Skip to content
Log In

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000027-VMM-000080

    Group
    Show

  • Access to the ESXi host must be limited by enabling lockdown mode.

    Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCe...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host must verify the DCUI.Access list.

    Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host becomes isolated from vCenter, the administrator is locked out and can ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host must verify the exception users list for lockdown mode.

    While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permissions when the host enters lockdown mode. The...
    Rule Medium Severity
    Show

  • SRG-OS-000032-VMM-000130

    Group
    Show

  • Remote logging for ESXi hosts must be configured.

    Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It...
    Rule Medium Severity
    Show

  • SRG-OS-000021-VMM-000050

    Group
    Show

  • The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.

    By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Once the configured number of attempts is ...
    Rule Medium Severity
    Show

  • SRG-OS-000329-VMM-001180

    Group
    Show

  • The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.

    By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Users must w...
    Rule Medium Severity
    Show

  • SRG-OS-000023-VMM-000060

    Group
    Show

  • The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).

    Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-VMM-000060, SRG-OS-0...
    Rule Medium Severity
    Show

  • SRG-OS-000023-VMM-000060

    Group
    Show

  • The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).

    Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
    Rule Medium Severity
    Show

  • SRG-OS-000023-VMM-000060

    Group
    Show

  • The ESXi host SSH daemon must be configured with the DOD logon banner.

    The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should...
    Rule Medium Severity
    Show

  • SRG-OS-000033-VMM-000140

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

    OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module that is enabled by default. For backward compatibility reasons, this can be disabled so this setting can be audited a...
    Rule Medium Severity
    Show

  • SRG-OS-000107-VMM-000530

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must ignore ".rhosts" files.

    SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obsolete "rsh" command in allowing users to enable ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.

    SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentication is more secure than ".rhosts" authenticat...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.

    Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
    Rule Low Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.

    SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able to present environment options to the SSH daemon.
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.

    If other users have access to modify user-specific SSH configuration files, they may be able to log on the system as another user.
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.

    If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, pote...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.

    SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide convenience similar to a virtual...
    Rule Low Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.

    X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection.
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must not permit tunnels.

    OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a virtual private network (VPN) with the similar ris...
    Rule Medium Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.

    Setting a timeout ensures that a user login will be terminated as soon as the "ClientAliveCountMax" is reached.
    Rule Low Severity
    Show

  • SRG-OS-000480-VMM-002000

    Group
    Show

  • The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.

    Automatically logging out idle users guards against compromises via hijacked administrative sessions.
    Rule Low Severity
    Show

  • SRG-OS-000037-VMM-000150

    Group
    Show

  • The ESXi host must produce audit records containing information to establish what type of events occurred.

    Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Satisfies: SRG-OS-000037-VMM-000150...
    Rule Medium Severity
    Show

  • SRG-OS-000069-VMM-000360

    Group
    Show

  • The ESXi host must be configured with a sufficiently complex password policy.

    To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain vali...
    Rule Medium Severity
    Show

  • SRG-OS-000077-VMM-000440

    Group
    Show

  • The ESXi host must prohibit the reuse of passwords within five iterations.

    If a user or root used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the oppo...
    Rule Medium Severity
    Show

  • SRG-OS-000095-VMM-000480

    Group
    Show

  • The ESXi host must disable the Managed Object Browser (MOB).

    The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed. This interface is meant to be used primarily for debugging the v...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules