UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IP tables or internal router/firewall is not configured to restrict IP addresses to services.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15826 ESX0340 SV-16765r1_rule Medium
Description
The service console is a privileged virtual machine with interfaces into the VMkernel. In earlier releases, the service console was the main interface, whereas in ESX Server 3 and later, the VI Client is the primary interface. The service console is now used for advanced administration and system management functions such as HTTP, SNMP, and API interfaces. There are several processes and services that run in the service console which include the following: hostd, authd, net-snmp. To protect these important services on the service console, access control lists will be utilized to ensure only authorized IP addresses are able to access these services.
STIG Date
VMware ESX 3 Server 2016-05-13

Details

Check Text ( C-16168r1_chk )
1. If check ESX0320 was not a finding, then this check is not a finding. If it was a finding, then proceed to step 2.
2. Ask the IAO/SA what device is being used to restrict these services. If it is a router or
firewall, then work with the network reviewer or system administrator to verify compliance.
3. If it is not a router/firewall, then review the IPtables configuration. Verify IPtables are configured on the ESX Server service console by performing the following:

# iptables –L | grep hostd

The displayed result should look similar to the following:

iptables –A INPUT -d –p tcp –dport 443 –j Accept //hostd
iptables –A INPUT -d –p tcp –dport 80 –j Accept //hostd

# iptables –L | grep authd

The displayed result should look similar to the following:

iptables –A INPUT -d –p tcp –dport 902 –j Accept //authd

# iptables –L | grep snmpd

The displayed result should look similar to the following:

iptables –A INPUT -d –p tcp –dport 161 –j Accept //snmpd

At the bottom of the INPUT chain you should see the following:

iptables –A INPUT –j REJECT //deny all rule at end of chain

If no rules are applied to the INPUT chain for these services, this is a finding.

If this cannot be verified, this is a finding.

Note: ESX Server 3.x uses hostd for the server daemon and it is not configurable with TCP wrappers. Hostd listens on http/https ports.
Fix Text (F-15778r1_fix)
Restrict access to the ESX Server services to only authorized IP addresses.