While I will admit that I’m a little bit behind on this one, I’ve finally put together my vRealize Operations compliance content for the VMware vSphere 6.7 STIG that was released by DISA earlier this year. The VMware vSphere 6.7 STIG release was quite different from the previous releases and includes 12 separate STIGs. Not only are there compliance checks related to Virtual Machines, ESXi hosts, and the vCenter Server application, there are also STIGs for various services that make up the vCenter Server Appliance (VCSA). Because vRealize Operations only has visibility into those items available through the vCenter Server APIs, my compliance content can only check settings applicable to Virtual Machines, ESXi hosts, Distributed vSwitches, and Distributed Port Groups.
Why Am I Creating This Compliance Content
So you might be asking why I’m creating this compliance content when vRealize Operations already includes the “DISA Security Standards” regulatory benchmark compliance data. Unfortunately, while VMware has included DISA Compliance content within the vRealize Operations product for quite some time (and previously as a separate download), I’ve found many issues with their compliance content. Here are a few examples:
- STIG/VUL IDs are not included in the Symptom data
- Severity is not included in the Symptom data
- No indication as to which DISA STIG is being utilized to create the compliance checks
- Some compliance checks are incorrect (the password complexity check has been incorrect since the very first release…and still is)
- The Alert recommendations reference the old DISA Information Assurance Support Environment (IASE) website which no longer exists and was replaced by the DoD Cyber Exchange
These issues have left me unable to use or trust the VMware-provided DISA Compliance content. As a result, I previously created my own compliance content for the vSphere 6.5 STIGs and provided it to others for download from my website. Now that the vSphere 6.7 STIG is available, I have updated my compliance content to cover several of the Virtual Machine, ESXi, and vCenter checks from this STIG.
Compliance Content Included
My VMware vSphere 6.7 STIG compliance content is available to download as a single Compliance Custom Benchmark and as individual sets of Alert content. They can be downloaded from the Downloads page.
The compliance content validates the following STIG items:
VMware vSphere 6.7 Virtual Machine Security Technical Implementation Guide :: Version 1, Release: 1
- VMCH-67-000001 - Copy operations must be disabled on the virtual machine.
- VMCH-67-000002 - Drag and drop operations must be disabled on the virtual machine.
- VMCH-67-000003 - Paste operations must be disabled on the virtual machine.
- VMCH-67-000004 - Virtual disk shrinking must be disabled on the virtual machine.
- VMCH-67-000005 - Virtual disk erasure must be disabled on the virtual machine.
- VMCH-67-000006 - Independent, non-persistent disks must not be used on the virtual machine.
- VMCH-67-000007 - HGFS file transfers must be disabled on the virtual machine.
- VMCH-67-000008 - Unauthorized floppy devices must be disconnected on the virtual machine.
- VMCH-67-000009 - Unauthorized CD/DVD devices must be disconnected on the virtual machine.
- VMCH-67-000010 - Unauthorized parallel devices must be disconnected on the virtual machine.
- VMCH-67-000011 - Unauthorized serial devices must be disconnected on the virtual machine.
- VMCH-67-000012 - Unauthorized USB devices must be disconnected on the virtual machine.
- VMCH-67-000013 - Console connection sharing must be limited on the virtual machine.
- VMCH-67-000014 - Console access through the VNC protocol must be disabled on the virtual machine.
- VMCH-67-000015 - Informational messages from the virtual machine to the VMX file must be limited on the virtual machine.
- VMCH-67-000016 - Unauthorized removal, connection and modification of devices must be prevented on the virtual machine.
- VMCH-67-000017 - The virtual machine must not be able to obtain host information from the hypervisor.
- VMCH-67-000018 - Shared salt values must be disabled on the virtual machine.
- VMCH-67-000019 - Access to virtual machines through the dvfilter network APIs must be controlled.
- VMCH-67-000023 - 3D features on the virtual machine must be disabled when not required.
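Most of the Virtual Machine items above boil down to the presence or value of a VM advanced setting, which is exactly what vRealize Operations can see through the vCenter API. The following evaluator is an added example, not the author's vRealize Operations content: it pairs each STIG ID with the advanced setting its check inspects and reports findings that carry the STIG ID, addressing the first complaint above. The setting names and expected values are the ones used in the DISA vSphere 6.7 VM STIG check text as I recall them (assumptions to verify against the STIG itself), an absent setting is conservatively treated as a finding, and the device checks (000008 through 000012) and the disk-mode check (000006) are not modeled because they are not advanced settings. The two VM setting dictionaries are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

ABSENT = "<absent>"  # sentinel: the STIG requires this key to not exist


@dataclass(frozen=True)
class Check:
    stig_id: str
    setting: str       # exact advanced-setting key, or a regex when pattern=True
    expected: str      # normalized expected value, or ABSENT
    pattern: bool = False


# Mapping of STIG ID -> advanced setting, as given in the STIG check text (assumed; verify).
# VMCH-67-000016 inspects two settings, so it appears twice.
VM_CHECKS: List[Check] = [
    Check("VMCH-67-000001", "isolation.tools.copy.disable", "true"),
    Check("VMCH-67-000002", "isolation.tools.dnd.disable", "true"),
    Check("VMCH-67-000003", "isolation.tools.paste.disable", "true"),
    Check("VMCH-67-000004", "isolation.tools.diskShrink.disable", "true"),
    Check("VMCH-67-000005", "isolation.tools.diskWiper.disable", "true"),
    Check("VMCH-67-000007", "isolation.tools.hgfsServerSet.disable", "true"),
    Check("VMCH-67-000013", "RemoteDisplay.maxConnections", "1"),
    Check("VMCH-67-000014", "RemoteDisplay.vnc.enabled", "false"),
    Check("VMCH-67-000015", "tools.setInfo.sizeLimit", "1048576"),
    Check("VMCH-67-000016", "isolation.device.connectable.disable", "true"),
    Check("VMCH-67-000016", "isolation.device.edit.disable", "true"),
    Check("VMCH-67-000017", "tools.guestlib.enableHostInfo", "false"),
    Check("VMCH-67-000018", "sched.mem.pshare.salt", ABSENT),
    Check("VMCH-67-000019", r"^ethernet\d+\.filter\d+\.name$", ABSENT, pattern=True),
    Check("VMCH-67-000023", "mks.enable3d", "false"),
]


def normalize(value: Any) -> str:
    """vSphere stores advanced settings as strings; accept bools and mixed case too."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).strip().lower()


def evaluate_vm(settings: Dict[str, Any]) -> List[dict]:
    """Return one finding per failed check, each carrying its STIG ID."""
    findings: List[dict] = []
    for check in VM_CHECKS:
        if check.pattern:
            # Any dvfilter key present is a finding (the STIG wants none unless authorized).
            matched = sorted(k for k in settings if re.match(check.setting, k))
            if matched:
                findings.append({"stig_id": check.stig_id, "setting": ", ".join(matched),
                                 "expected": "absent", "actual": "present"})
            continue
        if check.setting not in settings:
            if check.expected != ABSENT:  # missing required setting: conservative finding
                findings.append({"stig_id": check.stig_id, "setting": check.setting,
                                 "expected": check.expected, "actual": "absent"})
            continue
        actual = normalize(settings[check.setting])
        if check.expected == ABSENT or actual != check.expected:
            findings.append({"stig_id": check.stig_id, "setting": check.setting,
                             "expected": check.expected, "actual": actual})
    return findings


def failed_ids(settings: Dict[str, Any]) -> List[str]:
    """Distinct STIG IDs that failed, sorted, for a quick per-VM summary."""
    return sorted({f["stig_id"] for f in evaluate_vm(settings)})


# Constructed sample: a VM hardened per the STIG (plus an unrelated NIC key).
HARDENED_VM: Dict[str, Any] = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
    "RemoteDisplay.vnc.enabled": "FALSE",
    "tools.setInfo.sizeLimit": "1048576",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "tools.guestlib.enableHostInfo": "FALSE",
    "mks.enable3d": "FALSE",
    "ethernet0.virtualDev": "vmxnet3",
}

# Constructed sample: a lab VM that drifted on five items.
LAB_VM: Dict[str, Any] = dict(HARDENED_VM)
LAB_VM["isolation.tools.copy.disable"] = "FALSE"
LAB_VM["RemoteDisplay.vnc.enabled"] = True
LAB_VM["sched.mem.pshare.salt"] = "lab-salt"
LAB_VM["ethernet0.filter0.name"] = "dvfilter-example"
del LAB_VM["mks.enable3d"]

if __name__ == "__main__":
    for name, vm in (("hardened", HARDENED_VM), ("lab", LAB_VM)):
        print(name, failed_ids(vm))
```

The per-finding dictionaries hold the STIG ID, setting, expected and actual value, which is the data the author says the VMware-provided Symptoms omit; severity is not included because it comes from the STIG document rather than the vCenter API, and would need to be added from the STIG by hand.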
VMware vSphere 6.7 ESXi Security Technical Implementation Guide :: Version 1, Release: 1
- ESXI-67-000002 - The ESXi host must verify the DCUI.Access list.
- ESXI-67-000004 - Remote logging for ESXi hosts must be configured.
- ESXI-67-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
- ESXI-67-000006 - The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.
- ESXI-67-000031 - The ESXi host must enforce password complexity by requiring that at least one uppercase character be used.
- ESXI-67-000034 - The ESXi host must disable the Managed Object Browser (MOB).
- ESXI-67-000035 - The ESXi host must be configured to disable nonessential capabilities by disabling SSH.
- ESXI-67-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
- ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication.
- ESXI-67-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
- ESXI-67-000042 - The ESXi host must terminate shell services after 10 minutes.
- ESXI-67-000043 - The ESXi host must log out of the console UI after two minutes.
- ESXI-67-000045 - The ESXi host must enable a persistent log location for all locally stored logs.
- ESXI-67-000046 - The ESXi host must configure NTP time synchronization.
- ESXI-67-000047 - The ESXi Image Profile and vSphere Installation Bundle (VIB) Acceptance Levels must be verified.
- ESXI-67-000053 - SNMP must be configured properly on the ESXi host.
- ESXI-67-000055 - The ESXi host must disable Inter-VM transparent page sharing.
- ESXI-67-000056 - The ESXi host must configure the firewall to restrict access to services running on the host.
- ESXI-67-000058 - The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
- ESXI-67-000059 - The virtual switch Forged Transmits policy must be set to reject on the ESXi host.
- ESXI-67-000060 - The virtual switch MAC Address Change policy must be set to reject on the ESXi host.
- ESXI-67-000061 - The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.
- ESXI-67-000062 - The ESXi host must prevent unintended use of the dvFilter network APIs.
- ESXI-67-000074 - The ESXi host must exclusively enable TLS 1.2 for all endpoints.
- ESXI-67-100004 - The ESXi host must centrally review and analyze audit records from multiple components within the system by configuring remote logging.
VMware vSphere 6.7 vCenter Security Technical Implementation Guide :: Version 1, Release: 1
- VCTR-67-000012 - The vCenter Server must disable the distributed virtual switch health check.
- VCTR-67-000013 - The vCenter Server must set the distributed port group Forged Transmits policy to reject.
- VCTR-67-000014 - The vCenter Server must set the distributed port group MAC Address Change policy to reject.
- VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.
- VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches. (Cisco Catalyst and Cisco Nexus switches)