VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000163-VMM-000700
<GroupDescription></GroupDescription>Group -
The ESXi host must terminate shell services after 10 minutes.
<VulnDiscussion>When the ESXi Shell or Secure Shell (SSH) services are enabled on a host, they will run indefinitely. To avoid having these s...
Rule Medium Severity
SRG-OS-000163-VMM-000700
<GroupDescription></GroupDescription>Group -
The ESXi host must log out of the console UI after two minutes.
<VulnDiscussion>When the Direct Console User Interface (DCUI) is enabled and logged in, it should be automatically logged out if left logged ...
Rule Medium Severity
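The two rules above are both ESXi advanced settings, so one PowerCLI function can audit and fix them together. This is an added example, not text or code from the STIG or from VMware; it assumes an open Connect-VIServer session and a host object from Get-VMHost, and the function and parameter names are this example's own.

```powershell
# Added example, not part of the STIG text. Audits (and with -Remediate, fixes)
# the ESXi Shell/SSH service timeout and the DCUI idle timeout with PowerCLI.
# Assumes an open Connect-VIServer session; $VMHost is an object from Get-VMHost.
# Function and parameter names are this example's own.
function Test-EsxiTimeoutSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [switch] $Remediate
    )

    # Required values, in seconds:
    #   UserVars.ESXiShellTimeOut - an enabled ESXi Shell / SSH service is
    #                               disabled again after 600 s (10 minutes)
    #   UserVars.DcuiTimeOut      - an idle DCUI session is logged out after
    #                               120 s (2 minutes)
    $required = [ordered]@{
        'UserVars.ESXiShellTimeOut' = 600
        'UserVars.DcuiTimeOut'      = 120
    }

    foreach ($name in $required.Keys) {
        $setting = Get-AdvancedSetting -Entity $VMHost -Name $name
        $current = [int]$setting.Value
        $want    = $required[$name]

        # The check is exact. A value of 0 disables the timeout entirely and
        # is therefore a finding like any other wrong value.
        $compliant = ($current -eq $want)

        if (-not $compliant -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $want -Confirm:$false | Out-Null
            $current   = $want
            $compliant = $true
        }

        [pscustomobject]@{
            Host      = $VMHost.Name
            Setting   = $name
            Value     = $current
            Required  = $want
            Compliant = $compliant
        }
    }
}

# Audit every host first, then remediate only those that report a finding:
# Get-VMHost | ForEach-Object { Test-EsxiTimeoutSettings -VMHost $_ }
# Get-VMHost | ForEach-Object { Test-EsxiTimeoutSettings -VMHost $_ -Remediate }
```

Run the audit form against the whole inventory before remediating so the change window records which hosts were actually out of compliance; a shell that is already open is not affected by the new ESXiShellTimeOut value, only the next enable/disable cycle of the service is.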
SRG-OS-000341-VMM-001220
<GroupDescription></GroupDescription>Group -
The ESXi host must enable a persistent log location for all locally stored logs.
<VulnDiscussion>ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is li...
Rule Medium Severity
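Whether the local log directory survives a reboot is something the host can tell you itself: esxcli system syslog config get reports a "Local Log Output Is Persistent" field, which already accounts for a /scratch that is only a ramdisk. The following is an added example, not code from the STIG or from VMware; it assumes an open PowerCLI session, a Get-VMHost object, and a datastore path of your own for -LogDir.

```powershell
# Added example, not part of the STIG text. Checks whether the host writes its
# local logs to persistent storage, using the verdict esxcli itself reports,
# and with -Remediate points the log directory at a persistent datastore path.
# Assumes an open PowerCLI session and a Get-VMHost object. -LogDir is an
# assumed path of your own; the function name is this example's own.
function Test-EsxiPersistentLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [string] $LogDir,          # e.g. /vmfs/volumes/<datastore>/logs (assumption)
        [switch] $Remediate
    )

    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    $cfg    = $esxcli.system.syslog.config.get.Invoke()

    # Get-EsxCli -V2 hands back field values as strings, so compare as text.
    $persistent = ("$($cfg.LocalLogOutputIsPersistent)" -eq 'true')
    $logOutput  = "$($cfg.LocalLogOutput)"

    if (-not $persistent -and $Remediate -and $LogDir) {
        $setArgs = $esxcli.system.syslog.config.set.CreateArgs()
        $setArgs.logdir       = $LogDir
        $setArgs.logdirunique = $true   # one subdirectory per host; safe on a shared datastore
        $esxcli.system.syslog.config.set.Invoke($setArgs) | Out-Null
        $esxcli.system.syslog.reload.Invoke()             | Out-Null

        # Re-read rather than trust the request: the host decides persistence.
        $cfg        = $esxcli.system.syslog.config.get.Invoke()
        $persistent = ("$($cfg.LocalLogOutputIsPersistent)" -eq 'true')
        $logOutput  = "$($cfg.LocalLogOutput)"
    }

    [pscustomobject]@{
        Host       = $VMHost.Name
        LogOutput  = $logOutput
        Persistent = $persistent
        Compliant  = $persistent
    }
}

# Get-VMHost | ForEach-Object { Test-EsxiPersistentLog -VMHost $_ }
# Get-VMHost | ForEach-Object { Test-EsxiPersistentLog -VMHost $_ -Remediate -LogDir '/vmfs/volumes/datastore1/logs' }
```

Re-reading the configuration after the change matters: if the path you supply is itself on the ramdisk scratch volume, or the datastore is not mounted on that host, the host will still report the output as not persistent and the rule remains a finding.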
SRG-OS-000355-VMM-001330
<GroupDescription></GroupDescription>Group -
The ESXi host must configure NTP time synchronization.
<VulnDiscussion>To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system...
Rule Medium Severity
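An NTP check has three parts that are easy to get only partly right: the server list, the ntpd service start policy, and whether the service is actually running. The following is an added example, not code from the STIG or from VMware; it assumes an open PowerCLI session and a Get-VMHost object, and the server names you pass in are placeholders for your authoritative sources.

```powershell
# Added example, not part of the STIG text. Verifies NTP on a host: the
# configured servers match -NtpServer exactly when it is given (otherwise at
# least one server), the ntpd service starts with the host, and it is running.
# With -Remediate the server list is reconciled and the service enabled.
# Assumes an open PowerCLI session and a Get-VMHost object; function and
# parameter names are this example's own.
function Test-EsxiNtp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [string[]] $NtpServer,     # authoritative time sources (assumed values)
        [switch] $Remediate
    )

    $configured = @(Get-VMHostNtpServer -VMHost $VMHost)
    $ntpd       = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }

    # Set comparison without Compare-Object, which rejects an empty list on
    # Windows PowerShell 5.1.
    if ($NtpServer) {
        $missing   = @($NtpServer  | Where-Object { $configured -notcontains $_ })
        $extra     = @($configured | Where-Object { $NtpServer  -notcontains $_ })
        $serversOk = ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    } else {
        $serversOk = ($configured.Count -gt 0)
    }
    $compliant = $serversOk -and $ntpd.Running -and ($ntpd.Policy -eq 'on')

    if (-not $compliant -and $Remediate -and $NtpServer) {
        foreach ($s in $configured) {
            if ($NtpServer -notcontains $s) {
                Remove-VMHostNtpServer -VMHost $VMHost -NtpServer $s -Confirm:$false
            }
        }
        foreach ($s in $NtpServer) {
            if ($configured -notcontains $s) {
                Add-VMHostNtpServer -VMHost $VMHost -NtpServer $s | Out-Null
            }
        }
        # Policy "On" starts ntpd with the host; restart so it reads the new list.
        Set-VMHostService -HostService $ntpd -Policy On -Confirm:$false | Out-Null
        if ($ntpd.Running) { Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null }
        else               { Start-VMHostService   -HostService $ntpd -Confirm:$false | Out-Null }

        $configured = @(Get-VMHostNtpServer -VMHost $VMHost)
        $ntpd       = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
        $compliant  = $ntpd.Running -and ($ntpd.Policy -eq 'on')
    }

    [pscustomobject]@{
        Host       = $VMHost.Name
        NtpServers = ($configured -join ',')
        Policy     = "$($ntpd.Policy)"
        Running    = [bool]$ntpd.Running
        Compliant  = $compliant
    }
}

# Get-VMHost | ForEach-Object { Test-EsxiNtp -VMHost $_ -NtpServer 'ntp1.example.mil','ntp2.example.mil' }
```

A host with a correct server list but a policy of "Off" passes a casual look at the NTP settings page and still drifts after its next reboot, which is why the policy and running state are part of the verdict rather than just the server list.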
SRG-OS-000366-VMM-001430
<GroupDescription></GroupDescription>Group -
The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.
<VulnDiscussion>Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. ...
Rule High Severity
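The host acceptance level and the acceptance level of each installed VIB are two different things: raising the host level stops new CommunitySupported VIBs from being installed but does not remove one that is already there, and the host refuses to raise its level while such a VIB is present. The following is an added example, not code from the STIG or from VMware; it assumes an open PowerCLI session and a Get-VMHost object.

```powershell
# Added example, not part of the STIG text. Reports the host image-profile
# acceptance level and every installed VIB below PartnerSupported. With
# -Remediate the host level is raised to PartnerSupported, but only when no
# lower-level VIB is installed (the host rejects the change otherwise).
# Assumes an open PowerCLI session and a Get-VMHost object; function name is
# this example's own.
function Test-EsxiVibAcceptance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [switch] $Remediate
    )

    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $allowed = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported'

    # esxcli software acceptance get returns the level as a plain string.
    $level   = "$($esxcli.software.acceptance.get.Invoke())"
    $levelOk = $allowed -contains $level

    # A CommunitySupported VIB is code nobody in the VMware/partner chain has
    # signed. It must be removed by hand (esxcli software vib remove -n <name>)
    # before the host level can be raised.
    $badVibs = @($esxcli.software.vib.list.Invoke() |
                 Where-Object { $allowed -notcontains "$($_.AcceptanceLevel)" })

    if (-not $levelOk -and $Remediate -and $badVibs.Count -eq 0) {
        $setArgs = $esxcli.software.acceptance.set.CreateArgs()
        $setArgs.level = 'PartnerSupported'
        $esxcli.software.acceptance.set.Invoke($setArgs) | Out-Null
        $level   = "$($esxcli.software.acceptance.get.Invoke())"
        $levelOk = $allowed -contains $level
    }

    [pscustomobject]@{
        Host            = $VMHost.Name
        AcceptanceLevel = $level
        LowLevelVibs    = (($badVibs | ForEach-Object { "$($_.Name) ($($_.AcceptanceLevel))" }) -join ', ')
        Compliant       = $levelOk -and ($badVibs.Count -eq 0)
    }
}

# Get-VMHost | ForEach-Object { Test-EsxiVibAcceptance -VMHost $_ } | Format-Table -AutoSize
```

Treat a non-empty LowLevelVibs column as the real finding: it is the unsigned code the rule is about, and it is also what blocks the acceptance-level change until it has been removed and the host rebooted where the VIB requires it.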
SRG-OS-000423-VMM-001700
<GroupDescription></GroupDescription>Group -
The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
<VulnDiscussion>While encrypted vMotion is available, vMotion traffic should still be sequestered from other traffic to further protect it fr...
Rule Medium Severity
SRG-OS-000423-VMM-001700
<GroupDescription></GroupDescription>Group -
The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
<VulnDiscussion>The vSphere management network provides access to the vSphere management interface on each component. Services running on the...
Rule Medium Severity
SRG-OS-000423-VMM-001700
<GroupDescription></GroupDescription>Group -
The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
<VulnDiscussion>Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage incl...
Rule Medium Severity
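The three isolation rules above (vMotion, management, IP-based storage) all reduce to the same question per VMkernel port: is the port group, or the VLAN behind it, also used by virtual machines or by another infrastructure traffic class? The following is an added example that checks all three in one pass; it is not code from the STIG or from VMware. It assumes an open PowerCLI session, a Get-VMHost object and standard vSwitches (distributed port groups are not examined). vMotion and management roles come from the VMkernel port flags, iSCSI ports from esxcli iscsi networkportal list; NFS ports carry no flag, so -StoragePortGroupPattern is an assumed naming convention you should adjust.

```powershell
# Added example, not part of the STIG text. For every VMkernel port that
# carries management, vMotion or IP-storage traffic, reports whether its port
# group or VLAN is shared with virtual-machine port groups, or whether one port
# carries more than one of those roles. Assumes an open PowerCLI session, a
# Get-VMHost object and standard vSwitches. -StoragePortGroupPattern is an
# assumed naming convention; function and parameter names are this example's own.
function Test-EsxiTrafficIsolation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [string] $StoragePortGroupPattern = 'iSCSI|NFS|Storage'
    )

    # VLAN of every standard port group on the host (0 = untagged).
    $pgVlan = @{}
    Get-VirtualPortGroup -VMHost $VMHost -Standard |
        ForEach-Object { $pgVlan[$_.Name] = [int]$_.VLanId }

    # Port groups, and therefore VLANs, that VMs on this host are attached to.
    $vmPortGroups = @(Get-VM -Location $VMHost | Get-NetworkAdapter |
                      Select-Object -ExpandProperty NetworkName -Unique)
    $vmVlans = @($vmPortGroups | Where-Object { $pgVlan.ContainsKey($_) } |
                 ForEach-Object { $pgVlan[$_] } | Select-Object -Unique)

    # VMkernel ports bound to the software iSCSI adapter, if there is one.
    $esxcli   = Get-EsxCli -VMHost $VMHost -V2
    $iscsiVmk = @()
    try   { $iscsiVmk = @($esxcli.iscsi.networkportal.list.Invoke() | ForEach-Object { $_.Vmknic }) }
    catch { }   # no iSCSI adapter on this host

    foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel) {
        $roles = @()
        if ($vmk.ManagementTrafficEnabled) { $roles += 'Management' }
        if ($vmk.VMotionEnabled)           { $roles += 'vMotion' }
        if (($iscsiVmk -contains $vmk.Name) -or
            ($vmk.PortGroupName -match $StoragePortGroupPattern)) { $roles += 'IPStorage' }
        if ($roles.Count -eq 0) { continue }   # no isolated role on this port

        $vlan = if ($pgVlan.ContainsKey($vmk.PortGroupName)) { $pgVlan[$vmk.PortGroupName] } else { $null }

        $findings = @()
        if ($vmPortGroups -contains $vmk.PortGroupName) {
            $findings += 'port group also carries VM traffic'
        }
        # Untagged (VLAN 0) shared with an untagged VM port group is still sharing.
        if ($null -ne $vlan -and $vmVlans -contains $vlan) {
            $findings += "VLAN $vlan is also used by a VM port group"
        }
        if ($roles.Count -gt 1) {
            $findings += 'one VMkernel port carries more than one isolated traffic class'
        }

        [pscustomobject]@{
            Host      = $VMHost.Name
            VMKernel  = $vmk.Name
            PortGroup = $vmk.PortGroupName
            VLAN      = $vlan
            Roles     = ($roles -join ',')
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Get-VMHost | ForEach-Object { Test-EsxiTrafficIsolation -VMHost $_ } | Format-Table -AutoSize
```

The VLAN comparison is the part a port-group-only check misses: two differently named port groups on the same VLAN ID put vMotion or storage frames on the same broadcast domain as guest traffic, which is exactly the exposure the rules describe. The check is host-local by design; a VLAN that is isolated on the vSwitch can still be bridged upstream, so confirm the physical switch configuration separately.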
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.
<VulnDiscussion>If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If S...
Rule Medium Severity
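The rule has two branches: a disabled agent is compliant as it stands, and an enabled agent must have a trap destination. The following is an added example that audits both branches from esxcli system snmp get and, with -Remediate, turns off an agent that is enabled without any target; it is not code from the STIG or from VMware. It assumes an open PowerCLI session and a Get-VMHost object. The extra flag on default community strings (public, private) is this example's own check, added because an enabled v1/v2c agent with a well-known community is readable by anyone on the management network.

```powershell
# Added example, not part of the STIG text. Audits the host SNMP agent:
# disabled is compliant; enabled requires at least one v1/v2c or v3 trap
# target, and a default community string is reported as a finding. With
# -Remediate an enabled agent that has no target is switched off.
# Assumes an open PowerCLI session and a Get-VMHost object; function name is
# this example's own.
function Test-EsxiSnmp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [switch] $Remediate
    )

    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    $snmp   = $esxcli.system.snmp.get.Invoke()

    # V2 output is text: "true"/"false", comma-separated lists, empty when unset.
    $enabled   = ("$($snmp.Enable)" -eq 'true')
    $targets   = @("$($snmp.Targets)", "$($snmp.V3targets)" | Where-Object { $_ -ne '' })
    $hasTarget = ($targets.Count -gt 0)
    $weak      = @("$($snmp.Communities)" -split ',' |
                   Where-Object { $_.Trim() -in 'public', 'private' })

    $findings = @()
    if ($enabled -and -not $hasTarget)   { $findings += 'SNMP enabled without a trap destination' }
    if ($enabled -and $weak.Count -gt 0) { $findings += "default community string in use: $($weak -join ',')" }

    if ($enabled -and -not $hasTarget -and $Remediate) {
        $setArgs = $esxcli.system.snmp.set.CreateArgs()
        $setArgs.enable = $false
        $esxcli.system.snmp.set.Invoke($setArgs) | Out-Null
        $enabled  = $false
        $findings = @()
    }

    [pscustomobject]@{
        Host      = $VMHost.Name
        Enabled   = $enabled
        Targets   = ($targets -join ' ')
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Get-VMHost | ForEach-Object { Test-EsxiSnmp -VMHost $_ } | Format-Table -AutoSize
```

Remediation here only disables an agent that nobody is receiving traps from; an agent with a target but a weak community is reported, not changed, because the fix (moving to SNMPv3 users or a non-default community) has to be coordinated with the receiving monitoring system.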
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
<VulnDiscussion>When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both t...
Rule Medium Severity
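Bidirectional CHAP on an ESXi iSCSI adapter is two settings: the CHAP type must be Required, and mutual CHAP must be enabled with its own name and secret. The following is an added example that checks and, with -Remediate, configures both; it is not code from the STIG or from VMware. It assumes an open PowerCLI session and a Get-VMHost object, and the two credential objects are yours (the storage target must be configured with the matching pair).

```powershell
# Added example, not part of the STIG text. Checks every iSCSI adapter on a
# host for CHAP type "Required" with mutual (bidirectional) CHAP enabled, and
# with -Remediate configures both from the supplied credentials. Assumes an
# open PowerCLI session and a Get-VMHost object; the credentials are yours and
# the function and parameter names are this example's own.
function Test-EsxiIscsiChap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $VMHost,
        [pscredential] $ChapCredential,         # host -> target (outgoing) name/secret
        [pscredential] $MutualChapCredential,   # target -> host (incoming) name/secret
        [switch] $Remediate
    )

    foreach ($hba in Get-VMHostHba -VMHost $VMHost -Type iScsi) {
        $auth      = $hba.AuthenticationProperties
        $compliant = ($auth.ChapType -eq 'Required') -and [bool]$auth.MutualChapEnabled

        if (-not $compliant -and $Remediate -and $ChapCredential -and $MutualChapCredential) {
            # The two directions need different secrets; reusing the outgoing
            # secret for the incoming one makes the second authentication moot.
            $outSecret = $ChapCredential.GetNetworkCredential().Password
            $inSecret  = $MutualChapCredential.GetNetworkCredential().Password
            if ($outSecret -eq $inSecret) {
                throw "CHAP and mutual CHAP secrets must differ on $($hba.Device)"
            }

            Set-VMHostHba -IScsiHba $hba -ChapType Required `
                -ChapName $ChapCredential.UserName -ChapPassword $outSecret `
                -MutualChapEnabled $true `
                -MutualChapName $MutualChapCredential.UserName -MutualChapPassword $inSecret `
                -Confirm:$false | Out-Null

            $auth      = (Get-VMHostHba -VMHost $VMHost -Device $hba.Device).AuthenticationProperties
            $compliant = ($auth.ChapType -eq 'Required') -and [bool]$auth.MutualChapEnabled
        }

        [pscustomobject]@{
            Host       = $VMHost.Name
            Adapter    = $hba.Device
            ChapType   = "$($auth.ChapType)"
            MutualChap = [bool]$auth.MutualChapEnabled
            Compliant  = $compliant
        }
    }
}

# $out = Get-Credential -Message 'Outgoing CHAP (host -> target)'
# $in  = Get-Credential -Message 'Incoming CHAP (target -> host)'
# Get-VMHost | ForEach-Object { Test-EsxiIscsiChap -VMHost $_ -ChapCredential $out -MutualChapCredential $in -Remediate }
```

Adapter-level settings can be overridden per target (Get-IScsiHbaTarget / Set-IScsiHbaTarget expose the same ChapType and MutualChapEnabled properties), so a host that passes this check can still have a single target configured to inherit nothing; audit the targets with the same two conditions before closing the finding. Apply the change during a storage maintenance window: sessions renegotiate when the adapter is rescanned, and a mismatch with the target side drops the datastores.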