UCF STIG Viewer Logo

VMware ESX 3 Policy


Overview

Date Finding Count (24)
2016-05-03 CAT I (High): 1 CAT II (Med): 11 CAT III (Low): 12
STIG Description
The VMware ESX 3 Policy Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-68721 High VMware ESX operating systems, virtual machines, and associated management software that are no longer supported by the vendor for security updates must not be installed on a system.
V-15903 Medium Virtual machines are removed from the site without approval documentation.
V-15881 Medium VirtualCenter logs are reviewed daily.
V-15882 Medium There is no up-to-date documentation of the virtualization infrastructure.
V-15841 Medium ESX Server log files are not reviewed daily.
V-15825 Medium A third party firewall is configured on ESX Server.
V-15877 Medium VirtualCenter Server groups are not reviewed monthly
V-15879 Medium There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles.
V-15878 Medium No documented configuration management process exists for VirtualCenter changes.
V-15902 Medium Virtual machine moved to removable media are not documented.
V-15833 Medium Hash signatures for the /etc files are not reviewed monthly.
V-15853 Medium Disaster recovery plan does not include ESX Servers, VirtualCenter servers, virtual machines, and necessary peripherals associated with the system.
V-15892 Low VI Console is used to administer virtual machines.
V-16851 Low ESX administrators have not received proper training to administer the ESX Server.
V-15919 Low Virtual machine requirements are not documented before creating a virtual machine.
V-15889 Low The VMware-converter utility is not used for VMDK imports or exports.
V-15845 Low The IAO/SA does not subscribe to vendor security patches and update notifications.
V-15900 Low No policy exists to restrict copying and sharing virtual machines over networks and removable media.
V-15875 Low Users assigned to VirtualCenter groups are not documented.
V-15876 Low Users in the VirtualCenter Server Windows Administrators group are not documented.
V-15898 Low The IAO/SA does not document and approve virtual machine renames.
V-15905 Low Virtual machine rollbacks are performed when virtual machine is connected to the network.
V-15891 Low No policy exists to assign virtual machines to personnel.
V-15851 Low There are no procedures for the backup and recovery of the ESX Server, management servers, and virtual machines.