The vCenter Server must disable the distributed virtual switch health check.

An XCCDF Rule

Description

Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off when troubleshooting is finished.

ID: SV-258934r961863_rule
Version: VCSA-80-000267
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Health Check.

Click "Edit".
Disable the "VLAN and MTU" and "Teaming and failover" checks.

Click "OK".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}

The vCenter Server must disable the distributed virtual switch health check.

Description

Remediation Templates

A Manual Procedure