GEN002220-ESXI5-PNF | High | All shell files must have mode 0755 or less permissive. | Shells with world/group-write permissions give the ability to maliciously modify the shell to obtain unauthorized access. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
GEN005200-ESXI5-PNF | High | X displays must not be exported to the world. | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. Many users have their X Server set to xhost +, permitting access to the X Server by anyone, from anywhere.... |
GEN001640-ESXI5-PNF | High | Run control scripts must not execute world-writable programs or scripts. | World-writable files could be modified accidentally or maliciously to compromise system integrity. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a... |
GEN001100-ESXI5-PNF | High | Root passwords must never be passed over a network in clear text form. | If a user accesses the root account (or any account) using an unencrypted connection, the password is passed over the network in clear text form and is subject to interception and misuse. This is... |
GEN008640-ESXI5-000055 | High | The system must not use removable media as the boot loader. | Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. |
GEN004600-ESXI5-PNF | High | The SMTP service must be an up-to-date version. | The SMTP service version on the system must be current to avoid exposing vulnerabilities present in unpatched versions. Applicable, but permanent not-a-finding - The vSphere Update Manager... |
ESXI5-VM-000008 | High | The system must disable virtual disk erasure. | Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host... |
GEN004220-ESXI5-PNF | High | Administrative accounts must not run a web browser, except as needed for local service administration. | If a web browser flaw is exploited while running as a privileged user, the entire system could be compromised. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN006380-ESXI5-PNF | High | The system must not use UDP for NIS/NIS+. | Implementing NIS or NIS+ under UDP may make the system more susceptible to a Denial of Service attack and does not provide the same quality of service as TCP. Applicable, but permanent... |
ESXI5-VMNET-000016 | High | The system must ensure the virtual switches MAC Address Change policy is set to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in... |
ESXI5-VMNET-000015 | High | The system must ensure the dvPortGroup MAC Address Change policy is set to reject. | If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in... |
GEN008680-ESXI5-000056 | High | If the system boots from removable media, it must be stored in a safe or similarly secured container. | Storing the boot loader on removable media in an insecure location could allow a malicious user to modify the system's boot instructions or boot to an insecure operating system. |
GEN004620-ESXI5-PNF | High | The Sendmail server must have the debug feature disabled. | Debug mode is a feature present in older versions of Sendmail which, if not disabled, may allow an attacker to gain access to a system through the Sendmail service. Applicable, but permanent... |
GEN003850-ESXI5-PNF | High | The telnet daemon must not be running. | The telnet daemon provides a typically unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user... |
GEN005140-ESXI5-PNF | High | Any active TFTP daemon must be authorized and approved in the system accreditation package. | TFTP is a file transfer protocol often used by embedded systems to obtain configuration data or software. The service is unencrypted and does not require authentication of requests. Data available... |
GEN005300-ESXI5-PNF | High | SNMP communities, users, and passphrases must be changed from the default. | Whether active or not, default SNMP passwords, users, and passphrases must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data... |
GEN000100-ESXI5-000062 | High | The operating system must be a supported release. | An operating system release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security... |
SRG-OS-99999-ESXI5-000134 | High | The ESXi host firewall must be configured to restrict access to services running on the host. | Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access from... |
GEN005500-ESXI5-9990 | High | The SSH daemon must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Permanent not a finding - v2 is used. |
GEN005080-ESXI5-PNF | High | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system. | Secure mode limits TFTP requests to a specific directory. If TFTP is not running in secure mode, it may be able to write to any file or directory and may seriously impair system integrity,... |
ESXI5-VM-000010 | High | The system must not use independent, nonpersistent disks. | The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard... |
GEN005000-ESXI5-PNF | High | Anonymous FTP accounts must not have a functional shell. | If an anonymous FTP account has been configured to use a functional shell, attackers could gain access to the shell if the account is compromised. Applicable, but permanent not-a-finding - The... |
ESXI5-VM-000048 | High | The system must secure virtual machines as it would secure physical machines. | A key to understanding the security requirements of a virtualized environment is the recognition that a virtual machine is, in most respects, the equivalent of a physical server. Therefore, it is... |
GEN008700-ESXI5-PNF | High | The system boot loader must require authentication. | If the system's boot loader does not require authentication, users with console access to the system may be able to alter the system boot configuration or boot the system into single user or... |
ESXI5-VM-000001 | High | The system must control virtual machine access to host resources. | By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources... |
ESXI5-VM-000007 | High | The system must disable virtual disk shrinking. | Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and... |
GEN005100-ESXI5-PNF | High | The TFTP daemon must have mode 0755 or less permissive. | If TFTP runs with the suid or sgid bit set, it may be able to write to any file or directory and may seriously impair system integrity, confidentiality, and availability. Applicable, but permanent... |
ESXI5-VM-000044 | High | The system must minimize use of the VM console. | The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and... |
SRG-OS-99999-ESXI5-000140 | High | The system must not use default self-signed certificates for ESXi communication. | Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA. |
GEN000560-ESXI5-PNF | High | The system must not have accounts configured with blank or null passwords. | If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured... |
GEN004640-ESXI5-PNF | High | The SMTP service must not have a uudecode alias active. | A common configuration for older Mail Transfer Agents (MTAs) includes an alias for the decode user. All mail sent to this user is sent to the uudecode program, which automatically converts and... |
GEN003840-ESXI5-PNF | High | The rexec daemon must not be running. | The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - The hypervisor... |
GEN002040-ESXI5-PNF | High | There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system. | The .rhosts, .shosts, hosts.equiv, and shosts.equiv files are used to configure host-based authentication for individual users or the system. Host-based authentication is not sufficient for... |
GEN003820-ESXI5-PNF | High | The rsh daemon must not be running. | The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - The hypervisor... |
GEN004400-ESXI5-PNF | High | Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root. | If a file executed through a mail aliases file is not owned and writable only by root, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases... |
GEN000242-ESXI5-000079 | Medium | The system must use at least two time sources for clock synchronization. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. For redundancy, two time sources are required... |
GEN001720-ESXI5-PNF | Medium | All global initialization files must have mode 0444 or less permissive. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
GEN000640-ESXI5-000068 | Medium | The system must require that passwords contain at least one special character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
SRG-OS-000101-ESXI5-PNF | Medium | The operating system must conduct backups of operating system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. Information system and security related documentation contains information pertaining to system... |
GEN001470-ESXI5-PNF | Medium | The /etc/passwd file must not contain password hashes. | If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes. Permanent not a finding - Hashes are... |
GEN004950-ESXI5-PNF | Medium | The ftpusers file must not have an extended ACL. | Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial-of-Service to authorized FTP users or permit unauthorized users... |
GEN005306-ESXI5-PF | Medium | The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods. | The SNMP service must use SHA-1 or a FIPS 140-2 approved successor for authentication and integrity. Permanent finding - May need to use an application such as the Virtual Certes Enforcement Point... |
GEN008260-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN001730-ESXI5-PNF | Medium | All global initialization files must not have extended ACLs. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
SRG-OS-000042-ESXI5-PNF | Medium | The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, time stamps,... |
GEN000480-ESXI5-PNF | Medium | The delay between login prompts following a failed login attempt must be at least 4 seconds. | Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks. Permanent not a finding - Built in, cannot be configured. |
SRG-OS-000137-ESXI5-PNF | Medium | The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-OS-99999-ESXI5-000156 | Medium | The contents of exposed configuration files must be verified. | Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via... |
SRG-OS-99999-ESXI5-000157 | Medium | The Image Profile and VIB Acceptance Levels must be verified. | The ESXi Image profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and... |
SRG-OS-99999-ESXI5-000152 | Medium | Keys from SSH authorized_keys file must be removed. | ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the... |
SRG-OS-000250-ESXI5-PNF | Medium | The operating system must use cryptography to protect the integrity of remote access sessions. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. If cryptography is... |
GEN003360-ESXI5-PNF | Medium | The at daemon must not execute group-writable or world-writable programs. | If the at facility executes world-writable or group-writable programs, it is possible for the programs to be accidentally or maliciously changed or replaced without the owner's intent or... |
SRG-OS-99999-ESXI5-000158 | Medium | Unauthorized kernel modules must not be loaded on the host. | VMware provides digital signatures for kernel modules. By default, the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be... |
SRG-OS-000123-ESXI5-PNF | Medium | The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account. | When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event... |
GEN005040-ESXI5-PNF | Medium | All FTP users must have a default umask of 077. | The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is stored as a 4-digit number, the first... |
GEN003340-ESXI5-PNF | Medium | The at.allow file must have mode 0600 or less permissive. | Permissions more permissive than 0600 (read, write, and execute for the owner) may allow unauthorized or malicious access to the at.allow and/or at.deny files. Applicable, but permanent... |
GEN001300-ESXI5-PNF | Medium | Library files must have mode 0755 or less permissive. | Unauthorized access could destroy the integrity of the library files. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user kernel where all... |
GEN005260-ESXI5-PNF | Medium | X Window System connections that are not required must be disabled. | If unauthorized clients are permitted access to the X server, a user's X session may be compromised. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN003440-ESXI5-PNF | Medium | At jobs must not set the umask to a value less restrictive than 077. | The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit... |
SRG-OS-000264-ESXI5-PNF | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
GEN000140-ESXI5-000063 | Medium | A file integrity baseline must be created and maintained. | A file integrity baseline is a collection of file metadata which is used to evaluate the integrity of the system. A minimal baseline must contain metadata for all device files, setuid files, setgid... |
GEN007740-ESXI5-000118 | Medium | The IPv6 protocol handler must not be installed unless needed. | IPv6 is the next generation of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the... |
GEN005120-ESXI5-PNF | Medium | The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user. | If TFTP has a valid shell, it increases the likelihood of someone logging in to the TFTP account and compromising the system. Applicable, but permanent not-a-finding - no ftp. |
GEN001390-ESXI5-PNF | Medium | The /etc/passwd file must not have an extended ACL. | File system ACLs can provide access to files beyond what is allowed by the mode numbers of the files. The /etc/passwd file contains the list of local system accounts. It is vital to system... |
GEN002710-ESXI5-PNF | Medium | All system audit files must not have extended ACLs. | If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected. Applicable, but permanent not-a-finding - No ACLs. |
SRG-OS-000038-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source... |
SRG-OS-000055-ESXI5-PNF | Medium | The operating system must use internal system clocks to generate time stamps for audit records. | Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time stamps generated by the information system... |
GEN000585-ESXI5-000080 | Medium | The system must enforce the entire password during authentication. | Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password. |
GEN004460-ESXI5-PNF | Medium | The system syslog service must log informational and more severe SMTP service messages. | If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed. Applicable, but permanent not-a-finding - no sendmail. |
GEN008180-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN006140-ESXI5-PNF | Medium | The /etc/smb.conf file must have mode 0644 or less permissive. | If the smb.conf file has excessive permissions, the file may be maliciously modified and the Samba configuration could be compromised. Applicable, but permanent not-a-finding - The hypervisor does... |
GEN001830-ESXI5-PNF | Medium | All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Applicable, but permanent not-a-finding - The hypervisor... |
GEN005521-ESXI5-000103 | Medium | The SSH daemon must restrict login ability to specific users and/or groups. | Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized... |
SRG-OS-000228-ESXI5-PNF | Medium | The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access. | Requirement applies to publicly accessible systems. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system.... |
GEN007950-ESXI5-PNF | Medium | The system must not respond to ICMPv6 echo requests sent to a broadcast address. | Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks. The ESXi-v5 firewall is enabled by default and allows Internet Control... |
SRG-OS-000249-ESXI5-PF | Medium | The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the... |
SRG-OS-000206-ESXI5-PNF | Medium | The operating system must reveal error messages only to authorized personnel. | Root kits are software packages designed to conceal the compromise of a system from the SA. Root kit checking tools examine a system for evidence that a root kit is installed. Dedicated root kit... |
SRG-OS-000054-ESXI5-PNF | Medium | The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
GEN006320-ESXI5-PNF | Medium | The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive. | File permissions more permissive than 0600 for /etc/news/passwd.nntp may allow access to privileged information by system intruders or malicious users. Applicable, but permanent not-a-finding -... |
GEN002340-ESXI5-PNF | Medium | Audio devices must be owned by root. | Audio and video devices that are globally accessible have proven to be another security hazard. There is software that can activate system microphones and video devices connected to user... |
SRG-OS-000058-ESXI5-PNF | Medium | The operating system must protect audit information from unauthorized modification. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity... |
GEN005531-ESXI5-000108 | Medium | The SSH daemon must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar... |
SRG-OS-000115-ESXI5-PNF | Medium | The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
GEN003810-ESXI5-PNF | Medium | The portmap or rpcbind service must not be running unless needed. | The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using Remote... |
SRG-OS-000233-ESXI5-PF | Medium | The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of successful attempts made to login to their account allows the user... |
GEN003700-ESXI5-000077 | Medium | Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled. | Unnecessary services should be disabled to decrease the attack surface of the system. |
SRG-OS-000176-ESXI5-PNF | Medium | The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers. | Blocking restrictions do not include instant messaging services configured by an organization to perform an authorized function. This requirement specifies blocking any external instant messaging... |
GEN005570-ESXI5-000115 | Medium | The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks. NOTE that IPv6 is not enabled by default. |
GEN005540-ESXI5-PNF | Medium | The SSH daemon must be configured for IP filtering. | The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses. Applicable, but permanent not-a-finding - no tcp wrappers.... |
GEN001374-ESXI5-PNF | Medium | The /etc/nsswitch.conf file must not have an extended ACL. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from... |
GEN002060-ESXI5-PNF | Medium | All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner. | If these files are accessible by users other than root or the owner, they could be used by a malicious user to set up a system compromise. Applicable, but permanent not-a-finding - Not a General... |
SRG-OS-000036-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. | Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or... |
GEN005190-ESXI5-PNF | Medium | The .Xauthority files must not have extended ACLs. | .Xauthority files ensure the user is authorized to access the specific X Windows host. Extended ACLs may permit unauthorized modification of these files, which could lead to Denial-of-Service to... |
SRG-OS-000230-ESXI5-PF | Medium | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
GEN005506-ESXI5-000098 | Medium | The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen-plaintext attacks and must not be used. |
SRG-OS-000187-ESXI5-PNF | Medium | The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media. | Organizations may require the information system to load the operating environment from hardware enforced read-only media. The term operating environment is defined as the code upon which... |
GEN000800-ESXI5-000053 | Medium | The system must prohibit the reuse of passwords within five iterations. | If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the... |
GEN003745-ESXI5-PNF | Medium | The inetd.conf and xinetd.conf files must not have extended ACLs. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial-of-Service or increase the attack surface of the system. Applicable, but permanent... |
SRG-OS-000114-ESXI5-PNF | Medium | The operating system must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
GEN002280-ESXI5-PNF | Medium | Device files and directories must only be writable by users with a system account or as configured by the vendor. | System device files in writable directories could be modified, removed, or used by an unprivileged user to control system hardware. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN006640-ESXI5-PNF | Medium | The system must use and update a DoD-approved virus scan program. | Virus scanning software can be used to protect a system from penetration by computer viruses and to limit their spread through intermediate systems. Virus scanning software is available to DoD on... |
SRG-OS-000171-ESXI5-PNF | Medium | The operating system must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
GEN005340-ESXI5-PNF | Medium | Management Information Base (MIB) files must have mode 0640 or less permissive. | The ability to read the MIB file could impart special knowledge to an intruder or malicious user about the ability to extract compromising information about the system or network. Applicable, but... |
SRG-OS-000094-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
GEN008100-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN001392-ESXI5-PNF | Medium | The /etc/group file must be group-owned by root, bin, sys, or system. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. Applicable, but... |
SRG-OS-000003-ESXI5-PNF | Medium | The operating system must automatically disable inactive accounts after an organization-defined time period. | Users are often the first line of defense within an application. Active users take notice of system and data conditions and are usually the first to notify systems administrators when they notice... |
SRG-OS-000168-ESXI5-PF | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
SRG-OS-000080-ESXI5-PNF | Medium | The operating system must enforce approved authorizations for logical access to the system in accordance with applicable policy. | Strong access controls are critical to securing data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms... |
GEN001410-ESXI5-PNF | Medium | The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or system. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
GEN003930-ESXI5-PNF | Medium | The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system. | Failure to give group ownership of the hosts.lpd file to root, bin, sys, or system provides the members of the owning group and possible unauthorized users, with the potential to modify the... |
ESXI5-VM-000009 | Medium | The system must disable HGFS file transfers. | Certain automated operations, such as automated tools upgrades, use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files... |
GEN002720-ESXI5-PNF | Medium | The audit system must be configured to audit failed attempts to access files and programs. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN003940-ESXI5-PNF | Medium | The hosts.lpd (or equivalent) must have mode 0644 or less permissive. | Excessive permissions on the hosts.lpd (or equivalent) file may permit unauthorized modification. Unauthorized modifications could disrupt access to local printers from authorized remote hosts or... |
GEN003835-ESXI5-PNF | Medium | The rlogind service must not be installed. | The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - No rlogind service. |
SRG-OS-000242-ESXI5-PNF | Medium | The operating system must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN004900-ESXI5-PNF | Medium | The ftpusers file must contain account names not allowed to use FTP. | The ftpusers file contains a list of accounts that are not allowed to use FTP to transfer files. If the file does not contain the names of all accounts not authorized to use FTP, then unauthorized... |
SRG-OS-000151-ESXI5-PNF | Medium | The operating system must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination. | In the case of the operating system, the boundary may be the workstation on the public internet. In order to thwart an attack the operating system must be able to ensure communications are coming... |
GEN000250-ESXI5-PNF | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
GEN003601-ESXI5-PNF | Medium | TCP backlog queue sizes must be set appropriately. | To provide some mitigation to TCP DoS attacks, the TCP backlog queue sizes must be set to at least 1280 or in accordance with product-specific guidelines. Permanent not a finding - The hypervisor... |
SRG-OS-000133-ESXI5-PNF | Medium | The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. | Operating system management functionality includes functions necessary to administer the operating system, network components, workstations, or servers, and typically requires privileged user access. The... |
GEN001820-ESXI5-PNF | Medium | All skeleton files and directories (typically in /etc/skel) must be owned by bin. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Failure to give ownership of sensitive files or utilities... |
GEN003245-ESXI5-PNF | Medium | The at.allow file must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Unauthorized modification of the at.allow file could result in Denial-of-Service to... |
GEN001400-ESXI5-PNF | Medium | The /etc/shadow (or equivalent) file must be owned by root. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Failure to give ownership of sensitive files... |
ESXI5-VMNET-000013 | Medium | The system must ensure that the virtual switch Forged Transmits policy is set to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage... |
ESXI5-VMNET-000012 | Medium | All port groups must not be configured to VLAN values reserved by upstream physical switches. | Physical vendor-specific switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. Use of reserved VLAN IDs can result in a network denial-of-service. |
ESXI5-VMNET-000011 | Medium | All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT). | When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to... |
ESXI5-VMNET-000010 | Medium | All port groups must be configured to a value other than that of the native VLAN. | ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will... |
ESXI5-VMNET-000017 | Medium | The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. | In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be... |
ESXI5-VMNET-000014 | Medium | The system must ensure that the dvPortgroup Forged Transmits policy is set to reject. | If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage... |
ESXI5-VMNET-000019 | Medium | The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject. | When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual... |
ESXI5-VMNET-000018 | Medium | The system must ensure the virtual switch Promiscuous Mode policy is set to reject. | When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual... |
GEN001160-ESXI5-PNF | Medium | All files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same UID as the UID of the unowned files. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN006200-ESXI5-PNF | Medium | The /etc/smbpasswd file must have mode 0600 or less permissive. | If the smbpasswd file has a mode more permissive than 0600, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. Applicable, but... |
GEN006120-ESXI5-PNF | Medium | The /etc/smb.conf file must be group-owned by root, bin, or sys. | If the group owner of the smb.conf file is not root or a system group, the file may be maliciously modified and the Samba configuration could be compromised. Applicable, but permanent... |
SRG-OS-000173-ESXI5-PNF | Medium | The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
GEN003040-ESXI5-PNF | Medium | Crontabs must be owned by root or the crontab creator. | To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN003320-ESXI5-PNF | Medium | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. | Default accounts, such as bin, sys, adm, uucp, daemon, and others, should never have access to the "at" facility. This would create a possible vulnerability open to intruders or malicious users.... |
SRG-OS-000124-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only. | The intent of this control is to address the security-related issues arising from the software brought into the operating system specifically for diagnostic and repair actions (e.g., a software... |
GEN000360-ESXI5-PNF | Medium | Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups. | Reserved GIDs are typically used by system software packages. If non-system groups have GIDs in this range, they may conflict with system software, possibly leading to the group having permissions... |
GEN007140-ESXI5-PNF | Medium | The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required. | The Lightweight User Datagram Protocol (UDP-Lite) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack... |
SRG-OS-000028-ESXI5-PF | Medium | The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
GEN006235-ESXI5-PNF | Medium | Samba must be configured to not allow guest access to shares. | Guest access to shares permits anonymous access and is not permitted. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN001372-ESXI5-PNF | Medium | The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from... |
GEN001368-ESXI5-PNF | Medium | The /etc/hosts file must have mode 0644 or less permissive. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
SRG-OS-000030-ESXI5-PF | Medium | The operating system must provide the capability for users to directly initiate session lock mechanisms. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not want to log out because of the temporary nature of... |
GEN003619-ESXI5-PNF | Medium | The system must not be configured for network bridging. | Some systems have the ability to bridge or switch frames (link-layer forwarding) between multiple interfaces. This can be useful in a variety of situations but, if enabled when not needed, has the... |
GEN001605-ESXI5-PNF | Medium | Run control scripts' library search paths must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
SRG-OS-000271-ESXI5-PF | Medium | The operating system must take organization-defined list of least disruptive actions to terminate suspicious events. | System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This... |
GEN001362-ESXI5-PNF | Medium | The /etc/resolv.conf file must be owned by root. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may... |
GEN000402-ESXI5-PNF | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Applicable, but permanent not-a-finding - The... |
GEN007850-ESXI5-PNF | Medium | The DHCP client must not send dynamic DNS updates. | Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. Applicable, but permanent not-a-finding - DHCP is required... |
GEN000590-ESXI5-PF | Medium | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
GEN003830-ESXI5-PNF | Medium | The rlogind service must not be running. | The rlogind process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - No rlogind service. |
GEN003770-ESXI5-PNF | Medium | The services file must be group-owned by root, bin, sys, or system. | Failure to give ownership of system configuration files to root or a system group provides the designated owner and unauthorized users with the potential to change the system configuration which... |
GEN004980-ESXI5-PNF | Medium | The FTP daemon must be configured for logging or verbose mode. | Verbose FTP logging allows the examination of events involving FTP account activity, including login/logout events and file transfers. Without this configuration, logs necessary for... |
SRG-OS-99999-ESXI5-000161 | Medium | The system must zero out VMDK files prior to deletion. | The virtual disk must be zeroed prior to deletion in order to prevent sensitive data in VMDK files from being recovered. |
SRG-OS-99999-ESXI5-000160 | Medium | The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory. | ESXi hosts configured to join an Active Directory domain using host profiles do not protect the passwords used for host authentication. To avoid transmitting clear text passwords, the vSphere... |
SRG-OS-000276-ESXI5-PNF | Medium | The operating system must notify, as required, appropriate individuals when an account is disabled. | Monitoring account disabling is critical to ensure a denial of service situation does not exist on the operating system. An unexpected account deletion can also be a sign of a rogue administrator... |
GEN000440-ESXI5-PNF | Medium | Successful and unsuccessful logins and logouts must be logged. | Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system. Without this logging, the ability to track unauthorized activity to specific user... |
GEN001980-ESXI5-PNF | Medium | The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups. | A plus (+) in system accounts' files causes the system to lookup the specified entry using NIS. If the system is not using NIS, no such entries should exist. Applicable, but permanent... |
SRG-OS-000116-ESXI5-PNF | Medium | The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific... |
GEN003270-ESXI5-PNF | Medium | The cron.deny file must be group-owned by root, bin, sys, or cron. | Cron daemon control files restrict the scheduling of automated tasks and must be protected. Unauthorized modification of the cron.deny file could result in Denial-of-Service to authorized cron... |
GEN003760-ESXI5-PNF | Medium | The services file must be owned by root or bin. | Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the... |
GEN003480-ESXI5-PNF | Medium | The at.deny file must be owned by root, bin, or sys. | If the owner of the at.deny file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Applicable, but permanent... |
GEN000790-ESXI5-000085 | Medium | The system must prevent the use of dictionary words for passwords. | An easily guessable password provides an open door to any external or internal malicious intruder. Many computer compromises occur as the result of account name and password guessing. This is... |
GEN002140-ESXI5-000046 | Medium | All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins. | The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not... |
SRG-OS-000088-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to enforce access restrictions. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or... |
SRG-OS-000119-ESXI5-PNF | Medium | The operating system must dynamically manage identifiers, attributes, and associated access authorizations. | Dynamic management of identities and association of attributes and privileges with these identities are anticipated and provisioned. Pre-established trust relationships and mechanisms with... |
SRG-OS-000177-ESXI5-PNF | Medium | The operating system must associate security attributes with information exchanged between information systems. | When data is exchanged between information systems, the security attributes associated with the data needs to be maintained. Security attributes are an abstraction representing the basic... |
SRG-OS-000221-ESXI5-PNF | Medium | The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN008050-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords. | The authentication of automated LDAP connections between systems must not use passwords since more secure methods are available, such as PKI and Kerberos. Additionally, the storage of unencrypted... |
GEN004820-ESXI5-PNF | Medium | Anonymous FTP must not be active on the system unless authorized. | Due to the numerous vulnerabilities inherent in anonymous FTP, it is recommended that it not be used. If anonymous FTP must be used on a system, the requirement must be authorized and approved in... |
GEN005536-ESXI5-000110 | Medium | The SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
GEN002825-ESXI5-PNF | Medium | The audit system must be configured to audit the loading and unloading of dynamic kernel modules. | Actions concerning dynamic kernel modules must be recorded as they are substantial events. Dynamic kernel modules can increase the attack surface of a system. A malicious kernel module can be used... |
SRG-OS-000260-ESXI5-PF | Medium | The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately. | Any changes to the hardware, software, and/or firmware components of the operating system can potentially have significant effects on the overall security of the system. Accordingly, only... |
SRG-OS-000232-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the... |
GEN002820-ESXI5-PNF | Medium | The audit system must be configured to audit all discretionary access control permission modifications. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN003090-ESXI5-PNF | Medium | Crontab files must not have extended ACLs. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on crontab files may provide unauthorized access to the... |
SRG-OS-000082-ESXI5-PF | Medium | The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
SRG-OS-000251-ESXI5-PNF | Medium | The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational operating system by a user (or an information system) communicating through an external, non-organization-controlled network. Remote access to... |
SRG-OS-000076-ESXI5-PF | Medium | The operating system must enforce maximum password lifetime restrictions. | Passwords need to be changed at specific policy based intervals. Any password no matter how complex can eventually be cracked. One method of minimizing this risk is to use complex passwords and... |
GEN000950-ESXI5-PF | Medium | The root account's list of preloaded libraries must be empty. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
SRG-OS-000237-ESXI5-PF | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in process. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
GEN004420-ESXI5-PNF | Medium | Files executed through a mail aliases file must have mode 0755 or less permissive. | If a file executed through a mail aliases file has permissions greater than 0755, it can be modified by an unauthorized user and may contain malicious code or instructions possibly compromising... |
GEN001379-ESXI5-PNF | Medium | The /etc/passwd file must be group-owned by root, bin, sys, or system. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Applicable, but permanent not-a-finding - Not... |
GEN002360-ESXI5-PNF | Medium | Audio devices must be group-owned by root, sys, bin, or system. | Without privileged group owners, audio devices will be vulnerable to being used as eavesdropping devices by malicious users or intruders to possibly listen to conversations containing sensitive... |
SRG-OS-000118-ESXI5-PNF | Medium | The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity. | Inactive user accounts pose a risk to systems and applications. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Attackers able to... |
ESXI5-VM-000053 | Medium | The system must control access to VMs through the VMsafe CPU/memory "vmsafe.agentPort" API. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
ESXI5-VM-000052 | Medium | The system must control access to VMs through VMsafe CPU/memory APIs. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
SRG-OS-000142-ESXI5-PNF | Medium | The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service attacks. | In the case of Denial of Service attacks, care must be taken when designing the operating system so as to ensure that the operating system makes the best use of system resources. Permanent not a... |
ESXI5-VM-000054 | Medium | The system must control access to VMs through the VMsafe CPU/memory "vmsafe.enable" API. | The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware... |
GEN006230-ESXI5-PNF | Medium | Samba must be configured to use encrypted passwords. | Samba must be configured to protect authenticators. If Samba passwords are not encrypted for storage, plain-text user passwords may be read by those with access to the Samba password file.... |
GEN007900-ESXI5-PF | Medium | The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6. | Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets with source addresses for which the system has no route or if the route does... |
GEN003120-ESXI5-PNF | Medium | Cron and crontab directories must be owned by root or bin. | Incorrect ownership of the cron or crontab directories could permit unauthorized users the ability to alter cron jobs and run automated jobs as privileged users. Failure to give ownership of cron... |
SRG-OS-000004-ESXI5-PNF | Medium | The operating system must support the requirement to automatically audit on account creation. | Auditing of account creation is a method and best practice for mitigating the risk of an attacker creating a persistent method of re-establishing access. A comprehensive account management process... |
GEN005810-ESXI5-PNF | Medium | All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system. | Failure to give group ownership of sensitive files or directories to root provides the members of the owning group with the potential to access sensitive information or change system configuration... |
GEN001140-ESXI5-PNF | Medium | System files and directories must not have uneven access permissions. | Discretionary access control is undermined if users, other than a file owner, have greater access permissions to system files and directories than the owner. Applicable, but permanent... |
SRG-OS-000066-ESXI5-PF | Medium | The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor. | A trust anchor is an authoritative entity represented via a public key and associated data. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor, for... |
SRG-OS-000188-ESXI5-PNF | Medium | The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media. | Use of non-modifiable storage ensures the integrity of the software program from the point of creation of the read-only image. Organizations may require the information system to load specified... |
GEN008000-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI. | LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.... |
GEN005537-ESXI5-000111 | Medium | The SSH daemon must use privilege separation. | SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section. |
SRG-OS-000262-ESXI5-PF | Medium | The operating system must uniquely authenticate destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
SRG-OS-000109-ESXI5-PNF | Medium | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | To assure individual accountability and prevent unauthorized access, organizational users shall be individually identified and authenticated. Users (and any processes acting on behalf of users)... |
GEN001360-ESXI5-PNF | Medium | The NIS/NIS+/yp command files must have mode 0755 or less permissive. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise... |
SRG-OS-000051-ESXI5-PNF | Medium | Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
SRG-OS-000048-ESXI5-PNF | Medium | The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
SRG-OS-000255-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
GEN001800-ESXI5-PNF | Medium | All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Applicable, but permanent not-a-finding - Skel files do not exist. |
GEN002520-ESXI5-PNF | Medium | All public directories must be owned by root or an application account. | If a public directory has the sticky bit set and is not owned by a privileged UID, unauthorized users may be able to modify files created by others. Applicable, but permanent not-a-finding - Not a... |
SRG-OS-000024-ESXI5-PNF | Medium | The operating system must retain the notification message or banner on the screen until users take explicit actions to logon for further access. | To establish acceptance of system usage policy, a click-through banner at operating system logon is required. The banner must prevent further activity on the application unless and until the user... |
GEN005420-ESXI5-PNF | Medium | The /etc/syslog.conf file must be group-owned by root, bin, sys, or system. | If the group owner of /etc/syslog.conf is not root, bin, or sys, unauthorized users could be permitted to view, edit, or delete important system messages handled by the syslog facility.... |
GEN003780-ESXI5-PNF | Medium | The services file must have mode 0444 or less permissive. | The services file is critical to the proper operation of network services and must be protected from unauthorized modification. Unauthorized modification could result in the failure of network... |
GEN005160-ESXI5-PNF | Medium | Any X Windows host must write .Xauthority files. | .Xauthority files ensure the user is authorized to access the specific X Windows host. If .Xauthority files are not used, it may be possible to obtain unauthorized access to the X Windows host.... |
GEN006040-ESXI5-PNF | Medium | The system must not have any peer-to-peer file-sharing application installed. | Peer-to-peer file-sharing software can result in the unintentional exfiltration of information. There are also many legal issues associated with these types of utilities including copyright... |
GEN002200-ESXI5-PNF | Medium | All shell files must be owned by root or bin. | If shell files are owned by users other than root or bin, they could be modified by intruders or malicious users to perform unauthorized actions. Applicable, but permanent not-a-finding - Not a... |
GEN008200-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000254-ESXI5-PNF | Medium | The operating system must initiate session audits at system start-up. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or... |
SRG-OS-000265-ESXI5-PNF | Medium | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
GEN003430-ESXI5-PNF | Medium | The "at" directory must be group-owned by root, bin, sys, or cron. | If the group of the "at" directory is not root, bin, sys, or cron, unauthorized users could be allowed to view or edit files containing sensitive information within the directory. Applicable, but... |
GEN003020-ESXI5-PNF | Medium | Cron must not execute programs in, or subordinate to, world-writable directories. | If cron programs are located in or subordinate to world-writable directories, they become vulnerable to removal and replacement by malicious users or system intruders. Applicable, but permanent... |
GEN008300-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000135-ESXI5-PNF | Medium | The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
GEN005460-ESXI5-000060 | Medium | The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures. | If a remote log host is in use and it has not been justified and documented with the IAO, sensitive information could be obtained by unauthorized users without the SA's knowledge. A remote log... |
GEN005750-ESXI5-PNF | Medium | The NFS export configuration file must be group-owned by root, bin, sys, or system. | Failure to give group ownership of the NFS export configuration file to root or a system group provides the designated group owner and possible unauthorized users with the potential to change... |
GEN004360-ESXI5-PNF | Medium | The aliases file must be owned by root. | If the aliases file is not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email. Applicable, but permanent not-a-finding - no aliases file... |
SRG-OS-000001-ESXI5-PNF | Medium | The operating system must provide automated support for account management functions. | A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Examples include, but... |
GEN000750-ESXI5-000084 | Medium | The system must require at least four characters be changed between the old and new passwords during a password change. | To ensure password changes are effective in their goals, the system must ensure old and new passwords have significant differences. Without significant changes, new passwords may be easily guessed... |
SRG-OS-000227-ESXI5-PNF | Medium | The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device. | Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen or misplaced, attempts can be made to unlock the device by guessing the PIN. In order to... |
GEN002420-ESXI5-00878 | Medium | Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option. | The "nosuid" mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system that does not contain approved setuid files.... |
SRG-OS-000121-ESXI5-PNF | Medium | The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all operating system users other than organizational users which include employees or individuals the organization deems to have equivalent status of employees... |
GEN004580-ESXI5-PNF | Medium | The system must not use .forward files. | The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops which... |
GEN005523-ESXI5-PNF | Medium | The SSH private host key files must have mode 0600 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated. Applicable, but permanent not-a-finding. VMware's ESXi-v5 is a multi-user kernel where all users are... |
GEN004500-ESXI5-PNF | Medium | The SMTP service log file must have mode 0644 or less permissive. | If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file. Applicable, but permanent not-a-finding - no sendmail. |
SRG-OS-000087-ESXI5-PNF | Medium | The operating system must enforce logical access restrictions associated with changes to the information system. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can... |
GEN001365-ESXI5-PNF | Medium | The /etc/resolv.conf file must not have an extended ACL. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may... |
SRG-OS-000209-ESXI5-PF | Medium | The operating system must validate the binding of the information producer's identity to the information. | Predictable failure prevention requires organizational planning to address system failure issues. If a subsystem of the operating system, hardware, or the operating system itself, is key to... |
GEN008140-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000107-ESXI5-PF | Medium | The operating system must use multifactor authentication for local access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
GEN002730-ESXI5-PNF | Medium | The audit system must alert the SA when the audit storage volume approaches its capacity. | An accurate and current audit trail is essential for maintaining a record of system activity. If the system fails, the SA must be notified and must take prompt action to correct the problem.... |
GEN001310-ESXI5-PNF | Medium | All library files must not have extended ACLs. | Unauthorized access could destroy the integrity of the library files. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000203-ESXI5-PNF | Medium | The operating system must check the validity of information inputs. | Invalid user input occurs when a user inserts data or characters the system is unprepared to process. This results in unanticipated behavior that could lead to a compromise. Permanent... |
GEN002460-ESXI5-20047 | Medium | The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files. | Files with the sgid bit set will allow anyone running these files to be temporarily assigned the group id of the file. While many system files depend on these attributes for proper operation,... |
SRG-OS-000022-ESXI5-PNF | Medium | The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy. | Anytime an authentication method is exposed to allow for the utilization of an operating system, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts,... |
GEN007540-ESXI5-PNF | Medium | The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled. | The Transparent Inter-Process Communication (TIPC) protocol is a relatively new cluster communications protocol developed by Ericsson. Binding this protocol to the network stack increases the... |
SRG-OS-000247-ESXI5-PNF | Medium | The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
SRG-OS-000091-ESXI5-PF | Medium | The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information. | Regarding access restrictions for changes made to organization-defined information system components and system-level information, any changes to the hardware, software, and/or firmware components... |
GEN005580-ESXI5-PNF | Medium | A system used for routing must not run other network services or applications. | Installing extraneous software on a system designated as a dedicated router poses a security threat to the system and the network. Should an attacker gain access to the router through the... |
GEN005590-ESXI5-PNF | Medium | The system must not be running any routing protocol daemons, unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be... |
GEN001391-ESXI5-PNF | Medium | The /etc/group file must be owned by root. | The /etc/group file is critical to system security and must be owned by a privileged user. The group file contains a list of system groups and associated information. Applicable, but permanent... |
SRG-OS-000110-ESXI5-PF | Medium | The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
GEN002380-ESXI5-PNF | Medium | The owner, group owner, mode, ACL, and location of files with the suid bit set must be documented using site-defined procedures. | All files with the suid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation,... |
SRG-OS-000274-ESXI5-PNF | Medium | The operating system must notify, as required, appropriate individuals when accounts are created. | Monitoring account creation is critical to ensure only appropriate personnel have access to the operating system. This reduces the possibility a rogue account will be created. In order to... |
GEN005020-ESXI5-PNF | Medium | The anonymous FTP account must be configured to use chroot or a similarly isolated environment. | If an anonymous FTP account does not use a chroot or similarly isolated environment, the system may be more vulnerable to exploits against the FTP service. Such exploits could allow an attacker to... |
GEN001393-ESXI5-PNF | Medium | The /etc/group file must have mode 0644 or less permissive. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. Applicable, but... |
GEN000280-ESXI5-PNF | Medium | Direct logins must not be permitted to shared, default, application, or utility accounts. | Shared accounts (accounts where two or more people log in with the same user identification) do not provide identification and authentication. There is no way to provide for non-repudiation or... |
GEN002480-ESXI5-PNF | Medium | Public directories must be the only world-writable directories and world-writable files must be located only in public directories. | World-writable files and directories make it easy for a malicious user to place potentially compromising files on the system. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
SRG-OS-000067-ESXI5-PF | Medium | The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and... |
SRG-OS-99999-ESXI5-000132 | Medium | Persistent logging for all ESXi hosts must be configured. | ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of... |
SRG-OS-99999-ESXI5-000133 | Medium | Remote logging for ESXi hosts must be configured. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, administrators can more easily monitor all hosts with a single tool. It... |
SRG-OS-99999-ESXI5-000131 | Medium | NTP time synchronization must be configured. | By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard... |
SRG-OS-99999-ESXI5-000136 | Medium | The system must disable ESXi Shell unless needed for diagnostics or troubleshooting. | The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The... |
SRG-OS-99999-ESXI5-000137 | Medium | The system must disable the Managed Object Browser (MOB). | The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be... |
GEN001371-ESXI5-PNF | Medium | The /etc/nsswitch.conf file must be owned by root. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from... |
GEN005180-ESXI5-PNF | Medium | All .Xauthority files must have mode 0600 or less permissive. | .Xauthority files ensure the user is authorized to access the specific X Windows host. Excessive permissions may permit unauthorized modification of these files, which could lead to Denial of... |
SRG-OS-99999-ESXI5-000138 | Medium | The system must disable SSH. | The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended... |
SRG-OS-99999-ESXI5-000139 | Medium | The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications. | The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM.... |
SRG-OS-000229-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to centrally manage configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
SRG-OS-000007-ESXI5-PNF | Medium | The operating system must enforce one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
GEN002230-ESXI5-PNF | Medium | All shell files must not have extended ACLs. | Shells with world/group-write permissions give the ability to maliciously modify the shell to obtain unauthorized access. Applicable, but permanent not-a-finding - The hypervisor does not support... |
GEN003140-ESXI5-PNF | Medium | Cron and crontab directories must be group-owned by root, sys, bin or cron. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Failure to give group-ownership of cron or crontab directories... |
SRG-OS-000231-ESXI5-PNF | Medium | The operating system must enforce requirements for remote connections to the information system. | The organization will define the requirements for connection of remote connections. In order to ensure the connection provides adequate integrity and confidentiality of the connection, the... |
GEN007080-ESXI5-PNF | Medium | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. | The Datagram Congestion Control Protocol (DCCP) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack... |
GEN000620-ESXI5-000067 | Medium | The system must require that passwords contain at least one numeric character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
SRG-OS-000085-ESXI5-PNF | Medium | The operating system must track problems associated with the security attribute binding. | The operating system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information... |
GEN000410-ESXI5-PNF | Medium | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Applicable, but permanent not-a-finding - The... |
GEN003605-ESXI5-PF | Medium | The system must not apply reversed source routing to TCP responses. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
SRG-OS-000084-ESXI5-PF | Medium | The operating system must bind security attributes to information to facilitate information flow policy enforcement. | Operating system application enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.... |
SRG-OS-000263-ESXI5-PF | Medium | The operating system must track problems associated with the information transfer. | When an operating system transfers data, there is the chance an error or problem with the data transfer may occur. The operating system needs to track failures and any problems encountered when... |
ESXI5-VM-000045 | Medium | The system must prevent unauthorized removal, connection and modification of devices by setting the "isolation.device.connectable.disable" keyword to true. | Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to connect or disconnect devices, such as network... |
SRG-OS-000269-ESXI5-PF | Medium | The operating system must preserve organization-defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality,... |
GEN007860-ESXI5-PF | Medium | The system must ignore IPv6 ICMP redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An... |
GEN005550-ESXI5-000114 | Medium | The SSH daemon must be configured with the Department of Defense (DoD) logon banner. | Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. |
GEN003050-ESXI5-PNF | Medium | Crontab files must be group-owned by root, cron, or the crontab creator's primary group. | To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN007660-ESXI5-PNF | Medium | The Bluetooth protocol handler must be disabled or not installed. | Bluetooth is a Personal Area Network (PAN) technology. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the... |
GEN000520-ESXI5-PNF | Medium | The root user must not own the logon session for an application requiring a continuous display. | If an application is providing a continuous display and is running with root privileges, unauthorized users could interrupt the process and gain root access to the system. Applicable, but... |
SRG-OS-000223-ESXI5-PF | Medium | The operating system, when transferring information between different security domains, must detect unsanctioned information. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
SRG-OS-000009-ESXI5-PNF | Medium | The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
SRG-OS-000053-ESXI5-PNF | Medium | The operating system audit records must be able to be used by a report generation capability. | Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify a network element that has been... |
GEN005400-ESXI5-PNF | Medium | The /etc/syslog.conf file must be owned by root. | If the /etc/syslog.conf file is not owned by root, unauthorized users could be allowed to view, edit, or delete important system messages handled by the syslog facility. Applicable, but permanent... |
GEN001550-ESXI5-PNF | Medium | All files and directories contained in users' home directories must be group-owned by a group of which the home directory's owner is a member. | If a user's files are group-owned by a group where the user is not a member, unintended users may be able to access them. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
SRG-OS-000002-ESXI5-PNF | Medium | The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account. | When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the... |
GEN006480-ESXI5-PF | Medium | The system must have a host-based intrusion detection tool installed. | Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion detection tool can... |
GEN001394-ESXI5-PNF | Medium | The /etc/group file must not have an extended ACL. | The /etc/group file is critical to system security and must be protected from unauthorized modification. The group file contains a list of system groups and associated information. Applicable, but... |
GEN006340-ESXI5-PNF | Medium | Files in /etc/news must be owned by root or news. | If critical system files are not owned by a privileged user, system integrity could be compromised. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000174-ESXI5-PNF | Medium | The operating system must protect the integrity and availability of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of... |
GEN003470-ESXI5-PNF | Medium | The at.allow file must be group-owned by root, bin, sys, or cron. | If the group owner of the at.allow file is not set to root, bin, sys, or cron, unauthorized users could be allowed to view or edit the list of users permitted to run "at" jobs. Unauthorized... |
GEN004930-ESXI5-PNF | Medium | The ftpusers file must be group-owned by root, bin, sys, or system. | If the ftpusers file is not group-owned by root or a system group, an unauthorized user may modify the file to allow unauthorized accounts to use FTP. Applicable, but permanent not-a-finding - The... |
SRG-OS-000175-ESXI5-PNF | Medium | The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed. | Collaborative computing devices include networked white boards, cameras, and microphones. Collaborative software examples include instant messaging or chat clients. Applicable, but permanent... |
SRG-OS-000041-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time... |
SRG-OS-000202-ESXI5-PNF | Medium | The operating system must detect unauthorized changes to software and information. | Unauthorized changes to the operating system software or information on the system can possibly result in integrity or availability concerns. In order to quickly react to this situation, the... |
SRG-OS-000010-ESXI5-PF | Medium | The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. | Protected processing domains can be used to separate different data types. The operating system must enforce information flow control to ensure information does not pass into domains that are not... |
SRG-OS-000052-ESXI5-PNF | Medium | The operating system must support an audit reduction capability. | Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review information systems and/or applications with an audit reduction... |
GEN001220-ESXI5-PNF | Medium | All system files, programs, and directories must be owned by a system account. | Restricting permissions will protect the files from unauthorized modification. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user kernel... |
GEN003190-ESXI5-PNF | Medium | The cron log files must not have extended ACLs. | Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation. Applicable, but permanent not-a-finding - The hypervisor does not support... |
ESXI5-VM-000011 | Medium | The system must disable VM-to-VM communication through VMCI. | If the interface is not restricted, a VM can detect and be detected by all other VMs with the same option enabled within the same host. This might be the intended behavior, but custom-built... |
ESXI5-VM-000013 | Medium | The system must disable VM Monitor Control. | When Virtual Machines are running on a hypervisor they are "aware" that they are running in a virtual environment and this information is available to tools inside the guest OS. This can give... |
GEN000251-ESXI5-PNF | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
SRG-OS-000246-ESXI5-PNF | Medium | The operating system must only allow authorized users to associate security attributes with information. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
GEN003380-ESXI5-PNF | Medium | The "at" daemon must not execute programs in, or subordinate to, world-writable directories. | If "at" programs are located in, or subordinate to, world-writable directories, they become vulnerable to removal and replacement by malicious users or system intruders. Applicable, but permanent... |
SRG-OS-000243-ESXI5-PNF | Medium | The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
GEN002300-ESXI5-PNF | Medium | Device files used for backup must only be readable and/or writable by root or the backup user. | System backups could be accidentally or maliciously overwritten and destroy the ability to recover the system if a compromise should occur. Unauthorized users could also copy system files.... |
SRG-OS-000061-ESXI5-PNF | Medium | The operating system must protect against an individual falsely denying having performed a particular action. | Non-repudiation of actions taken is required in order to maintain integrity. Non-repudiation protects individuals against later claims by an author of not having updated a particular file, invoked... |
SRG-OS-000257-ESXI5-PNF | Medium | The operating system must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
SRG-OS-000222-ESXI5-PF | Medium | The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN005505-ESXI5-000097 | Medium | The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. | DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. |
GEN008780-ESXI5-PNF | Medium | The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system. | The system's boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modifications resulting from improper group ownership may compromise... |
SRG-OS-000148-ESXI5-PNF | Medium | The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks. | This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings not configurable by the user of the device. An example of a non-remote... |
GEN003607-ESXI5-PF | Medium | The system must not accept source-routed IPv4 packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
GEN001320-ESXI5-PNF | Medium | NIS/NIS+/yp files must be owned by root, sys, or bin. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to... |
SRG-OS-000216-ESXI5-PNF | Medium | The operating system must use cryptographic mechanisms to protect the integrity of audit information. | Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. Permanent not a... |
GEN003900-ESXI5-PNF | Medium | The hosts.lpd file (or equivalent) must not contain a "+" character. | Having the "+" character in the hosts.lpd (or equivalent) file allows all hosts to use local system print resources. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
SRG-OS-99999-ESXI5-000149 | Medium | The ESXi system must be properly patched. Vendor-recommended software patches, system security patches, and updates must be installed and up-to-date. | By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate... |
GEN005375-ESXI5-PNF | Medium | The snmpd.conf file must not have an extended ACL. | The snmpd.conf file contains authenticators and must be protected from unauthorized access and modification. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN004920-ESXI5-PNF | Medium | The ftpusers file must be owned by root. | If the file ftpusers is not owned by root, an unauthorized user may modify the file to allow unauthorized accounts to use FTP. Applicable, but permanent not-a-finding - no ftp. |
GEN001845-ESXI5-PNF | Medium | Global initialization files' library search paths must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
SRG-OS-000239-ESXI5-PNF | Medium | The operating system must automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
GEN001660-ESXI5-PNF | Medium | All system start-up files must be owned by root. | System start-up files not owned by root could lead to system compromise by allowing malicious users or applications to modify them for unauthorized purposes. This could lead to system and network... |
SRG-OS-000035-ESXI5-PNF | Medium | The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. | Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g.,... |
GEN003060-ESXI5-PNF | Medium | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist. | To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
GEN007020-ESXI5-PNF | Medium | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. | The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the... |
SRG-OS-000178-ESXI5-PNF | Medium | The operating system must validate the integrity of security attributes exchanged between systems. | When data is exchanged between information systems, the security attributes associated with the data need to be maintained. Security attributes are an abstraction representing the basic... |
GEN001901-ESXI5-PNF | Medium | Local initialization files' library search paths must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
GEN005504 | Medium | The SSH daemon must only listen on management network addresses unless authorized for uses other than management. | The SSH daemon should only listen on network addresses designated for management traffic. If the system has multiple network interfaces and SSH listens on addresses not designated for management... |
GEN008620-ESXI5-000054 | Medium | System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others. | A system's BIOS or system controller handles the initial startup of a system and its configuration must be protected from unauthorized modification. When the BIOS or system controller supports the... |
GEN005512-ESXI5-702 | Medium | The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
GEN008160-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification... |
GEN007800-ESXI5-PNF | Medium | The system must not have Teredo enabled. | Teredo is an IPv6 transition mechanism involving tunneling IPv6 packets encapsulated in IPv4 packets. Unauthorized tunneling may circumvent network security. Applicable, but permanent... |
GEN005380-ESXI5-PNF | Medium | If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS. | Installing extraneous software on a system designated as a dedicated Network Management System (NMS) server poses a security threat to the system and the network. Should an attacker gain access to... |
GEN002430-ESXI5-PF | Medium | Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the "nodev" option. | The "nodev" (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system that does not contain approved device... |
GEN003250-ESXI5-PNF | Medium | The cron.allow file must be group-owned by root, bin, sys, or cron. | If the group of the cron.allow file is not set to root, bin, sys, or cron, the possibility exists for an unauthorized user to view or edit the list of users permitted to use cron. Unauthorized... |
GEN000945-ESXI5-PF | Medium | The root account's library search path must be the system default and must contain only absolute paths. | The library search path environment variable(s) contain a list of directories for the dynamic linker to search to find libraries. If this path includes the current working directory or other... |
GEN000240-ESXI5-000058 | Medium | The system clock must be synchronized to an authoritative DoD time source. | To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions,... |
SRG-OS-000240-ESXI5-PNF | Medium | The operating system must automatically audit account disabling actions. | When accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying processes themselves. In order to detect and... |
SRG-OS-99999-ESXI5-000142 | Medium | The system must enable lockdown mode to restrict remote access. | Enabling lockdown prevents all API-based access by the accounts to the ESXi host. Enabling lockdown mode disables all remote access to ESXi machines. There are some operations, such as backup... |
GEN003420-ESXI5-PNF | Medium | The "at" directory must be owned by root, bin, or sys. | If the owner of the "at" directory is not root, bin, or sys, unauthorized users could be allowed to view or edit files containing sensitive information within the directory. Applicable, but... |
GEN002400-ESXI5-10047 | Medium | The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files. | Files with the suid bit set will allow anyone running these files to be temporarily assigned the UID of the file. While many system files depend on these attributes for proper operation, security... |
SRG-OS-000005-ESXI5-PNF | Medium | The operating system must dynamically manage user privileges and associated access authorizations. | While user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing mission/business requirements and operational needs of the organization.... |
GEN003600-ESXI5-PF | Medium | The system must not forward IPv4 source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
SRG-OS-000277-ESXI5-PNF | Medium | The operating system must notify, as required, appropriate individuals for account termination. | Monitoring account termination is critical to ensure a denial of service situation does not exist on the operating system. An unexpected account termination can also be a sign of a rogue... |
SRG-OS-000270-ESXI5-PNF | Medium | The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. | In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes... |
SRG-OS-99999-ESXI5-000146 | Medium | The system must ensure the vpxuser password meets length policy. | The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password... |
GEN005522-ESXI5-PNF | Medium | The SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised. Applicable, but permanent not-a-finding. VMware's ESXi-v5 is a multi-user kernel where all users... |
SRG-OS-000108-ESXI5-PNF | Medium | The operating system must use multifactor authentication for local access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
GEN001700-ESXI5-PNF | Medium | System start-up files must only execute programs owned by a privileged UID or an application. | System start-up files that execute programs owned by other than root (or another privileged user) or an application indicates the system may have been compromised. Applicable, but permanent... |
SRG-OS-000047-ESXI5-PNF | Medium | The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). | It is critical when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Audit processing failures include software/hardware... |
GEN001430-ESXI5-PNF | Medium | The /etc/shadow file must not have an extended ACL. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
SRG-OS-99999-ESXI5-000148-PNF | Medium | The system must establish a password policy for password complexity. | ESXi uses the pam_passwdqc.so plug-in to set rules that users must observe when creating passwords and to check password strength. Passwords that are not easily guessed and that are difficult for... |
SRG-OS-000062-ESXI5-PNF | Medium | The operating system must provide audit record generation capability for the auditable events defined in at the organizational level for the organization-defined information system components. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
GEN007700-ESXI5-000116 | Medium | The IPv6 protocol handler must not be bound to the network stack unless needed. | IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. |
SRG-OS-000032-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Remote access is any access to an organizational information system by a... |
GEN001610-ESXI5-PF | Medium | Run control scripts' lists of preloaded libraries must contain only absolute paths. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
GEN001870-ESXI5-PNF | Medium | Local initialization files must be group-owned by the user's primary group or root. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
GEN004480-ESXI5-PNF | Medium | The SMTP service log file must be owned by root. | If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise. Applicable, but permanent not-a-finding - no sendmail. |
GEN002980-ESXI5-PNF | Medium | The cron.allow file must have mode 0600 or less permissive. | A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is... |
GEN007780-ESXI5-PNF | Medium | The system must not have 6to4 enabled. | 6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad-hoc basis. This is not a preferred transition strategy and increases the attack... |
SRG-OS-000113-ESXI5-PNF | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
GEN001340-ESXI5-PNF | Medium | NIS/NIS+/yp files must be group-owned by root, sys, bin, other, or system. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to... |
GEN003280-ESXI5-PNF | Medium | Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s). | The "at" facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the "at" facility. If there is no... |
GEN001369-ESXI5-PNF | Medium | The /etc/hosts file must not have an extended ACL. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
GEN006290-ESXI5-PNF | Medium | The /etc/news/hosts.nntp.nolimit file must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification... |
GEN005538-ESXI5-000112 | Medium | The SSH daemon must not allow rhosts RSA authentication. | If SSH permits rhosts RSA authentication, a user may be able to log in based on the keys of the host originating the request and not any user-specific authentication. |
GEN003540-ESXI5-PNF | Medium | The system must implement non-executable program stacks. | A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the... |
GEN005307-ESXI5-PF | Medium | The SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages. | The SNMP service must use AES or a FIPS 140-2 approved successor algorithm for protecting the privacy of communications. Permanent finding - May need to use an application such as the Virtual... |
SRG-OS-000063-ESXI5-PNF | Medium | The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
GEN006160-ESXI5-PNF | Medium | The /etc/smbpasswd file must be owned by root. | If the smbpasswd file is not owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. Applicable, but permanent... |
GEN001240-ESXI5-PNF | Medium | System files, programs, and directories must be group-owned by a system group. | Restricting permissions will protect the files from unauthorized modification. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user kernel... |
SRG-OS-000273-ESXI5-PNF | Medium | The operating system must enforce requirements for the connection of mobile devices to operating systems. | Wireless access introduces security risks which must be addressed through implementation of strict controls and procedures such as authentication, encryption, and defining what resources can... |
GEN003920-ESXI5-PNF | Medium | The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp. | Failure to give ownership of the hosts.lpd file to root, bin, sys, or lp provides the designated owner, and possible unauthorized users, with the potential to modify the hosts.lpd file.... |
GEN005280-ESXI5-PNF | Medium | The system must not have the UUCP service active. | The UUCP utility is designed to assist in transferring files, executing remote commands, and sending email between UNIX systems over phone lines and direct connections between systems. The UUCP... |
GEN003790-ESXI5-PNF | Medium | The services file must not have an extended ACL. | The services file is critical to the proper operation of network services and must be protected from unauthorized modification. If the services file has an extended ACL, it may be possible for... |
SRG-OS-000167-ESXI5-PF | Medium | The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. | Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective... |
SRG-OS-000235-ESXI5-PF | Medium | The operating system must notify the user of organization-defined security-related changes to the user's account that occur during the organization-defined time period. | Some organizations may define certain security events as events requiring user notification. An organization may define an event such as a password change to a user's account occurring outside of... |
GEN003960-ESXI5-PNF | Medium | The traceroute command owner must be root. | If the traceroute command owner has not been set to root, an unauthorized user could use this command to obtain knowledge of the network topology inside the firewall. This information may allow an... |
GEN004390-ESXI5-PNF | Medium | The alias file must not have an extended ACL. | Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect... |
GEN005360-ESXI5-PNF | Medium | The snmpd.conf file must be owned by bin. | The snmpd.conf file contains authenticators and must be protected from unauthorized access and modification. If the file is not owned by bin, it may be subject to access and modification from... |
SRG-OS-000105-ESXI5-PF | Medium | The operating system must use multifactor authentication for network access to privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
SRG-OS-000238-ESXI5-PF | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
SRG-OS-000015-ESXI5-PF | Medium | The operating system must support organization-defined one-way flows using hardware mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN006225-ESXI5-PNF | Medium | Samba must be configured to use an authentication mechanism other than share. | Samba share authentication does not provide for individual user identification and must not be used. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN001590-ESXI5-PNF | Medium | All run control scripts must have no extended ACLs. | If the startup files are writable by other users, the startup files could be modified to insert malicious commands. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000049-ESXI5-PNF | Medium | The operating system must provide a real-time alert when organization-defined audit failure events occur. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
GEN003845-ESXI5-PNF | Medium | The rexecd service must not be installed. | The rexecd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - No rexecd service. |
GEN005220-ESXI5-PNF | Medium | .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server. | If access to the X server is not restricted, a user's X session may be compromised. Applicable, but permanent not-a-finding - no X windows. |
GEN003260-ESXI5-PNF | Medium | The cron.deny file must be owned by root, bin, or sys. | Cron daemon control files restrict the scheduling of automated tasks and must be protected. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a... |
GEN001270-ESXI5-PNF | Medium | System log files must not have extended ACLs, except as needed to support authorized software. | If the system log files are not protected, unauthorized users could change the logged data, eliminating its forensic value. Authorized software may be given log file access through the use of... |
GEN006565-ESXI5-PNF | Medium | The system package management tool must be used to verify system software periodically. | Verification using the system package management tool can be used to determine that system software has not been tampered with. Applicable, but permanent not-a-finding - The vSphere Update Manager... |
GEN005395-ESXI5-PNF | Medium | The /etc/syslog.conf file must not have an extended ACL. | Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN000460-ESXI5-PF | Medium | The system must disable accounts after three consecutive unsuccessful login attempts. | Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. Permanent finding - Due to being the system default... |
GEN003740-ESXI5-PNF | Medium | The inetd.conf and xinetd.conf files must have mode 0440 or less permissive. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial of Service or increase the attack surface of the system. Applicable, but permanent... |
SRG-OS-000182-ESXI5-PNF | Medium | The operating system must prevent the download of prohibited mobile code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
SRG-OS-000198-ESXI5-PNF | Medium | The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. | Intrusion-monitoring tools can accumulate a significant amount of sensitive data; examples could include user account information and application data not related to the intrusion monitoring... |
GEN002700-ESXI5-PNF | Medium | System audit logs must have mode 0640 or less permissive. | If a user can write to the audit logs, audit trails can be modified or destroyed and system intrusion may not be detected. System audit logs are those files generated from the audit system and do... |
SRG-OS-000125-ESXI5-PNF | Medium | The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
GEN003580-ESXI5-PF | Medium | The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks. | One use of initial TCP sequence numbers is to verify bidirectional communication between two hosts, which provides some protection against spoofed source addresses being used by the connection... |
SRG-OS-000234-ESXI5-PF | Medium | The operating system must notify the user of the number of unsuccessful login/access attempts that occur during an organization-defined time period. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts made to login to their account allows the... |
GEN007940-ESXI5-PF | Medium | The system must not accept source-routed IPv6 packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
SRG-OS-000136-ESXI5-PNF | Medium | The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. | The operating system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to and protecting the... |
SRG-OS-000189-ESXI5-PNF | Medium | The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off. | Organizations may require operating systems to be non-modifiable or to be stored and executed on non-writeable storage. Use of non-modifiable storage ensures the integrity of the program from the... |
SRG-OS-000253-ESXI5-PNF | Medium | The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
GEN008060-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN001840-ESXI5-PNF | Medium | All global initialization files' executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
SRG-OS-000045-ESXI5-PNF | Medium | The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
GEN000340-ESXI5-PNF | Medium | UIDs reserved for system accounts must not be assigned to non-system accounts. | Reserved UIDs are typically used by system software packages. If non-system accounts have UIDs in this range, they may conflict with system software, possibly leading to the user having... |
ESXI5-VM-000049 | Medium | The system must use secure protocols for virtual serial port access. | Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a... |
ESXI5-VM-000046 | Medium | The system must prevent unauthorized removal, connection and modification of devices by setting the "isolation.device.edit.disable" keyword to true. | Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to connect or disconnect devices, such as network... |
ESXI5-VM-000047 | Medium | The system must not send host information to guests. | If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this... |
SRG-OS-000100-ESXI5-PNF | Medium | The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software,... |
SRG-OS-000040-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish the sources of the events. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
ESXI5-VM-000042 | Medium | The system must limit VM logging record contents. | Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files... |
GEN008240-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
ESXI5-VM-000041 | Medium | The system must limit VM logging records. | Use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure new log files... |
SRG-OS-000008-ESXI5-PNF | Medium | The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states. | Security-relevant information is any information within the information system potentially impacting the operation of security functions in a manner that could result in failure to enforce the... |
GEN002440-ESXI5-PNF | Medium | The owner, group-owner, mode, ACL, and location of files with the sgid bit set must be documented using site-defined procedures. | All files with the sgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation,... |
GEN003200-ESXI5-PNF | Medium | The cron.deny file must have mode 0600 or less permissive. | If file permissions for cron.deny are more permissive than 0600, sensitive information could be viewed or edited by unauthorized users. Applicable, but permanent not-a-finding - Not a General... |
GEN005800-ESXI5-PNF | Medium | All NFS-exported system files and system directories must be owned by root. | Failure to give ownership of sensitive files or directories to root provides the designated owner and possible unauthorized users with the potential to access sensitive information or change... |
GEN000000-ESXI5-PNF | Medium | The system must comply with product-specific security requirements. | Each operating system has unique security considerations that must be addressed to ensure system security. Permanent not a finding - This STIG applies all of the vendor-specific security... |
SRG-OS-000081-ESXI5-PF | Medium | The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN008080-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000261-ESXI5-PF | Medium | The operating system must uniquely identify destination domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN003612-ESXI5-PF | Medium | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. | A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to not track a connection... |
SRG-OS-000207-ESXI5-PF | Medium | The operating system must support the requirement that organizations, if an information system component failure is detected, activate an organization-defined alarm and/or automatically shut down the operating system. | Predictable failure prevention requires organizational planning to address system failure issues. If a subsystem of the operating system, hardware, or the operating system itself, is key to... |
SRG-OS-000097-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications. | Operating systems are capable of providing a wide variety of functions and services. Execution must be disabled based on organization-defined specifications. Permanent not a finding - There is no... |
GEN005510-ESXI5-700 | Medium | The SSH client must be configured to only use FIPS 140-2 approved ciphers. | DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. |
GEN007840-ESXI5-000119 | Medium | The DHCP client must be disabled if not needed. | DHCP allows for the unauthenticated configuration of network parameters on the system by exchanging information with a DHCP server. |
GEN000300-ESXI5-000035 | Medium | All accounts on the system must have unique user or account names. | A unique user name is the first part of the identification and authentication process. If user names are not unique, there can be no accountability on the system for auditing purposes. Multiple... |
GEN001373-ESXI5-PNF | Medium | The /etc/nsswitch.conf file must have mode 0644 or less permissive. | The nsswitch.conf file (or equivalent) configures the source of a variety of system security information including account, group, and host lookups. Malicious changes could prevent the system from... |
GEN007480-ESXI5-PNF | Medium | The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. | The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases... |
GEN003730-ESXI5-PNF | Medium | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system. | Failure to give ownership of sensitive files or utilities to system groups may provide unauthorized users with the potential to access sensitive information or change the system configuration... |
GEN002560-ESXI5-PNF | Medium | The system and user default umask must be 077. | The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a 4-digit number,... |
GEN001740-ESXI5-PNF | Medium | All global initialization files must be owned by bin. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of... |
SRG-OS-000037-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish what type of events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
SRG-OS-000272-ESXI5-PF | Medium | The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s). | The need to verify security functionality applies to all security functions. For those security functions unable to execute automated self-tests the organization either implements compensating... |
SRG-OS-000143-ESXI5-PNF | Medium | The operating system must limit the use of resources by priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the operating system servicing any higher-priority process. Operating systems must limit potential high... |
GEN003980-ESXI5-PNF | Medium | The traceroute command must be group-owned by sys, bin, root, or system. | If the group owner of the traceroute command has not been set to a system group, unauthorized users could have access to the command and use it to gain information regarding a network's topology... |
GEN003410-ESXI5-PNF | Medium | The "at" directory must not have an extended ACL. | If the "at" directory has an extended ACL, unauthorized users could be allowed to view or to edit files containing sensitive information within the "at" directory. Unauthorized modifications could... |
SRG-OS-000213-ESXI5-PF | Medium | The operating system must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists. | It is critical that when an operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing... |
GEN006280-ESXI5-PNF | Medium | The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the hosts.nntp.nolimit file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users.... |
GEN006100-ESXI5-PNF | Medium | The /etc/smb.conf file must be owned by root. | The /etc/smb.conf file allows access to other machines on the network and grants permissions to certain users. If it is owned by another user, the file may be maliciously modified and the Samba... |
GEN001367-ESXI5-PNF | Medium | The /etc/hosts file must be group-owned by root, bin, sys, or system. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
GEN004430-ESXI5-PNF | Medium | Files executed through a mail aliases file must not have extended ACLs. | Excessive permissions on files executed through a mail alias file could result in modification by an unauthorized user, execution of malicious code, and/or system compromise. Applicable, but... |
GEN001580-ESXI5-PNF | Medium | All run control scripts must have mode 0755 or less permissive. | If the startup files are writable by other users, the startup files could be modified to insert malicious commands. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
SRG-OS-000185-ESXI5-PF | Medium | The operating system must protect the confidentiality and integrity of information at rest. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to... |
GEN003581-ESXI5-PNF | Medium | Network interfaces must not be configured to allow user control. | Configuration of network interfaces should be limited to privileged users. Manipulation of network interfaces may result in a Denial-of-Service or bypass of network security mechanisms. Permanent... |
SRG-OS-000201-ESXI5-PF | Medium | The operating system must provide automated support for the management of distributed security testing. | The need to verify security functionality applies to all security functions. Applicable, but permanent finding - The hypervisor does not support this functionality. |
GEN001760-ESXI5-PNF | Medium | All global initialization files must be group-owned by root, sys, bin, other, system, or the system default. | Global initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Failure to give ownership of... |
SRG-OS-000180-ESXI5-PNF | Medium | The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
GEN001810-ESXI5-PNF | Medium | Skeleton files must not have extended ACLs. | If the skeleton files are not protected, unauthorized personnel could change user startup parameters and possibly jeopardize user files. Applicable, but permanent not-a-finding - The hypervisor... |
GEN001880-ESXI5-PNF | Medium | All local initialization files must have mode 0740 or less permissive. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
GEN000940-ESXI5-000042 | Medium | The root account's executable search path must be the vendor default and must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
GEN005350-ESXI5-PNF | Medium | Management Information Base (MIB) files must not have extended ACLs. | The ability to read the MIB file could impart special knowledge to an intruder or malicious user about the ability to extract compromising information about the system or network. Applicable, but... |
GEN004800-ESXI5-PNF | Medium | Unencrypted FTP must not be used on the system. | FTP is typically unencrypted and, therefore, presents confidentiality and integrity risks. FTP may be protected by encryption in certain cases, such as when used in a Kerberos environment. SFTP... |
GEN000760-ESXI5-PNF | Medium | Accounts must be locked upon 35 days of inactivity. | On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name... |
GEN006600-ESXI5-PNF | Medium | The system's access control program must log each system access attempt. | If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected. Permanent not a finding - Auditing cannot be configured/implemented... |
SRG-OS-000083-ESXI5-PNF | Medium | The operating system must enforce security policies regarding information on interconnected systems. | The operating system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information... |
GEN008280-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN000540-ESXI5-PNF | Medium | Users must not be able to change passwords more than once every 24 hours. | The ability to change passwords frequently facilitates users reusing the same password. This can result in users effectively never changing their passwords. This would be accomplished by users... |
GEN000320-ESXI5-000036 | Medium | All accounts must be assigned unique User Identification Numbers (UIDs). | Accounts sharing a UID have full access to each other's files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the... |
GEN003604-ESXI5-PF | Medium | The system must not respond to ICMP timestamp requests sent to a broadcast address. | The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. Responding to broadcast ICMP timestamp requests facilitates network... |
GEN001890-ESXI5-PNF | Medium | Local initialization files must not have extended ACLs. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
SRG-OS-000099-ESXI5-PNF | Medium | The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives. | Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be... |
SRG-OS-000204-ESXI5-PNF | Medium | The operating system must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization. The extent to which the operating system is able to identify and handle error conditions is guided... |
GEN002020-ESXI5-PNF | Medium | All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs. | If these files are not properly configured, they could allow malicious access by unknown malicious users from untrusted hosts who could compromise the system. Applicable, but permanent... |
GEN006560-ESXI5-PF | Medium | The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach. | Timely notifications of potential security compromises minimize the potential damage. Applicable, but permanent finding - The hypervisor does not support this function. |
GEN003608-ESXI5-PNF | Medium | Proxy ARP must not be enabled on the system. | Proxy ARP allows a system to respond to ARP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not required, addressing information may... |
GEN000740-ESXI5-PNF | Medium | All non-interactive/automated processing account passwords must be changed at least once per year or be locked. | Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for... |
GEN005840-ESXI5-PNF | Medium | The NFS server must be configured to restrict file system access to local hosts. | The NFS access option limits user access to the specified level. This assists in protecting exported file systems. If access is not restricted, unauthorized hosts may be able to access the... |
GEN003300-ESXI5-PNF | Medium | The at.deny file must not be empty if it exists. | On some systems, if there is no at.allow file and there is an empty at.deny file, then the system assumes that everyone has permission to use the "at" facility. This could create an insecure... |
GEN004540-ESXI5-PNF | Medium | The SMTP service HELP command must not be enabled. | The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software... |
SRG-OS-000214-ESXI5-PF | Medium | The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications. | Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a... |
GEN001000-ESXI5-PNF | Medium | Remote consoles must be disabled or protected from unauthorized access. | The remote console feature provides an additional means of access to the system which could allow unauthorized access if not disabled or properly secured. With virtualization technologies, remote... |
SRG-OS-000020-ESXI5-PNF | Medium | The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
SRG-OS-000029-ESXI5-PF | Medium | The operating system must initiate a session lock after the organization-defined time period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of... |
GEN001900-ESXI5-PNF | Medium | All local initialization files' executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
GEN001480-ESXI5-PNF | Medium | All users' home directories must have mode 0750 or less permissive. | Excessive permissions on home directories allow unauthorized access to user's files. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user... |
GEN004940-ESXI5-PNF | Medium | The ftpusers file must have mode 0640 or less permissive. | Excessive permissions on the ftpusers file could permit unauthorized modification. Unauthorized modification could result in Denial-of-Service to authorized FTP users or permit unauthorized users... |
GEN004380-ESXI5-PNF | Medium | The aliases file must have mode 0644 or less permissive. | Excessive permissions on the aliases file may permit unauthorized modification. If the alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect... |
GEN006400-ESXI5-PNF | Medium | The Network Information System (NIS) protocol must not be used. | Due to numerous security vulnerabilities existing within NIS, it must not be used. Possible alternative directory services are NIS+ and LDAP. Applicable, but permanent not-a-finding - no NIS. |
GEN001500-ESXI5-PNF | Medium | All interactive users' home directories must be owned by their respective users. | If users do not own their home directories, unauthorized users could access user files. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user... |
GEN002690-ESXI5-PNF | Medium | System audit logs must be group-owned by root, bin, sys, or system. | Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN004840-ESXI5-PNF | Medium | If the system is an anonymous FTP server, it must be isolated to the DMZ network. | Anonymous FTP is a public data service which is only permitted in a server capacity when located on the DMZ network. Applicable, but permanent not-a-finding - No ftp, anon or otherwise. |
SRG-OS-000046-ESXI5-PF | Medium | The operating system must alert designated organizational officials in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures... |
GEN006000-ESXI5-PNF | Medium | The system must not have a public Instant Messaging (IM) client installed. | Public Instant Messaging (IM) systems are not approved for use and may result in the unauthorized distribution of information. IM clients provide a way for a user to send a message to one or more... |
SRG-OS-000012-ESXI5-PF | Medium | The operating system must prevent encrypted data from bypassing content checking mechanisms. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN004410-ESXI5-PNF | Medium | Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys. | If a file executed through a mail aliases file is not group-owned by root or a system group, it may be subject to unauthorized modification. Unauthorized modification of files executed through... |
GEN005511-ESXI5-701 | Medium | The SSH client must be configured to not use CBC-based ciphers. | The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used. |
GEN003080-ESXI5-PNF | Medium | Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive. | To protect the integrity of scheduled system jobs and prevent malicious modification to these jobs, crontab files must be secured. Applicable, but permanent not-a-finding - Not a General Purpose... |
GEN005490-ESXI5-PF | Medium | The SSH daemon must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). | Cryptographic modules used by the system must be validated by the NIST CVMP as compliant with FIPS 140-2. Cryptography performed by modules not validated is viewed by NIST as providing no protection... |
SRG-OS-000224-ESXI5-PF | Medium | The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy. | Information flow control regulates where information is allowed to travel within an operating system and between information systems (as opposed to who is allowed to access the information) and... |
GEN008720-ESXI5-PNF | Medium | The system's boot loader configuration file(s) must have mode 0600 or less permissive. | File permissions greater than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions. Applicable,... |
GEN002000-ESXI5-PNF | Medium | There must be no .netrc files on the system. | Unencrypted passwords for remote FTP servers may be stored in .netrc files. Policy requires passwords be encrypted in storage and not used in access scripts. Applicable, but permanent... |
GEN004880-ESXI5-PNF | Medium | The ftpusers file must exist. | The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. If this file does not exist, then unauthorized accounts can utilize FTP. Applicable, but permanent... |
SRG-OS-000245-ESXI5-PF | Medium | The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions. | The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges,... |
GEN008040-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked. | LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.... |
GEN001570-ESXI5-PNF | Medium | All files and directories contained in user home directories must not have extended ACLs. | Excessive permissions allow unauthorized access to user files. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN004000-ESXI5-PNF | Medium | The traceroute file must have mode 0700 or less permissive. | If the mode of the traceroute executable is more permissive than 0700, malicious code could be inserted by an attacker and triggered whenever the traceroute command is executed by authorized... |
GEN001420-ESXI5-PNF | Medium | The /etc/shadow (or equivalent) file must have mode 0400. | The /etc/shadow file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. The file also contains password hashes which... |
GEN001366-ESXI5-PNF | Medium | The /etc/hosts file must be owned by root. | The /etc/hosts file (or equivalent) configures local host name to IP address mappings that typically take precedence over DNS resolution. If this file is maliciously modified, it could cause the... |
GEN001600-ESXI5-PNF | Medium | Run control scripts' executable search paths must contain only absolute paths. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory... |
GEN005390-ESXI5-PNF | Medium | The /etc/syslog.conf file must have mode 0640 or less permissive. | Unauthorized users must not be allowed to access or modify the /etc/syslog.conf file. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user... |
GEN001361-ESXI5-PNF | Medium | NIS/NIS+/yp command files must not have extended ACLs. | NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. ACLs on these files could result in unauthorized... |
GEN002740-ESXI5-PNF | Medium | The audit system must be configured to audit file deletions. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN000220-ESXI5-000064 | Medium | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | Changes in system libraries and binaries can indicate compromise or significant system events, such as patching needing to be checked by automated processes and the results reviewed by the SA. |
GEN006060-ESXI5-PNF | Medium | The system must not run Samba unless needed. | Samba is a tool used for the sharing of files and printers between Windows and UNIX operating systems. It provides access to sensitive files and, therefore, poses a security risk if compromised.... |
SRG-OS-000139-ESXI5-PNF | Medium | The operating system must not share resources used to interface with systems operating at different security levels. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
GEN005539-ESXI5-000113 | Medium | The SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection,... |
GEN007200-ESXI5-PNF | Medium | The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed. | The Internetwork Packet Exchange (IPX) protocol is a network-layer protocol that is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host.... |
SRG-OS-000184-ESXI5-PF | Medium | The operating system must fail to an organization-defined known state for organization-defined types of failures. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. It helps prevent a loss of confidentiality, integrity, or availability in... |
GEN001520-ESXI5-PNF | Medium | All interactive users' home directories must be group-owned by the home directory owner's primary group. | If the GID of the home directory is not the same as the GID of the user, this would allow unauthorized access to files. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
GEN001170-ESXI5-PNF | Medium | All files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same GID as the GID of the files without a valid group owner. Applicable, but permanent not-a-finding... |
SRG-OS-000181-ESXI5-PNF | Medium | The operating system must prevent the execution of prohibited mobile code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
GEN003750-ESXI5-PNF | Medium | The xinetd.d directory must have mode 0755 or less permissive. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial-of-Service or increase the attack surface of the system. Applicable, but permanent... |
SRG-OS-000059-ESXI5-PNF | Medium | The operating system must protect audit information from unauthorized deletion. | If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity... |
GEN005440-ESXI5-000078 | Medium | The system must not be used as a syslog server (log host) for systems external to the enclave. | Syslog messages are typically unencrypted and may contain sensitive information and are, therefore, restricted to the enclave. |
GEN001120-ESXI5-000051 | Medium | The system must not permit root logins using remote access programs, such as SSH. | Even though communications are encrypted, an additional layer of security may be gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific... |
SRG-OS-000226-ESXI5-PNF | Medium | The operating system must uniquely authenticate source domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN007760-ESXI5-PNF | Medium | Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system. | Proxy Neighbor Discovery Protocol (NDP) allows a system to respond to NDP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not... |
GEN003815-ESXI5-PNF | Medium | The portmap or rpcbind service must not be installed unless needed. | The portmap and rpcbind services increase the attack surface of the system and should only be used when needed. The portmap or rpcbind services are used by a variety of services using Remote... |
GEN006210-ESXI5-PNF | Medium | The /etc/smbpasswd file must not have an extended ACL. | If the permissions of the smbpasswd file are too permissive, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. Applicable, but... |
SRG-OS-000241-ESXI5-PNF | Medium | The operating system must automatically audit account termination. | Accounts are utilized for identifying individual application users or for identifying the application processes themselves. When accounts are deleted, a Denial of Service could happen. The... |
GEN007260-ESXI5-PNF | Medium | The AppleTalk protocol must be disabled or not installed. | The AppleTalk suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause... |
GEN003755-ESXI5-PNF | Medium | The xinetd.d directory must not have an extended ACL. | The Internet service daemon configuration files must be protected as malicious modification could cause Denial-of-Service or increase the attack surface of the system. Applicable, but permanent... |
ESXI5-VM-000034 | Medium | The system must disconnect unauthorized floppy devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
SRG-OS-000186-ESXI5-PF | Medium | The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. | Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative... |
SRG-OS-000205-ESXI5-PNF | Medium | The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | Any operating system providing too much information in error logs and in administrative messages to the screen, risks compromising the data and security of the structure and content of error... |
GEN000680-ESXI5-PF | Medium | The system must require passwords to contain no more than three consecutive repeating characters. | To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing... |
GEN008360-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000127-ESXI5-PNF | Medium | The operating system must audit non-local maintenance and diagnostic sessions. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
GEN008120-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN002960-ESXI5-PNF | Medium | Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s). | The cron facility allows users to execute recurring jobs on a regular and unattended basis. The cron.allow file designates accounts that are allowed to enter and execute jobs using the cron... |
SRG-OS-000219-ESXI5-PNF | Medium | The operating system must monitor for atypical usage of operating system accounts. | Atypical account usage is behavior that is not part of normal usage cycles, e.g., accounts logging in after hours or on weekends. Permanent not a finding - Auditing cannot be... |
SRG-OS-000033-ESXI5-PNF | Medium | The operating system must use cryptography to protect the confidentiality of remote access sessions. | Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will occur over the public Internet. Remote access is any... |
GEN005501-ESXI5-9778 | Medium | The SSH client must be configured to only use the SSHv2 protocol. | SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH client could provide access to the system with the privileges of the user running the client. |
GEN001850-ESXI5-PNF | Medium | Global initialization files' lists of preloaded libraries must contain only absolute paths. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
GEN003490-ESXI5-PNF | Medium | The at.deny file must be group-owned by root, bin, sys, or cron. | If the group owner of the at.deny file is not set to root, bin, sys, or cron, unauthorized users could be allowed to view or edit sensitive information contained within the file. Unauthorized... |
GEN005480-ESXI5-PNF | Medium | The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures. | Unintentionally running a syslog server that accepts remote messages puts the system at increased risk. Malicious syslog messages sent to the server could exploit vulnerabilities in the server... |
SRG-OS-99999-ESXI5-000145 | Medium | The system must ensure the vpxuser auto-password change meets policy. | By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. NOTE: It is... |
SRG-OS-99999-ESXI5-000144 | Medium | The system must ensure proper SNMP configuration. | If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a... |
SRG-OS-000006-ESXI5-PF | Medium | The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands. | Dual authorization mechanisms require two distinct approving authorities to approve the use of the command prior to it being invoked. An organization may determine certain commands or... |
SRG-OS-000039-ESXI5-PNF | Medium | The operating system must produce audit records containing sufficient information to establish where the events occurred. | Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source... |
SRG-OS-000089-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to support auditing of the enforcement actions. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
SRG-OS-000128-ESXI5-PNF | Medium | The operating system must protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
GEN003000-ESXI5-PNF | Medium | Cron must not execute group-writable or world-writable programs. | If cron executes group-writable or world-writable programs, there is a possibility that unauthorized users could manipulate the programs with malicious intent. This could compromise system and... |
GEN003720-ESXI5-PNF | Medium | The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin. | Failure to give ownership of sensitive files or utilities to root provides the designated owner and unauthorized users with the potential to access sensitive information or change the system... |
SRG-OS-000278-ESXI5-PNF | Medium | The operating system must use cryptographic mechanisms to protect the integrity of audit tools. | Auditing and logging are key components of any security architecture. It is essential security personnel know what is being done, what attempted to be done, where it was done, when it was done,... |
SRG-OS-000064-ESXI5-PNF | Medium | The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events. | The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of... |
ESXI5-VM-000012 | Medium | The system must enable VM logging. | The following settings can be used to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. Ensure... |
GEN005740-ESXI5-PNF | Medium | The NFS export configuration file must be owned by root. | Failure to give ownership of the NFS export configuration file to root provides the designated owner and possible unauthorized users with the potential to change system configuration which could... |
SRG-OS-000244-ESXI5-PNF | Medium | The operating system must only allow authorized entities to change security attributes. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
SRG-OS-000098-ESXI5-PNF | Medium | The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system. | Baselining of systems allows for a mechanism to determine when unauthorized additions or changes are made. It also ensures the appropriate patch management is in place for the components on the... |
GEN008320-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, sys, or system. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
SRG-OS-000014-ESXI5-PF | Medium | The operating system must enforce information flow control on metadata. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
SRG-OS-000122-ESXI5-PF | Medium | The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected. | When responding to a security incident a capability must exist allowing authorized personnel to disable a particular system if the system exhibits a security violation and the organization... |
GEN000960-ESXI5-PNF | Medium | The root account must not have world-writable directories in its executable search path. | If the root search path contains a world-writable directory, malicious software could be placed in the path by intruders and/or malicious users and inadvertently run by root with all of root's... |
GEN008020-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provides a certificate and this certificate has a valid trust path to a trusted CA. | The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication. Applicable,... |
SRG-OS-000183-ESXI5-PNF | Medium | The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code. | Decisions regarding the employment of mobile code within operating systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies... |
GEN000020-ESXI5-PNF | Medium | The system must require authentication upon booting into single-user and maintenance modes. | If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to... |
GEN003865-ESXI5-PNF | Medium | Network analysis tools must not be installed. | Network analysis tools allow for the capture of network traffic visible to the system. Applicable, but permanent finding - PING and TRACEROUTE are part of the standard vendor distribution. |
GEN005880-ESXI5-PNF | Medium | The NFS server must not allow remote root access. | If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system. Applicable, but permanent not-a-finding - no nfsd. |
GEN002990-ESXI5-PNF | Medium | The cron.allow file must not have an extended ACL. | A cron.allow file that is readable and/or writable by other than root could allow potential intruders and malicious users to use the file contents to help discern information, such as who is... |
GEN007880-ESXI5-PF | Medium | The system must not send IPv6 ICMP redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table that could... |
SRG-OS-000225-ESXI5-PNF | Medium | The operating system must uniquely identify source domains for information transfer. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN006300-ESXI5-PNF | Medium | The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the nnrp.access file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users. Applicable, but... |
SRG-OS-000268-ESXI5-PNF | Medium | The operating system must take corrective actions, when unauthorized mobile code is identified. | Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code... |
SRG-OS-000117-ESXI5-PNF | Medium | The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices. | Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by... |
GEN001680-ESXI5-PNF | Medium | All system start-up files must be group-owned by root, sys, bin, other, or system. | If system start-up files do not have a group owner of root or a system group, the files may be modified by malicious users or intruders. Applicable, but permanent not-a-finding - Not a General... |
GEN008340-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive. | LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification.... |
GEN002120-ESXI5-000045 | Medium | The /etc/shells (or equivalent) file must exist. | The shells file (or equivalent) lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized... |
GEN003950-ESXI5-PNF | Medium | The hosts.lpd (or equivalent) file must not have an extended ACL. | Excessive permissions on the hosts.lpd (or equivalent) file may permit unauthorized modification. Unauthorized modifications could disrupt access to local printers from authorized remote hosts or... |
GEN002210-ESXI5-PNF | Medium | All shell files must be group-owned by root, bin, sys, or system. | If shell files are group-owned by users other than root or a system group, they could be modified by intruders or malicious users to perform unauthorized actions. Applicable, but permanent... |
GEN003510-ESXI5-006660 | Medium | Kernel core dumps must be disabled unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial-of-Service by... |
SRG-OS-000141-ESXI5-PNF | Medium | The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks. | When it comes to Denial of Service attacks (DoS), most of the attention is paid to ensuring the systems and applications are not victims of these attacks. While it is true those accountable for... |
SRG-OS-000102-ESXI5-PNF | Medium | The operating system must implement transaction recovery for transaction-based systems. | Recovery and reconstitution constitutes executing an operating system contingency plan comprised of activities to restore essential missions and business functions. Transaction rollback and... |
GEN001060-ESXI5-PNF | Medium | The system must log successful and unsuccessful access to the root account. | If successful and unsuccessful logins and logouts are not monitored or recorded, access attempts cannot be tracked. Without this logging, it may be impossible to track unauthorized access to the... |
GEN009120-ESXI5-PNF | Medium | The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | In accordance with CTO 07-015 PKI authentication is required. This provides stronger, two-factor authentication than using a username/password. Applicable, but permanent not-a-finding - The... |
GEN002320-ESXI5-PNF | Medium | Audio devices must have mode 0660 or less permissive. | Audio and video devices that are globally accessible have proven to be another security hazard. There is software that can activate system microphones and video devices connected to user... |
GEN003180-ESXI5-PNF | Medium | The cron log file must have mode 0600 or less permissive. | Cron logs contain reports of scheduled system activities and must be protected from unauthorized access or manipulation. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS.... |
GEN005820-ESXI5-PNF | Medium | The NFS anonymous UID and GID must be configured to values that have no permissions. | When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to... |
GEN002760-ESXI5-PNF | Medium | The audit system must be configured to audit all administrative, privileged, and security actions. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN005320-ESXI5-PNF | Medium | The snmpd.conf file must have mode 0600 or less permissive. | The snmpd.conf file contains authenticators and must be protected from unauthorized access and modification. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's... |
SRG-OS-000111-ESXI5-PF | Medium | The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
GEN000880-ESXI5-PNF | Medium | The root account must be the only account having a UID of 0. | If an account has a UID of 0, it has root authority. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Permanent not... |
GEN003609-ESXI5-PF | Medium | The system must ignore IPv4 ICMP redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An... |
GEN001380-ESXI5-PNF | Medium | The /etc/passwd file must have mode 0644 or less permissive. | If the password file is writable by a group owner or the world, the risk of password file compromise is increased. The password file contains the list of accounts on the system and associated... |
SRG-OS-000149-ESXI5-PNF | Medium | The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. | A proxy server is designed to hide the identity of the client when making a connection to a server on the outside of its network. This prevents any hackers on the outside from learning IP addresses... |
GEN003252-ESXI5-PNF | Medium | The at.deny file must have mode 0600 or less permissive. | The "at" daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial-of-Service to authorized... |
GEN000252-ESXI5-PNF | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
GEN006080-ESXI5-PNF | Medium | The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL. | SWAT is a tool used to configure Samba. As it modifies Samba configuration, which can impact system security, it must be protected from unauthorized access. SWAT authentication may involve the... |
SRG-OS-000093-ESXI5-PNF | Medium | The operating system must employ automated mechanisms to centrally verify configuration settings. | Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters... |
GEN005900-ESXI5-00891 | Medium | The nosuid option must be enabled on all NFS client mounts. | Enabling the nosuid mount option prevents the system from granting owner or group owner privileges to programs with the suid or sgid bit set. If the system does not restrict this access, users... |
SRG-OS-000129-ESXI5-PNF | Medium | The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal... |
GEN000930-ESXI5-PNF | Medium | The root account's home directory must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000060-ESXI5-PNF | Medium | The operating system must produce audit records on hardware-enforced, write-once media. | The protection of audit records from unauthorized or accidental deletion or modification requires the operating system produce audit records on hardware-enforced write-once media. Permanent not a... |
ESXI5-VM-000039 | Medium | The system must limit sharing of console connections. | By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If... |
ESXI5-VM-000038 | Medium | The system must disconnect unauthorized USB devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
GEN001020-ESXI5-PNF | Medium | The root account must not be used for direct logins. | Direct login with the root account prevents individual user accountability. Acceptable non-routine uses of the root account for direct login are limited to emergency maintenance, the use of... |
ESXI5-VM-000032 | Medium | The system must disable unnecessary or superfluous functions inside VMs. | By disabling unnecessary system components that are not needed to support the application or service running on the system, the number of parts that can be attacked is reduced. VMs often do not... |
ESXI5-VM-000037 | Medium | The system must disconnect unauthorized serial devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
ESXI5-VM-000036 | Medium | The system must disconnect unauthorized parallel devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
ESXI5-VM-000035 | Medium | The system must disconnect unauthorized IDE devices. | Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and... |
GEN008220-ESXI5-PNF | Medium | For systems using NSS LDAP, the TLS certificate file must be owned by root. | The NSS LDAP service provides user mappings which are a vital component of system security. Its configuration must be protected from unauthorized modification. Applicable, but permanent... |
SRG-OS-000086-ESXI5-PF | Medium | The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. | In order to control changes in policy, a privileged administrator must be able to change policy filters to support different security policies. Applicable, but permanent finding - The hypervisor... |
SRG-OS-000134-ESXI5-PNF | Medium | The operating system must isolate security functions from non-security functions. | Operating system management functionality includes functions necessary to administer the operating system, network components, workstations, or servers, and typically requires privileged user access. The... |
GEN000253-ESXI5-PNF | Medium | The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
GEN007920-ESXI5-PF | Medium | The system must not forward IPv6 source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
GEN004710-ESXI5-PNF | Medium | Mail relaying must be restricted. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity. Applicable, but permanent... |
SRG-OS-000065-ESXI5-PNF | Medium | The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. | Audit generation and audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated.... |
GEN000241-ESXI5-PNF | Medium | The system clock must be synchronized continuously, or at least daily. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. Internal system clocks tend to drift and... |
SRG-OS-000258-ESXI5-PNF | Medium | The operating system must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
GEN003100-ESXI5-PNF | Medium | Cron and crontab directories must have mode 0755 or less permissive. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. Applicable, but permanent not-a-finding - Not a General... |
SRG-OS-000079-ESXI5-PNF | Medium | The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system shall not provide any information allowing an... |
GEN001378-ESXI5-PNF | Medium | The /etc/passwd file must be owned by root. | The /etc/passwd file contains the list of local system accounts. It is vital to system security and must be protected from unauthorized modification. Applicable, but permanent not-a-finding - Not... |
GEN005450-ESXI5-PNF | Medium | The system must use a remote syslog server (log host). | A syslog server (log host) receives syslog messages from one or more systems. This data can be used as an authoritative log source in the event a system is compromised and its local logs are... |
GEN006180-ESXI5-PNF | Medium | The /etc/smbpasswd file must be group-owned by root. | If the smbpasswd file is not group-owned by root, the smbpasswd file may be maliciously accessed or modified, potentially resulting in the compromise of Samba accounts. Applicable, but permanent... |
GEN006460-ESXI5-PNF | Medium | Any NIS+ server must be operating at security level 2. | If the NIS+ server is not operating at security level 2 or higher, there is no encryption and the system could be penetrated by intruders and/or malicious users. Applicable, but permanent... |
GEN005532-ESXI5-709 | Medium | The SSH client must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar... |
SRG-OS-000140-ESXI5-PF | Medium | The operating system must protect against or must limit the effects of the organization-defined or referenced types of Denial of Service attacks. | A variety of technologies exist to limit, or in some cases, eliminate the effects of Denial of Service attacks. Employing increased capacity combined with service redundancy may reduce the... |
SRG-OS-000218-ESXI5-PNF | Medium | The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. | Audit records can be generated from various components within the operating system. The list of audited events is the set of events for which audits are to be generated. This set of events is... |
GEN000920-ESXI5-PNF | Medium | The root account's home directory (other than /) must have mode 0700. | Permissions greater than 0700 could allow unauthorized users access to the root home directory. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a... |
GEN003603-ESXI5-PF | Medium | The system must not respond to ICMPv4 echoes sent to a broadcast address. | Responding to broadcast Internet Control Message Protocol (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Applicable, but permanent finding - The... |
SRG-OS-000106-ESXI5-PF | Medium | The operating system must use multifactor authentication for network access to non-privileged accounts. | Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g.,... |
GEN006270-ESXI5-PNF | Medium | The /etc/news/hosts.nntp file must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Excessive permissions on the hosts.nntp file may allow unauthorized modification which... |
SRG-OS-000131-ESXI5-PF | Medium | The operating system must employ cryptographic mechanisms to protect information in storage. | When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and... |
GEN005560-ESXI5-000061 | Medium | The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router. | If a system has no default gateway defined, the system is at increased risk of man-in-the-middle, monitoring, and Denial-of-Service attacks. |
GEN000290-ESXI5-PNF | Medium | The system must not have unnecessary accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and... |
SRG-OS-000138-ESXI5-PNF | Medium | The operating system must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
GEN007320-ESXI5-PNF | Medium | The DECnet protocol must be disabled or not installed. | The DECnet suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the... |
GEN008760-ESXI5-PNF | Medium | The system's boot loader configuration files must be owned by root. | The system's boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modification of these files resulting from improper ownership could... |
GEN003210-ESXI5-PNF | Medium | The cron.deny file must not have an extended ACL. | If there are excessive file permissions for the cron.deny file, sensitive information could be viewed or edited by unauthorized users. Applicable, but permanent not-a-finding - The hypervisor does... |
GEN003110-ESXI5-PNF | Medium | Cron and crontab directories must not have extended ACLs. | To protect the integrity of scheduled system jobs and to prevent malicious modification to these jobs, crontab files must be secured. ACLs on cron and crontab directories may provide unauthorized... |
GEN004370-ESXI5-PNF | Medium | The aliases file must be group-owned by root, sys, bin, or system. | If the alias file is not group-owned by root or a system group, an unauthorized user may modify the file to add aliases to run malicious code or redirect email. Applicable, but permanent... |
GEN000600-ESXI5-000066 | Medium | The system must require that passwords contain at least one uppercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
GEN007980-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms. | LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires protection.... |
GEN001210-ESXI5-PNF | Medium | All system command files must not have extended ACLs. | Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default... |
SRG-OS-000256-ESXI5-PNF | Medium | The operating system must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may... |
GEN003606-ESXI5-PF | Medium | The system must prevent local applications from generating source-routed packets. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security... |
SRG-OS-000196-ESXI5-PF | Medium | The operating system must provide a near real-time alert when any of the organization-defined list of compromise or potential compromise indicators occurs. | When an intrusion detection security event occurs it is imperative the operating system that has detected the event immediately notify the appropriate support personnel so they can respond... |
GEN002860-ESXI5-PNF | Medium | Audit logs must be rotated daily. | Rotate audit logs daily to preserve audit file system space and to conform to the DoD/DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for... |
GEN003400-ESXI5-PNF | Medium | The "at" directory must have mode 0755 or less permissive. | If the "at" directory has a mode more permissive than 0755, unauthorized users could be allowed to view or to edit files containing sensitive information within the "at" directory. Unauthorized... |
GEN005495-ESXI5-PF | Medium | The SSH client must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode). | Cryptographic modules used by the system must be validated by the NIST CVMP as compliant with FIPS 140-2. Cryptography performed by modules not validated is viewed by NIST as providing no protection... |
GEN002640-ESXI5-PNF | Medium | Default system accounts must be disabled or removed. | Vendor accounts and software may contain backdoors allowing unauthorized access to the system. These backdoors are common knowledge and present a threat to system security if the account is not... |
SRG-OS-000017-ESXI5-PNF | Medium | The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN006360-ESXI5-PNF | Medium | The files in /etc/news must be group-owned by root or news. | If critical system files do not have a privileged group owner, system integrity could be compromised. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN001363-ESXI5-PNF | Medium | The /etc/resolv.conf file must be group-owned by root, bin, sys, or system. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may... |
GEN006420-ESXI5-PNF | Medium | NIS maps must be protected through hard-to-guess domain names. | The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information. Applicable, but permanent not-a-finding - The hypervisor does... |
GEN003460-ESXI5-PNF | Medium | The at.allow file must be owned by root, bin, or sys. | If the owner of the at.allow file is not set to root, bin, or sys, unauthorized users could be allowed to view or edit sensitive information contained within the file. Applicable, but permanent... |
SRG-OS-000200-ESXI5-PF | Medium | The operating system must provide notification of failed automated security tests. | The need to verify security functionality applies to all security functions. For those security functions unable to execute automated self-tests the organization either implements compensating... |
SRG-OS-000220-ESXI5-PNF | Medium | The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
SRG-OS-000275-ESXI5-PNF | Medium | The operating system must notify, as required, appropriate individuals when accounts are modified. | Monitoring account modification is critical to ensure only appropriate personnel have access to the operating system. This reduces the possibility that an account will be given more access than is... |
GEN002330-ESXI5-PNF | Medium | Audio devices must not have extended ACLs. | File system ACLs can provide access to files beyond what is allowed by the mode numbers of the files. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000199-ESXI5-PNF | Medium | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). | Security functional testing involves testing the operating system for conformance to the operating system security function specifications, as well as, for the underlying security model. The need... |
SRG-OS-000112-ESXI5-PNF | Medium | The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to... |
GEN000580-ESXI5-000065 | Medium | The system must require that passwords contain a minimum of 14 characters. | The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space. |
GEN005600-ESXI5-PNF | Medium | IP forwarding for IPv4 must not be enabled, unless the system is a router. | If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.... |
GEN003825-ESXI5-PNF | Medium | The rshd service must not be installed. | The rshd process provides a typically unencrypted, host-authenticated remote access service. SSH should be used in place of this service. Applicable, but permanent not-a-finding - No rshd service. |
SRG-OS-000156-ESXI5-PF | Medium | The operating system must fail securely in the event of an operational failure of a boundary protection device. | Fail secure is a condition achieved by the operating system employing a set of information system mechanisms to ensure, in the event of an operational failure of a boundary protection device at a... |
GEN007970-ESXI5-PNF | Medium | If the system is using LDAP for authentication or account information, the system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for protecting the LDAP connection. | LDAP can be used to provide user authentication and account information, which are vital to system security. Cryptographic modules used by the system must be validated by the NIST CVMP as... |
GEN006240-ESXI5-PNF | Medium | The system must not run an Internet Network News (INN) server. | Internet Network News (INN) servers access Usenet newsfeeds and store newsgroup articles. INN servers use the Network News Transfer Protocol (NNTP) to transfer information from the Usenet to the... |
GEN001180-ESXI5-PNF | Medium | All network services daemon files must have mode 0755 or less permissive. | Restricting permission on daemons will protect them from unauthorized modification and possible system compromise. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's... |
SRG-OS-000074-ESXI5-PNF | Medium | The operating system must enforce password encryption for transmission. | Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.... |
GEN001902-ESXI5-PNF | Medium | Local initialization files' lists of preloaded libraries must contain only absolute paths. | The library preload list environment variable contains a list of libraries for the dynamic linker to load before loading the libraries required by the binary. If this list contains paths to... |
GEN006620-ESXI5-PF | Medium | The system's access control program must be configured to grant or deny system access to specific hosts. | If the system's access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.... |
SRG-OS-000146-ESXI5-PNF | Medium | The operating system must prevent public access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. | Access into an organization's internal network and to key internal boundaries must be tightly controlled and managed. In the case of the operating system, the key boundary may be the workstation... |
GEN004010-ESXI5-PNF | Medium | The traceroute file must not have an extended ACL. | If an extended ACL exists on the traceroute executable file, it may provide unauthorized users with access to the file. Malicious code could be inserted by an attacker and triggered whenever the... |
SRG-OS-000236-ESXI5-PNF | Medium | The operating system must support and maintain the binding of organization-defined security attributes to information in storage. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects, objects) with respect to safeguarding information. These attributes are... |
GEN001364-ESXI5-PNF | Medium | The /etc/resolv.conf file must have mode 0644 or less permissive. | The resolv.conf (or equivalent) file configures the system's DNS resolver. DNS is used to resolve host names to IP addresses. If DNS configuration is modified maliciously, host name resolution may... |
SRG-OS-000211-ESXI5-PF | Medium | The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain. | This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when the transfer is occurring between... |
SRG-OS-000252-ESXI5-PNF | Medium | The operating system must provide the capability to capture/record and log all content related to a user session. | Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or... |
SRG-OS-000210-ESXI5-PF | Medium | The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. | When it comes to data review and data release, there must be a correlation between the reviewed data and the person who performs the review. If the reviewer is a human or if the review function is... |
GEN005305-ESXI5-PF | Medium | The SNMP service must use only SNMPv3 or its successors. | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an attacker or other... |
GEN003660-ESXI5-PNF | Medium | The system must log authentication informational data. | Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system. PNF - Data is logged to auth.log (default/not configurable behavior). |
SRG-OS-000208-ESXI5-PNF | Medium | The operating system must associate the identity of the information producer with the information. | Non-repudiation supports audit requirements to provide the appropriate organizational officials the means to identify who produced specific information in the event of an information transfer.... |
SRG-OS-000018-ESXI5-PNF | Medium | The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies. | Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and... |
GEN008380-ESXI5-PF | Medium | A root kit check tool must be run on the system at least weekly. | Root kits are software packages designed to conceal the compromise of a system from the SA. Root kit checking tools examine a system for evidence that a root kit is installed. Dedicated root kit... |
GEN003255-ESXI5-PNF | Medium | The at.deny file must not have an extended ACL. | The "at" daemon control files restrict access to scheduled job manipulation and must be protected. Unauthorized modification of the at.deny file could result in Denial-of-Service to authorized... |
GEN001940-ESXI5-PNF | Medium | User start-up files must not execute world-writable programs. | If start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to become Trojans destroying user files or otherwise compromising the... |
GEN003610-ESXI5-PF | Medium | The system must not send IPv4 ICMP redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table that could... |
GEN000588-ESXI5-PF | Medium | The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating system password hashes. | Cryptographic modules used by the system must be validated by the NIST CVMP as compliant with FIPS 140-2. Cryptography performed by modules not validated is viewed by NIST as providing no protection... |
GEN000400-ESXI5-000037 | Medium | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | Failure to display the login banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. |
GEN007960-ESXI5-PNF | Medium | The ldd command must be disabled unless it protects against the execution of untrusted files. | The ldd command provides a list of dependent libraries needed by a given binary, which is useful for troubleshooting software. Instead of parsing the binary file, some ldd implementations invoke... |
GEN002100-ESXI5-PNF | Medium | The .rhosts file must not be supported in PAM. | The .rhosts files are used to specify a list of hosts that are permitted remote access to a particular account without authenticating. The use of such a mechanism defeats strong identification and... |
GEN006150-ESXI5-PNF | Medium | The /etc/smb.conf file must not have an extended ACL. | Excessive permissions could endanger the security of the Samba configuration file and, ultimately, the system and network. Applicable, but permanent not-a-finding - The hypervisor does not support... |
GEN003160-ESXI5-PNF | Medium | Cron logging must be implemented. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious... |
GEN006260-ESXI5-PNF | Medium | The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive. | Excessive permissions on the hosts.nntp file may allow unauthorized modification which could lead to Denial-of-Service to authorized users or provide access to unauthorized users. Applicable, but... |
SRG-OS-000019-ESXI5-PNF | Medium | The operating system must implement separation of duties through assigned information system access authorizations. | Separation of duties is a prevalent Information Technology control implemented at different layers of the information system, including the operating system and in applications. It serves to... |
GEN003613-ESXI5-PF | Medium | The system must use a reverse-path filter for IPv4 network traffic when possible. | Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets that have source addresses for which the system has no route or if the route... |
GEN007820-ESXI5-PNF | Medium | The system must not have IP tunnels configured. | IP tunneling mechanisms can be used to bypass network filtering. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN005720-ESXI5-PNF | Medium | NFS servers must only accept NFS requests from privileged ports on client systems. | If clients are not required to use privileged ports to get NFS services, then exported file systems may be in danger of mounting by malicious users and intruders that do not have access to... |
SRG-OS-000031-ESXI5-PF | Medium | The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the system but does not log out because of the temporary nature of... |
GEN000595-ESXI5-000082 | Medium | The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes... |
GEN001200-ESXI5-PNF | Medium | All system command files must have mode 0755 or less permissive. | Restricting permissions will protect system command files from unauthorized modification. System command files include files present in directories used by the operating system for storing default... |
GEN002680-ESXI5-PNF | Medium | System audit logs must be owned by root. | Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information. Permanent not a finding -... |
GEN006220-ESXI5-PNF | Medium | The smb.conf file must use the hosts option to restrict access to Samba. | Samba increases the attack surface of the system and must be restricted to communicate only with systems requiring access. Applicable, but permanent not-a-finding - The hypervisor does not support... |
GEN000500-ESXI5-PNF | Medium | Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment. | If graphical desktop sessions do not lock the session after 15 minutes of inactivity, requiring re-authentication to resume operations, the system or individual data could be compromised by an... |
GEN006330-ESXI5-PNF | Medium | The /etc/news/passwd.nntp file must not have an extended ACL. | Extended ACLs may provide excessive permissions on the /etc/news/passwd.nntp file, which may permit unauthorized access or modification to the NNTP configuration. Applicable, but permanent... |
GEN001475-ESXI5-PNF | Medium | The /etc/group file must not contain any group password hashes. | Group passwords are typically shared and should not be used. Additionally, if password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or... |
GEN001860-ESXI5-PNF | Medium | All local initialization files must be owned by the user or root. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accounts upon logon. Applicable, but permanent... |
GEN000246-ESXI5-PNF | Medium | The system time synchronization method must use cryptographic algorithms to verify the authenticity and integrity of the time data. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for... |
GEN005365-ESXI5-PNF | Medium | The snmpd.conf file must be group-owned by root, bin, sys, or system. | The snmpd.conf file contains authenticators and must be protected from unauthorized access and modification. If the file is not group-owned by a system group, it may be subject to access and... |
SRG-OS-000120-ESXI5-PF | Medium | The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity, and... |
GEN008740-ESXI5-PNF | Medium | The system's boot loader configuration file(s) must not have extended ACLs. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. If extended ACLs are present on the system's boot loader configuration file(s), these... |
SRG-OS-000013-ESXI5-PF | Medium | The operating system must enforce organization-defined limitations on the embedding of data types within other data types. | Embedding of data within other data is often used for the clandestine transfer of data. Embedding of data within other data can circumvent protections in place to protect information and systems.... |
GEN005610-ESXI5-PNF | Medium | The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router. | If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.... |
SRG-OS-000068-ESXI5-PF | Medium | The operating system, for PKI-based authentication, must map the authenticated identity to the user account. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. The... |
GEN003240-ESXI5-PNF | Medium | The cron.allow file must be owned by root, bin, or sys. | If the owner of the cron.allow file is not set to root, bin, or sys, the possibility exists for an unauthorized user to view or to edit sensitive information. Applicable, but permanent... |
GEN005240-ESXI5-PNF | Medium | The .Xauthority utility must only permit access to authorized hosts. | If unauthorized clients are permitted access to the X server, a user's X session may be compromised. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN002800-ESXI5-PNF | Medium | The audit system must be configured to audit login, logout, and session initiation. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN005507-ESXI5-000099 | Medium | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. |
GEN000610-ESXI5-000083 | Medium | The system must require passwords contain at least one lowercase alphabetic character. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid... |
SRG-OS-99999-ESXI5-000135 | Medium | The system must disable DCUI to prevent local administrative control. | The DCUI allows for low-level host configuration, such as configuring IP address, hostname, and root password, as well as diagnostic capabilities, such as enabling the ESXi shell, viewing log... |
SRG-OS-000170-ESXI5-PF | Medium | The operating system must employ FIPS-validated cryptography to protect unclassified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
GEN006310-ESXI5-PNF | Medium | The /etc/news/nnrp.access file must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Excessive permissions on the nnrp.access file may allow unauthorized modification which... |
GEN002540-ESXI5-PNF | Medium | All public directories must be group-owned by root or an application group. | If a public directory has the sticky bit set and is not group-owned by a system GID, unauthorized users may be able to modify files created by others. Applicable, but permanent not-a-finding - Not... |
SRG-OS-000172-ESXI5-PF | Medium | The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing encryption to... |
GEN004510-ESXI5-PNF | Medium | The SMTP service log file must not have an extended ACL. | If the SMTP service log file has an extended ACL, unauthorized users may be allowed to access or to modify the log file. Applicable, but permanent not-a-finding - The hypervisor does not support... |
SRG-OS-000169-ESXI5-PNF | Medium | The operating system must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Use of weak or un-tested encryption algorithms undermines the purposes of utilizing... |
GEN003640-ESXI5-PNF | Medium | The root file system must employ journaling or another mechanism ensuring file system consistency. | File system journaling, or logging, can allow reconstruction of file system data after a system crash, thus, preserving the integrity of data that may have otherwise been lost. Journaling file... |
GEN001190-ESXI5-PNF | Medium | All network services daemon files must not have extended ACLs. | Restricting permission on daemons will protect them from unauthorized modification and possible system compromise. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
SRG-OS-000075-ESXI5-PNF | Medium | The operating system must enforce minimum password lifetime restrictions. | Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the... |
GEN003501-ESXI5-PNF | Low | The system must be configured to store any process core dumps in a specific, centralized directory. | Specifying a centralized location for core file creation allows for the centralized protection of core files. Process core dumps contain the memory in use by the process when it crashed. Any data... |
GEN003611-ESXI5-PNF | Low | The system must log martian packets. | Martian packets are packets containing addresses known by the system to be invalid. Logging these messages allows the SA to identify misconfigurations or attacks in progress. Permanent not a... |
GEN008440-ESXI5-PNF | Low | Automated file system mounting tools must not be enabled unless needed. | Automated file system mounting tools may provide unprivileged users with the ability to access local media and network shares. If this access is not necessary for the system's operation, it must... |
SRG-OS-99999-ESXI5-000155 | Low | Active Directory "ESX Admin" group membership must be verified. | When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be... |
SRG-OS-99999-ESXI5-000150 | Low | SAN resources must be masked and zoned appropriately. | SAN activity must be segregated via zoning and LUN masking. Use of zoning must also take into account any host groups on the SAN device(s). |
SRG-OS-99999-ESXI5-000151 | Low | The system must prevent unintended use of dvfilter network APIs. | If products that use the dvfilter network API are not used, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM... |
SRG-OS-99999-ESXI5-000153 | Low | The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period. | If ESXi Shell is enabled on the host and a user forgets to log out of their SSH session, the idle connection will remain indefinitely, increasing the potential for someone to gain privileged access... |
SRG-OS-99999-ESXI5-000159 | Low | The system must verify the integrity of the installation media before installing ESXi. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile supports four acceptance levels: (1)... |
ESXI5-VM-000033 | Low | The system must disable VIX messages from the VM. | The VIX API is a library for writing scripts and programs to manipulate virtual machines. If custom VIX programming is not used in the environment, then consider disabling certain features to... |
GEN000454-ESXI5-PF | Low | The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in. | Providing users with feedback on recent login failures facilitates user recognition and reporting of attempted unauthorized account use. Permanent finding - The hypervisor does not support this function. |
GEN001560-ESXI5-PNF | Low | All files and directories contained in users' home directories must have mode 0750 or less permissive. | Excessive permissions allow unauthorized access to users' files. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's ESXi-v5 is a multi-user kernel where all users... |
GEN005529-ESXI5-708 | Low | The SSH client must not send environment variables to the server or must only send those pertaining to locale. | Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables specify the language, character set, and other features modifying... |
GEN000452-ESXI5-PF | Low | The system must display the date and time of the last successful account login upon login. | Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. Permanent finding - The hypervisor does not support... |
GEN008500-ESXI5-000123 | Low | The system must have IEEE 1394 (Firewire) disabled unless needed. | Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
ESXI5-VM-000002 | Low | The system must disable tools auto install. | Tools auto install can initiate an automatic reboot; disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots. |
ESXI5-VM-000028 | Low | The unexposed feature keyword "isolation.tools.unityActive.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000029 | Low | The unexposed feature keyword "isolation.tools.unity.windowContents.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000020 | Low | The unexposed feature keyword "isolation.ghi.host.shellAction.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000021 | Low | The unexposed feature keyword "isolation.tools.dispTopoRequest.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000022 | Low | The unexposed feature keyword "isolation.tools.trashFolderState.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000023 | Low | The unexposed feature keyword "isolation.tools.ghi.trayicon.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
GEN005517-ESXI5-000101 | Low | The SSH daemon must be configured to not allow gateway ports. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
ESXI5-VM-000025 | Low | The unexposed feature keyword "isolation.tools.unityInterlockOperation.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000027 | Low | The unexposed feature keyword "isolation.tools.unity.taskbar.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
GEN001460-ESXI5-PNF | Low | All interactive user home directories defined in the /etc/passwd file must exist. | If a user has a home directory defined that does not exist, the user may be given the / directory, by default, as the current working directory upon logon. This could create a denial of service... |
GEN001280-ESXI5-PNF | Low | Manual page files must have mode 0644 or less permissive. | If manual pages are compromised, misleading information could be inserted, causing actions that may compromise the system. Applicable, but permanent not-a-finding - no man pages. |
GEN002718-ESXI5-PNF | Low | System audit tool executables must not have extended ACLs. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
GEN001080-ESXI5-PNF | Low | The root shell must be located in the / file system. | To ensure the root shell is available in repair and administrative modes, the root shell must be located in the / file system. Permanent not a finding - Both the sh and ash shells are located in... |
SRG-OS-99999-ESXI5-000154 | Low | The system must use Active Directory for local user authentication. | Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to... |
GEN003621-ESXI5-PF | Low | The system must use a separate file system for /var. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. Permanent finding - Note that while links from this... |
GEN000850-ESXI5-PNF | Low | The system must restrict the ability to switch to the root user for members of a defined group. | Configuring a supplemental group for users permitted to switch to the root user prevents unauthorized users from accessing the root account, even with knowledge of the root credentials.... |
ESXI5-VM-000050 | Low | The system must use templates to deploy VMs whenever possible. | By capturing a hardened base operating system image (with no applications installed) in a template, all virtual machines can be created with a known baseline level of security. Then use this... |
GEN001780-ESXI5-PNF | Low | Global initialization files must contain the mesg -n or mesg n commands. | If the mesg -n or mesg n command is not placed into the system profile, messaging can be used to cause a Denial-of-Service attack. Applicable, but permanent not-a-finding - no mesg command. |
ESXI5-VMNET-000022 | Low | vSphere management traffic must be on a restricted network. | The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain... |
ESXI5-VMNET-000023 | Low | Access to the management network must be strictly controlled. | A controlled gateway or other controlled method must be configured to access the management network. The management network must be isolated in order to prevent access by internal and external,... |
ESXI5-VMNET-000020 | Low | The system must ensure there are no unused ports on a distributed virtual port group. | The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the... |
ESXI5-VMNET-000026 | Low | The system must disable the autoexpand option for VDS dvPortgroups. | If the "no-unused-dvports" guideline is followed, there should be only the amount of ports on a VDS that are actually needed. The Autoexpand feature on VDS dvPortgroups can override that limit.... |
ESXI5-VMNET-000024 | Low | Access to the management network must be strictly controlled. | Based upon a local site-specific risk assessment, jump boxes that run vSphere Client and other management clients (e.g., VSphere Management Assistant) must be configured. The management network... |
GEN005518-ESXI5-704 | Low | The SSH client must be configured to not allow gateway ports. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
GEN003602-ESXI5-PF | Low | The system must not process ICMP timestamp requests. | The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. Applicable, but permanent finding - The hypervisor does not support this... |
GEN001290-ESXI5-PNF | Low | All manual page files must not have extended ACLs. | If manual pages are compromised, misleading information could be inserted, causing actions that may compromise the system. Applicable, but permanent not-a-finding - The hypervisor does not support... |
ESXI5-VMNET-000021 | Low | vMotion traffic must be isolated. | The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential... |
GEN004660-ESXI5-PNF | Low | The SMTP service must not have the EXPN feature active. | The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute-force attack on user accounts. EXPN may also provide additional... |
GEN001540-ESXI5-PNF | Low | All files and directories contained in interactive users' home directories must be owned by the home directory's owner. | If users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system... |
ESXI5-VM-000051 | Low | The system must control access to VMs through the dvfilter network APIs. | A VM must be configured explicitly to accept access by the dvfilter network API. This should be done only for VMs where that access is intended. An attacker might compromise the VM by making use of... |
GEN004560-ESXI5-PNF | Low | The SMTP service's SMTP greeting must not provide version information. | The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version. Applicable, but permanent not-a-finding - The hypervisor does... |
GEN001960-ESXI5-PNF | Low | User start-up files must not contain the mesg -y or mesg y command. | The mesg -y or mesg y command turns on terminal messaging. On systems that do not default to mesg -n, the system profile (or equivalent) provides it. If the user changes this setting, write access... |
GEN008480-ESXI5-000122 | Low | The system must have USB Mass Storage disabled unless needed. | USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
GEN003500-ESXI5-PNF | Low | Process core dumps must be disabled unless needed. | Process core dumps contain the memory in use by the process when it crashed. Process core dump files can be of significant size and their use can result in file systems filling to capacity, which... |
ESXI5-VM-000043 | Low | The system must limit informational messages from the VM to the VMX file. | The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can... |
GEN003620-ESXI5-PF | Low | A separate file system must be used for user home directories (such as /home or equivalent). | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. Permanent finding - VMFS is a single disk/partition... |
GEN005519-ESXI5-000102 | Low | The SSH daemon must be configured to not allow X11 forwarding. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
ESXI5-VM-000015 | Low | The unexposed feature keyword "isolation.bios.bbs.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000014 | Low | The unexposed feature keyword "isolation.tools.ghi.autologon.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000017 | Low | The unexposed feature keyword "isolation.tools.ghi.launchmenu.change" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000016 | Low | The unexposed feature keyword "isolation.tools.getCreds.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000019 | Low | The unexposed feature keyword "isolation.tools.ghi.protocolhandler.info.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000018 | Low | The unexposed feature keyword "isolation.tools.memSchedFakeSampleStats.disable" must be initialized to decrease the VM's potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
GEN002500-ESXI5-PNF | Low | The sticky bit must be set on all public directories. | Failing to set the sticky bit on the public directories allows unauthorized users to delete files in the directory structure. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
GEN005770-ESXI5-PNF | Low | The NFS exports configuration file must not have an extended ACL. | File system extended ACLs provide access to files beyond what is allowed by the mode numbers of the files. Excessive permissions on the NFS export configuration file could allow unauthorized... |
GEN000900-ESXI5-PF | Low | The root user's home directory must not be the root directory (/). | Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files that root places... |
GEN005533-ESXI5-000109 | Low | The SSH daemon must limit connections to a single session. | The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a... |
GEN005526-ESXI5-000105 | Low | The SSH daemon must not permit Kerberos authentication unless needed. | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation.... |
SRG-OS-99999-ESXI5-000147 | Low | The system must ensure uniqueness of CHAP authentication secrets. | The mutual authentication secret for each host must be different and the secret for each client authenticating to the server must be different as well. This ensures if a single host is... |
GEN005525-ESXI5-9994 | Low | The SSH client must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing... |
GEN000380-ESXI5-000043 | Low | The GID assigned to a user must exist. | If a user is assigned the GID of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to that group. |
GEN003502-ESXI5-PNF | Low | The centralized process core dump data directory must be owned by root. | Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the... |
GEN003624-ESXI5-PF | Low | The system must use a separate file system for /tmp (or equivalent). | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. Permanent finding - Note that while links from this... |
GEN005528-ESXI5-000106 | Low | The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale. | Environment variables can be used to change the behavior of remote sessions and should be limited. Locale environment variables that specify the language, character set, and other features... |
GEN003504-ESXI5-PNF | Low | The centralized process core dump data directory must have mode 0700 or less permissive. | Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the... |
GEN002751-ESXI5-PNF | Low | The audit system must be configured to audit account modification. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
GEN005520-ESXI5-705 | Low | The SSH client must be configured to not allow X11 forwarding. | X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection and should not be enabled unless needed. |
GEN001440-ESXI5-PNF | Low | All interactive users must be assigned a home directory in the /etc/passwd file. | If users do not have a valid home directory, there is no place for the storage and control of files they own. Applicable, but permanent not-a-finding - Not a General Purpose (GP) OS. VMware's... |
ESXI5-VMNET-000025 | Low | Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic. | If an ESXi host guest VM is configured to perform a bridging function, the VM will generate BPDU frames to send out to the VDS. The VDS forwards the BPDU frames through the network adapter to the... |
GEN008800-ESXI5-PNF | Low | The system package management tool must cryptographically verify the authenticity of software packages during installation. | To prevent the installation of software from unauthorized sources, the system package management tool must use cryptographic algorithms to verify the packages are authentic. Permanent not a... |
ESXI5-VM-000026 | Low | The unexposed feature keyword "isolation.tools.unity.push.update.disable" must be initialized to decrease the VMs potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
GEN005516-ESXI5-703 | Low | The SSH client must be configured to not allow TCP forwarding. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
GEN004440-ESXI5-PNF | Low | Sendmail logging must not be set to less than nine in the sendmail.cf file. | If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the Sendmail service. Applicable, but permanent... |
GEN008420-ESXI5-PNF | Low | The system must use available memory address randomization techniques. | Successful exploitation of buffer overflow vulnerabilities relies in some measure on having a predictable address structure of the executing program. Address randomization techniques reduce the... |
GEN003800-ESXI5-PNF | Low | Inetd or xinetd logging/tracing must be enabled. | Inetd or xinetd logging and tracing allows the system administrators to observe the IP addresses that are connecting to their machines and to observe what network services are being sought. This... |
GEN003623-ESXI5-PNF | Low | The system must use a separate file system for the system audit data path. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. Permanent not a finding - Note that while links... |
GEN002715-ESXI5-PNF | Low | System audit tool executables must be owned by root. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
GEN002260-ESXI5-000047 | Low | The system must be checked for extraneous device files at least weekly. | If an unauthorized device is allowed to exist on the system, there is the possibility the system may perform unauthorized operations. |
GEN006570-ESXI5-PNF | Low | The file integrity tool must be configured to verify ACLs. | ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. Applicable, but permanent not-a-finding (No ACLs). |
GEN002716-ESXI5-PNF | Low | System audit tool executables must be group-owned by root, bin, sys, or system. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
GEN008820-ESXI5-PNF | Low | The system package management tool must not automatically obtain updates. | System package management tools can obtain a list of updates and patches from a package repository and make this information available to the SA for review and action. Using a package repository... |
ESXI5-VM-000003 | Low | The system must explicitly disable copy operations. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
ESXI5-VM-000006 | Low | The system must explicitly disable paste operations. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
ESXI5-VM-000004 | Low | The system must explicitly disable drag and drop operations. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
ESXI5-VM-000005 | Low | The system must explicitly disable any GUI functionality for copy/paste operations. | Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or... |
GEN002750-ESXI5-PNF | Low | The audit system must be configured to audit account creation. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises, and damages incurred during a system... |
GEN003522-ESXI5-PNF | Low | The kernel core dump data directory must have mode 0700 or less permissive. | Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the mode of... |
GEN003521-ESXI5-PNF | Low | The kernel core dump data directory must be group-owned by root, bin, sys, or system. | Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel... |
GEN000510-ESXI5-PNF | Low | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. | To protect the on-screen content of a session, it must be replaced with a publicly-viewable pattern upon session lock (such as a blank screen). This requirement applies to graphical desktop... |
GEN002753-ESXI5-PNF | Low | The audit system must be configured to audit account termination. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
ESXI5-VM-000024 | Low | The unexposed feature keyword "isolation.tools.unity.disable" must be initialized to decrease the VMs potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
SRG-OS-99999-ESXI5-000143 | Low | The system must enable SSL for NFC. | NFC (Network File Copy) is used to migrate or clone a VM between two ESXi hosts over the network. By default, SSL is used only for the authentication of the transfer, but SSL must also be enabled... |
SRG-OS-99999-ESXI5-000141 | Low | The system must enable bidirectional CHAP authentication for iSCSI traffic. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in... |
GEN003220-ESXI5-PNF | Low | Cron programs must not set the umask to a value less restrictive than 077. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to a mode of 700 or less permissive. Although umask is often represented as a 4-digit... |
GEN003520-ESXI5-PNF | Low | The kernel core dump data directory must be owned by root. | Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If the kernel... |
GEN004700-ESXI5-PNF | Low | The Sendmail service must not have the wizard backdoor active. | Very old installations of the Sendmail mailing system contained a feature whereby a remote user connecting to the SMTP port can enter the WIZ command and be given an interactive shell with root... |
ESXI5-VMNET-000008 | Low | All physical switch ports must be configured with spanning tree disabled. | Due to the integration of the ESXi Server into the physical network, the physical network (switch) adaptors must have spanning tree disabled or portfast configured for external switches, because... |
ESXI5-VMNET-000009 | Low | All port groups must be configured with a clear network label. | Each port group must be identified with a network label/name. Names serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and functions becomes... |
ESXI5-VMNET-000004 | Low | Virtual switch VLANs must be fully documented and have only the required VLANs. | When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is... |
ESXI5-VMNET-000005 | Low | All vSwitch and VLAN IDs must be fully documented. | VLAN tagging used on a vSwitch must correspond to the IDs on external VLAN-aware upstream switches, if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow for traffic... |
ESXI5-VMNET-000006 | Low | All IP-based storage traffic must be isolated. | Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic... |
ESXI5-VMNET-000007 | Low | Only authorized administrators must have access to virtual networking components. | This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces key security concepts of separation of duties and least privilege. It is important to leverage... |
ESXI5-VMNET-000001 | Low | All dvPortgroup VLAN IDs must be fully documented. | If using VLAN tagging on a dvPortgroup, tags must correspond to the IDs on external VLAN-aware upstream switches if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow... |
ESXI5-VMNET-000002 | Low | All dvSwitch Private VLAN IDs must be fully documented. | dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN IDs. The IDs must correspond to the IDs on external PVLAN-aware upstream switches, if any. If VLAN IDs are not tracked... |
ESXI5-VMNET-000003 | Low | All virtual switches must have a clear network label. | Network labels must identify each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port... |
GEN002717-ESXI5-PNF | Low | System audit tool executables must have mode 0750 or less permissive. | To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected. Applicable, but permanent not-a-finding - Not a General Purpose (GP)... |
GEN002719-ESXI5-PF | Low | The audit system must alert the SA in the event of an audit processing failure. | An accurate and current audit trail is essential for maintaining Permanent finding - Auditing cannot be configured/implemented like a typical UNIX system. |
GEN002752-ESXI5-PNF | Low | The audit system must be configured to audit account disabling. | If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system... |
ESXI5-VM-000031 | Low | The unexposed feature keyword "isolation.tools.guestDnDVersionSet.disable" must be initialized to decrease the VMs potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
ESXI5-VM-000030 | Low | The unexposed feature keyword "isolation.tools.vmxDnDVersionGet.disable" must be initialized to decrease the VMs potential attack vectors. | Because VMware virtual machines are designed to work on both vSphere, as well as, hosted virtualization platforms, such as Workstation and Fusion, there are some VMX parameters that do not apply... |
GEN003650-ESXI5-PNF | Low | All local file systems must employ journaling or another mechanism ensuring file system consistency. | File system journaling, or logging, can allow reconstruction of file system data after a system crash, thus preserving the integrity of data that may have otherwise been lost. Journaling file... |
GEN004680-ESXI5-PNF | Low | The SMTP service must not have the VRFY feature active. | The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute-force attack on user accounts. VRFY may provide additional... |
GEN005530-ESXI5-000107 | Low | The SSH daemon must not permit user environment settings. | SSH may be used to provide limited functions other than an interactive shell session, such as file transfer. If local, user-defined environment settings (such as, those configured in... |
GEN003860-ESXI5-PNF | Low | The system must not have the finger service active. | The finger service provides information about the system's users to network clients. This information could expose information that could be used in subsequent attacks. Applicable, but permanent... |
GEN003523-ESXI5-PNF | Low | The kernel core dump data directory must not have an extended ACL. | Kernel core dumps may contain the full contents of system memory at the time of the crash. As the system memory may contain sensitive information, it must be protected accordingly. If there is an... |
GEN005515-ESXI5-000100 | Low | The SSH daemon must be configured to not allow TCP connection forwarding. | SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the... |
GEN002870-ESXI5-PNF | Low | The system must be configured to send audit records to a remote audit server. | Audit records contain evidence that can be used in the investigation Permanent not a finding - Remote logging is covered as a VMware HG requirement. Audit records are logged to a remote syslog... |
GEN008460-ESXI5-000121 | Low | The system must have USB disabled unless needed. | USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data. |
GEN001490-ESXI5-PNF | Low | User home directories must not have extended ACLs. | Excessive permissions on home directories allow unauthorized access to user files. Applicable, but permanent not-a-finding - The hypervisor does not support this function. |
GEN000244-ESXI5-000163 | Low | The system must use time sources local to the enclave. | A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. The network architecture should provide... |
GEN003503-ESXI5-PNF | Low | The centralized process core dump data directory must be group-owned by root, bin, sys, or system. | Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the... |
GEN006575-ESXI5-PNF | Low | The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents. | File integrity tools often use cryptographic hashes for verifying that file contents have not been altered. These hashes must be FIPS 140-2 approved. Applicable, but permanent not-a-finding -... |
GEN005524-ESXI5-000104 | Low | The SSH daemon must not permit GSSAPI authentication unless needed. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing... |
GEN005760-ESXI5-PNF | Low | The NFS export configuration file must have mode 0644 or less permissive. | Excessive permissions on the NFS export configuration file could allow unauthorized modification of the file, which could result in Denial-of-Service to authorized NFS exports and the creation of... |
GEN003505-ESXI5-PNF | Low | The centralized process core dump data directory must not have an extended ACL. | Process core dumps contain the memory in use by the process when it crashed. Any data the process was handling may be contained in the core file, and it must be protected accordingly. If the... |
GEN006571-ESXI5-PNF | Low | The file integrity tool must be configured to verify extended attributes. | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. Applicable, but permanent not-a-finding (No extended attributes). |
GEN001375-ESXI5-000086 | Low | For systems using DNS resolution, at least two name servers must be configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name... |