I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000358
Group -
The vCenter Server must be configured to send logs to a central log server.
vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a security incident or to assist in troubleshooting.Rule Medium Severity -
SRG-APP-000360
Group -
The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
SRG-APP-000371
Group -
The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
SRG-APP-000427
Group -
The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient secur...Rule Medium Severity -
SRG-APP-000428
Group -
The vCenter Server must enable data at rest encryption for vSAN.
Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Data encryption...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
The VMware CEIP sends VMware anonymized system information that is used to improve the quality, reliability, and functionality of VMware products and services. For confidentiality purposes, this fe...Rule Medium Severity -
SRG-APP-000575
Group -
The vCenter server must enforce SNMPv3 security features where SNMP is required.
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were...Rule Medium Severity -
SRG-APP-000575
Group -
The vCenter server must disable SNMPv1/2 receivers.
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were...Rule Medium Severity -
SRG-APP-000345
Group -
The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
By requiring that Single Sign-On (SSO) accounts be unlocked manually, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. When the account unlo...Rule Medium Severity -
SRG-APP-000516
Group -
The vCenter Server must disable the distributed virtual switch health check.
Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that networ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.