The ESXi host must use DOD-approved encryption to protect the confidentiality of network sessions.

An XCCDF Rule

Description

<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. In ESXi 8.0 Update 3 and newer TLS profiles are available to configure client and server TLS settings and must be configured to use only strong ciphers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-265974r1003578_rule
Severity: Medium
References: CCI-000068 CCI-002420 CCI-002422
Updated: 3 months ago

TLS Profiles can be configured with vSphere Configuration Profiles or manually on each host for clusters not using vSphere Configuration Profiles.

For ESXi hosts in clusters managed with vSphere Configuration Profiles do the following:

Note: These steps assume a vSphere Configuration Profile is already in use for the target cluster.
From the vSphere Client, go to Host and Clusters.

Select the vCenter Server >> Select the target cluster >> Configure >> Desired State >> Configuration >> Draft.

Click "Create Draft" or "Import from Host" if a draft does not exist.

Select system >> tls_server >> Configure Settings.

Select "NIST_2024" from the drop down for profile and click "Save".

Click "Apply Changes" and run through the pre-check to enforce the change.

Note: Updating this setting through a vSphere Configuration Profile will place hosts into maintenance mode and perform a rolling reboot of all hosts in the cluster.

For standalone hosts or clusters not managed with vSphere Configuration Profiles do the following:

Prior to changing the TLS profile it is highly recommended to place the host in maintenance mode.

From an ESXi shell, run the following command:

# esxcli system tls server set -p NIST_2024

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.tls.server.set.CreateArgs()
$arguments.profile = "NIST_2024"
$esxcli.system.tls.server.set.invoke($arguments)

A reboot is required to complete the process of changing profiles.

The ESXi host must use DOD-approved encryption to protect the confidentiality of network sessions.

Description

Remediation - Manual Procedure