The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-OS-000270-ESXI5-PNF	SRG-OS-000270-ESXI5-PNF	SRG-OS-000270-ESXI5-PNF_rule		Medium

Description
In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and spyware. The requirement states that malicious code protection mechanisms, such as anti-virus, must be used on workstations, servers, and mobile computing devices. For the operating system, this means an anti-virus application must be installed. Permanent not a finding - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

Description

In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and spyware. The requirement states that malicious code protection mechanisms, such as anti-virus, must be used on workstations, servers, and mobile computing devices. For the operating system, this means an anti-virus application must be installed. Permanent not a finding - ESXi is neither a GP environment, nor does it utilize a COS. ESXi provides for console functionality (for initial configuration, troubleshooting, and Technical Support) via the Direct Connect User Interface (DCUI) and Tech Support Mode. These strongly controlled interfaces provide GP-like console functionality augmented for security and trust. All binaries executed in ESXi are signed, keyed, or validated by strong controls. There is no facility to interpret code at runtime and the compiled modules are subject to both the controls for execution and a default-deny policy (for unsigned code), integral to the kernel. Based on Regulatory Compliance, VMware believes that the customers should categorize ESX/ESXi hypervisors as they would for other network based appliances and treat them accordingly. Following the Best Practices outlined in the vSphere hardening guides reasonably ensures the security and integrity of the ESXi host's management interfaces.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-SRG-OS-000270-ESXI5-PNF_chk )
ESXi supports this requirement and cannot be configured to be out of compliance. This is a permanent not a finding.

Fix Text (F-SRG-OS-000270-ESXI5-PNF_fix)
This requirement is permanent not a finding. No fix is required.