File integrity tools often use cryptographic hashes to verify that file contents have not been altered. These hashes must be FIPS 140-2 approved.

Applicable, but permanent not-a-finding.

The vSphere Update Manager application (vUM is referenced in the vCenter STIG) makes it easy to track and patch vSphere hosts. vUM keeps machines up to date and in compliance, and provides visibility into package and patch status across the virtual infrastructure through a compliance dashboard. The auto-backup.sh and backup.sh scripts are, by default, executed via cron every 60 and 10 minutes, respectively. Together these negate the need for a separate file integrity tool.

Additionally, ESXi is neither a general-purpose (GP) operating system environment, nor does it utilize a Console Operating System (COS). ESXi provides console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Console User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime, and compiled modules are subject both to the execution controls and to a default-deny policy for unsigned code that is integral to the kernel.

For regulatory-compliance purposes, VMware believes that customers should categorize ESX/ESXi hypervisors as they would other network-based appliances and treat them accordingly. Following the best practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.