
Kernel core dumps must be disabled unless needed.


Overview

Finding ID: GEN003510-ESXI5-006660
Version: GEN003510-ESXI5-006660
Rule ID: GEN003510-ESXI5-006660_rule
IA Controls:
Severity: Medium
Description
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in Denial-of-Service by exhausting the available space on the target file system. The kernel core dump process may increase the amount of time a system is unavailable due to a crash. Kernel core dumps can be useful for kernel debugging.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-GEN003510-ESXI5-006660_chk)
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. Open a root console session to the ESXi host. Retrieve the currently active diagnostic partition using the esxcli command line utility. The output (when configured) looks similar to: Active: mpx.vmhba2:C0:T0:L0:7 and Configured: mpx.vmhba2:C0:T0:L0:7.
# esxcli system coredump partition get

If the kernel core dumps are not "Active", this is not a finding.
If the kernel core dumps are "Active" and needed, this is not a finding.
If the kernel core dumps are "Active" and not needed, this is a finding.

Re-enable Lockdown Mode on the host.
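
The three check outcomes above can be scripted against the text printed by the esxcli command. This is an added example, not part of the STIG text: the function names, the NEEDED argument and the sample outputs are constructed, and it assumes an empty or missing "Active:" value means no core dump partition is active.

```shell
#!/bin/sh
# Added example: evaluate GEN003510-ESXI5-006660 from the output of
#   esxcli system coredump partition get
# Function names and sample outputs are constructed for illustration.

# active_partition OUTPUT
# Print the device path on the "Active:" line, or nothing if it is empty
# or absent (assumption: that is how an inactive host reports).
active_partition() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Active:[[:space:]]*//p' \
        | head -n 1 \
        | tr -d '[:space:]'
}

# evaluate_coredump OUTPUT NEEDED
# NEEDED is "yes" only when the site has documented that kernel core
# dumps are required (for example, for kernel debugging).
evaluate_coredump() {
    part=$(active_partition "$1")
    if [ -z "$part" ]; then
        echo "NOT_A_FINDING: no active core dump partition"
    elif [ "$2" = "yes" ]; then
        echo "NOT_A_FINDING: active on $part, documented as needed"
    else
        echo "FINDING: active on $part, not needed"
    fi
}

# Constructed sample outputs, modelled on the example in the check text.
SAMPLE_ACTIVE='   Active: mpx.vmhba2:C0:T0:L0:7
   Configured: mpx.vmhba2:C0:T0:L0:7'
SAMPLE_INACTIVE='   Active:
   Configured: mpx.vmhba2:C0:T0:L0:7'

# Walk the three outcomes listed in the check text.
evaluate_coredump "$SAMPLE_INACTIVE" no
evaluate_coredump "$SAMPLE_ACTIVE" yes
evaluate_coredump "$SAMPLE_ACTIVE" no

# On a host, from the root console session:
#   evaluate_coredump "$(esxcli system coredump partition get)" no
```
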
Fix Text (F-GEN003510-ESXI5-006660_fix)
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. Open a root console session to the ESXi host. Retrieve the currently active diagnostic partition using the esxcli command line utility. To configure and activate (or deactivate) a specific device partition by its VMkernel device path, use the commands:
esxcli system coredump partition set --partition="VM_Kernel_Name"
esxcli system coredump partition set --enable true

Example: Activate
esxcli system coredump partition set --partition="mpx.vmhba2:C0:T0:L0:7"
esxcli system coredump partition set --enable=true

Example: Deactivate
esxcli system coredump partition set --partition="mpx.vmhba2:C0:T0:L0:7"
esxcli system coredump partition set --enable false

Re-enable Lockdown Mode on the host.