
I - Mission Critical Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000095-VMM-000480 (Group)
    Rule (Medium Severity): The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
    Vulnerability discussion: The ESXi Shell is an interactive command line environment available locally from the Direct Console User Interface (DCUI) or ...

  • SRG-OS-000104-VMM-000500 (Group)
    Rule (Low Severity): The ESXi host must use Active Directory for local user authentication.
    Vulnerability discussion: Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain multiple local user accounts. Usin...

  • SRG-OS-000104-VMM-000500 (Group)
    Rule (Medium Severity): ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
    Vulnerability discussion: If a host is configured to join an Active Directory domain using Host Profiles and/or Auto Deploy, the Active Directory crede...

  • SRG-OS-000104-VMM-000500 (Group)
    Rule (Medium Severity): Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
    Vulnerability discussion: When adding ESXi hosts to Active Directory, all user/group accounts assigned to the Active Directory group "ESX Admins" wil...

  • SRG-OS-000163-VMM-000700 (Group)
    Rule (Medium Severity): The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
    Vulnerability discussion: If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely a...

  • SRG-OS-000163-VMM-000700 (Group)
    Rule (Medium Severity): The ESXi host must terminate shell services after 10 minutes.
    Vulnerability discussion: When the ESXi Shell or Secure Shell (SSH) services are enabled on a host, they will run indefinitely. To avoid having these s...

  • SRG-OS-000163-VMM-000700 (Group)
    Rule (Medium Severity): The ESXi host must log out of the console UI after two minutes.
    Vulnerability discussion: When the Direct Console User Interface (DCUI) is enabled and logged in, it should be automatically logged out if left logged ...

  • SRG-OS-000341-VMM-001220 (Group)
    Rule (Medium Severity): The ESXi host must enable a persistent log location for all locally stored logs.
    Vulnerability discussion: ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is li...

  • SRG-OS-000355-VMM-001330 (Group)
    Rule (Medium Severity): The ESXi host must configure NTP time synchronization.
    Vulnerability discussion: To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system...

  • SRG-OS-000366-VMM-001430 (Group)
    Rule (High Severity): The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.
    Vulnerability discussion: Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. ...

  • SRG-OS-000423-VMM-001700 (Group)
    Rule (Medium Severity): The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
    Vulnerability discussion: While encrypted vMotion is available, vMotion traffic should still be sequestered from other traffic to further protect it fr...

  • SRG-OS-000423-VMM-001700 (Group)
    Rule (Medium Severity): The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
    Vulnerability discussion: The vSphere management network provides access to the vSphere management interface on each component. Services running on the...

  • SRG-OS-000423-VMM-001700 (Group)
    Rule (Medium Severity): The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
    Vulnerability discussion: Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage incl...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.
    Vulnerability discussion: If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If S...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
    Vulnerability discussion: When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both t...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Low Severity): The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
    Vulnerability discussion: Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure mem...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): The ESXi host must configure the firewall to restrict access to services running on the host.
    Vulnerability discussion: Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce ...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): The ESXi host must configure the firewall to block network traffic by default.
    Vulnerability discussion: In addition to service-specific firewall rules, ESXi has a default firewall rule policy to allow or deny incoming and outgoin...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
    Vulnerability discussion: BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce th...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): All port groups on standard switches must be configured to reject forged transmits.
    Vulnerability discussion: If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send fr...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (High Severity): All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.
    Vulnerability discussion: If the virtual machine (VM) operating system changes the MAC address, it can send frames with an impersonated source MAC addr...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): All port groups on standard switches must be configured to reject guest promiscuous mode requests.
    Vulnerability discussion: When promiscuous mode is enabled for a virtual switch, all virtual machines (VMs) connected to the Portgroup have the potenti...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): Use of the dvFilter network application programming interfaces (APIs) must be restricted.
    Vulnerability discussion: If the organization is not using products that use the dvfilter network API, the host should not be configured to send networ...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
    Vulnerability discussion: ESXi does not use the concept of native VLAN. Frames with a VLAN specified in the port group will have a tag, but frames with...

  • SRG-OS-000480-VMM-002000 (Group)
    Rule (Medium Severity): All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
    Vulnerability discussion: When a port group is set to VLAN 4095, the vSwitch passes all network frames to the attached virtual machines (VMs) without m...
