MIL
Release: 2 Benchmark Date: 22 Jul 2016
Version: 1

Profiles:
I - Mission Critical Classified
I - Mission Critical Public
I - Mission Critical Sensitive
II - Mission Support Classified
II - Mission Support Public
II - Mission Support Sensitive
III - Administrative Classified
III - Administrative Public
III - Administrative Sensitive

ESX0330: A third party firewall is configured on ESX Server.
Group title: A 3rd party firewall is configured on ESX Server.
Discussion: Third party software and services should not be installed in the service console. The service console is not intended to support the operation of additional software or services beyond what is included in the default ESX installation. VMware does not support the addition of third party applications that have not been explicitly approved.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
Reference: DPMS Target ESX Architecture and Policy; DISA; DPMS Target; ESX Architecture and Policy; 1366
Fix: Remove third party firewalls from the ESX Server service console.
Check: Ask the IAO/SA if any third party firewalls are installed on the ESX Server service console. If the answer is yes, inquire as to what is installed. If it is anything other than IPtables, this is a finding.

ESX0380: Hash signatures for the /etc files are not reviewed monthly.
Group title: Hash signatures for /etc file not reviewed.
Discussion: Several files within ESX Server should be checked for file system integrity periodically. These files have been deemed critical by VMware in maintaining file system integrity. System administrators must ensure these files have the correct permissions and have not been modified. To ensure integrity, system administrators will use a FIPS 140-2 hash algorithm to create signatures of these files and store them offline. Comparing these hash values periodically will verify the integrity of the files.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
Fix: Review the hash signatures for the /etc files monthly.
Check: Ask the IAO/SA how often the hash signatures are reviewed. If they are not reviewed at least monthly, this is a finding.
File Location Permission
/etc/fstab 640
/etc/group 644
/etc/host.conf 640
/etc/hosts 640
/etc/hosts.allow 640
/etc/hosts.deny 640
/etc/logrotate.conf 640
/etc/logrotate.d/ 700
/etc/modules.conf 640
/etc/motd 640
/etc/ntp 755
/etc/ntp.conf 644
/etc/pam.d/system-auth 644
/etc/profile 644
/etc/shadow 400
/etc/securetty 600
/etc/ssh/sshd_config 600
/etc/snmp 755
/etc/sudoers 440
/etc/vmware 755
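One way to carry out the baseline-and-compare review that ESX0380 describes, as an added example that is not part of the STIG: it records a SHA-256 digest and the permission bits for each listed path, saves the result for offline storage, and reports any drift against the table above. The function names and the `root` parameter (for auditing a mounted or copied tree) are assumptions, and whether the hashing module itself is FIPS 140-2 validated depends on the host.

```python
import hashlib
import json
import os
import stat

# Expected permission bits, copied from the STIG table above.
EXPECTED_MODES = {
    "/etc/fstab": 0o640, "/etc/group": 0o644, "/etc/host.conf": 0o640,
    "/etc/hosts": 0o640, "/etc/hosts.allow": 0o640, "/etc/hosts.deny": 0o640,
    "/etc/logrotate.conf": 0o640, "/etc/logrotate.d/": 0o700,
    "/etc/modules.conf": 0o640, "/etc/motd": 0o640, "/etc/ntp": 0o755,
    "/etc/ntp.conf": 0o644, "/etc/pam.d/system-auth": 0o644,
    "/etc/profile": 0o644, "/etc/shadow": 0o400, "/etc/securetty": 0o600,
    "/etc/ssh/sshd_config": 0o600, "/etc/snmp": 0o755,
    "/etc/sudoers": 0o440, "/etc/vmware": 0o755,
}


def _digest(path):
    """SHA-256 of a file's bytes, or of the sorted entry names for a directory."""
    h = hashlib.sha256()
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            h.update(name.encode("utf-8") + b"\0")
    else:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


def snapshot(root="/", paths=EXPECTED_MODES):
    """Return {path: {"sha256": hex, "mode": "640"}}; absent paths map to None."""
    result = {}
    for p in sorted(paths):
        real = os.path.join(root, p.lstrip("/"))
        if not os.path.exists(real):
            result[p] = None
            continue
        mode = stat.S_IMODE(os.stat(real).st_mode)
        result[p] = {"sha256": _digest(real), "mode": format(mode, "03o")}
    return result


def save_baseline(snap, manifest_path):
    """Write the snapshot as JSON so it can be moved to offline storage."""
    with open(manifest_path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(manifest_path):
    with open(manifest_path) as fh:
        return json.load(fh)


def review(baseline, current, expected=EXPECTED_MODES):
    """Compare a fresh snapshot to the stored baseline; return (path, issue) pairs."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if new is None:
            if old is not None:
                findings.append((p, "missing since baseline"))
            continue
        if old is None:
            findings.append((p, "not in baseline"))
        elif old["sha256"] != new["sha256"]:
            findings.append((p, "content changed"))
        want = expected.get(p)
        if want is not None and int(new["mode"], 8) != want:
            findings.append((p, "mode %s, expected %03o" % (new["mode"], want)))
    return findings


if __name__ == "__main__":
    # First run: snapshot() then save_baseline(); monthly: load_baseline() then review().
    for path, issue in review(snapshot(), snapshot()):
        print(path, issue)
```

Keep the saved manifest off the host it describes, since a baseline stored beside the files it covers can be altered along with them.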

ESX0420: ESX Server log files are not reviewed daily.
Group title: ESX Server log files are not reviewed daily
Discussion: Logs form a recorded history or audit trail of the ESX Server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together information if an investigation is required. Without this recorded history, potential attacks and suspicious activity will go unnoticed.
ESX Server log files that are critical to record include VMkernel, VMkernel warnings, VMkernel summary, ESX Server host agent, virtual machines, VI Client agent, Web Access, service console, and authentication. The VMkernel logs record activities related to the virtual machines and the ESX Server. The VMkernel warning log file records activities with the virtual machines. The VMkernel summary is used to determine uptime and availability statistics for the ESX Server. The ESX Server host agent log contains information on the agent that manages and configures the ESX Server host. This log may assist in diagnosing connection problems. The virtual machine log files contain information when a virtual machine crashes or shuts down abnormally. The VI Client agent is installed on each managed ESX Server and this log records all the activities of the agent. Web Access records information on web-based access to the ESX Server. This is important to view since web-based access to the ESX Server should be disabled. The service console messages contain all general log messages used to troubleshoot virtual machines or the ESX Server. The authentication log contains records of connections that require authentication.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECAT-1, ECAT-2
Fix: Review ESX Server log files daily.
Check: Ask the IAO/SA how often they review the ESX Server log files listed below:
VMkernel: /var/log/vmkernel
VMkernel warnings: /var/log/vmkwarning
VMkernel summary: /var/log/vmksummary.txt
ESX Server host agent log: /var/log/vmware/hostd.log
Individual virtual machine logs: <path to virtual machine on ESX Server>/vmware.log
VI Client agent log: /var/log/vmware/vpx/vpxa.log
Web access: /var/log/vmware/webAccess
Service console: /var/log/messages
Authentication log: /var/log/secure
Caveat: If the log files are being written to a syslog server, work with the system administrator to verify they are being reviewed there.
If the IAO/SA does not review them daily, this is a finding.

ESX0460: The IAO/SA does not subscribe to vendor security patches and update notifications.
Group title: No subscription to VMware vendor website
Discussion: Organizations need to stay current with all applicable ESX Server software updates that are released from VMware. In order to be aware of updates as they are released, virtualization server administrators will subscribe to ESX Server vendor security notices, updates, and patches to ensure that all new vulnerabilities are known. New ESX Server patches and updates should be reviewed in a test environment for the ESX Server before moving them into a production environment.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECSC-1
Fix: Subscribe to vendor security and patch notifications.
Check: Ask the IAO/SA to provide an actual update notification to verify that they are on the subscription list. The email subscription for VMware is security-announce@lists.vmware.com. If no emails or documentation can be provided, this is a finding.

ESX0520: There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.
Group title: Backup and recovery procedures don't exist
Discussion: Backup and recovery procedures are critical to the availability and protection of the virtual infrastructure. Availability of the system will be hindered if the system is compromised, shut down, or not available.
Backup and recovery of the virtual environment includes the ESX Servers, management servers, and virtual machines. The ESX Server has three major components required for backup and recovery. These components are virtual disks, virtual machine configuration files, and the configuration of the ESX Server itself. Due to the array of products and options available to back up the virtualization infrastructure, procedures will need to be developed to provide guidance to system administrators.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: DCSD-1
Fix: Develop backup and recovery procedures for the virtual infrastructure.
Check: Request a copy of the backup and recovery procedures for the ESX Servers, management applications, and virtual machines. If no procedures can be produced or they are incomplete, this is a finding.

ESX0540: Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
Group title: Disaster recovery plan is not complete
Discussion: Disaster and recovery plans should be drafted and exercised in accordance with the MAC level of the system/Enclave as defined by the DoDI 85002. Disaster plans provide for the resumption of mission or business essential functions. A disaster plan must exist that provides for the resumption of mission or business essential functions within the specified period of time depending on MAC level.
(Disaster recovery procedures include business recovery plans, system contingency plans, facility disaster recovery plans, and plan acceptance).
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: CODP-1, CODP-2, CODP-3
Fix: Add the virtual infrastructure to the disaster recovery plan.
Check: Request a copy of the disaster recovery plan from the IAO/SA. Review the plan to verify that the ESX Server, management applications, virtual machines, and all necessary system peripherals are included in the plan. If the plan does not include the virtual infrastructure or is incomplete, this is a finding.

ESX0760: Users assigned to VirtualCenter groups are not documented.
Group title: VirtualCenter groups are not documented
Discussion: Ensuring privileged group membership is controlled requires updates to group documentation, and periodic reviews to determine that unauthorized users are not members.
If an unauthorized user is able to gain membership to the Database Administrator group, Virtual Machine Administrator group, or the Resource Administrator group, etc., that user would be able to display, add, or change permissions to objects that could impact the confidentiality, integrity, or availability of an entire virtualization structure.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECSC-1
Fix: Document all the users assigned to all VirtualCenter groups.
Check: Request a copy of the VirtualCenter group documentation listing the users in the following groups:
Database Administrators,
Virtual Machine Administrators,
Resource Pool Administrators,
ESX Administrators,
Virtual Machine Power Users, and
All Custom Roles
If documentation cannot be produced, this is a finding. Compare the documentation to the actual users assigned in the groups. If there are discrepancies, this is a finding.

ESX0770: Users in the VirtualCenter Server Windows Administrators group are not documented.
Group title: Users are not documented correctly
Discussion: Users who are members of the Windows administrators group on the VirtualCenter server are granted the same access rights as any user assigned to the VirtualCenter administrator role. These users need to be documented to ensure only authorized users are members of this group.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECSC-1
Fix: Document all users in the Windows Administrators group.
Check: Request a copy of the document specifying users assigned to the Windows Administrators group on the VirtualCenter Server. If no documentation exists, this is a finding. Compare the documented users to those listed in the group on the server. If any discrepancies exist, this is a finding.

ESX0780: VirtualCenter Server groups are not reviewed monthly.
Group title: VirtualCenter Server groups are not reviewed
Discussion: Reviewing the VirtualCenter groups will ensure that no unauthorized users have been granted access to objects.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECAT-1, ECAT-2
Fix: Review the VirtualCenter groups monthly.
Check: Ask the IAO/SA how often the following groups are reviewed on the VirtualCenter Server:
Windows Administrators group,
Database Administrators,
Virtual Machine Administrators,
Resource Pool Administrators,
ESX Administrators,
Virtual Machine Power Users, and
All Custom Roles.
If these groups are not reviewed at least monthly, this is a finding.

ESX0790: No documented configuration management process exists for VirtualCenter changes.
Group title: No documented configuration management process
Discussion: VirtualCenter objects might have multiple permissions for users and/or groups. Permissions are applied hierarchically downward on these objects. For each permission the administrator must decide if the permission applies only to that immediate object, or downward to all sub objects. Permissions may be overridden by setting different permissions on a lower object. These situations can create confusion and permissions that were thought to be limited might actually be elevated. Furthermore, all changes take effect immediately, without requiring users to log off and log back in. Configuration management is critical for all modifications since the new change may override previously configured permissions.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
Fix: Document a configuration management process for all VirtualCenter modifications.
Check: Request a copy of the configuration management process document. If the document is incomplete or does not exist, this is a finding.

ESX0800: There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
Group title: No VirtualCenter baseline configuration document
Discussion: When pairing users or groups with permissions to an object, a role is defined for users and groups. There are two default roles defined in VirtualCenter called System roles and Sample roles. System roles are permanent and the permissions associated with these roles cannot be changed. Sample roles are provided for convenience as guidelines and suggestions. These roles may be modified or removed. VirtualCenter situations may arise where a user is a member of multiple groups with different permissions or user permissions are explicitly defined when the user is a member of different groups.
These situations can create confusion and permissions that were thought to be limited might actually be elevated. Furthermore, all changes take effect immediately, without requiring users to log off and log back in. Therefore, all users, groups, permissions, and roles will be documented and approved to ensure proper permissions are granted only to authorized users.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: ECSC-1
Fix: Create a baseline configuration document for all VirtualCenter users, groups, permissions, and roles.
Check: Request a copy of the baseline configuration document for all VirtualCenter users, groups, permissions, and roles. If the document is incomplete or does not exist, this is a finding.

ESX0820: VirtualCenter logs are reviewed daily.
Group title: VirtualCenter logs are reviewed daily
Discussion: It is necessary to review VirtualCenter logs; otherwise suspicious activity, problems, attacks, or system warnings will go undetected. These logs provide visibility into the activities and events of the VirtualCenter.
These logs give system administrators and auditors the ability to recreate past events, monitor the system, and ensure security policies are being enforced.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
Fix: Review the VirtualCenter logs daily.
Check: Ask the IAO/SA how often they review the VirtualCenter logs. VirtualCenter logs include System Logs and Events. If the logs are not reviewed daily, this is a finding.

ESX0860: There is no up-to-date documentation of the virtualization infrastructure.
Group title: Virtual infrastructure documents not up-to-date
Discussion: With the creation of virtual machines, the actual virtual network topology becomes increasingly complex. The topology changes when a virtual machine is created, added to a virtual switch or port group, moved to another virtualization server, etc.
With the dynamic nature of the virtualization environment, administrators of the virtualization environment will maintain up-to-date documentation for all virtual machines, virtual switches, IP addresses, MAC addresses, etc.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Server Administrator]
IA Controls: DCHW-1, DCSW-1
Fix: Develop up-to-date documentation for the virtualization infrastructure.
Check: Request a copy of all the virtualization infrastructure documentation. Documentation must include all ESX Servers, virtual machines, IP addresses, MAC addresses, virtual switches, operating systems, and any virtual applications. If the documentation does include all of these components, this is a finding.

ESX0930: The VMware-converter utility is not used for VMDK imports or exports.
Group title: VMware-converter utility not used for VMDK
Discussion: There will be situations that require the import or export of VMDK files on the VMFS partition. Importing and exporting disk files can also be done through the Virtual Infrastructure Client or service console by copying the files from VMFS mount and pasting them to a partition running ext3 file system. Utilizing the VMware-converter utility is required since the VMFS file system utilizes such large files. There are third-party converters available that may work with VMware virtual machines; however, none have been thoroughly tested or approved by VMware.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Machine Administrator]
IA Controls: ECSC-1
Fix: Use the VMware-converter for all import and export of VMDK files to VMFS partitions.
Check: Ask the IAO/SA how they import and export VMDK files. If they are using the VMware-converter utility, this is not a finding. If they are using a third party converter, ensure that the converter is supported by the vendor. This might require going to the vendor’s website and verifying the version used is supported. If it is not, this is a finding.

ESX0950: No policy exists to assign virtual machines to personnel.
Group title: No policy exists to assign virtual machines
Discussion: In traditional computing environments, servers were usually assigned to various personnel for administration. For instance, the data server is administered by the database administrator; the domain controller is maintained by the network administrator, etc. Other methods include assigning the MAC address to specific personnel or identifying machines by Ethernet location or port number. All these approaches are impractical in the virtual machine environment.
In the virtual environment, virtual machines may be moved or have MAC addresses that may change. These scenarios make it difficult to establish who owns the virtual machine running on a particular host. Therefore, a policy will need to be implemented to identify and assign virtual machines to the appropriate personnel.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Machine Administrator]
IA Controls: ECSC-1
Fix: Develop a policy for assigning virtual machines to the appropriate personnel.
Check: Request a copy of the policy that is used to assign virtual machines to personnel. If no policy or procedure exists, this is a finding.

ESX0960: VI Console is used to administer virtual machines.
Group title: VI Console is used to administer virtual machines
Discussion: The VI Console allows a user to connect to the console of a virtual machine, similar to seeing what a physical server monitor would show. However, the VI Console also provides power management and removable device connectivity controls, which could potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VI Console sessions are open simultaneously.
To prevent performance issues and potential unauthorized users from accessing the VI Console, users should use remote management services, such as terminal services and ssh, to interact with virtual machines.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Machine Administrator]
IA Controls: ECSC-1
Fix: Use third party tools to administer virtual machines.
Check: Ask the IAO/SA what tools are used to administer virtual machines remotely. If the response includes the VI console, this is a finding.

ESX1020: The IAO/SA does not document and approve virtual machine renames.
Group title: IAO/SA doesn't document and approve renames
Discussion: It may become necessary to rename a virtual machine at some point during the course of testing to production. To rename a virtual machine, the virtual machine must be powered down before proceeding with the renaming feature. It is also good practice to back up virtual machines before renaming any virtual machine. The configuration files for VMware are typically located on the service console in /root/VMware/ directory, and the virtual disks will be in the /vmfs/ directory. Renaming virtual machines may cause communication issues on the network with other servers, users, etc. To prevent communication disruptions to the network or virtual machine, all virtual machine renames will be documented and approved by the change control board.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Machine Administrator]
IA Controls: ECSC-1
Fix: Develop approval documentation for all virtual machine renames.
Check: Request a copy of the virtual machine rename approval documentation from the IAO/SA. If no documentation can be produced, this is a finding.

ESX1040: No policy exists to restrict copying and sharing virtual machines over networks and removable media.
Group title: No policy exists to restrict copying and sharing
Discussion: As virtual machines replace real hardware they can undermine the security architecture of many organizations, which often assume predictable and controlled change in the number of hosts, host configurations, host locations, etc. Some useful mechanisms that virtual machines provide are copying or sharing virtual machine hard disks. Copying or sharing virtual machine hard disks can be done over networks and removable media. Typically, test and development virtual machines will be moved and updated more frequently than production virtual machines. There will be a policy in place to restrict the copying and sharing of production virtual machines over networks and removable media to ensure that administrators do not give unauthorized users access to the virtual machine files.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer; [Virtual Machine Administrator]
IA Controls: ECSC-1
Fix: Develop a policy that prohibits virtual machine sharing and copying over networks and removable media.
Check: Request a copy of the policy restricting virtual machine sharing and copying over networks and removable media. If no policy exists, this is a finding.
Caveat: This is not applicable to snapshot backups, disaster recovery virtual machines, test and development virtual machines, and clustered virtual machines.
Virtual machine moved to removable media not doc<GroupDescription></GroupDescription>ESX1060Virtual machines moved to removable media are not documented.<VulnDiscussion>From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><Responsibility>[Virtual Machine Administrator]</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Document all virtual machine moves to removable media.Ask the IAO/SA if virtual machines have been copied to removable media (DVD, CD-ROM, USB drives). If so, request the documentation for all virtual machine moves to removable media. If no documentation exists, this is a finding.Virtual machines are removed without documentation<GroupDescription></GroupDescription>ESX1070Virtual machines are removed from the site without approval documentation.<VulnDiscussion>From a theft perspective, virtual machines are easy to copy and move to a person’s USB drive, portable hard drive, etc. An insider could potentially move the organization’s entire data center on any type of removable media that had sufficient space. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><Responsibility>[Virtual Machine Administrator]</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Create documentation to use for virtual machines taken off site.Request the approval documentation from the IAO/SA that the site uses for all virtual machines taken off site. If no documentation exists, this is a finding.Virtual machine rollbacks are performed<GroupDescription></GroupDescription>ESX1090Virtual machine rollbacks are performed when the virtual machine is connected to the network.<VulnDiscussion>Virtual machines may be rolled back to a previous state. Rolling back a virtual machine can re-expose patched vulnerabilities, re-enable previously disabled accounts or passwords, remove log files of a machine, use previously retired encryption keys, and change firewalls to expose vulnerabilities. Rolling back virtual machines can also reintroduce malicious code that had previously been removed, and can cause protocols to reuse TCP sequence numbers, which could allow TCP hijacking attacks. 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><Responsibility>[Virtual Machine Administrator]</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Disconnect from the network or power off the virtual machine before rollbacks.Ask the IAO/SA the process used for virtual machine rollbacks. If no process is used that includes disconnecting the virtual machine from the network before performing a revert to snapshot or rollback, this is a finding.Virtual machine requirements not documented<GroupDescription></GroupDescription>ESX1160Virtual machine requirements are not documented before creating a virtual machine.<VulnDiscussion>Guest operating systems may require different resources depending on the server function. A database or email server will require more resources than a basic Windows Domain Controller. Therefore, proper planning is required to determine what servers will be built within the virtualization server environment.
To properly create virtual machines within the virtualization server environment, a minimal list of requirements will be determined. These requirements are the amount of memory, amount of required disk space, the networking card assignment, required media, and proper disk mode to be used.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><Responsibility>[Guest Administrator]</Responsibility><IAControls>ECSC-1</IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Develop virtual machine requirements documentation.Request a copy of the virtual machine requirements documentation. If no documentation exists, this is a finding.ESX admins have not received proper training<GroupDescription></GroupDescription>ESX0828ESX administrators have not received proper training to administer the ESX Server.<VulnDiscussion>Different roles require different types of training. A skilled staff is one of the critical components to the security of an organization. The ESX Server is complex and has many components that need to be monitored and configured. 
If staff is not properly trained in administering the ESX Server, vulnerabilities will likely be left open.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><Responsibility>[Virtual Server Administrator]</Responsibility><IAControls></IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Train all the ESX Server administrators.Request a copy of the ESX Server training documentation for all staff administering the ESX Servers and peripheral systems. If no training documentation can be produced, this is a finding.VMware ESX 3 and 4 Unsupported<GroupDescription></GroupDescription>ESX0100VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by the vendor for security updates must not be installed on a system.<VulnDiscussion>VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by VMware for security updates are not evaluated or updated for vulnerabilities, leaving them open to potential attack. 
Organizations must transition to a supported ESXi operating system, virtual machines, and associated management software to ensure continued support.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target ESX Architecture and PolicyDISADPMS TargetESX Architecture and Policy1366Upgrade ESX version 3 and 4 systems, virtual machines, and associated management software to supported versions.
VMware support for ESX versions 3 and 4 ended 21 May 2016. If ESX version 3 or 4, virtual machines, or associated management software, such as VirtualCenter, is installed on a system, this is a finding.