Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-OS-99999-ESXI5-000141 | SRG-OS-99999-ESXI5-000141 | SRG-OS-99999-ESXI5-000141_rule | | Low |
Description |
---|
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. If the iSCSI target and host are not both authenticated, a man-in-the-middle (MITM) attacker could impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk. |
STIG | Date |
---|---|
VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Check Text ( C-SRG-OS-99999-ESXI5-000141_chk ) |
---|
This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable. In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP >> CHAP (Target Authenticates Host), and determine whether "Use CHAP" is selected with a "Name" and a "Secret" configured. If iSCSI storage is used and "Use CHAP" is not selected and configured with a "Name" and a "Secret", this is a finding. |
Fix Text (F-SRG-OS-99999-ESXI5-000141_fix) |
---|
In the vSphere Client, select the host, and then choose: Configuration >> Storage Adapters >> iSCSI Initiator Properties >> CHAP >> CHAP (Target Authenticates Host). Select "Use CHAP", and configure the "Name" and "Secret" options. |
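The check above is a vSphere Client procedure; the following script, added here and not part of the STIG, audits the same setting from the ESXi host shell with `esxcli`. It assumes the `esxcli iscsi adapter auth chap get` output carries `Direction:`, `Level:` and `Name:` lines and that `esxcli iscsi adapter list` prints a two-line header before one row per adapter; the CHAP secret cannot be read back, so only the level and name are audited.

```shell
#!/bin/sh
# Added example, not part of the STIG: scripted equivalent of the check,
# run from the ESXi host shell. Assumed output formats (not stated on the
# page): `esxcli iscsi adapter auth chap get` prints "Direction:", "Level:"
# and "Name:" lines with lowercase level values (prohibited, discouraged,
# preferred, required); `esxcli iscsi adapter list` prints a two-line header
# followed by one row per adapter whose first column is the adapter name.
# The CHAP secret is write-only, so only the level and Name are audited.

# Read one adapter's CHAP settings on stdin. Returns 0 when CHAP is in use
# (level preferred or required) and a Name is configured, 1 otherwise.
chap_is_configured() {
    level=""
    name=""
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/:.*//')
        val=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//')
        case "$key" in
            Level) level=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            Name)  name=$val ;;
        esac
    done
    case "$level" in
        preferred|required) [ -n "$name" ] && return 0 ;;
    esac
    return 1
}

# Audit every iSCSI adapter on this host. Direction "uni" is the
# "CHAP (Target Authenticates Host)" setting shown in the vSphere Client.
audit_iscsi_chap() {
    esxcli iscsi adapter list | awk 'NR > 2 { print $1 }' | while read -r hba; do
        if esxcli iscsi adapter auth chap get --adapter="$hba" --direction=uni \
                | chap_is_configured; then
            echo "PASS    $hba: CHAP enabled with a Name configured"
        else
            echo "FINDING $hba: CHAP not enabled with a Name (and Secret) configured"
        fi
    done
}

# Run the audit only when invoked as: sh iscsi_chap_check.sh audit
case "${1:-}" in
    audit) audit_iscsi_chap ;;
esac
```

A non-applicable host (no iSCSI adapters) prints nothing; treat any FINDING line as the condition the check text describes.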