III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
<VulnDiscussion>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptogra...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, ...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able t...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on the system as another ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could res...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
<VulnDiscussion>SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by th...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
<VulnDiscussion>X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attac...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
<VulnDiscussion>OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide sim...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
<VulnDiscussion>Setting a timeout ensures that a user login will be terminated as soon as the "ClientAliveCountMax" is reached.</VulnDiscu...Rule Low Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
<VulnDiscussion>Automatically logging out idle users guards against compromises via hijacked administrative sessions.</VulnDiscussion>&...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.