V-39428 | High | If the system boots from removable media, it must be stored in a safe or similarly secured container. | Storing the boot loader on removable media in an insecure location could allow a malicious user to modify the system's boot instructions or boot to an insecure operating system. |
V-39429 | High | The operating system must be a supported release. | An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security... |
V-39415 | High | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
V-39411 | High | The operating system must use cryptography to protect the confidentiality of remote access sessions. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is... |
V-39413 | High | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
V-39412 | High | The SSH daemon must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known, exploitable vulnerabilities. Exploits of the SSH daemon could provide immediate root access to the system. |
V-39384 | High | The system must be configured to only boot from the system boot device. | The ability to boot from removable media is the same as being able to boot into single user or maintenance mode without a password. This ability could allow a malicious user to boot the system and... |
V-39387 | High | The system must verify the integrity of the installation media before installing ESXi. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-39386 | High | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled. | Unnecessary services should be disabled to decrease the attack surface of the system. |
V-39252 | High | There must be no .rhosts or hosts.equiv files on the system. | The .rhosts or hosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for preventing unauthorized access... |
V-39407 | High | The Image Profile and VIB Acceptance Levels must be verified. | The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and... |
V-39277 | High | The system must not use removable media as the boot loader. | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. |
V-39372 | High | The system must ensure the dvPortGroup MAC Address Change policy is set to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in... |
V-39373 | High | The system must ensure the virtual switch MAC Address Change policy is set to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in... |
V-39392 | Medium | The system must set a timeout for the ESXi Shell to automatically disable itself after a predetermined period. | The ESXiShellTimeout setting is the number of seconds that can elapse before a logon occurs after the ESXi Shell is enabled. After the timeout period, if a logon has not occurred, the shell is... |
V-39420 | Medium | The SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
V-39422 | Medium | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option. | The "nosuid" mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system that does not contain approved setuid files.... |
V-39423 | Medium | The nosuid option must be enabled on all NFS client mounts. | Enabling the nosuid mount option prevents the system from granting owner or group owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users... |
V-39425 | Medium | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files. | Files with the setuid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation,... |
V-39426 | Medium | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files. | Files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation,... |
V-39414 | Medium | The SSH client must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known, exploitable vulnerabilities. Exploits of the SSH client could provide access to the system with the privileges of the user running the client. |
V-39417 | Medium | The system must ensure proper SNMP configuration. | If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a... |
V-39416 | Medium | The system must require that passwords contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-39410 | Medium | The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool. It... |
V-39301 | Medium | The system must ensure the vpxuser auto-password change meets policy. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure it to meet password aging policies. NOTE: It is... |
V-39418 | Medium | The system must prevent the use of dictionary words for passwords. | An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is... |
V-39302 | Medium | The system must ensure the vpxuser password meets length policy. | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password... |
V-39385 | Medium | The system must enable lockdown mode to restrict remote access. | Enabling lockdown mode prevents direct API-based access to the ESXi host by user accounts and disables direct remote access to the host, which must then be managed through vCenter Server. There are some operations, such as backup... |
V-39381 | Medium | Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option. | The "nodev" (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system that does not contain approved device... |
V-39383 | Medium | The root account's list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
V-39382 | Medium | The root account's library search path must be the system default and must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
V-39253 | Medium | The SSH daemon must limit connections to a single session. | The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a... |
V-39389 | Medium | All accounts must be assigned unique User Identification Numbers (UIDs). | Accounts sharing a UID have full access to each others' files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the... |
V-39388 | Medium | All accounts on the system must have unique user or account names. | A unique user name is the first part of the identification and authentication process. If user names are not unique, there can be no accountability on the system for auditing purposes. Multiple... |
V-39255 | Medium | The system must require that passwords contain at least one uppercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-39254 | Medium | The system must use time sources local to the enclave. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. The network architecture should provide... |
V-39300 | Medium | The system must ensure the vpxuser auto-password change meets policy. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure it to meet password aging policies. NOTE: It is... |
V-39402 | Medium | The SSH client must be configured to not use CBC-based ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used. |
V-39403 | Medium | The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
V-39400 | Medium | Access to the management network must be strictly controlled through a network gateway. | A controlled gateway or other controlled method must be configured to access the management network. The management network must be isolated in order to prevent access by internal and external,... |
V-39401 | Medium | Access to the management network must be strictly controlled through a network jump box. | Based upon an organization's risk assessment, jump boxes that run vSphere Client and other management clients (e.g., VSphere Management Assistant) must be configured. The management network must... |
V-39404 | Medium | The SSH client must be configured to only use FIPS 140-2 approved ciphers. | DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. |
V-39405 | Medium | The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. | If ESXi Shell is enabled on the host and a user neglects to terminate an SSH session, the idle connection will remain available indefinitely, increasing the potential for someone to gain privileged... |
V-39408 | Medium | Remote logging for ESXi hosts must be configured. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool. It... |
V-39409 | Medium | The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool. It... |
V-39259 | Medium | The system must require at least four characters be changed between the old and new passwords during a password change. | To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed... |
V-39393 | Medium | vSphere management traffic must be on a restricted network. | The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain... |
V-39390 | Medium | The system must disable SSH. | The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended... |
V-39391 | Medium | The system must not permit root logins using remote access programs, such as SSH. | Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific... |
V-39396 | Medium | The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices. | Unrestricted access to services running on an ESXi host can expose the host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from... |
V-39397 | Medium | The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system. | Unrestricted access to services running on an ESXi host can expose the host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from... |
V-39394 | Medium | The SSH daemon must be configured with the Department of Defense (DoD) logon banner. | Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources. |
V-39395 | Medium | The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks. |
V-39398 | Medium | The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). | Unrestricted access to services running on an ESXi host can expose the host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from... |
V-39399 | Medium | The operating system must enforce requirements for remote connections to the information system. | Unrestricted access to services running on an ESXi host can expose the host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from... |
V-39246 | Medium | The system must prevent the use of dictionary words for passwords. | An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is... |
V-39247 | Medium | SNMP communities, users, and passphrases must be changed from the default. | Whether active or inactive, default communities, users, and passwords must be changed to maintain security. A service running with default authenticators allows acquisition of data about the... |
V-39275 | Medium | The /etc/shells (or equivalent) file must exist. | The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized... |
V-39276 | Medium | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. | The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not... |
V-39271 | Medium | The SSH client must be configured to not allow X11 forwarding. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
V-39270 | Medium | The SSH client must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar... |
V-39273 | Medium | The root account's executable search path must be the vendor default and must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
V-39257 | Medium | The system must require passwords contain at least one lowercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-39279 | Medium | The system must not be used as a syslog server (log host) for systems external to the enclave. | Syslog messages are typically unencrypted and may contain sensitive information and are, therefore, restricted to the enclave. |
V-39278 | Medium | The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures. | If a remote log host is in use and it has not been justified and documented with the IAO, sensitive information could be obtained by unauthorized users without the SA's knowledge. A remote log... |
V-39256 | Medium | The system must require passwords contain at least one lowercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-39369 | Medium | All port groups must not be configured to VLAN values reserved by upstream physical switches. | Vendor-specific physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. Use of reserved VLAN IDs can result in a network denial-of-service. |
V-39368 | Medium | All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT). | When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to... |
V-39367 | Medium | All port groups must be configured to a value other than that of the native VLAN. | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will... |
V-39262 | Medium | The system must require that passwords contain a minimum of 14 characters. | The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space. |
V-39263 | Medium | The system must enforce the entire password during authentication. | Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password. |
V-39260 | Medium | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
V-39261 | Medium | The system must prohibit the reuse of passwords within five iterations. | If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the... |
V-39266 | Medium | The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale. | Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables that specify the language, character set, and other features... |
V-39267 | Medium | The SSH daemon must not permit user environment settings. | SSH may be used to provide limited functions other than an interactive shell session, such as file transfer. If local, user-defined environment settings (such as, those configured in... |
V-39264 | Medium | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. | A system's BIOS or system controller handles the initial startup of a system and its configuration must be protected from unauthorized modification. When the BIOS or system controller supports the... |
V-39265 | Medium | The SSH daemon must be configured to not allow X11 forwarding. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
V-39268 | Medium | The SSH daemon must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar... |
V-39269 | Medium | The SSH client must not send environment variables to the server or must only send those pertaining to locale. | Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables specify the language, character set, and other features modifying... |
V-39374 | Medium | The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. | In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be... |
V-39375 | Medium | The system must ensure the virtual switch Promiscuous Mode policy is set to reject. | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to that virtual switch have the potential of reading all packets across that network, meaning only the virtual... |
V-39376 | Medium | The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject. | When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual... |
V-39370 | Medium | The system must ensure that the virtual switch Forged Transmits policy is set to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage... |
V-39371 | Medium | The system must ensure that the dvPortgroup Forged Transmits policy is set to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage... |
V-39297 | Medium | The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications. | The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM.... |
V-39296 | Medium | The system must disable the Managed Object Browser (MOB). | The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be... |
V-39295 | Medium | The system must disable ESXi Shell unless needed for diagnostics or troubleshooting. | The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The... |
V-39294 | Medium | The system must disable DCUI to prevent local administrative control. | The DCUI allows for low-level host configuration, such as configuring IP address, hostname, and root password, as well as diagnostic capabilities, such as enabling the ESXi shell, viewing log... |
V-39293 | Medium | Persistent logging for all ESXi hosts must be configured. | ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of... |
V-39292 | Medium | NTP time synchronization must be configured. | By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard... |
V-39347 | Medium | Keys in the SSH authorized_keys file must be removed. | ESXi hosts ship with an SSH daemon which, once enabled, can allow remote access without password authentication. To enable password-free access, the remote user's public key is copied into the... |
V-39258 | Medium | The system must require that passwords contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
V-39355 | Medium | Kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial-of-Service by... |
V-39352 | Medium | The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory. | ESXi hosts configured to join an Active Directory domain using host profiles do not protect the passwords used for host authentication. To avoid transmitting clear text passwords, the vSphere... |
V-39353 | Medium | The system must zero out VMDK files prior to deletion. | The virtual disk must be zeroed out prior to deletion in order to prevent sensitive data in VMDK files from being recovered. |
V-39350 | Medium | The contents of exposed configuration files must be verified. | Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via... |
V-39351 | Medium | Unauthorized kernel modules must not be loaded on the host. | VMware provides digital signatures for kernel modules. By default the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be... |
V-39285 | Medium | The SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection,... |
V-39286 | Medium | The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks. NOTE that IPv6 is not enabled by default. |
V-39287 | Medium | The DHCP client must be disabled if not used. | DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server. |
V-39432 | Medium | The IPv6 protocol handler must not be installed unless needed. | IPv6 is the next generation of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the... |
V-39431 | Medium | The IPv6 protocol handler must not be bound to the network stack unless needed. | IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. |
V-39430 | Medium | The system clock must be synchronized to an authoritative DoD time source. | To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions,... |
V-39249 | Low | The SSH client must be configured to not allow TCP forwarding. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
V-39424 | Low | The system must be checked for extraneous device files at least weekly. | If an unauthorized device is allowed to exist on the system, there is the possibility the system may perform unauthorized operations. |
V-39427 | Low | For systems using DNS resolution, at least two name servers must be configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name... |
V-39304 | Low | SAN resources must be masked and zoned appropriately. | SAN activity must be segregated via zoning and LUN masking. The potential for any SAN client to mount and access any SAN drive will result in disk resource contention and data corruption. Zoning... |
V-39303 | Low | The system must ensure uniqueness of CHAP authentication secrets. | The mutual authentication secret for each host must be different and the secret for each client authenticating to the server must be different as well. This ensures if a single host is... |
V-39380 | Low | The system must disable the autoexpand option for VDS dvPortgroups. | If the "no-unused-dvports" guideline is followed, there should be only the amount of ports on a VDS that are actually needed. The Autoexpand feature on VDS dvPortgroups can override that limit.... |
V-39251 | Low | The SSH client must be configured to not allow gateway ports. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
V-39250 | Low | The SSH daemon must be configured to not allow gateway ports. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
V-39248 | Low | The SSH daemon must be configured to not allow TCP connection forwarding. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
V-39274 | Low | The GID assigned to a user must exist. | If a user is assigned the GID of a group that does not exist on the system, and a group with that GID is subsequently created, the user may have unintended rights to that group. |
V-39366 | Low | All port groups must be configured with a clear network label. | Each port group must be identified with a network label/name. Names serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and functions becomes... |
V-39365 | Low | All physical switch ports must be configured with spanning tree disabled. | Due to the integration of the ESXi Server into the physical network, the physical network (switch) adaptors must have spanning tree disabled or portfast configured for external switches, because... |
V-39364 | Low | Only authorized administrators must have access to virtual networking components. | This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage... |
V-39363 | Low | All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic... |
V-39362 | Low | All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic... |
V-39361 | Low | All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic... |
V-39360 | Low | All vSwitch and VLAN IDs must be fully documented. | VLAN tagging used on a vSwitch must correspond to the IDs on external VLAN-aware upstream switches, if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow for traffic... |
V-39378 | Low | vMotion traffic must be isolated. | The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential... |
V-39379 | Low | Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic. | If an ESXi host guest VM is configured to perform a bridging function, the VM will generate BPDU frames to send out to the VDS. The VDS forwards the BPDU frames through the network adapter to the... |
V-39377 | Low | The system must ensure there are no unused ports on a distributed virtual port group. | The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the... |
V-39299 | Low | The system must enable SSL for NFC. | NFC (Network File Copy) is used to migrate or clone a VM between two ESXi hosts over the network. By default, SSL is used only for the authentication of the transfer, but SSL must also be enabled... |
V-39298 | Low | The system must enable bidirectional CHAP authentication for iSCSI traffic. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a man-in-the-middle (MITM) attack, when not authenticating both the iSCSI target and host, in... |
V-39291 | Low | The system must have IEEE 1394 (Firewire) disabled unless needed. | Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
V-39349 | Low | Active Directory ESX Admin group membership must be verified unused. | When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be... |
V-39348 | Low | The system must use Active Directory for local user authentication for accounts other than root and the vpxuser. | Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to... |
V-39346 | Low | The system must prevent unintended use of dvfilter network APIs. | If products that use the dvfilter network API are not used, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM... |
V-39356 | Low | All dvPortgroup VLAN IDs must be fully documented. | If using VLAN tagging on a dvPortgroup, tags must correspond to the IDs on external VLAN-aware upstream switches if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow... |
V-39357 | Low | All dvSwitch Private VLAN IDs must be fully documented. | dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN IDs. The IDs must correspond to the IDs on external PVLAN-aware upstream switches, if any. If VLAN IDs are not tracked... |
V-39358 | Low | All virtual switches must have a clear network label. | Network labels must identify each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port... |
V-39359 | Low | Virtual switch VLANs must be fully documented and have only the required VLANs. | When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is... |
V-39288 | Low | The system must have USB disabled unless needed. | USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
V-39289 | Low | The system must have USB Mass Storage disabled unless needed. | USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
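The four SSH forwarding rows above (V-39248, V-39249, V-39250, V-39251) all come down to two OpenSSH directives, AllowTcpForwarding and GatewayPorts, being set to "no" in the daemon file and the client file. The following POSIX shell audit is an added example, not part of the STIG or of VMware's tooling. It resolves the effective value the way OpenSSH does (first uncommented occurrence of a keyword wins, "Key value" or "Key=value" form) and treats anything after a Match line as conditional and out of scope. The two configuration files it reads are constructed inline so the check runs offline; on a real host point it at /etc/ssh/sshd_config and /etc/ssh/ssh_config (it is an assumption that the client file check in V-39249 looks for the same AllowTcpForwarding keyword, which OpenSSH documents as a daemon directive).

```shell
#!/bin/sh
# Added example: audit an OpenSSH config file for the forwarding directives
# required by V-39248..V-39251 (not STIG or VMware code).

# Print the effective value of OPTION in FILE, or DEFAULT when it is unset.
# OpenSSH honours the first uncommented occurrence of a keyword; directives
# after a "Match" line are conditional, so parsing stops there (assumption:
# the host does not rely on Match blocks to tighten these settings).
ssh_option_value() {
    file=$1; option=$2; default=$3
    val=$(awk -v want="$option" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            gsub(/=/, " ")                      # accept "Key=value" as well as "Key value"
            key = tolower($1)
            if (key == "match") exit            # everything below is conditional
            if (key == tolower(want)) { print tolower($2); exit }
        }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 when FILE disables TCP forwarding and gateway ports, 1 otherwise.
# Defaults are OpenSSH's own: AllowTcpForwarding yes, GatewayPorts no, so a
# file that merely omits AllowTcpForwarding still fails.
check_ssh_forwarding() {
    file=$1; rc=0
    tcp=$(ssh_option_value "$file" AllowTcpForwarding yes)
    gw=$(ssh_option_value "$file" GatewayPorts no)
    [ "$tcp" = "no" ] || { echo "FAIL $file: AllowTcpForwarding=$tcp (want no)"; rc=1; }
    [ "$gw" = "no" ]  || { echo "FAIL $file: GatewayPorts=$gw (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS $file"
    return "$rc"
}

# Constructed sample files standing in for sshd_config / ssh_config.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed sample: forwarding left at the default, gateway ports opened
Protocol 2
GatewayPorts yes
#AllowTcpForwarding no
EOF

cat >"$HARD_CFG" <<'EOF'
# constructed sample: hardened as the STIG rows require
Protocol 2
AllowTcpForwarding no
GatewayPorts = no
Match User backup
    AllowTcpForwarding yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    check_ssh_forwarding "$f" || :
done
```

The commented-out `#AllowTcpForwarding no` in the weak sample is the classic false positive a plain `grep AllowTcpForwarding` would accept; resolving the effective value, with the OpenSSH default applied when the keyword is absent, is what makes the check meaningful.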
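V-39274 above is a cross-reference check: every primary GID in the password file must appear as a GID in the group file. This added example (not from the STIG) performs that join with awk over two constructed files; on a real host run it against /etc/passwd and /etc/group, bearing in mind that where accounts come from Active Directory (V-39348) the local files are not the whole picture and the NSS view (`getent passwd` / `getent group`) is the authoritative source.

```shell
#!/bin/sh
# Added example: list users whose primary GID has no matching group (V-39274).

# Print "user:gid" for every passwd entry whose GID (field 4) does not occur
# as a GID (field 3) in the group file. Prints nothing when all GIDs exist.
orphan_gid_users() {
    passwd=$1; group=$2
    awk -F: '
        NR == FNR { if (NF >= 3) known[$3] = 1; next }   # first file: group, GID in field 3
        NF >= 4 && !($4 in known) { print $1 ":" $4 }     # second file: passwd, GID in field 4
    ' "$group" "$passwd"
}

# Constructed sample data; "bob" was created with GID 1005, which no group owns.
GR=$(mktemp); PW=$(mktemp)
trap 'rm -f "$GR" "$PW"' EXIT

cat >"$GR" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:
EOF

cat >"$PW" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1001:10:alice:/home/alice:/bin/sh
bob:x:1002:1005:bob:/home/bob:/bin/sh
svc:x:1003:100:service:/var/svc:/bin/false
EOF

orphan_gid_users "$PW" "$GR"
```

A non-empty result is the finding; the row's rationale is that if group 1005 is later created for some other purpose, bob silently becomes a member of it.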