UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Virtual machines (VMs) must enable encryption for Fault Tolerance.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258717 VMCH-80-000204 SV-258717r959010_rule Medium
Description
Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. When Fault Tolerance is turned on, FT encryption is set to "Opportunistic" by default, which means it enables encryption only if both the primary and secondary host are capable of encryption.
STIG Date
VMware vSphere 8.0 Virtual Machine Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62457r933210_chk )
If the Virtual Machine does not have Fault Tolerance enabled, this is not applicable.

For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM | Where {($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionOpportunistic") -and ($_.ExtensionData.Config.FtEncryptionMode -ne "ftEncryptionRequired")}

If the "Encrypted FT" setting does not have a value of "Opportunistic" or "Required", this is a finding.
Fix Text (F-62366r933211_fix)
For each virtual machine do the following:

From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Encryption.

For "Encrypted FT" set the value to "Opportunistic" or "Required". Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.FTEncryption = New-Object VMware.Vim.VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes
$spec.FT = ftEncryptionOpportunistic or ftEncryptionRequired
(Get-VM -Name ).ExtensionData.ReconfigVM($spec)