VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must verify the DCUI.Access list.
<VulnDiscussion>Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must verify the exception users list for lockdown mode.
<VulnDiscussion>While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users...Rule Medium Severity -
SRG-OS-000032-VMM-000130
<GroupDescription></GroupDescription>Group -
Remote logging for ESXi hosts must be configured.
<VulnDiscussion>Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a c...Rule Medium Severity -
SRG-OS-000021-VMM-000050
<GroupDescription></GroupDescription>Group -
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known ...Rule Medium Severity -
SRG-OS-000329-VMM-001180
<GroupDescription></GroupDescription>Group -
The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
<VulnDiscussion>By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user passw...Rule Medium Severity -
SRG-OS-000023-VMM-000060
<GroupDescription></GroupDescription>Group -
The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
<VulnDiscussion>Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized ac...Rule Medium Severity -
SRG-OS-000023-VMM-000060
<GroupDescription></GroupDescription>Group -
The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
<VulnDiscussion>Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized ac...Rule Medium Severity -
SRG-OS-000023-VMM-000060
<GroupDescription></GroupDescription>Group -
The ESXi host SSH daemon must be configured with the DOD logon banner.
<VulnDiscussion>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attack...Rule Medium Severity -
SRG-OS-000033-VMM-000140
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
<VulnDiscussion>OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module that is enabled by default. For backward comp...Rule Medium Severity -
SRG-OS-000107-VMM-000530
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must ignore ".rhosts" files.
<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptogra...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, ...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able t...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on the system as another ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could res...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
<VulnDiscussion>SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by th...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
<VulnDiscussion>X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attac...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
<VulnDiscussion>OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide sim...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
<VulnDiscussion>Setting a timeout ensures that a user login will be terminated as soon as the "ClientAliveCountMax" is reached.</VulnDiscu...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
<VulnDiscussion>Automatically logging out idle users guards against compromises via hijacked administrative sessions.</VulnDiscussion>&...Rule Low Severity -
SRG-OS-000037-VMM-000150
<GroupDescription></GroupDescription>Group -
The ESXi host must produce audit records containing information to establish what type of events occurred.
<VulnDiscussion>Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events...Rule Medium Severity -
SRG-OS-000069-VMM-000360
<GroupDescription></GroupDescription>Group -
The ESXi host must be configured with a sufficiently complex password policy.
<VulnDiscussion>To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of comple...Rule Medium Severity -
SRG-OS-000077-VMM-000440
<GroupDescription></GroupDescription>Group -
The ESXi host must prohibit the reuse of passwords within five iterations.
<VulnDiscussion>If a user or root used the same password continuously or was allowed to change it back shortly after being forced to change i...Rule Medium Severity -
SRG-OS-000095-VMM-000480
<GroupDescription></GroupDescription>Group -
The ESXi host must disable the Managed Object Browser (MOB).
<VulnDiscussion>The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be c...Rule Medium Severity -
SRG-OS-000095-VMM-000480
<GroupDescription></GroupDescription>Group -
The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
<VulnDiscussion>The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.