OS patches and updates are out of date on “off” and “suspended” virtual machines.


Overview

Finding ID: V-15932
Version: ESX1210
Rule ID: SV-16874r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
A virtual machine may be on, off, or suspended. Conventional patch management, virus and vulnerability scanning, and configuration management all assume the machine is powered on, and that assumption breaks in a virtual environment: virtual machines can appear on and disappear from the network sporadically. A conventional network can "anneal" a newly connected machine into a known good configuration state very quickly, but converging virtual machines to a known good state is harder because their state can change just as quickly. A vulnerable machine may appear briefly, be infected or not, and then vanish, only to reappear in the same vulnerable state later. An off or suspended virtual machine that is infected or vulnerable may therefore never be detected, because scanners and patch tools only see machines that are running.

Suspended and off virtual machines must therefore be patched on a regular schedule, not only when they happen to be powered on. Virtual machines that are on are kept current with the applicable OS STIG.
STIG: VMware ESX 3 Virtual Machine
Date: 2016-05-03

Details

Check Text (C-16280r1_chk)
Work with the OS reviewer to determine whether the requirement is being met.
1. Log in to VirtualCenter with the VI Client and select a suspended or powered-off virtual machine.
2. Power on the virtual machine and have the IAO/SA log in to the guest OS.
3. Have the IAO/SA obtain the guest's current patch level and compare it to the latest release from the OS vendor. If the patch level is older than the latest release, this is a finding.
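Step 1 is easier to apply consistently if the reviewer starts from a list of every virtual machine that is not powered on, rather than picking machines from the VI Client inventory tree by hand. The following PowerCLI script is an added example for this page, not part of the STIG or of VMware's documentation; it assumes VMware PowerCLI is installed, that the account used has read access to the VirtualCenter/vCenter server named in the hypothetical $VCenter parameter, and that the output file name dormant-vms.csv is acceptable.

```powershell
# Added example (not from the STIG): list every VM that is off or suspended,
# with the last guest OS it reported, so each one can be reviewed for patch level.
# Assumes VMware PowerCLI; $VCenter is a hypothetical parameter name.
param(
    [Parameter(Mandatory = $true)]
    [string]$VCenter
)

Connect-VIServer -Server $VCenter | Out-Null

# PowerState is one of PoweredOn, PoweredOff, Suspended.
$dormant = Get-VM | Where-Object { $_.PowerState -ne 'PoweredOn' }

$report = foreach ($vm in $dormant) {
    # Guest.OSFullName is what VMware Tools last reported; it may be empty for a VM
    # that has never run Tools, so fall back to the guest OS configured on the VM.
    $guestOs = $vm.Guest.OSFullName
    if (-not $guestOs) { $guestOs = $vm.ExtensionData.Config.GuestFullName }

    [PSCustomObject]@{
        Name       = $vm.Name
        PowerState = $vm.PowerState
        GuestOS    = $guestOs
        Notes      = $vm.Notes
    }
}

$report | Sort-Object PowerState, Name | Format-Table -AutoSize
$report | Export-Csv -Path 'dormant-vms.csv' -NoTypeInformation

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The GuestOS column tells the reviewer which OS STIG and which vendor patch baseline apply before the machine is ever powered on. Note that step 2 of the check powers on a machine that, by the Description's own reasoning, may be unpatched and possibly infected; bringing it up on an isolated port group, or with its virtual NIC disconnected until the patch level has been confirmed, avoids exposing the production network to exactly the condition this check is looking for.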

Fix Text (F-15878r1_fix)
Apply the latest OS patches for all “suspended” and “off” virtual machines.