Appendix A Security Configuration Settings¶
This appendix captures the security configuration settings (Common Configuration Enumerations [CCEs]). The following table lists the VMware products and their associated security configurations.
CCE ID |
Configuration(s) |
Built-In / Enhanced |
Product |
Audit Procedure |
Recommended Parameter Value |
|---|---|---|---|---|---|
CCE-84401-9 |
NIST80053-VI-ESXi-CFG-00001 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config
If there is no output or the output is not |
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc |
CCE-84402-7 |
NIST80053-VI-ESXi-CFG-00002 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^Protocol" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
2 |
CCE-84403-5 |
NIST80053-VI-ESXi-CFG-00003 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^IgnoreRhosts" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
yes |
CCE-84404-3 |
NIST80053-VI-ESXi-CFG-00004 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84405-0 |
NIST80053-VI-ESXi-CFG-00005 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^PermitRootLogin" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84406-8 |
NIST80053-VI-ESXi-CFG-00006 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84407-6 |
NIST80053-VI-ESXi-CFG-00007 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^PermitUserEnvironment" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84408-4 |
NIST80053-VI-ESXi-CFG-00008 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^MACs" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
hmac-sha1,hmac-sha2-256,hmac-sha2-512 |
CCE-84409-2 |
NIST80053-VI-ESXi-CFG-00009 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^GSSAPIAuthentication" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84410-0 |
NIST80053-VI-ESXi-CFG-00010 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^KerberosAuthentication" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84411-8 |
NIST80053-VI-ESXi-CFG-00011 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^StrictModes" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
yes |
CCE-84412-6 |
NIST80053-VI-ESXi-CFG-00012 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^Compression" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84413-4 |
NIST80053-VI-ESXi-CFG-00013 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^GatewayPorts" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84414-2 |
NIST80053-VI-ESXi-CFG-00014 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^X11Forwarding" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84415-9 |
NIST80053-VI-ESXi-CFG-00015 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^AcceptEnv" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
AcceptEnv |
CCE-84416-7 |
NIST80053-VI-ESXi-CFG-00016 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^PermitTunnel" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
no |
CCE-84417-5 |
NIST80053-VI-ESXi-CFG-00017 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^ClientAliveCountMax" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
3 |
CCE-84418-3 |
NIST80053-VI-ESXi-CFG-00018 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^ClientAliveInterval" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
200 |
CCE-84419-1 |
NIST80053-VI-ESXi-CFG-00019 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^MaxSessions" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
1 |
CCE-84420-9 |
NIST80053-VI-ESXi-CFG-00020 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^Ciphers" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc, aes256-cbc |
CCE-84421-7 |
NIST80053-VI-ESXi-CFG-00022 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.PasswordQualityControl
If Security.PasswordQualityControl is not set to |
similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 |
CCE-84422-5 |
NIST80053-VI-ESXi-CFG-00028 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostFirewallException |
Where {$_.Name -eq 'SSH Server' -and $_.Enabled -eq $true} |
Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}}
If for an enabled service |
AllIPEnabled: False |
CCE-84423-3 |
NIST80053-VI-ESXi-CFG-00030 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning
If UserVars.SuppressShellWarning is not set to 0, this is a finding. |
0 |
CCE-84424-1 |
NIST80053-VI-ESXi-CFG-00031 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.LockdownMode}}
If Lockdown Mode is disabled, this is a finding. For environments that do not use vCenter server to manage ESXi, this is not applicable. |
lockdownNormal |
CCE-84425-8 |
NIST80053-VI-ESXi-CFG-00034 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures
If Security.AccountLockFailures is not set to 3, this is a finding. |
3 |
CCE-84426-6 |
NIST80053-VI-ESXi-CFG-00038 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut
If UserVars.ESXiShellInteractiveTimeOut is not set to 600, this is a finding. |
600 |
CCE-84427-4 |
NIST80053-VI-ESXi-CFG-00039 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut
If UserVars.ESXiShellTimeOut is not set to 600, this is a finding. |
600 |
CCE-84428-2 |
NIST80053-VI-ESXi-CFG-00043 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU
If Net.BlockGuestBPDU is not set to 1, this is a finding. |
1 |
CCE-84429-0 |
NIST80053-VI-ESXi-CFG-00056 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.system.coredump.network.get()
If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding. |
TRUE |
CCE-84430-8 |
NIST80053-VI-ESXi-CFG-00106 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy
If the Incoming or Outgoing policies are True, this is a finding. |
FALSE |
CCE-84431-6 |
NIST80053-VI-ESXi-CFG-00107 |
Enhanced |
ESXi |
Log in to the host and run the following command: # ls -la /etc/ssh/keys-root/authorized_keys
If the authorized_keys file exists, this is a finding. |
File should not exist |
CCE-84432-4 |
NIST80053-VI-ESXi-CFG-00108 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHostSnmp | Select \*
or From a console or ssh session run the following command: Esxcli system snmp get
If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the |
FALSE |
CCE-84433-2 |
NIST80053-VI-ESXi-CFG-00109 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient
If the remember setting is not set or is not |
remember=5 |
CCE-84434-0 |
NIST80053-VI-ESXi-CFG-00110 |
Built-in |
ESXi |
Run the following command: # grep -i "^password" /etc/pam.d/passwd | grep sufficient
If sha512 is not listed, this is a finding. |
sha512 |
CCE-84435-7 |
NIST80053-VI-ESXi-CFG-00111 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}
If the ESXi SSH service is running, this is a finding. |
Policy: Off and Running: False |
CCE-84436-5 |
NIST80053-VI-ESXi-CFG-00112 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"}
If the ESXi Shell service is running, this is a finding. |
Policy: Off and Running: False |
CCE-84437-3 |
NIST80053-VI-ESXi-CFG-00113 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}
If the ESXi SSH service is running, this is a finding. |
Policy: Off and Running: False |
CCE-84438-1 |
NIST80053-VI-ESXi-CFG-00114 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Directory Services Type is not set to “Active Directory”, this is a finding. |
sfo01.rainpole.local |
CCE-84439-9 |
NIST80053-VI-ESXi-CFG-00115 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ |
Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ |
Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}},
` @{N="JoinDomainMethod";E={(($_ |
Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory |
Select -ExpandProperty Policy |
Where {$_.Id-eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
Verify if For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding. |
JoinADEnabled: True, JoinDomainMethod: FixedCAMConfigOption |
CCE-84440-7 |
NIST80053-VI-ESXi-CFG-00116 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the Directory Services Type is not set to “Active Directory”, this is a finding. |
sfo01.rainpole.local |
CCE-84441-5 |
NIST80053-VI-ESXi-CFG-00117 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ |
Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ |
Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}},
` @{N="JoinDomainMethod";E={(($_ |
Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory |
Select -ExpandProperty Policy |
Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
Verify if For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding. |
sfo01.rainpole.local |
CCE-84442-3 |
NIST80053-VI-ESXi-CFG-00118 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Directory Services Type is not set to “Active Directory”, this is a finding. |
sfo01.rainpole.local |
CCE-84443-1 |
NIST80053-VI-ESXi-CFG-00119 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ |
Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ |
Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}},
` @{N="JoinDomainMethod";E={(($_ |
Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory |
Select -ExpandProperty Policy |
Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
Verify if For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding. |
sfo01.rainpole.local |
CCE-84444-9 |
NIST80053-VI-ESXi-CFG-00120 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostAuthentication
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Directory Services Type is not set to “Active Directory”, this is a finding. |
sfo01.rainpole.local |
CCE-84445-6 |
NIST80053-VI-ESXi-CFG-00121 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to vCenter run the following command: Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ |
Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ |
Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}},
` @{N="JoinDomainMethod";E={(($_ |
Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory |
Select -ExpandProperty Policy |
Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}
Verify if For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If vSphere Authentication Proxy is not used to join hosts to an Active Directory domain, this is a finding. |
sfo01.rainpole.local |
CCE-84446-4 |
NIST80053-VI-ESXi-CFG-00122 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage
Check for the login banner text (mentioned in the parameter value) based on the character limitations imposed by the system. An exact match of the text is required. If this banner is not displayed, this is a finding. |
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. |
CCE-84447-2 |
NIST80053-VI-ESXi-CFG-00123 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.Etc.issue
If the Config.Etc.issue setting (/etc/issue file) does not contain the logon banner exactly as shown in the parameter value, this is a finding. |
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. |
CCE-84448-0 |
NIST80053-VI-ESXi-CFG-00124 |
Enhanced |
ESXi |
Connect via SSH and run the following command: # grep -i "^Banner" /etc/ssh/sshd_config
If there is no output or the output is not exactly |
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. |
CCE-84449-8 |
NIST80053-VI-ESXi-CFG-00125 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following script: $vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()
If the exception users list contains accounts that do not require special permissions, this is a finding. Note: This list is not intended for system administrator accounts but for special circumstances such as a service account. |
Remove unnecessary users from the exception user list |
CCE-84450-6 |
NIST80053-VI-ESXi-CFG-00127 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Annotations.WelcomeMessage
Check for the login banner text (mentioned in the parameter value) based on the character limitations imposed by the system. An exact match of the text is required. If this banner is not displayed, this is a finding. |
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. |
CCE-84451-4 |
NIST80053-VI-ESXi-CFG-00129 |
Enhanced |
ESXi |
If vCenter Update Manager is used on the network, it can scan all hosts for missing patches. From the vSphere Client, go to Hosts and Clusters >> Update Manager tab, and select Scan to view all hosts’ compliance status. If vCenter Update Manager is not used, a host’s compliance status must be manually determined by the build number. VMware KB 1014508 can be used to correlate patches with build numbers. If the ESXi host does not have the latest patches, this is a finding. If the ESXi host is not on a supported release, this is a finding. |
Apply latest patches and updates |
CCE-84452-2 |
NIST80053-VI-ESXi-CFG-00134 |
Enhanced |
ESXi |
The downloaded ISO, offline bundle, or patch hash must be verified against the vendor’s checksum to ensure the integrity and authenticity of the files. See the typical command line example for the sha1 hash check: # sha1sum <filename>.iso
If any of the system’s downloaded ISO, offline bundle, or system patch hashes cannot be verified against the vendor’s checksum, this is a finding. |
Compare the SHA1 sum output with the value posted on the VMware Web site. They should match. |
CCE-84453-0 |
NIST80053-VI-ESXi-CFG-00135 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84454-8 |
NIST80053-VI-ESXi-CFG-00136 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir
If LocalLogOutputIsPersistent is not set to true, this is a finding. |
[] /scratch/log |
CCE-84455-5 |
NIST80053-VI-ESXi-CFG-00137 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Config.HostAgent.plugins.hostsvc.esxAdminsGroup is set to “ESX Admins”, this is a finding. |
ug-SDDC-Admins |
CCE-84456-3 |
NIST80053-VI-ESXi-CFG-00138 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting
If Mem.ShareForceSalting is not set to 2, this is a finding. |
2 |
CCE-84457-1 |
NIST80053-VI-ESXi-CFG-00139 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHostFirewallDefaultPolicy
If the Incoming or Outgoing policies are True, this is a finding. |
N/A |
CCE-84458-9 |
NIST80053-VI-ESXi-CFG-00141 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84459-7 |
NIST80053-VI-ESXi-CFG-00142 |
Enhanced |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Config.HostAgent.plugins.hostsvc.esxAdminsGroup is set to “ESX Admins”, this is a finding. |
ug-SDDC-Admins |
CCE-84460-5 |
NIST80053-VI-ESXi-CFG-00143 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84461-3 |
NIST80053-VI-ESXi-CFG-00145 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding. |
ntp.lax01.rainpole.local, ntp.sfo01.rainpole.local |
CCE-84462-1 |
NIST80053-VI-ESXi-CFG-00157 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.software.acceptance.get()
If the acceptance level is CommunitySupported, this is a finding. |
PartnerSupported |
CCE-84463-9 |
NIST80053-VI-ESXi-CFG-00158 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.software.acceptance.get()
If the acceptance level is CommunitySupported, this is a finding. |
PartnerSupported |
CCE-84464-7 |
NIST80053-VI-ESXi-CFG-00159 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.software.acceptance.get()
If the acceptance level is CommunitySupported, this is a finding. |
PartnerSupported |
CCE-84465-4 |
NIST80053-VI-ESXi-CFG-00160 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.software.acceptance.get()
If the acceptance level is CommunitySupported, this is a finding. |
PartnerSupported |
CCE-84466-2 |
NIST80053-VI-ESXi-CFG-00161 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortGroup | Get-VDSecurityPolicy
If Forged Transmits is set to accept, this is a finding. |
FALSE |
CCE-84467-0 |
NIST80053-VI-ESXi-CFG-00162 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortGroup | Get-VDSecurityPolicy
If MAC Address Changes is set to accept, this is a finding. |
FALSE |
CCE-84468-8 |
NIST80053-VI-ESXi-CFG-00163 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name DCUI.Access
If DCUI.Access is not restricted to root, this is a finding. Note: This list is only for local user accounts and should only contain the root user. |
root |
CCE-84469-6 |
NIST80053-VI-ESXi-CFG-00164 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84470-4 |
NIST80053-VI-ESXi-CFG-00165 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime
If Security.AccountUnlockTime is not set to 900, this is a finding. |
900 |
CCE-84471-2 |
NIST80053-VI-ESXi-CFG-00166 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob
If Config.HostAgent.plugins.solo.enableMob is not set to false, this is a finding. |
FALSE |
CCE-84472-0 |
NIST80053-VI-ESXi-CFG-00167 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Config.HostAgent.plugins.hostsvc.esxAdminsGroup is set to “ESX Admins”, this is a finding. |
ug-SDDC-Admins |
CCE-84473-8 |
NIST80053-VI-ESXi-CFG-00168 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut
If UserVars.DcuiTimeOut is not set to 600, this is a finding. |
600 |
CCE-84474-6 |
NIST80053-VI-ESXi-CFG-00169 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress
If Net.DVFilterBindIpAddress is not blank and security appliances are not in use on the host, this is a finding. |
“” |
CCE-84475-3 |
NIST80053-VI-ESXi-CFG-00170 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84476-1 |
NIST80053-VI-ESXi-CFG-00171 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut
If UserVars.DcuiTimeOut is not set to 600, this is a finding. |
600 |
CCE-84477-9 |
NIST80053-VI-ESXi-CFG-00172 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84478-7 |
NIST80053-VI-ESXi-CFG-00173 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If the Config.HostAgent.plugins.hostsvc.esxAdminsGroup keyword is set to “ESX Admins”, this is a finding. |
ug-SDDC-Admins |
CCE-84479-5 |
NIST80053-VI-ESXi-CFG-00174 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84480-3 |
NIST80053-VI-ESXi-CFG-00175 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
For systems that do not use Active Directory and have no local user accounts, other than root, dcui, and/or vpxuser, this is not applicable. For systems that do not use Active Directory and do have local user accounts, other than root, dcui, and/or vpxuser, this is a finding. If Config.HostAgent.plugins.hostsvc.esxAdminsGroup is set to “ESX Admins”, this is a finding. |
ug-SDDC-Admins |
CCE-84481-1 |
NIST80053-VI-ESXi-CFG-00176 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84482-9 |
NIST80053-VI-ESXi-CFG-00177 |
Built-in |
ESXi |
The vMotion VMkernel port group should be in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the vMotion VLAN is not shared by any other function and it is not routed to anything but ESXi hosts. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configure > Networking > VMKernel adapters. Review the VLANs associated with the vMotion VMkernel(s) and verify they are dedicated for that purpose and logically separated from other functions. If long distance or cross vCenter vMotion is used, the vMotion network can be routable but must be accessible to only the intended ESXi hosts. If the vMotion port group is not on an isolated VLAN and/or is routable to systems other than ESXi hosts, this is a finding. For environments that do not use vCenter Server to manage ESXi, this is not applicable. |
vMotion VMKernel Port group should be in a dedicated VLAN. The check for this will Be unique per environment. |
CCE-84483-7 |
NIST80053-VI-ESXi-CFG-00178 |
Built-in |
ESXi |
The Management VMkernel port group should be in a dedicated VLAN that can be on a common standard or distributed virtual switch as long as the Management VLAN is not shared by any other function and it is not routed to anything other than management related functions such as vCenter. The check for this will be unique per environment. From the vSphere Client, select the ESXi host and go to Configure > Networking > VMKernel adapters. Review the VLANs associated with the Management VMkernel and verify they are dedicated for that purpose and logically separated from other functions. If the network segment is routed, except to networks where other management-related entities are located such as vCenter, this is a finding. If production virtual machine traffic is routed to this network, this is a finding. |
Management VMKernel Port group should be in a dedicated VLAN. The check for this will be unique per environment |
CCE-84484-5 |
NIST80053-VI-ESXi-CFG-00179 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level
If Config.HostAgent.log.level is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes. |
info |
CCE-84485-2 |
NIST80053-VI-ESXi-CFG-00180 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.log.level
If Config.HostAgent.log.level is not set to info, this is a finding. Note: Verbose logging level is acceptable for troubleshooting purposes. |
info |
CCE-84486-0 |
NIST80053-VI-ESXi-CFG-00181 |
Built-in |
ESXi |
From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> VMKernel adapters. Review each VMkernel adapter that is defined and ensure it is enabled for only one type of management traffic. If any VMkernel is used for more than one type of management traffic, this is a finding. |
N/A |
CCE-84487-8 |
NIST80053-VI-ESXi-CFG-00182 |
Built-in |
ESXi |
From the vSphere Client, select the ESXi Host and go to Configure >> Networking >> TCP/IP Configuration. Review the default system TCP/IP stacks and verify they are configured with the appropriate IP address information. If any system TCP/IP stack is configured and not in use by a VMkernel adapter, this is a finding. |
N/A |
CCE-84488-6 |
NIST80053-VI-ESXi-CFG-00192 |
Built-in |
ESXi |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding. |
Policy: On and Running: True |
CCE-84489-4 |
NIST80053-VI-ESXi-CFG-00184 |
Built-in |
ESXi |
This check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. Inspect the documentation and verify that the documentation is updated on a regular basis and/or whenever modifications are made to either ESXi hosts or the upstream physical switches. Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts. If the physical switch’s spanning tree protocol is not disabled or portfast is not configured for all physical ports connected to ESXi hosts, this is a finding. |
N/A |
CCE-84501-6 |
NIST80053-VI-NET-CFG-00251 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Policies >> Password Policy. |
NSX Manager Appliance - NSX Domain Service Account - Password (Dependent on Customer Configurations) |
CCE-84502-4 |
NIST80053-VI-NET-CFG-00252 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Policies >> Password Policy. |
Border Gateway Protocol Password (Dependent on Customer Configurations) |
CCE-84503-2 |
NIST80053-VI-NET-CFG-00253 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Policies >> Password Policy. |
Universal Distributed Logical Router Password (Dependent on Customer Configurations) |
CCE-84504-0 |
NIST80053-VI-NET-CFG-00281 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Backup & Restore. If “Audit Logs” or “System Events” are excluded (by default they are NOT excluded), this is a finding. |
Audit Logs and System Events are not excluded |
CCE-84505-7 |
NIST80053-VI-NET-CFG-00282 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Manage Appliance Settings and look under General Network Settings. If IPv6 is configured, this is a finding. |
IPv6 should be disabled |
CCE-84506-5 |
NIST80053-VI-NET-CFG-00283 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Manage Appliance Settings and look under DNS Servers. If IPv6 DNS is configured, this is a finding. |
IPv6 DNS should be disabled |
CCE-84507-3 |
NIST80053-VI-NET-CFG-00285 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Manage Appliance Settings and look under Time Settings. If any of the NTP Servers are not authorized or trusted, this is a finding. |
-OR-
|
CCE-84508-1 |
NIST80053-VI-NET-CFG-00286 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance and go to Manage Appliance Settings. Verify syslog server configuration. |
Remote syslog server is configured |
CCE-84509-9 |
NIST80053-VI-NET-CFG-00287 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Manage Appliance Settings –> SSL Certificates. Click on the certificate and verify certificate details. |
|
CCE-84510-7 |
NIST80053-VI-NET-CFG-00288 |
Built-in |
NSX |
Access the deployment and try to reach NSX Manager on the standard network. NSX Manager should only be reachable using isolation mechanisms. |
Procedural |
CCE-84511-5 |
NIST80053-VI-NET-CFG-00289 |
Built-in |
NSX |
Log in to the VMware vSphere environment and inspect which users have access permissions to NSX Manager Virtual Appliance. If any user other than the intended administrator has access or is able to carry out any administrative actions, this is a finding. |
Procedural |
CCE-84512-3 |
NIST80053-VI-NET-CFG-00290 |
Built-in |
NSX |
Log in to the SFTP server and navigate to the backup directory. If the backup directory can be read from or written to by users other than the backup user, this is a finding. |
No read or write permissions on backup directory |
CCE-84513-1 |
NIST80053-VI-NET-CFG-00291 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then go to Manage Appliance Settings and look under General network settings. If IPv4 DNS is not authorized or secure, this is a finding. |
IPv4 DNS is authorized and secure |
CCE-84514-9 |
NIST80053-VI-NET-CFG-00294 |
Built-in |
NSX |
Log on to NSX Manager Virtual Appliance, then look under Backup & Restore. Verify “FTP Server settings”. |
FTP Server settings (Dependent on Customer Configurations) |
CCE-84515-6 |
NIST80053-VI-NET-CFG-00295 |
Built-in |
NSX |
After downloading the media, use the SHA1 sum value to verify the integrity of the download. Compare the SHA1 hash output with the value posted on the VMware secure website. If the hash output does not match the website value, this is a finding. |
SHA1 hash should match |
CCE-84516-4 |
NIST80053-VI-NET-CFG-00296 |
Built-in |
NSX |
If the controller network is not deployed on a network that is not configured for or connected to other types of traffic, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84517-2 |
NIST80053-VI-NET-CFG-00297 |
Built-in |
NSX |
Run this REST API call to get the properties of the controller node: https://<nsxmgr>/api/2.0/vdn/controller/node
Response: <controllerNodeConfig>
<ipSecEnabled>true</ipSecEnabled>
</controllerNodeConfig>
If ipSecEnabled is not true, this is a finding. |
<ipSecEnabled>true</ipSecEnabled > |
CCE-84518-0 |
NIST80053-VI-NET-CFG-00300 |
Built-in |
NSX |
Thoroughly review the deployment. If the virtual network is not isolated, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84519-8 |
NIST80053-VI-NET-CFG-00301 |
Built-in |
NSX |
Do a thorough check on the infrastructure design and deployment network diagram. If there are any non-hypervisors on the logical network data plane or if any untrusted hypervisors are used, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84520-6 |
NIST80053-VI-NET-CFG-00302 |
Built-in |
NSX |
Use the vSphere Web Client to connect to the vCenter Server. As administrator, go to Home > Inventory > Networking. Select “DSwitch” for distributed portgroups. Select each dvPortgroup connected to active VMs requiring securing. Go to tab Summary > Edit Settings > Policies > Security. If Forged Transmits is not set to Reject, this is a finding. |
Reject |
CCE-84521-4 |
NIST80053-VI-NET-CFG-00303 |
Built-in |
NSX |
Use the vSphere Web Client to connect to the vCenter Server. As administrator, go to Home > Inventory > Networking. Select “DSwitch” for distributed portgroups. Select each dvPortgroup connected to active VMs requiring securing. Go to tab Summary > Edit Settings > Policies > Security. If Mac Address Changes is not set to Reject, this is a finding. |
Reject |
CCE-84522-2 |
NIST80053-VI-NET-CFG-00304 |
Built-in |
NSX |
Use the vSphere Web Client to connect to the vCenter Server. As administrator, go to Home > Inventory > Networking. Select “DSwitch” for distributed portgroups. Select each dvPortgroup connected to active VMs requiring securing. Go to tab Summary > Edit Settings > Policies > Security. If Promiscuous Mode is not set to Reject, this is a finding. |
Reject |
CCE-84523-0 |
NIST80053-VI-NET-CFG-00306 |
Built-in |
NSX |
Log in to VMware vSphere Web Client. Navigate to Networking and Security –> Installation and Upgrade. Go to the “Host Preparation” tab. Under the “VXLAN” column, select “View Configuration”. If VMKNic Teaming Policy is not set to “Load Balance - SRCID”, this is a finding. |
Load Balance - SRCID |
CCE-84524-8 |
NIST80053-VI-NET-CFG-00308 |
Built-in |
NSX |
Log into the vCenter web interface with credentials authorized for administration. Navigate to Networking and Security >> Firewall. Expand “Default Section Layer 3” in Configuration. If the action for the Default Rule is “Allow”, this is a finding. |
Denied |
CCE-84525-5 |
NIST80053-VI-NET-CFG-00311 |
Built-in |
NSX |
Log on to vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> Users and Domains. View each role and verify the users and/or groups assigned to it. |
Procedural |
CCE-84526-3 |
NIST80053-VI-NET-CFG-00312 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. If Numeric Characters is not set to at least 1, this is a finding. |
1 |
CCE-84527-1 |
NIST80053-VI-NET-CFG-00313 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. If Special Characters is not set to at least 1, this is a finding. |
1 |
CCE-84528-9 |
NIST80053-VI-NET-CFG-00316 |
Built-in |
NSX |
Log on to vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> Users and Domains. View each role and verify the users and/or groups assigned to it. If any user or service account has more privileges than required, this is a finding. |
Procedural |
CCE-84529-7 |
NIST80053-VI-NET-CFG-00317 |
Built-in |
NSX |
Log into NSX Manager with built-in administrator account “admin” and default manufacturer password “default”. If the NSX Manager accepts the default password, this is a finding. |
Non-default password |
CCE-84530-5 |
NIST80053-VI-NET-CFG-00318 |
Built-in |
NSX |
Log into vSphere Web Client with credentials authorized for administration. Navigate to Networking and Security >> Firewall. Expand rule sections as necessary to view rules. If there are no rules configured to enforce authorizations, this is a finding. |
Procedural |
CCE-84531-3 |
NIST80053-VI-NET-CFG-00321 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. View the values of the password format requirements. If Lower-Case Characters is not set to at least 1, this is a finding. |
1 |
CCE-84532-1 |
NIST80053-VI-NET-CFG-00322 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Upper-Case Characters is not set to at least 1, this is a finding. |
1 |
CCE-84533-9 |
NIST80053-VI-NET-CFG-00323 |
Enhanced |
NSX |
Log into vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> Firewall tab to display a list of firewall rules deployed across the NSX environment. Click on the dropdown arrow to expand each firewall rule’s section. For each rule, select the pencil icon in the “Action” column. If the “Log” option has not been enabled for all rules, this is a finding. |
Log |
CCE-84534-7 |
NIST80053-VI-NET-CFG-00324 |
Enhanced |
NSX |
Log into vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> SpoofGuard. Check the Default policy of each NSX Manager. If the mode is disabled, this is a finding. |
Enabled |
CCE-84535-4 |
NIST80053-VI-NET-CFG-00328 |
Built-in |
NSX |
Log onto vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> and select the NSX Edges tab on the left-side menu. Double-click the Edge ID. Navigate to Manage >> Verify the configurations under Settings, Firewall, Routing, Bridging, and DHCP Relay are enabled only as necessary for the deployment. If unnecessary services are enabled, this is a finding. |
Enabled |
CCE-84536-2 |
NIST80053-VI-NET-CFG-00329 |
Built-in |
NSX |
If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84537-0 |
NIST80053-VI-NET-CFG-00330 |
Built-in |
NSX |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Restrict Reuse is not set to “5” or more, this is a finding. |
5 |
CCE-84538-8 |
NIST80053-VI-NET-CFG-00340 |
Built-in |
NSX |
Go to the vSphere Web Client URL https://client-hostname/vsphere-client and verify the CA certificate is signed by an approved service provider. If a public key certificate from an appropriate certificate policy through an approved service provider is not used, this is a finding. |
Procedural |
CCE-84539-6 |
NIST80053-VI-NET-CFG-00343 |
Built-in |
NSX |
Log into vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> Firewall. If there are services enabled that should not be, this is a finding. |
Procedural |
CCE-84540-4 |
NIST80053-VI-NET-CFG-00344 |
Built-in |
NSX |
Log into vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> Firewall. If ports, protocols, and/or services are not disabled or restricted as required by the PPSM, this is a finding. |
Procedural |
CCE-84541-2 |
NIST80053-VI-NET-CFG-00360 |
Built-in |
NSX |
Log onto vSphere Web Client with credentials authorized for administration. Navigate and select Networking and Security >> and select the NSX Edges tab on the left-side menu. Double-click the EdgeID. Click on the Configure tab on the top of the new screen, then Interfaces. Check the “Connection Status” column for the associated interface. If any inactive router interfaces are not disabled, this is a finding. |
Procedural |
CCE-84542-0 |
NIST80053-VI-NET-CFG-00372 |
Built-in |
NSX |
Log on to NSX Manager with credentials authorized for administration. Navigate and select Backup and Restore >> Backup History. If backups are not being sent to a centralized location when changes occur or weekly, whichever is sooner, this is a finding. |
Procedural |
CCE-84301-1 |
NIST80053-VI-VC-CFG-00060 |
Enhanced |
vCenter |
Ask the system administrator if hardened, patched templates are used for VM creation with properly configured OS deployments, including applications both dependent and non-dependent on VM-specific configurations. If hardened, patched templates are not used for VM creation, this is a finding. The system must use templates to deploy VMs whenever possible. |
Hardened virtual machine templates to use for OS deployments |
CCE-84302-9 |
NIST80053-VI-ESXI-CFG-00061 |
Enhanced |
vCenter |
On the Home page of the vSphere Client, select Menu > Administration and click Roles. Select the VC from the Roles provider drop-down menu. Select the Virtual machine user (sample) role and click Privileges. If the Console Interaction privilege is assigned to the role, this is a finding. If SSH and/or terminal management services are exclusively used to perform management tasks, this is not a finding. |
Disable Console Interaction privilege |
CCE-84303-7 |
NIST80053-VI-ESXI-CFG-00065 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match ""parallel""}
If a virtual machine has a parallel device present, this is a finding. |
Disconnect unauthorized parallel devices |
CCE-84304-5 |
NIST80053-VI-ESXI-CFG-00066 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match ""serial""}
If a virtual machine has a serial device present, this is a finding. |
Disconnect unauthorized serial devices |
CCE-84305-2 |
NIST80053-VI-ESXI-CFG-00067 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM | Get-UsbDevice
If a virtual machine has any USB devices or USB controllers present, this is a finding. |
No USB device present |
CCE-84306-0 |
NIST80053-VI-ESXI-CFG-00068 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt
If sched.mem.pshare.salt exists, this is a finding. |
Remove the advanced setting sched.mem.pshare.salt |
CCE-84307-8 |
NIST80053-VI-ESXI-CFG-00070 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.copy.disable
If isolation.tools.copy.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84308-6 |
NIST80053-VI-ESXI-CFG-00071 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dnd.disable
If isolation.tools.dnd.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84309-4 |
NIST80053-VI-ESXI-CFG-00072 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.setGUIOptions.enable
If isolation.tools.setGUIOptions.enable does not exist or is not set to false, this is a finding. |
FALSE |
CCE-84310-2 |
NIST80053-VI-ESXI-CFG-00073 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.paste.disable
If isolation.tools.paste.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84311-0 |
NIST80053-VI-ESXI-CFG-00074 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskShrink.disable
If isolation.tools.diskShrink.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84312-8 |
NIST80053-VI-ESXI-CFG-00075 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable
If isolation.tools.diskWiper.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84313-6 |
NIST80053-VI-ESXI-CFG-00076 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.hgfsServerSet.disable
If isolation.tools.hgfsServerSet.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84314-4 |
NIST80053-VI-ESXI-CFG-00077 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.ghi.autologon.disable
If isolation.tools.ghi.autologon.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84315-1 |
NIST80053-VI-ESXI-CFG-00078 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.bios.bbs.disable
If isolation.bios.bbs.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84316-9 |
NIST80053-VI-ESXI-CFG-00079 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.getCreds.disable
If isolation.tools.getCreds.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84317-7 |
NIST80053-VI-ESXI-CFG-00080 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.ghi.launchmenu.change
If isolation.tools.ghi.launchmenu.change does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84318-5 |
NIST80053-VI-ESXI-CFG-00081 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.memSchedFakeSampleStats.disable
If isolation.tools.memSchedFakeSampleStats.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84319-3 |
NIST80053-VI-ESXI-CFG-00082 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.ghi.protocolhandler.info.disable
If isolation.tools.ghi.protocolhandler.info.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84320-1 |
NIST80053-VI-ESXI-CFG-00083 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.ghi.host.shellAction.disable
If isolation.ghi.host.shellAction.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84321-9 |
NIST80053-VI-ESXI-CFG-00084 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.dispTopoRequest.disable
If isolation.tools.dispTopoRequest.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84322-7 |
NIST80053-VI-ESXI-CFG-00085 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.trashFolderState.disable
If isolation.tools.trashFolderState.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84323-5 |
NIST80053-VI-ESXI-CFG-00086 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.ghi.trayicon.disable
If isolation.tools.ghi.trayicon.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84324-3 |
NIST80053-VI-ESXI-CFG-00087 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unity.disable
If isolation.tools.unity.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84325-0 |
NIST80053-VI-ESXI-CFG-00088 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unityInterlockOperation.disable
If isolation.tools.unityInterlockOperation.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84326-8 |
NIST80053-VI-ESXI-CFG-00089 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unity.push.update.disable
If isolation.tools.unity.push.update.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84327-6 |
NIST80053-VI-ESXI-CFG-00090 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unity.taskbar.disable
If isolation.tools.unity.taskbar.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84328-4 |
NIST80053-VI-ESXI-CFG-00091 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unityActive.disable
If isolation.tools.unityActive.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84329-2 |
NIST80053-VI-ESXI-CFG-00092 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.unity.windowContents.disable
If isolation.tools.unity.windowContents.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84330-0 |
NIST80053-VI-ESXI-CFG-00093 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.vmxDnDVersionGet.disable
If isolation.tools.vmxDnDVersionGet.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84331-8 |
NIST80053-VI-ESXI-CFG-00094 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.guestDnDVersionSet.disable
If isolation.tools.guestDnDVersionSet.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84332-6 |
NIST80053-VI-ESXI-CFG-00095 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.vixMessage.disable
If isolation.tools.vixMessage.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84333-4 |
NIST80053-VI-ESXI-CFG-00096 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.maxConnections
If RemoteDisplay.maxConnections does not exist or is not set to 1, this is a finding. |
1 |
CCE-84334-2 |
NIST80053-VI-ESXI-CFG-00097 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name RemoteDisplay.vnc.enabled
If RemoteDisplay.vnc.enabled does not exist or is not set to false, this is a finding. |
FALSE |
CCE-84335-9 |
NIST80053-VI-ESXI-CFG-00098 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.tools.autoInstall.disable
If isolation.tools.autoInstall.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84336-7 |
NIST80053-VI-ESXI-CFG-00099 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.setinfo.sizeLimit
If tools.setinfo.sizeLimit does not exist or is not set to 1048576, this is a finding. |
1048576 |
CCE-84337-5 |
NIST80053-VI-ESXI-CFG-00100 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.edit.disable
If isolation.device.edit.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84338-3 |
NIST80053-VI-ESXI-CFG-00101 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable
If isolation.device.connectable.disable does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84339-1 |
NIST80053-VI-ESXI-CFG-00102 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo
If tools.guestlib.enableHostInfo does not exist or is not set to false, this is a finding. |
FALSE |
CCE-84340-9 |
NIST80053-VI-ESXI-CFG-00154 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence | FT -AutoSize
If the virtual machine has attached disks that are in independent nonpersistent mode, this is a finding. |
Persistent |
CCE-84341-7 |
NIST80053-VI-ESXI-CFG-00155 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState
If a virtual machine has a floppy drive present, this is a finding. |
Disconnect unauthorized floppy devices |
CCE-84342-5 |
NIST80053-VI-ESXI-CFG-00156 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent,Name
If a virtual machine has a CD/DVD drive connected other than temporarily, this is a finding. |
Disconnect unauthorized CD/DVD drives |
CCE-84343-3 |
NIST80053-VI-ESXI-CFG-00185 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VirtualPortGroup | Select Name, VLanID
If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding. |
Not 4095 |
CCE-84344-1 |
NIST80053-VI-NET-CFG-00341 |
Built-in |
vCenter |
If the vCenter server is not joined to an Active Directory domain and not configured for Single Sign-On Identity Source of the Active Directory domain, and Active Directory/CAC/PIV certificate-based accounts are not used for daily operations of the vCenter server, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84345-8 |
NIST80053-VI-NET-CFG-00341 |
Built-in |
vCenter |
If the vCenter server is not joined to an Active Directory domain and not configured for Single Sign-On Identity Source of the Active Directory domain, and Active Directory/CAC/PIV certificate-based accounts are not used for daily operations of the vCenter server, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84347-4 |
NIST80053-VI-VC-CFG-00402 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VDPortgroup | select Name, VlanConfiguration
If any port group is configured with VLAN 4095 and is not documented as a needed exception, this is a finding. |
Not 4095 |
CCE-84348-2 |
NIST80053-VI-VC-CFG-00403 |
Built-in |
vCenter |
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Restrict Reuse is not set to 5 or more, this is a finding. |
5 |
CCE-84349-0 |
NIST80053-VI-VC-CFG-00404 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.log.level
If the level is not set to info, this is a finding. |
info |
CCE-84350-8 |
NIST80053-VI-VC-CFG-00405 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | Get-VDSecurityPolicy
If the Promiscuous Mode policy is set to accept, this is a finding. |
reject |
CCE-84351-6 |
NIST80053-VI-VC-CFG-00406 |
Built-in |
vCenter |
From the vSphere Web Client go to Administration >> Client Plug-Ins. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner), and/or site-specific (locally developed and site) approved plug-ins. If any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding. |
Authorized extensions from Trusted Sources |
CCE-84352-4 |
NIST80053-VI-VC-CFG-00407 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | Get-VDSecurityPolicy
If the MAC Address Changes policy is set to accept, this is a finding. |
reject |
CCE-84353-2 |
NIST80053-VI-VC-CFG-00408 |
Built-in |
vCenter |
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Upper-Case Characters is not set to at least 1, this is a finding. |
1 |
CCE-84354-0 |
NIST80053-VI-VC-CFG-00409 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VDSwitch | select Name,@{N="NIOC Enabled";E={$_.ExtensionData.config.NetworkResourceManagementEnabled}}
If Network I/O Control is disabled, this is a finding. |
Enabled |
CCE-84355-7 |
NIST80053-VI-VC-CFG-00410 |
Enhanced |
vCenter |
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If the Minimum Length is not set to at least 15, this is a finding. |
15 |
CCE-84356-5 |
NIST80053-VI-VC-CFG-00411 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following commands: $vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig
If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding. |
FALSE |
CCE-84357-3 |
NIST80053-VI-VC-CFG-00412 |
Enhanced |
vCenter |
From the vSphere Client, select the vCenter server at the top of the hierarchy and go to Alarms >> Definitions. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AlarmDefinition |
Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionUpdatedEvent"} |
Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If there is not an alarm created to alert on permission update events, this is a finding. |
Procedural |
CCE-84358-1 |
NIST80053-VI-VC-CFG-00413 |
Built-in |
vCenter |
From the vSphere Web Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Lower-Case Characters is not set to at least 1, this is a finding. |
1 |
CCE-84359-9 |
NIST80053-VI-VC-CFG-00414 |
Enhanced |
vCenter |
From the vSphere Client, select the vCenter server at the top of the hierarchy and go to Alarms >> Definitions. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AlarmDefinition |
Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionAddedEvent"} |
Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If there is not an alarm created to alert on permission addition events, this is a finding. |
Procedural |
CCE-84360-7 |
NIST80053-VI-VC-CFG-00415 |
Built-in |
vCenter |
From the vSphere Web Client, go to Administration >> Access Control >> Roles. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84361-5 |
NIST80053-VI-VC-CFG-00416 |
Enhanced |
vCenter |
From the vSphere Client, select the vCenter server at the top of the hierarchy and go to Alarms >> Definitions. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AlarmDefinition |
Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionRemovedEvent"} |
Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If there is not an alarm to alert on permission deletion events, this is a finding. |
Procedural |
CCE-84362-3 |
NIST80053-VI-VC-CFG-00417 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VDPortgroup |
Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}
If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding. |
Known IPs |
CCE-84363-1 |
NIST80053-VI-VC-CFG-00418 |
Enhanced |
vCenter |
If no clusters are enabled for VSAN, this is not applicable. From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Configure >> vSAN >> Internet Connectivity >> Status. If a proxy is not configured, this is a finding. |
Procedural |
CCE-84364-9 |
NIST80053-VI-VC-CFG-00419 |
Built-in |
vCenter |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VIPermission | Sort Role | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
Application service account and user required privileges should be documented. If any user or service account has more privileges than required, this is a finding. |
Procedural (Dependent on Customer Configurations) |
CCE-84365-6 |
NIST80053-VI-VC-CFG-00420 |
Built-in |
vCenter |
From the vSphere Web Client, go to Host and Clusters >> Select a Cluster >> Related Objects >> Datastores. Review the datastores. Identify any datastores with “vsan” as the datastore type. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){
Write-Host "VSAN Enabled Cluster found"
Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"}
}
Else{
Write-Host "VSAN is not enabled, this finding is not applicable"
}
If VSAN is enabled and the datastore is named “vsanDatastore”, this is a finding. |
No name with “vsanDatastore” |
CCE-84366-4 |
NIST80053-VI-VC-CFG-00421 |
Enhanced |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Maximum Lifetime is not set to 60, this is a finding. |
60 |
CCE-84367-2 |
NIST80053-VI-VC-CFG-00422 |
Enhanced |
vCenter |
On the system where vCenter is installed, locate the webclient.properties file. /etc/vmware/vsphere-client/ and /etc/vmware/vsphere-ui/ If session.timeout is not set to 10 (minutes), this is a finding. |
10 |
CCE-84368-0 |
NIST80053-VI-VC-CFG-00427 |
Enhanced |
vCenter |
Get-AdvancedSetting -Entity <vcenter server name> -Name config.vpxd.hostPasswordLength |
32 |
CCE-84369-8 |
NIST80053-VI-VC-CFG-00428 |
Built-in |
vCenter |
From the vSphere Web Client, go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Settings >> Advanced System Settings. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name VirtualCenter.VimPasswordExpirationInDays
If VirtualCenter.VimPasswordExpirationInDays is set to a value other than 30 or does not exist, this is a finding. |
FALSE |
CCE-84370-6 |
NIST80053-VI-VC-CFG-00429 |
Built-in |
vCenter |
Check the following conditions:
1. The Update Manager must be configured to use the Update Manager Download Server.
2. The use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server which may source vendor patches externally via the internet versus an internal source) must be enforced with site policies.
To verify download settings, from the vSphere Client/vCenter Server system, click Update Manager. Select a Host and then click the Settings tab. In the Download Settings tab, find “Direct connection to Internet.” If “Direct connection to Internet” is configured, this is a finding.
If all of the above conditions are not met, this is a finding.
|
Procedural |
CCE-84371-4 |
NIST80053-VI-VC-CFG-00432 |
Built-in |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Special Characters is not set to at least 1, this is a finding. |
1 |
CCE-84372-2 |
NIST80053-VI-VC-CFG-00433 |
Built-in |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Password Policy. If Numeric Characters is not set to at least 1, this is a finding. |
1 |
CCE-84373-0 |
NIST80053-VI-VC-CFG-00434 |
Enhanced |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. If the Time interval between failures is not set to at least 900, this is a finding. |
900 |
CCE-84374-8 |
NIST80053-VI-VC-CFG-00435 |
Enhanced |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. If the Unlock time is not set to 0, this is a finding. |
0 |
CCE-84375-5 |
NIST80053-VI-VC-CFG-00436 |
Enhanced |
vCenter |
From the vSphere Web Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy. If the Maximum number of failed login attempts is not set to 3, this is a finding. |
3 |
CCE-84376-3 |
NIST80053-VI-VC-CFG-00437 |
Enhanced |
vCenter |
From the vSphere Web Client go to vCenter Inventory Lists >> vCenter Servers >> Select your vCenter Server >> Settings >> Advanced Settings. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AdvancedSetting -Entity <vcenter server name> -Name config.nfc.useSSL
If config.nfc.useSSL is not set to true, this is a finding. |
TRUE |
CCE-84377-1 |
NIST80053-VI-VC-CFG-00439 |
Built-in |
vCenter |
If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding. |
Procedural |
CCE-84378-9 |
NIST80053-VI-VC-CFG-00440 |
Enhanced |
vCenter |
From the vSphere Web Client, go to Networking >> Select a distributed port group >> Manage >> Settings >> Properties. View the Override port policies. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VDPortgroup | Get-View |
Select Name,
@{N="VlanOverrideAllowed";E={$_.Config.Policy.VlanOverrideAllowed}},
@{N="UplinkTeamingOverrideAllowed";E={$_.Config.Policy.UplinkTeamingOverrideAllowed}},
@{N="SecurityPolicyOverrideAllowed";E={$_.Config.Policy.SecurityPolicyOverrideAllowed}},
@{N="IpfixOverrideAllowed";E={$_.Config.Policy.IpfixOverrideAllowed}},
@{N="BlockOverrideAllowed";E={$_.Config.Policy.BlockOverrideAllowed}},
@{N="ShapingOverrideAllowed";E={$_.Config.Policy.ShapingOverrideAllowed}},
@{N="VendorConfigOverrideAllowed";E={$_.Config.Policy.VendorConfigOverrideAllowed}},
@{N="TrafficFilterOverrideAllowed";E={$_.Config.Policy.TrafficFilterOverrideAllowed}},
@{N="PortConfigResetAtDisconnect";E={$_.Config.Policy.PortConfigResetAtDisconnect}} | Sort Name
Note: This was broken up into multiple lines for readability. Either paste as is into a PowerShell script or combine into one line and run. This does not apply to the reset port configuration on disconnect policy. If any port-level overrides are enabled and not documented, this is a finding. |
disabled |
CCE-84379-7 |
NIST80053-VI-VC-CFG-00442 |
Enhanced |
vCenter |
From the vSphere Client, select the vCenter server at the top of the hierarchy and go to Alarms >> Definitions. or From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-AlarmDefinition |
Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "esx.problem.vmsyslogd.remote.failure"} |
Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}
If there is no alarm created to alert if an ESXi host can no longer reach its syslog server, this is a finding. |
Enabled |
CCE-84380-5 |
NIST80053-VI-VC-CFG-00445 |
Built-in |
vCenter |
If IP-based storage is not used, this is not applicable. IP-based storage (iSCSI, NFS, VSAN) VMkernel port groups must be in a dedicated VLAN that can be on a common standard or distributed virtual switch that is logically separated from other traffic types. The check for this will be unique per environment. From the vSphere Client, select Networks >> Distributed Port Groups and review the VLANs associated with any IP-based storage VMkernels. If any IP-based storage networks are not isolated from other traffic types, this is a finding. |
Unique IP addresses |
CCE-84381-3 |
NIST80053-VI-VC-CFG-00447 |
Built-in |
vCenter |
Log in to the vCenter server and view the local administrators group membership. If the local administrators group contains users and/or groups that are not vCenter Administrators such as “Domain Admins”, this is a finding. |
Only necessary users and groups |
CCE-84382-1 |
NIST80053-VI-VC-CFG-00450 |
Built-in |
vCenter |
From the vSphere Client, go to Home >> Networking. Select a distributed port group, click Edit, then go to Security. or From a PowerCLI command prompt, while connected to the vCenter server run the following commands: Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
If the Forged Transmits policy is set to accept for a non-uplink port, this is a finding. |
reject |
CCE-84383-9 |
NIST80053-VI-VC-CFG-00455 |
Enhanced |
vCenter |
If the vSphere Storage API - Data Protection (VADP) solution is not configured for performing backup and restore of the management components, this is a finding. |
vSphere Storage API - Data Protection (VADP) |
CCE-84384-7 |
NIST80053-VI-VC-CFG-00497 |
Built-in |
vCenter |
On the Edit port group - VM Network window, check for input 1611 for VLAN ID. If the vlan is 1611, this is a finding. |
Not 1611 |
CCE-84385-4 |
NIST80053-VI-VC-CFG-00555 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name svga.vgaonly
If svga.vgaonly does not exist or is not set to true, this is a finding. |
TRUE |
CCE-84386-2 |
NIST80053-VI-VC-CFG-00561 |
Enhanced |
vCenter |
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name pciPassthru*.present
If pciPassthru*.present does not exist or is not set to false, this is a finding. |
FALSE |
CCE-84601-4 |
NIST80053-VI-Storage-SDS-CFG-00178 |
Enhanced |
vSAN |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
If there are any users other than Solution Users with the Administrator role that are not explicitly designated for cryptographic operations, this is a finding. |
No Cryptography Administrator |
CCE-84602-2 |
NIST80053-VI-Storage-SDS-CFG-00180 |
Built-in |
vSAN |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}
If the NTP service is not configured with authoritative DoD time sources and the service is not configured to start and stop with the host and is running, this is a finding. |
Correct date and timestamp |
CCE-84603-0 |
NIST80053-VI-Storage-SDS-CFG-00181 |
Built-in |
vSAN |
Log in to the vRealize Log Insight user interface. Click the configuration drop-down menu icon and select Content Packs. Under Content Pack Marketplace, select Marketplace. If the VMware - vSAN content pack does not appear in the Installed Content Packs list, this is a finding. |
VMware - vSAN |
CCE-84604-8 |
NIST80053-VI-Storage-SDS-CFG-00182 |
Built-in |
vSAN |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name UserVars.HostClientSessionTimeout
If UserVars.HostClientSessionTimeout is not set to 900, this is a finding. |
900 |
CCE-84605-5 |
NIST80053-VI-Storage-SDS-CFG-00183 |
Enhanced |
vSAN |
From the vSphere client, select the cluster. Click the Configure tab and under vSAN, click Services. If Encryption is not enabled or the KMS cluster is not configured, this is a finding. |
Enabled |
CCE-84606-3 |
NIST80053-VI-Storage-SDS-CFG-00184 |
Built-in |
vSAN |
Perform a compliance check on the inventory objects to make sure that you have all the latest security patches and updates applied. Use the vSphere Client to log in to a vCenter Server Appliance or to a vCenter Server system with which Update Manager is registered. If all the latest security patches and updates are not applied, this is a finding. |
Up-to-date patches and upgrades |
CCE-84607-1 |
NIST80053-VI-Storage-SDS-CFG-00185 |
Built-in |
vSAN |
From a PowerCLI command prompt, while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost
If Syslog.global.logHost is not set to a site-specific syslog server, this is a finding. |
udp://sfo01vrli01.sfo01.rainpole.local:514 |
CCE-84608-9 |
NIST80053-VI-Storage-SDS-CFG-00204 |
Enhanced |
vSAN |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role,Principal,Entity,Propagate,IsGroup | FT -Auto
If there are any users other than Solution Users with the Administrator role that are not explicitly designated for cryptographic operations, this is a finding. |
No Cryptography Administrator |
CCE-84609-7 |
NIST80053-VI-Storage-SDS-CFG-00207 |
Enhanced |
vSAN |
If VSAN Health Check is installed:
From the vSphere Client, go to Host and Clusters. Select a vCenter Server and go to Configure > vSAN > Internet Connectivity > Status.
If “Enable Internet access for this cluster” is enabled and a proxy is not configured, this is a finding. |
Proxy should be configured |
CCE-84610-5 |
NIST80053-VI-Storage-SDS-CFG-00208 |
Built-in |
vSAN |
From a PowerCLI command prompt, while connected to the vCenter server run the following command: If($(Get-Cluster | where {$_.VsanEnabled} | Measure).Count -gt 0){
Write-Host "VSAN Enabled Cluster found"
Get-Cluster | where {$_.VsanEnabled} | Get-Datastore | where {$_.type -match "vsan"}
}
Else{
Write-Host "VSAN is not enabled, this finding is not applicable"
}
If VSAN is enabled and the datastore is named “vsanDatastore”, this is a finding. |
Datastore name is unique |
CCE-84611-3 |
NIST80053-VI-Storage-SDS-CFG-00179 |
Enhanced |
vSAN |
From a PowerCLI command prompt, while connected to the ESXi host run the following commands: $esxcli = Get-EsxCli
$esxcli.system.coredump.network.get()
If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding. |
TRUE |
CCE-84612-1 |
NIST80053-VI-Storage-SDS-CFG-00186 |
Enhanced |
vSAN |
Make sure you have sufficient capacity in the management vSAN cluster for the management virtual machines. If you do not have sufficient capacity, this is a finding. |
Procedural |
Appendix B List of Acronyms¶
AD |
Active Directory |
API |
Application Programming Interface |
BIOS |
Basic Input/Output System |
BOM |
Bill of Materials |
CA |
Certificate Authority |
CAC |
Common Access Card |
CAM |
Content Addressable Memory |
CCE |
Common Configuration Enumeration |
CLI |
Command Line Interface |
CRADA |
Cooperative Research and Development Agreement |
D@RE |
(Dell EMC Unity) Data at Rest Encryption |
DHCP |
Dynamic Host Configuration Protocol |
DISA |
Defense Information Systems Agency |
DNS |
Domain Name System |
DoD |
Department of Defense |
EFI |
Extensible Firmware Interface |
FIPS |
Federal Information Processing Standards |
FTP |
File Transfer Protocol |
GB |
Gigabyte |
Gb/s |
Gigabits per Second |
GHz |
Gigahertz |
GKH |
Good Known Host |
GUI |
Graphical User Interface |
HSM |
Hardware Security Module |
HTCC |
HyTrust CloudControl |
IaaS |
Infrastructure as a Service |
ICSV |
IBM Cloud Secure Virtualization |
IOPS |
Input/Output Operations per Second |
IP |
Internet Protocol |
IPsec |
Internet Protocol Security |
IT |
Information Technology |
KMS |
Key Management System |
LACP |
Link Aggregation Control Protocol |
LLDP |
Link Layer Discovery Protocol |
MAC |
Media Access Control |
MLE |
Measured Launch Environment |
MOB |
(vCenter) Managed Object Browser |
NCCoE |
National Cybersecurity Center of Excellence |
NFS |
Network File System |
NIC |
Network Interface Card |
NIST |
National Institute of Standards and Technology |
NISTIR |
National Institute of Standards and Technology Internal Report |
NSX-V |
NSX for vSphere |
NTLS |
Network Trust Links |
NTP |
Network Time Protocol |
OS |
Operating System |
OSPF |
Open Shortest Path First |
OU |
Organizational Unit |
OVA |
Open Virtual Appliance |
PDC |
Physical Data Center |
PIV |
Personal Identity Verification |
PSC |
Platform Services Controller |
PXE |
Preboot Execution Environment |
RAM |
Random Access Memory |
RPC |
Remote Procedure Call |
SAS |
Serial Attached SCSI |
SCSI |
Small Computer System Interface |
SDDC |
Software Defined Data Center |
SED |
Self-Encrypting Drive |
SFTP |
Secure File Transfer Protocol |
SHA |
Secure Hash Algorithm |
SLES |
SUSE Linux Enterprise Server |
SMTP |
Simple Mail Transfer Protocol |
SNMP |
Simple Network Management Protocol |
SP |
Special Publication, Storage Processor |
SSD |
Solid State Drive |
SSH |
Secure Shell |
SSO |
Single Sign-On |
STIG |
Security Technical Implementation Guide |
TB |
Terabyte |
TCP |
Transmission Control Protocol |
TLS |
Transport Layer Security |
TPM |
Trusted Platform Module |
TXT |
(Intel) Trusted Execution Technology |
UCR |
Unified Capabilities Requirements |
UEFI |
Unified Extensible Firmware Interface |
UI |
User Interface |
UMDS |
Update Manager Download Service |
URL |
Uniform Resource Locator |
USB |
Universal Serial Bus |
UUID |
Universally Unique Identifier |
VADP |
vSphere Storage APIs for Data Protection |
VCF |
VMware Cloud Foundation |
VCS |
vCenter Server |
VLAN |
Virtual Local Area Network |
VM |
Virtual Machine |
VMX |
Virtual Machine Extensions |
VPN |
Virtual Private Network |
vR |
vSphere Replication |
vRA |
vRealize Automation |
vRLI |
vRealize Log Insight |
vROPS |
vRealize Operations Manager |
VSAN |
Virtual Storage Area Network |
VSI |
Virtual Storage Integrator |
VT |
(Intel) Virtualization Technology |
VVD |
VMware Validated Design |
Appendix C Glossary¶
All significant technical terms used within this document are defined in other key documents, particularly National Institute of Standards and Technology Internal Report (NISTIR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. As a convenience to the reader, terms critical to understanding this volume are provided in this glossary.
Cloud workload |
A logical bundle of software and data that is present in, and processed by, a cloud computing technology. |
Geolocation |
Determining the approximate physical location of an object, such as a cloud computing server. |
Hardware root of trust |
An inherently trusted combination of hardware and firmware that maintains the integrity of information. |
Trusted compute pool |
A physical or logical grouping of computing hardware in a data center that is tagged with specific and varying security policies. Within a trusted compute pool, the access and execution of applications and workloads are monitored, controlled, audited, etc. Also known as a trusted pool. |