The system must use and update a DoD-approved virus scan program.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
GEN006640-ESXI5-PNF	GEN006640-ESXI5-PNF	GEN006640-ESXI5-PNF_rule		Medium

Description
Virus scanning software can be used to protect a system from penetration by computer viruses and to limit their spread through intermediate systems. Virus scanning software is available to DoD on the JTF-GNO web site. Not applicable - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

Description

Virus scanning software can be used to protect a system from penetration by computer viruses and to limit their spread through intermediate systems. Virus scanning software is available to DoD on the JTF-GNO web site. Not applicable - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-GEN006640-ESXI5-PNF_chk )
ESXi supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding.

Fix Text (F-GEN006640-ESXI5-PNF_fix)
This requirement is permanent not a finding. No fix is required.