The system must have a host-based intrusion detection tool installed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
GEN006480-ESXI5-PF	GEN006480-ESXI5-PF	GEN006480-ESXI5-PF_rule		Medium

Description
Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion detection tool can provide methods to immediately lock out detected intrusion attempts. Permanent finding - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

Description

Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion detection tool can provide methods to immediately lock out detected intrusion attempts. Permanent finding - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-GEN006480-ESXI5-PF_chk )
ESXi does not support this requirement. This is a permanent finding.

Fix Text (F-GEN006480-ESXI5-PF_fix)
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed.