III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must configure the firewall to block network traffic by default.
<VulnDiscussion>In addition to service-specific firewall rules, ESXi has a default firewall rule policy to allow or deny incoming and outgoin...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
<VulnDiscussion>BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce th...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must configure virtual switch security policies to reject forged transmits.
<VulnDiscussion>If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send fr...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
<VulnDiscussion>If the virtual machine (VM) operating system changes the MAC address, it can send frames with an impersonated source MAC addr...Rule High Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.
<VulnDiscussion>When promiscuous mode is enabled for a virtual switch, all virtual machines (VMs) connected to the Portgroup have the potenti...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must restrict use of the dvFilter network application programming interface (API).
<VulnDiscussion>If the organization is not using products that use the dvFilter network API, the host should not be configured to send networ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
<VulnDiscussion>When a port group is set to VLAN 4095, the vSwitch passes all network frames to the attached virtual machines (VMs) without m...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must have all security patches and updates installed.
<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.</VulnD...Rule High Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
<VulnDiscussion>Warnings that local or remote shell sessions are enabled alert administrators to activity they may not be aware of and need t...Rule Medium Severity -
SRG-OS-000480-VMM-002000
<GroupDescription></GroupDescription>Group -
The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
<VulnDiscussion>The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.