The ESXi host must use DOD-approved encryption to protect the confidentiality of network sessions.


Overview

Finding ID: V-265974
Version: ESXI-80-000247
Rule ID: SV-265974r1003578_rule
IA Controls:
Severity: Medium
Description
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. In ESXi 8.0 Update 3 and newer, TLS profiles are available to configure client and server TLS settings, and they must be configured to use only strong ciphers.
STIG: VMware vSphere 8.0 ESXi Security Technical Implementation Guide
Date: 2024-07-11

Details

Check Text (C-69897r1003576_chk)
From an ESXi shell, run the following command:

# esxcli system tls server get --show-profile-defaults --show-current-boot-profile

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.tls.server.get.CreateArgs()
$arguments.showprofiledefaults = $true
$arguments.showcurrentbootprofile = $true
$esxcli.system.tls.server.get.invoke($arguments)

Example result:

Profile: NIST_2024
Cipher List: ECDHE+AESGCM
Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Groups: prime256v1:secp384r1:secp521r1
Protocol Versions: tls1.2,tls1.3
Reboot Required: true

If the TLS profile is not set to "NIST_2024" or is not the current boot profile, this is a finding.
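The following PowerCLI script is an added example, not part of the STIG text, that runs the check above against every host in a vCenter inventory and reports which ones are findings. It assumes an existing Connect-VIServer session, that the esxcli v2 result exposes the fields shown in the example output as properties named Profile, ProtocolVersions and RebootRequired (assumed property names), and that a "Reboot Required: true" result means the configured profile is not yet the current boot profile.

```powershell
# Added example for ESXI-80-000247: fleet-wide audit of the ESXi server TLS profile.
# Assumes Connect-VIServer has already been run against the vCenter Server.
$requiredProfile = "NIST_2024"

$results = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Same esxcli v2 call as the manual check, executed per host.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $arguments = $esxcli.system.tls.server.get.CreateArgs()
    $arguments.showprofiledefaults = $true
    $arguments.showcurrentbootprofile = $true
    $tls = $esxcli.system.tls.server.get.invoke($arguments)

    # Property names (Profile, ProtocolVersions, RebootRequired) are assumed to
    # mirror the esxcli field names with spaces removed.
    # Cast to string so both boolean and "true"/"false" string values compare cleanly.
    $rebootPending = ([string]$tls.RebootRequired) -eq "true"

    # Finding when the profile is not NIST_2024, or when the configured profile
    # has not yet become the boot profile (host still needs a reboot).
    $isFinding = ($tls.Profile -ne $requiredProfile) -or $rebootPending

    [pscustomobject]@{
        Host             = $vmhost.Name
        Profile          = $tls.Profile
        ProtocolVersions = $tls.ProtocolVersions
        RebootRequired   = $tls.RebootRequired
        Status           = if ($isFinding) { "FINDING" } else { "Compliant" }
    }
}

# Show the full table, then write only the findings to a CSV for the POA&M.
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -eq "FINDING" } |
    Export-Csv -NoTypeInformation -Path ".\ESXI-80-000247-findings.csv"
```

Hosts listed as findings should be remediated with the Fix Text that follows; a host that already shows NIST_2024 but still reports a pending reboot only needs the reboot to complete the change.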
Fix Text (F-69800r1003577_fix)
TLS profiles can be configured with vSphere Configuration Profiles, or manually on each host for standalone hosts and for clusters not using vSphere Configuration Profiles.

For ESXi hosts in clusters managed with vSphere Configuration Profiles, do the following:

Note: These steps assume a vSphere Configuration Profile is already in use for the target cluster.

From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the target cluster >> Configure >> Desired State >> Configuration >> Draft.

Click "Create Draft" or "Import from Host" if a draft does not exist.

Select system >> tls_server >> Configure Settings.

Select "NIST_2024" from the drop-down for profile and click "Save".

Click "Apply Changes" and run through the pre-check to enforce the change.

Note: Updating this setting through a vSphere Configuration Profile will place hosts into maintenance mode and perform a rolling reboot of all hosts in the cluster.

For standalone hosts or clusters not managed with vSphere Configuration Profiles, do the following:

Prior to changing the TLS profile, it is highly recommended to place the host in maintenance mode.

From an ESXi shell, run the following command:

# esxcli system tls server set -p NIST_2024

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.tls.server.set.CreateArgs()
$arguments.profile = "NIST_2024"
$esxcli.system.tls.server.set.invoke($arguments)

A reboot is required to complete the process of changing profiles.