#TRUSTED ab9fa035ac4dfafb1e94af2e7de5584d34c83d692f17607f0947c1e4409838440c9e5e488fe679bfb7a429151445216c82481874c4b4e6fab4cb863b080ddc8162c75997a1224159a3de5dd3fad6c11874af4ebf0f4c09154ce0b7454a0e8b1fd3c71eace1c94c913206069a44a9a57881006fbff45903a927938b95450cbf87f0462dc4df6ff113f82974ca65b5279a8d4d777144e68784a85b11d41b43db931fffbca6775b4d0ca2a425fc8bafe6606b4395c39d7f4a279102c13338cb9fa9fbfeed1e83438c526479a1cb17d8015e1ffc472ee2dd26b6ede2c2b108e10ccc9c191739d6562f05563f129a1e128a5345e3107b065afa80caa303960289c6fe99522e2550da231fc9eb9bf49f95bfb953cae0ae3acc1b5d08a5b71486e2728a3e15d075978b08f13f482ccc051c078338a771e2f0d71c1d4468fcdaa34185e0886b922dc5e3631e2cd550acc176949a12093fd3ca9b1edc0fc711344e7073521776b6bdea7de1b18b578200d600d0cb3077760d70a04b8604702f25ded4441f08dec1461ec163567fe42e541b18d29b6dfe30725092c6f2e01aa0e44d978776c4de0d2a20d6f211cfddda9e5dc64fca4d8d87c2b51066c5dd454878e0f5c95437ea91820642f1cfdb8f31fb5769cd5380fca8f3b96eea260b5d9654769ed6dcc0315a095141a3b2f3e7a91e9a549442bc08fab5e3fb3eca9f9660a9e0b55275
#TRUST-RSA-SHA256 25de8ee1569f92a4bfc5dd2a04fcf8c30827b19f8414fa83b8edd1385a7af23a78e3bba46d513b01ea51ee75b99350787cf1d749774281d6c036cf7ac635059ec65e57a3a2548d9a3672afd9393a06151163475aff688f3f8cdb039a66669b6d27b900c60fcac215bfb87f882029be7a3ce64ae41a932e0980cdcd26f8abc64708238f4ee0e69170fb037524712178d802506c5aecbb390df5431d483c14276aa2f08204983ceb3ea1b94c2037942fc7b5a98245a5aa16be35651c4ab73b8e69e723bec04db79b0b2ef732da41b6f8cc1e37305b39bd50fb05bb5ee793ccd40c26f647b2960ac01af581e0b23527790cce83646e0393a305680ded5ee59e8e63e2ed4e380da33a4664dd36cbb5f0902b0e3e22b4b057c98ea4c2ef652e81ba79262d00e492f579ee9031ed5c552317ded2dffdf5d14d55c7519bd3c9679527661490496ab1d49ef3afc1f00e2d0a4b2eee3e510cada90781f38b1744b2fc36993ce4afd74e547919d9004d3aefcaa51ad51188cdff8203ddb870edf1cbef43c7388f5631aa59ee6502a39dff78572a311409081537072663292780e3c822b57da57b8dbaf26d3401af020583d4b0765e64b785092c78cf51c372422d2d37eebc90629b2e94caa9e2d17d72c530376914ca67c1ce05e94fd3023c8806b014259963c55031c646a89ca5a205d2b5f5d00b30069c2f88e40bb57e8970867a16d45c
#
# This script is Copyright (C) 2004-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.1 $
# $Date: 2024/06/17 $
#
# description : This .audit is designed against the CIS VMware ESXi 8.0 Benchmark v1.1.0
#
#<ui_metadata>
#<display_name>Safeguards VMware ESXi 8.0 v1.1.0</display_name>
#<spec>
#  <type>CIS</type>
#  <name>VMware ESXi 8.0</name>
#  <profile>L1</profile>
#  <version>1.1.0</version>
#  <link>https://workbench.cisecurity.org/benchmarks/15784</link>
#</spec>
#<labels>cis,vmware_esxi_8.0</labels>
#<benchmark_refs>CSCv6,CSCv7,CSCv8,LEVEL</benchmark_refs>
#<variables>
#  <variable>
#    <name>NTP_SERVER</name>
#    <default>10.0.0.2</default>
#    <description>Network Time Server</description>
#    <info>Host address of the NTP server for the target.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>PASSWORD_MAX_DAYS</name>
#    <default>90</default>
#    <description>Maximum Password Age</description>
#    <info>Value of Security.PasswordMaxDays</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>BANNER_TEXT</name>
#    <default>All activities performed on this system will be monitored.</default>
#    <description>Banner Text</description>
#    <info>This is the text for the warning a user receives when logging onto the system.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>API_SESSION_TIMEOUT</name>
#    <default>30</default>
#    <description>API Session Timeout</description>
#    <info>Value of Config.HostAgent.vmacore.soap.sessionTimeout in seconds</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>AUDITLOG_DIR</name>
#    <default>\[Primary Datastore\] systemlogs</default>
#    <description>Audit record log dir</description>
#    <info>The path to the audit record log directory.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>AUDIT_EXCEPTION_USERS</name>
#    <default>root</default>
#    <description>Lockdown mode xception users</description>
#    <info>List of users who are exceptions to lockdown mode rules</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>AUDIT_LOG_RECORDING</name>
#    <default>TRUE</default>
#    <description>Audit log recording</description>
#    <info>Whether audit log recording should be enabled.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>AUDIT_LOG_CAPACITY</name>
#    <default>100</default>
#    <description>Audit log record capacity</description>
#    <info>Number of Audit Log Records to retain.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>BLOCK_GUEST_BDPU_PACKETS</name>
#    <default>1</default>
#    <description>Filter Bridge Protocol Data Unit (BPDU) packets</description>
#    <info>Whether to filter Bridge Protocol Data Unit (BPDU) packets on the ESXi host.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>DISABLED_PROTOCOLS</name>
#    <default>sslv3,tlsv1,tlsv1.1</default>
#    <description>Disabled SSL and TLS Versions</description>
#    <info>Versions of SSL and TLS disabled by ESXi.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>LOG_HOST</name>
#    <default>udp://192\.168\.0\.1:514</default>
#    <description>Remote syslog IP</description>
#    <info>The IP address of the centralized syslog server for your organization.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>LOG_LEVEL</name>
#    <default>info</default>
#    <description>System log level</description>
#    <info>The information level to be captured by system logging</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>LOG_FILTERING</name>
#    <default>FALSE</default>
#    <description>System log filtering</description>
#    <info>Whether system log filtering (to reduce repetitive entries) should be enabled</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>LOG_AUDITS_TO_REMOTE_HOST</name>
#    <default>TRUE</default>
#    <description>Transmit audit logs to a remote syslog host</description>
#    <info>Whether to transmit audit logs to the centralized syslog server for your organization.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>HOST_CLIENT_SESSION_TIMEOUT</name>
#    <default>900</default>
#    <description>Host Client Session Timeout</description>
#    <info>Value of UserVars.HostClientSessionTimeout in seconds</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>HYPERTHREAD_WARNING</name>
#    <default>0</default>
#    <description>Warn about hyperthreading vulnerabilities</description>
#    <info>Value of UserVars.SuppressHyperthreadWarning</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>PASSWORD_POLICY</name>
#    <default>retry=3 min=disabled,14,14,14,14 max=64 similar=deny passphrase=3</default>
#    <description>Password Quality Control</description>
#    <info>Value of the Security.PasswordQualityControl parameter</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>PASSWORD_HISTORY</name>
#    <default>[24-999]</default>
#    <description>Password history</description>
#    <info>How many passwords changes must occur before a password can be reused.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>SYSLOG_DIR</name>
#    <default>\[Primary Datastore\] systemlogs</default>
#    <description>System log dir</description>
#    <info>The path to the system log directory.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>MAX_LOGIN_ATTEMPTS</name>
#    <default>[1-3]</default>
#    <description>Max login attempts</description>
#    <info>Maximum number of login attempts before an account is locked.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>STRICT_X509_VERIFICATION</name>
#    <default>TRUE</default>
#    <description>Use strict x509 verification on log endpoints</description>
#    <info>Whether to use strict x509 verification on the TLS certificates of remote log server endpoints.</info>
#    <value_type>STRING</value_type>
#  </variable>
#  <variable>
#    <name>VERIFY_LOG_SERVER_CERTS</name>
#    <default>TRUE</default>
#    <description>Verify Log server TLS certificates</description>
#    <info>Whether to verify the TLS certificates of remote log server endpoints.</info>
#    <value_type>STRING</value_type>
#  </variable>
#</variables>
#</ui_metadata>

<check_type:"VMware">

<report type:"WARNING">
  description : "1.1 (L1) Host hardware must have auditable, authentic, and up to date system and device firmware"
  info        : "Hardware firmware is not immune to serious issues affecting confidentiality, integrity, or availability. Vulnerable system management controllers and management engines can provide places for attackers to establish persistence, in order to re-infect and re-compromise hosts after reboots and updates.

Ensure that the latest firmware updates are applied to all components of your systems and that the firmware is authentic and supplied by your hardware manufacturer.

To ensure the integrity, security, and optimal performance of server hardware, it is essential to maintain system and device firmware that is verifiable, genuine, and current.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

If you are a vSAN customer please ensure that storage device and controller firmware versions are certified."
  reference   : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv7|18.4,CSCv8|2.2,CSCv8|16.5,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1M"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.2 (L1) Host hardware must enable UEFI Secure Boot"
  info        : "UEFI Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) specification. Its primary purpose is to ensure that only signed and trusted boot loaders and operating system kernels are allowed to execute during the system startup. This helps protect systems from malware and unauthorized software that might try to run before the operating system loads. By verifying the digital signatures of bootable applications and drivers, Secure Boot prevents potentially harmful code from compromising the boot process.

Enabling UEFI Secure Boot on the ESXi host hardware helps prevent malware and untrusted configurations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Enabling this after installation may render the host unbootable. Refer to the vSphere documentation for more information about enabling Secure Boot."
  reference   : "800-53|SA-13,800-53r5|SA-8,CSCv7|5.4,CSCv7|18.4,CSCv8|16.5,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SA-13,ITSG-33|SA-13a.,LEVEL|1M,NESA|T7.6.5"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.3 (L1) Host hardware must enable Intel TXT, if available"
  info        : "Intel Xeon Scalable Processor platforms have Trusted Execution Technology, or TXT, that help harden systems against malware, rootkits, BIOS and firmware attacks, and more. When enabled, ESXi will take advantage of security benefits offered by this technology.

Enabling Intel TXT (Trusted Execution Technology) on host hardware, when available, provides a hardware-based foundation for security.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

In early implementations, operations such as firmware updates and abrupt system shutdowns may activate attestation alarms in vCenter Server or cause boot failures. Typically, a cold system restart offers a temporary fix, while a system firmware update provides a permanent solution. Refer to KB 78243."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.4 (L1) Host hardware must enable and configure a TPM 2.0"
  info        : "ESXi can use Trusted Platform Modules (TPM) 2.0 to enable advanced security features that prevent malware, remove dependencies, and secure hardware lifecycle operations.

Enabling and configuring TPM 2.0 on host hardware ensures enhanced security by providing hardware-level cryptographic operations and secure storage for sensitive data and keys.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

No impact noted."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.5 (L1) Host integrated hardware management controller must be secure"
  info        : "Many servers have integrated hardware management controllers that can be extremely helpful when monitoring and updating hardware, settings, and firmware. These controllers should be checked to ensure that ALL unused functionality is disabled, ALL unused access methods are disabled, passwords and password controls are set, and firewalling and access control is in place so that the only access is from authorized access workstations for the virtualization administration team.

All \"first boot\" configuration options should be disabled, especially ones that reconfigure the system from USB devices that are inserted. Disable or protect USB ports attached to the management controllers. Where possible, USB ports should be set to only permit keyboards.

Default passwords for accounts should be changed.

External information displays should be secured to prevent information leakage. Power and information buttons should be secured against unauthorized use.

Many hardware management controllers provide mechanisms for alerting when hardware faults and configuration changes occur. You should consider those if you are not using another method for hardware monitoring.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disablement of connection methods may mean that future monitoring and management efforts require changes to the hardware management controller configurations across your fleet of servers.

Most hardware management controllers have CLI and API management methods that can be scripted and used from a management workstation, in lieu of additional management software or applications. Learning these techniques saves time, avoids the additional effort of installing and maintaining additional tools, and allows for timely changes to configurations."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.6 (L1) Host integrated hardware management controller must enable time synchronization"
  info        : "Cryptography, audit logging, cluster operations, and incident response/forensics depend deeply on synchronized time. This recommendation extends to all devices in infrastructure. The recommendation for NTP is to have at least four sources.

Ensuring the host integrated hardware management controller enables time synchronization provides a consistent and accurate timestamp for logs and events, which is crucial for auditing, troubleshooting, and identifying security incidents.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

No impact noted."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.4,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "1.7 (L1) Host integrated hardware management controller must enable remote logging of events"
  info        : "The host's integrated hardware management controller provides critical out-of-band server oversight. For enhanced security, it is essential to configure this controller to log events remotely. This practice ensures that hardware-related logs are sent to an off-site location, protecting them from potential tampering and offering a centralized record of server health and activities.

Enabling remote logging of events on the integrated hardware management controller ensures that all hardware-level activities are securely recorded off-site, providing traceability, mitigating data tampering risks, and facilitating incident response.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

No impact noted."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "2.1 (L1) Host must run software that has not reached End of General Support status"
  info        : "The \"End of General Support\" (EOGS) status indicates that the software version has exceeded its primary support lifecycle, during which VMware provides new security patches, bug fixes, and technical assistance. When a product reaches this status, VMware no longer releases security updates for that version for customers outside of an extended support contract. Thus, systems still running software past its EOGS are potentially exposed to unpatched vulnerabilities and other security risks.

Running software beyond its EOGS can compromise the integrity, availability, and confidentiality of virtual environments. Keeping VMware ESXi software versions within the support period ensures that organizations have access to the latest security patches, critical updates, and vendor support.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Failing to update and maintain software versions within the support period can lead to potential security breaches, data losses, and reduced operational efficiency, as the software might become incompatible with newer technologies and lack support for emerging security threats."
  reference   : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1M"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "2.2 (L1) Host must have all software updates installed"
  info        : "Applying updates in a timely manner according to the severity of issues contributes greatly to the resilience of an environment. When applying updates, it is recommended to update vCenter Server first, if an update is available, and then proceed with updating ESXi. This sequence ensures that the management layer is updated before updating the ESXi hosts.

VMware publishes advisories on security vulnerabilities; for proactive notifications please subscribe to the mailing list at

https://www.vmware.com/security/advisories.html

Issues in software that impact confidentiality, integrity, and/or availability can only be removed through patching to a version that resolves the issue. Threat actors exploit known vulnerabilities when attempting to gain unauthorized access or elevate privileges on an ESXi host.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Use VMware Lifecycle Manager to update and upgrade hosts when ESXi is managed through VMware vCenter. For standalone hosts use esxcli or API-driven methods for applying updates.

Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. Leverage the VMware Lifecycle Manager to test and apply patches as they become available.

Impact:

ESXi servers must be in Maintenance Mode to apply patches. This implies all VMs must be moved or powered off on the ESXi server, so the patching process may necessitate brief outages. ESXi hosts that are compatible with Quick Boot may be able to greatly minimize the host restart time.

VMware vSphere Update releases add and change system functionality, whereas Patch releases only resolve issues."
  reference   : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "2.3 (L1) Host must enable Secure Boot enforcement"
  info        : "Enabling Secure Boot enforcement ensures that the host only loads UEFI drivers and applications with valid digital signatures, as part of the UEFI firmware standard. It requires support from the server's BIOS and hypervisor boot loader, and mandates that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a trusted partner subordinate.

Organizations should enable Secure Boot enforcement to enhance the security of their virtual environments. Requiring valid digital signatures for UEFI drivers and apps mitigates the risk of offline attacks, where an attacker could transfer the ESXi install drive to a non-Secure Boot host and boot it without detection. This control establishes a trusted boot process, reducing the risk of unauthorized access and maintaining the integrity of the ESXi host.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Failing to enable Secure Boot enforcement exposes the ESXi host to potential security breaches. Without this control, an attacker could compromise the ESXi host by booting it on a non-Secure Boot host, bypassing ESXi's protections. This could lead to unauthorized access, data breaches, and compromise of the virtual environment's integrity. Enabling Secure Boot enforcement is crucial for maintaining a secure and trusted ESXi host, mitigating potential negative impacts, and safeguarding the virtual infrastructure."
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_ESX
  description : "2.5 (L1) Host must only run binaries delivered via signed VIB"
  info        : "The ESXi host is configured to only execute binaries originating from a valid, signed vSphere Installable Bundle (VIB) to enhance the integrity of the system. This measure thwarts attackers' attempts to use prebuilt toolkits on the host. The parameter governing this behavior is VMkernel.Boot.execInstalledOnly with a recommended setting of True.

Ensuring the execution of only signed binaries significantly mitigates the risk of running malicious or unverified code, thus enhancing the host's security posture."
  solution    : "Impact:

This security control may hinder the installation or execution of third-party unsigned software, potentially impacting the flexibility and extensibility of the ESXi host environment."
  reference   : "800-171|3.4.1,800-171|3.4.7,800-171|3.4.9,800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|CM-7(2),800-53|CM-8(3),800-53|CM-10,800-53|CM-11,800-53|SI-3,800-53r5|CM-7(2),800-53r5|CM-8(3),800-53r5|CM-10,800-53r5|CM-11,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.2(a),CN-L3|8.1.10.2(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|2.2,CSCv7|8.2,CSCv8|2.3,CSCv8|10.2,CSF|DE.CM-3,CSF|DE.CM-4,CSF|DE.CM-7,CSF|DE.DP-3,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7(2),ITSG-33|CM-8(3),ITSG-33|SI-3,LEVEL|1M,NESA|T1.2.1,NESA|T1.2.2,NIAv2|GS8a,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='VMkernel.Boot.execInstalledOnly']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='VMkernel.Boot.execInstalledOnly']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='VMkernel.Boot.execInstalledOnly']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>VMkernel.Boot.execInstalledOnly : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "VMkernel\.Boot\.execInstalledOnly : "
  expect      : "VMkernel\.Boot\.execInstalledOnly : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "2.6 (L1) Host must have reliable time synchronization sources"
  info        : "Ensuring reliable time synchronization is crucial as various functions like cryptography, audit logging, cluster operations, and incident response/forensics are heavily dependent on synchronized time. Utilizing at least four NTP sources is recommended for achieving reliable time synchronization. Alternatively, PTP can be employed for sub-millisecond time accuracy, with NTP configured as a backup to maintain time synchronization resilience in case of primary server failure.

Reliable time synchronization supports accurate auditing, cryptographic integrity, cluster operations, and effective incident response/forensics. Having multiple time sources enhances the reliability and accuracy of time synchronization, which is fundamental for secure and efficient system operations."
  solution    : "To enable and properly configure NTP synchronization, perform the following from the vSphere web client:

 - Select a host
 - Click Configure then expand System then select Time Configuration
 - Select Edit next to Network Time Protocol
 - Select the Enable box, then fill in the appropriate NTP Servers.
 - in the NTP Service Startup Policy drop down select Start and stop with host
 - Click OK

To implement the recommended configuration state, run the following PowerCLI command:

# Set the NTP Settings for all hosts
# If an internal NTP server is used, replace pool.ntp.org with
# the IP address or the Fully Qualified Domain Name (FQDN) of the internal NTP server
$NTPServers = \"pool.ntp.org\", \"pool2.ntp.org\"
Get-VMHost | Add-VmHostNtpServer $NTPServers

Impact:

Inadequate time synchronization may lead to erroneous system logs, compromised cryptographic operations, inefficient cluster operations, and hindered incident response efforts. The resilience and accuracy of time synchronization are vital for maintaining operational integrity and security posture."
  reference   : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"//audit:propSet/audit:val/audit:dateTimeInfo/audit:ntpConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - NTP Server Pool: </xsl:text>"
  xsl_stmt    : "<xsl:for-each select=\"//audit:propSet/audit:val/audit:dateTimeInfo/audit:ntpConfig/audit:server\">"
  xsl_stmt    : "<xsl:value-of select=\"current()\"></xsl:value-of><xsl:if test=\"following::audit:server\"><xsl:text>, </xsl:text></xsl:if>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - NTP Server Pool: NOT found&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:template>"
  regex       : "NTP Server Pool: "
  expect      : "NTP Server Pool: @NTP_SERVER@$"
</custom_item>

<report type:"WARNING">
  description : "2.7 (L1) Host must have time synchronization services enabled and running"
  info        : "Ensure the host has time synchronization services enabled and operational as many functions such as cryptography, audit logging, cluster operations, and incident response/forensics depend on synchronized time. Services like NTP or PTP should be configured to start with the host and remain running to maintain time synchronization.

Having accurate time synchronization is crucial for the correct operation and auditing of the system. This will assist in incident response, forensics, and ensure that cryptographic functions operate correctly.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Failure to maintain time synchronization can lead to inaccurate logging, which could complicate incident response and forensic analysis. It may also affect the functioning of cluster operations and cryptographic protocols."
  reference   : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1M,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "2.8 (L1) Host must require TPM-based configuration encryption"
  info        : "The host should enforce TPM-based configuration encryption to secure its configuration files, notably within the /etc/ directory or other namespaces. From vSphere 7.0 Update 2 onwards, configuration files archived are encrypted, leveraging a Trusted Platform Module (TPM) to \"seal\" the configuration to the host, thereby enhancing security against offline attacks. This encryption, once enabled, is irreversible and utilizes the physical TPM present during installation or upgrade.

Implementing TPM-based configuration encryption significantly bolsters security by protecting configuration files from unauthorized access and alterations. This measure is crucial for safeguarding the integrity of host configurations and preventing potential offline attacks.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Enabling TPM-based configuration encryption alongside Secure Boot renders traditional root password recovery methods ineffective. It's imperative to ensure continued access to administrator accounts on ESXi to avoid access issues."
  reference   : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|14.8,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28a.,ITSG-33|SC-28(1),LEVEL|1M,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_ESX
  description : "2.9 (L1) Host must not suppress warnings about unmitigated hyperthreading vulnerabilities"
  info        : "It is imperative to retain hyperthreading security warnings as they indicate unmitigated CPU vulnerabilities. The parameter governing this behavior is UserVars.SuppressHyperthreadWarning, with a recommended setting of 0.

Retaining these warnings ensures that potential CPU vulnerabilities are not overlooked, promoting a proactive approach towards addressing hardware-related security concerns."
  solution    : "Impact:

No functional impact is associated with this security control, however, ignoring hyperthreading warnings could obscure existing CPU vulnerabilities, potentially jeopardizing system security."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-11,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-11,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSCv8|8.10,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-11,ITSG-33|AU-12,LEVEL|1M,NESA|M5.2.3,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|SM7,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv3.2.1|10.7,PCI-DSSv4.0|10.2.2,PCI-DSSv4.0|10.5.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressHyperthreadWarning']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressHyperthreadWarning']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressHyperthreadWarning']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.SuppressHyperthreadWarning : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.SuppressHyperthreadWarning : "
  expect      : "UserVars\.SuppressHyperthreadWarning : @HYPERTHREAD_WARNING@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "2.10 (L1) Host must restrict inter-VM transparent page sharing"
  info        : "Transparent Page Sharing (TPS) aids in optimizing memory usage among virtual machines but under certain circumstances can be exploited to access data on adjacent virtual machines unauthorizedly. By configuring the Mem.ShareForceSalting parameter, inter-VM TPS is restricted, enhancing isolation and security. The parameter governing this behavior is Mem.ShareForceSalting with a recommended setting of 2.

Restricting inter-VM TPS is crucial to prevent potential unauthorized access to data, ensuring an extra layer of isolation and security between virtual machines which is indispensable especially in a multi-tenant environment."
  solution    : "From the vSphere Web Client:

 - Select a host
 - Click Configure then expand System then select Advanced System settings
 - Click Edit then Filter for Mem.ShareForceSalting
 - Set the value to 2
 - Click OK

Additionally, the following PowerCLI command can be used:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2

Impact:

There is no noted functional impact, indicating that restricting inter-VM TPS does not adversely affect the system's performance or operations while bolstering security against potential data access exploits."
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Mem.ShareForceSalting']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Mem.ShareForceSalting']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Mem.ShareForceSalting']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Mem.ShareForceSalting : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Mem\.ShareForceSalting : "
  expect      : "Mem\.ShareForceSalting : 2$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.1 (L1) Host should deactivate SSH"
  info        : "Secure Shell (SSH) provides remote access to the ESXi shell, enabling direct host console access or remote connectivity. Deactivating SSH is a security measure aimed at minimizing remote access channels to the ESXi host, restricting it to essential connections only through vSphere Client, vCLI/PowerCLI, or published APIs. The service status should be set to \"Stopped\", allowing manual start and stop for troubleshooting or diagnostic activities when necessary.

Limiting remote access by deactivating SSH reduces potential attack vectors, promoting a secure operating environment. Enabling SSH only for diagnostics or troubleshooting ensures controlled access, aligning with security best practices."
  solution    : "To disable SSH, perform the following:

 - From the vSphere Web Client, select the host.
 - Select Configure then expand System and select Services
 - Click on SSH then click Edit Startup Policy
 - Set the Startup Policy is set to Start and Stop Manually
 - Click OK
 - While ESXi Shell is still selected click Stop

Alternately, use the following PowerCLI command:

# Set SSH to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq \"TSM-SSH\" } | Set-VMHostService -Policy Off

Impact:

There is no functional impact noted; however, the measure requires alternative methods for remote management, such as vSphere Client or command-line tools, which may demand additional configurations or toolset proficiency."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM-SSH']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM-SSH']/audit:label\"/> : running = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM-SSH']/audit:running\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>SSH : running = NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "SSH : running = "
  expect      : "SSH : running = FALSE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.2 (L1) Host must deactivate the ESXi shell"
  info        : "The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. Activities performed from the ESXi Shell bypass all access controls, but are logged. The recommended setting for the ESXi shell is to be stopped and only started manually when needed, such as when running diagnostics or troubleshooting.

Ensuring non-essential services like the ESXi Shell are deactivated enhances the security posture."
  solution    : "To disable the ESXi shell, perform the following:

 - From the vSphere Web Client, select the host.
 - Select Configure then expand System and select Services
 - Click on ESXi Shell then click Edit Startup Policy
 - Set the Startup Policy is set to Start and Stop Manually
 - Click on OK

Alternately, use the following PowerCLI command:

# Set the ESXi shell to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq \"TSM\" } | Set-VMHostService -Policy Off

Impact:

No functional impact is recorded. However, if ESXi shell functionalities are needed, manual activation is required."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM']/audit:label\"/> : running = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='TSM']/audit:running\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>ESXi Shell : running = NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "ESXi Shell : running ="
  expect      : "ESXi Shell : running = FALSE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.3 (L1) Host must deactivate the ESXi Managed Object Browser (MOB)"
  info        : "The Managed Object Browser (MOB) is a web-based server application that lets you examine and change system objects and configurations. It is a prudent security measure to deactivate the MOB unless it's essential for operations. The parameter governing this behavior is Config.HostAgent.plugins.solo.enableMob with a recommended setting of False.

Deactivating non-essential services like MOB adheres to the principle of least functionality, reducing potential attack vectors."
  solution    : "To disabled MOB, perform the following from the vSphere Web Client:

 - Select a host
 - Click Configure then expand System then select Advanced System Settings
 - Click Edit then search for Config.HostAgent.plugins.solo.enableMob
 - Set the value to false
 - Click OK

Note: You cannot disable the MOB while a host is in lockdown mode.

Note 2: You must disable MOB from the vSphere interface not via the vim-cmd command.

Impact:

There is no specified functional impact; however, if MOB functionalities are needed later, manual reactivation is required."
  reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|9.4,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.plugins.solo.enableMob']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.plugins.solo.enableMob']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.plugins.solo.enableMob']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Config.HostAgent.plugins.solo.enableMob : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Config.HostAgent.plugins.solo.enableMob : "
  expect      : "Config.HostAgent.plugins.solo.enableMob : false"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.4 (L1) Host must deactivate SLP"
  info        : "The Service Location Protocol (SLP) is used for the discovery and selection of network services in local area networks, which simplifies configuration by allowing computers to find necessary services automatically. The practice of deactivating SLP when not in use aligns with the principle of minimizing the attack surface by shutting down non-essential services. The recommended setting is to have the SLP service stopped, with the ability to start and stop it manually as required.

Deactivating non-essential services like SLP minimizes potential vectors of attack, thereby enhancing the host's security posture."
  solution    : "Impact:

There is no functional impact noted, however, manual intervention is required to start the SLP service when needed."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='slpd']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='slpd']/audit:label\"/> : running = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='slpd']/audit:running\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>slpd : running = NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "slpd : running = "
  expect      : "slpd : running = FALSE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.5 (L1) Host must deactivate CIM"
  info        : "Deactivating the Common Information Model (CIM) service, when not in use, aligns with the principle of minimizing the attack surface by disabling non-essential services. This action helps in reducing the potential vectors of attack, thus bolstering the host's security posture.

Deactivating non-essential services like CIM mitigates potential security risks associated with these services. This measure adheres to the principle of least functionality, which posits that only necessary services should be active to fulfill operational requirements."
  solution    : "Impact:

No functional impact has been specified. However, the deactivation of CIM might require administrators to manually start or stop the service when needed, potentially affecting operational workflows if CIM is required at a later stage."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='sfcbd-watchdog']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='sfcbd-watchdog']/audit:label\"/> : running = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='sfcbd-watchdog']/audit:running\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>CIM Server : running = NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "CIM Server : running = "
  expect      : "CIM Server : running = FALSE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.6 (L1) Host should deactivate SNMP"
  info        : "Simple Network Management Protocol (SNMP) facilitates the management of networked devices. Minimize attack surface by disabling non-essential services. The recommended setting is to have the SNMP service stopped unless required and configured securely.

Deactivating SNMP when it's not needed reduces the attack surface, adhering to a minimalistic approach in service operation."
  solution    : "Impact:

While there isn't a direct functional impact, the absence of SNMP may require alternative methods for network management and monitoring."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='snmpd']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='snmpd']/audit:label\"/> : running = <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:service/audit:service[audit:key='snmpd']/audit:running\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>SNMP Server : running = NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "SNMP Server : running = "
  expect      : "SNMP Server : running = FALSE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.7 (L1) Host must automatically terminate idle DCUI sessions"
  info        : "By configuring a session timeout, unattended console sessions are automatically terminated, thereby reducing the potential security risks associated with lingering active sessions. The parameter governing this behavior is UserVars.DcuiTimeOut, with a recommended setting of 600 (10 minutes).

Automated termination of idle DCUI sessions enhances the security posture by minimizing the window of opportunity for unauthorized access through unattended sessions. It enforces a good security hygiene practice by ensuring that inactive sessions do not remain open indefinitely, which is in line with the principle of least privilege."
  solution    : "To correct the DCUI timeout setting, perform the following steps:

 - From the vSphere Web Client, select the host.
 - Click Configure then under System select Advanced System Settings
 - Select Edit then enter UserVars.DcuiTimeOut in the filter.
 - Click in the box for the current value, then set the value to 600 seconds or less.

Alternately, use the following PowerCLI command:

Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600

Impact:

While there's no functional impact specified, setting a timeout value that's too short may inconvenience users by terminating sessions prematurely, possibly interrupting workflow. Conversely, a timeout value that's too long may not adequately mitigate the risks associated with idle sessions. Hence, a balanced approach in configuring the session timeout value, aligned with the organizational security policy and user workflow, is crucial."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.DcuiTimeOut']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.DcuiTimeOut']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.DcuiTimeOut']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.DcuiTimeOut : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.DcuiTimeOut : "
  expect      : "UserVars\.DcuiTimeOut : \b([1-9]|[1-9][0-9]|[1-5][0-9]{2}|600)\b"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.8 (L1) Host must automatically terminate idle shells"
  info        : "The host should be configured to automatically terminate idle shell sessions to prevent potential unauthorized access due to forgotten logouts. Setting a timeout for idle SSH connections ensures that any unattended sessions are closed, thereby reducing the security risk. The parameter governing this behavior is UserVars.ESXiShellInteractiveTimeOut with a recommended setting of 900.

Automatically terminating idle shells minimizes the risks associated with unattended sessions. It is a proactive measure to prevent potential unauthorized access to the host."
  solution    : "To set the timeout to the desired value, perform the following from the vSphere web client:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter ESXiShellInteractiveTimeOut in the filter.
 - Set the value for this parameter is set to the appropriate value ( 300 seconds or less).
 - Click OK

Note: A value of 0 disables the ESXi ShellInteractiveTimeOut.

Alternately, use the following PowerCLI command:

# Set Remove UserVars.ESXiShellInteractiveTimeOut to 300 on all hosts
Get-VMHost | Get-AdvancedSetting -Name 'UserVars.ESXiShellInteractiveTimeOut' | Set-AdvancedSetting -Value \"300\"

Impact:

There is no identified negative impact associated with enforcing this control as it serves to bolster the host's security posture."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellInteractiveTimeOut']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellInteractiveTimeOut']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellInteractiveTimeOut']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.ESXiShellInteractiveTimeOut : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.ESXiShellInteractiveTimeOut : "
  expect      : "UserVars\.ESXiShellInteractiveTimeOut : \b([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)\b"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.9 (L1) Host must automatically deactivate shell services"
  info        : "Enabling the automatic deactivation of shell services minimizes the attack surface on the host. The time window for the ESXi Shell and SSH services' availability is defined by UserVars.ESXiShellTimeOut, after which these services are terminated. The recommended setting for this parameter is 600.

Automatically deactivating shell services after a defined time window helps in reducing the risk associated with potential unauthorized access, ensuring a more secure ESXi host environment."
  solution    : "To set the timeout to the desired value, perform the following from the vSphere web client:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter ESXiShellTimeOut in the filter.
 - Set the value for this parameter is set to 3600 (1 hour) or less
 - Click OK

Note: A value of 0 disables the ESXiShellTimeOut.

Alternately, run the following PowerCLI command:

# Set UserVars.ESXiShellTimeOut to 3600 on all hosts
Get-VMHost | Get-AdvancedSetting -Name 'UserVars.ESXiShellTimeOut' | Set-AdvancedSetting -Value \"3600\"

Impact:

There's no negative functional impact identified with this control; it contributes towards enhancing the host's security posture by limiting the availability of shell services."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellTimeOut']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellTimeOut']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiShellTimeOut']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.ESXiShellTimeout : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.ESXiShellTimeout : "
  expect      : "UserVars\.ESXiShellTimeout : ([1-9]|[1-9][0-9]{1,2}|[12][0-9]{3}|3[0-5][0-9]{2}|3600)$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.10 (L1) Host must not suppress warnings that the shell is enabled"
  info        : "Having warnings for enabled SSH or ESXi Shell provides insight into potential security risks. Disabling such warnings can mask ongoing attacks. The parameter governing this behavior is UserVars.SuppressShellWarning with a recommended value of 0.

Maintaining visibility of shell service status through warnings is crucial for monitoring and early detection of unauthorized activities, helping in promptly addressing potential security threats."
  solution    : "Impact:

No negative functional impact is associated with this control; it enhances monitoring and response to potential security threats by ensuring warnings are visible and not suppressed."
  reference   : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|6.3,CSCv8|13.11,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,LEVEL|1M,NESA|M1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressShellWarning']\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressShellWarning']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.SuppressShellWarning']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.SuppressShellWarning : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.SuppressShellWarning : "
  expect      : "UserVars\.SuppressShellWarning : 0$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.11 (L1) Host must enforce password complexity"
  info        : "The enforcement of password complexity is managed through the Security.PasswordQualityControl parameter, allowing configuration of password length, character set requirements, and failed logon attempt restrictions. The recommended setting is \"retry=3 min=disabled,15,15,15,15 max=64 similar=deny passphrase=3\".

Abiding by NIST 800-63B Section 5.1.1.2 guidelines, not enforcing traditional composition rules facilitates the adoption of longer, more secure passphrases, enhancing overall security."
  solution    : "To set the password complexity requirements, perform the following:

 - Login to the ESXi shell as a user with administrator privileges.
 - Open /etc./pam.d/passwd
 - Locate the following line:

password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4 <xhtml:ol start=\"4\"> - Set N0 to disabled
 - Set N1 to disabled
 - Set N2 to disabled
 - Set N3 to disabled
 - Set N4 to 14 or greater.

The above requires all passwords to be 14 or more characters long and comprised of at least one character from four distinct character sets.

Impact:

Altering password complexity via Security.PasswordQualityControl may cause installation issues with other products and services within the VMware ecosystem not expecting such changes."
  reference   : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordQualityControl']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordQualityControl']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordQualityControl']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Security.PasswordQualityControl : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Security\.PasswordQualityControl : "
  expect      : "Security\.PasswordQualityControl : @PASSWORD_POLICY@"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.12 (L1) Host must lock an account after a specified number of failed login attempts"
  info        : "The security control involves restricting account access following a specified number of failed login attempts, acting as a deterrent against brute-force attacks. This control is applicable for SSH and vSphere Web Services SDK access, though not for the Direct Console Interface (DCUI) and the ESXi Shell. A default setting allows five failed attempts before account lockout, with automatic unlock after 15 minutes. The parameter governing this behavior is Security.AccountLockFailures with a recommended setting of 3.

Implementing this control bolsters the host's resilience against unauthorized access attempts, safeguarding system integrity. By thwarting brute-force attacks, it significantly elevates the security posture, making unauthorized access more challenging."
  solution    : "To set the maximum failed login attempts correctly, perform the following steps:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter Security.AccountLockFailures in the filter.
 - Set the value for this parameter to 5

Alternately, use the following PowerCLI command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3

Impact:

A potential downside is the inadvertent denial-of-service scenario, especially with a low threshold for login failures. This could be exploited maliciously or trigger accidental lockouts, impacting system accessibility and possibly demanding additional administrative effort for account resets."
  reference   : "800-171|3.1.1,800-53|AC-1,800-53|AC-2,800-53|AC-2(1),800-53r5|AC-1,800-53r5|AC-2,800-53r5|AC-2(1),CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(e),CN-L3|8.1.10.6(c),CSCv7|16.7,CSCv8|6.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.1.1,ISO/IEC-27001|A.9.2.1,ITSG-33|AC-1,ITSG-33|AC-2,ITSG-33|AC-2(1),LEVEL|1A,NESA|M1.2.2,NIAv2|AM28,NIAv2|AM29,NIAv2|AM30,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountLockFailures']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountLockFailures']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountLockFailures']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Security.AccountLockFailures : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Security\.AccountLockFailures : "
  expect      : "Security\.AccountLockFailures : \b@MAX_LOGIN_ATTEMPTS@\b"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.13 (L1) Host must unlock accounts after a specified timeout period"
  info        : "Ensuring that user accounts on the ESXi host are automatically unlocked after a specified period contributes to a balance between security and operational usability. This mechanism reactivates idle accounts promptly while mitigating potential unauthorized access risks. It's configured through a specific parameter which, when adjusted, defines the duration of the lockout period. The parameter governing this behavior is Security.AccountUnlockTime with a recommended setting of 900 seconds.

This setting reduces the inconvenience for benign users and the overhead on administrators, while also slowing down brute force credential stuffing attacks."
  solution    : "To set the account lockout to 15 minutes, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter Security.AccountUnlockTime in the filter.
 - Set the value for this parameter to 900

Alternately, use the following PowerCLI command:

Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900

Impact:

No functional impact noted. The parameter's configuration ensures a security-usability balance, although misconfiguration could either expose the system to unauthorized access or disrupt user operations."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountUnlockTime']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountUnlockTime']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.AccountUnlockTime']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Security.AccountUnlockTime : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Security.AccountUnlockTime : "
  expect      : "Security.AccountUnlockTime : \b900\b"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.14 (L1) Host must configure the password history setting to restrict the reuse of passwords"
  info        : "The goal is to inhibit the reuse of past passwords, acting as a deterrent against potential security breaches stemming from the exploitation of old, compromised credentials. This is achieved by configuring the Security.PasswordHistory parameter, which specifies the number of unique passwords a user must cycle through before a previous password can be reused. The recommended setting for this parameter is 24.

By enforcing a password history policy, organizations make it harder for malicious actors to gain unauthorized access using old passwords. This in turn elevates the overall security posture."
  solution    : "To set the password history 5, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter Security.PasswordHistory in the filter.
 - Set the value for this parameter is set to 24

Alternately, the following PowerCLI command may be used:

Get-VMHost | Get-AdvancedSetting Security.PasswordHistory | Set-AdvancedSetting -Value 24

Impact:

The impact of altering the Security.PasswordHistory parameter is dependent on the chosen value. A lower value might diminish security by allowing password reuse sooner, while a higher value increases security but may also increase the likelihood of user frustration."
  reference   : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordHistory']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordHistory']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordHistory']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Security.PasswordHistory : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Security\.PasswordHistory : "
  expect      : "Security\.PasswordHistory : @PASSWORD_HISTORY@"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.15 (L1) Host must be configured with an appropriate maximum password age"
  info        : "Implementing a maximum password age, as determined by the Security.PasswordMaxDays parameter, is aligned with modern password policies outlined in NIST 800-63B Section 5.1.1.2, which argue against forced periodic password changes provided that passwords have sufficient complexity. The parameter governing this behavior is Security.PasswordMaxDays with a recommended setting of 99999.

Aligning with modern security standards by configuring an appropriate maximum password age can help in maintaining a balance between security and usability. This setting negates the need for periodic password changes, which have not been shown to significantly enhance security."
  solution    : "Impact:

Adjusting the Security.PasswordMaxDays parameter may affect vSphere UIs, requiring an email address for alert configurations. This necessitates either the provision of an email address or the use of PowerCLI for configuration, with the latter also requiring the configuration of an SMTP server in vCenter Server for email alerts. Various regulatory compliance frameworks have differing opinions of this practice."
  reference   : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordMaxDays']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordMaxDays']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Security.PasswordMaxDays']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Security.PasswordMaxDays : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Security\.PasswordMaxDays : "
  expect      : "Security\.PasswordMaxDays : @PASSWORD_MAX_DAYS@"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.16 (L1) Host must configure a session timeout for the API"
  info        : "A designated timeout ensures that sessions are not left open indefinitely, thereby reducing the exposure window for potential security threats. The parameter governing this behavior is Config.HostAgent.vmacore.soap.sessionTimeout with a recommended setting of 30 seconds.

A session timeout ensures that potential security threats from unauthorized users or malicious software exploiting open sessions are significantly reduced."
  solution    : "Impact:

There is no functional impact noted when configuring this security control, making it a low-risk enhancement towards securing the ESXi environment."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-171|3.1.16,800-171|3.13.15,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53|AC-18,800-53|SC-23,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,800-53r5|AC-18,800-53r5|SC-23,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|1.7,CSCv8|4.3,CSCv8|12.6,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,ITSG-33|AC-18,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1M,NESA|T4.5.1,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.vmacore.soap.sessionTimeout']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.vmacore.soap.sessionTimeout']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.vmacore.soap.sessionTimeout']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Config.HostAgent.vmacore.soap.sessionTimeout : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Config.HostAgent\.vmacore\.soap\.sessionTimeout : "
  expect      : "Config.HostAgent\.vmacore\.soap\.sessionTimeout : @API_SESSION_TIMEOUT@"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.17 (L1) Host must automatically terminate idle host client sessions"
  info        : "Configuring the host to automatically terminate idle host client sessions helps mitigate security risks associated with unattended sessions, which could potentially be exploited. The recommended setting for this control is a timeout value of 900. The parameter governing this behavior is UserVars.HostClientSessionTimeout.

Automatic termination of idle sessions is crucial for preventing potential unauthorized access or exploitation of unattended sessions, thereby enhancing the host's security posture."
  solution    : "Impact:

There is no functional impact mentioned, but ensuring a balanced timeout value is essential to prevent inadvertent session terminations while maintaining security."
  reference   : "800-171|3.1.16,800-171|3.13.15,800-53|AC-18,800-53|SC-23,800-53r5|AC-18,800-53r5|SC-23,CSCv7|1.7,CSCv8|12.6,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1M,NESA|T4.5.1,QCSC-v1|5.2.1,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.HostClientSessionTimeout']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.HostClientSessionTimeout']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.HostClientSessionTimeout']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.HostClientSessionTimeout : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars\.HostClientSessionTimeout : "
  expect      : "UserVars\.HostClientSessionTimeout : @HOST_CLIENT_SESSION_TIMEOUT@"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.18 (L1) Host must have an accurate DCUI.Access list"
  info        : "The DCUI.Access parameter in VMware ESXi is used to specify a list of users who are permitted to access the Direct Console User Interface (DCUI) of the ESXi host, especially when Lockdown Mode is enabled. This parameter helps in controlling and securing access to the ESXi host by allowing only authorized users to override Lockdown Mode and access the DCUI, particularly in scenarios where the host becomes isolated from vCenter. The parameter governing this behavior is DCUI.Access.

A properly configured DCUI.Access list ensures that only authorized users can override Lockdown Mode to access DCUI, providing a fail-safe against loss of management capability especially if the host loses connection to vCenter."
  solution    : "To set a trusted users list for DCUI, perform the following from the vSphere web client:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand System
 - Select Advanced System Settings then click Edit
 - Enter DCUI.Access in the filter.
 - Set the DCUI.Access attribute is set to a comma-separated list of the users who are allowed to override lockdown mode.

Impact:

Misconfiguration could lead to unauthorized access or potential lockout scenarios, making it crucial to validate the list and ensure the host's attachment to vCenter alongside correctly configured access and exception lists prior to Lockdown Mode activation."
  reference   : "800-171|3.1.1,800-171|3.4.8,800-53|AC-2,800-53|CM-7(5),800-53|CM-10,800-53r5|AC-2,800-53r5|CM-7(5),800-53r5|CM-10,CN-L3|7.1.3.2(d),CSCv7|14.6,CSCv7|16.6,CSCv8|2.5,CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|AC-2,ITSG-33|CM-7,LEVEL|1M,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key=\'DCUI.Access\']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key=\'DCUI.Access\']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key=\'DCUI.Access\']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - <xsl:text>DCUI.Access : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "DCUI\.Access : "
  expect      : "DCUI\.Access : @AUDIT_EXCEPTION_USERS@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.19 (L1) Host must have an accurate Exception Users list"
  info        : "Establishing an accurate Exception Users list is essential for managing user privileges during lockdown mode. Users on this list retain their privileges, making it imperative to include only those necessary for direct host access like service accounts for third-party solutions. Ensuring a well-maintained list mitigates the risk associated with unauthorized actions, especially during host isolation scenarios in lockdown mode.

The Exception Users list is crucial for preserving necessary operational capabilities while maintaining a secure environment. By carefully managing this list, organizations can balance between security and functionality, ensuring that critical operations continue unhindered during lockdown mode."
  solution    : "To correct the membership of the Exception Users list, perform the following in the vSphere Web Client:

 - Select the host.
 - Click on Configure then expand System and select Security Profile
 - Select Edit next to Lockdown Mode
 - Click on Exception Users
 - Add or delete users as appropriate.
 - Click OK

Impact:

An improperly managed Exception Users list could potentially undermine the security posture by allowing unauthorized access, increasing the risk of malicious actions. It's vital to review and update this list regularly to align with the current operational and security requirements."
  reference   : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-2,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv7|16.6,CSCv8|3.3,CSCv8|5.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1M,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key=\'DCUI.Access\']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - Exception Users : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key=\'DCUI.Access\']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - <xsl:text>Exception Users : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Exception Users : "
  expect      : "Exception Users : @AUDIT_EXCEPTION_USERS@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.20 (L1) Host must enable normal lockdown mode"
  info        : "Implementing normal lockdown mode restricts direct access to ESXi hosts, mandating management via vCenter Server to uphold defined roles and access controls, mitigating risks associated with unauthorized or insufficiently audited activities. Exception Users list serves as an override mechanism, permitting specified users direct access even in lockdown mode. This mode offers a balanced approach between security and operational flexibility compared to the stricter lockdown mode which, if connectivity to vCenter Server is lost, necessitates host rebuilding.

Enabling normal lockdown mode enforces centralized management through vCenter Server, ensuring adherence to organizational access controls and auditing policies. This measure significantly lowers the risk of unauthorized activities by restricting direct host access, promoting a more controlled and auditable operational environment."
  solution    : "To enable lockdown mode, perform the following from the vSphere web client:

 - From the vSphere Web Client, select the host.
 - Select Configure then expand System and select Security Profile
 - Across from Lockdown Mode click on Edit
 - Click the radio button for Normal
 - Click OK

Alternately, run the following PowerCLI command:

# Enable lockdown mode for each host
Get-VMHost | Foreach { $_.EnterLockdownMode() }

Impact:

The activation of lockdown mode may impede direct host access for certain operations like backup and troubleshooting. Although temporary deactivation is an option, ensuring proper reactivation post-operation is crucial to maintain the intended security posture."
  reference   : "800-171|3.1.1,800-53|AC-2(1),800-53r5|AC-2(1),CN-L3|7.1.3.2(d),CSCv7|16.2,CSCv8|5.6,CSF|PR.AC-1,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2(1),LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:lockdownMode\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - Lockdown Mode : <xsl:value-of select=\"audit:propSet/audit:val/audit:lockdownMode\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name=\'name\']/audit:val\"/> - <xsl:text>Lockdown Mode : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Lockdown Mode : "
  expect      : "Lockdown Mode : (lockdownNormal|lockdownStrict)$"
</custom_item>

<report type:"WARNING">
  description : "3.22 (L1) Host must deny shell access for the dcui account"
  info        : "The dcui account, utilized for process isolation for the Direct Console User Interface (DCUI), possesses shell access which, when deactivated, minimizes the attack surface. This action is a proactive measure to enhance system security.

Deactivating shell access for the dcui account reduces the avenues of exploitation available to potential attackers. It is a prudent step towards a hardened security posture.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

There is no functional impact noted from denying shell access for the dcui account, making it a low-risk yet effective security control."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.4.8,800-53|CM-7,800-53|CM-7(1),800-53|CM-7(5),800-53|CM-10,800-53|SI-7,800-53|SI-7(1),800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-7(5),800-53r5|CM-10,800-53r5|SI-7,800-53r5|SI-7(1),CN-L3|7.1.3.5(b),CSCv7|2.7,CSCv7|2.8,CSCv7|2.9,CSCv8|2.5,CSCv8|2.7,CSF|DE.CM-3,CSF|PR.DS-6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|SI-7,ITSG-33|SI-7a.,ITSG-33|SI-7(1),LEVEL|1M,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.2,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_ESX
  description : "3.24 (L1) Host must display a login banner for the DCUI and Host Client"
  info        : "Enabling a login banner on the Direct Console User Interface (DCUI) and the Host Client interfaces provides a mechanism to display legal notices or organizational announcements at login. The parameter governing this behavior is Annotations.WelcomeMessage, with the recommended value being a text string aligned with organizational or legal advisories.

A login banner serves as a first line of legal defense against unauthorized access and misuse, stating the terms and conditions of system use. It also aids in reinforcing organizational security policies among authorized users."
  solution    : "Impact:

Implementation masks the \"F2/F12\" options and IP address information on the DCUI, potentially requiring additional documentation or training to ensure users are aware of these changes."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Annotations.WelcomeMessage']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Annotations.WelcomeMessage']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Annotations.WelcomeMessage']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Annotations.WelcomeMessage : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Annotations\.WelcomeMessage : "
  expect      : "Annotations\.WelcomeMessage : @BANNER_TEXT@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.25 (L1) Host must display a login banner for SSH connections"
  info        : "ESXi facilitates the display of a login message, primarily aimed to deter unauthorized access and inform legitimate users regarding system usage obligations, particularly during SSH connections. The text for this display is defined by a specific parameter, which is advisable to be configured, especially when SSH is active, albeit it's recommended to keep SSH in a stopped state barring troubleshooting scenarios. The parameter governing this behavior is Config.Etc.Issue.

Displaying a login banner serves as a preliminary deterrent to unauthorized users while reinforcing legal and policy compliances for authorized users. It encapsulates a proactive security measure, alongside aligning with several compliance mandates that necessitate the use of login banners."
  solution    : "Impact:

There is no functional impact associated with this security control; however, the absence of a login banner might pose a risk in terms of legal protection and compliance adherence, especially during SSH connections where potential misuse could occur. It's prudent to consult with legal advisors to craft a banner text that aligns with organizational and legal requisites."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Config.Etc.issue']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.Etc.issue']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.Etc.issue']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Config.Etc.issue : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Config\.Etc\.issue : "
  expect      : "Config\.Etc\.issue : @BANNER_TEXT@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "3.26 (L1) Host must enable the highest version of TLS supported"
  info        : "The host should be configured to operate using the highest version of TLS supported to ensure secure communications. ESXi 8, by default, comes with TLS 1.2 enabled, although re-enabling other protocols is possible if required. Employing the highest version of TLS aids in protecting against known vulnerabilities present in older versions. The parameter governing this behavior is UserVars.ESXiVPsDisabledProtocols with the recommended setting of \"sslv3,tlsv1,tlsv1.1\".

Employing the highest version of TLS supported enhances the security posture by ensuring that communications are protected with modern encryption standards. This mitigates risks associated with known vulnerabilities in outdated TLS versions."
  solution    : "Impact:

Failure to enable the highest version of TLS supported may expose the host to vulnerabilities present in older versions, potentially compromising the confidentiality and integrity of communications."
  reference   : "800-171|3.5.2,800-171|3.13.16,800-53|IA-5(1),800-53|SC-28,800-53|SC-28(1),800-53r5|IA-5(1),800-53r5|SC-28,800-53r5|SC-28(1),CN-L3|8.1.4.7(b),CN-L3|8.1.4.8(b),CSCv7|14.8,CSCv8|3.11,CSF|PR.AC-1,CSF|PR.DS-1,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(a)(2)(iv),HIPAA|164.312(d),HIPAA|164.312(e)(2)(ii),ITSG-33|IA-5(1),ITSG-33|SC-28,ITSG-33|SC-28a.,ITSG-33|SC-28(1),LEVEL|1M,NESA|T5.2.3,PCI-DSSv3.2.1|3.4,PCI-DSSv4.0|3.3.2,PCI-DSSv4.0|3.5.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1,TBA-FIISB|28.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiVPsDisabledProtocols']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiVPsDisabledProtocols']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='UserVars.ESXiVPsDisabledProtocols']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>UserVars.ESXiVPsDisabledProtocols : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "UserVars.ESXiVPsDisabledProtocols : "
  expect      : "UserVars.ESXiVPsDisabledProtocols : @DISABLED_PROTOCOLS@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.1 (L1) Host must configure a persistent log location for all locally stored system logs"
  info        : "Configure the Syslog.global.logDir parameter to specify a persistent directory for system logs, ensuring they are retained across reboots. This can be set to a directory on mounted NFS or VMFS volumes, other than the default which is an in-memory filesystem that retains only a single day's worth of logs.

Storing logs persistently is crucial for auditing, monitoring events, and diagnosing issues. Without persistent logging, critical indicators of compromise and user activity logs are lost at each reboot, which can hinder incident response and forensic investigations."
  solution    : "To configure persistent logging properly, perform the following from the vSphere web client:

 - Select the host
 - Click Configure then expand System then select Advanced System Settings
 - Select Edit then enter Syslog.global.LogDir in the filter.
 - Set Syslog.global.logDir to a persistent location specified as [datastorename] path_to_file where the path is relative to the datastore. For example, [datastore1] /systemlogs.
 - Click OK

Alternatively, run the following PowerCLI command:

# Set Syslog.global.logDir for each host
Get-VMHost | Foreach { Set-AdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value \"<NewLocation>\" }

Impact:

There is no specified functional impact, however, consideration should be given to storage capacity as increased log retention will require more storage space. If the only local, non-vSAN storage is unreliable SD or USB media, configuring a remote logging host is advised."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CSCv7|6.2,CSCv7|6.3,CSCv8|8.2,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logDir']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logDir']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logDir']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.logDir : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.logDir : "
  expect      : "Syslog\.global\.logDir : @SYSLOG_DIR@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.2 (L1) Host must transmit system logs to a remote log collector"
  info        : "Transmitting system logs to a remote log collector ensures that ESXi logs are stored in a secure and centralized manner. This centralization not only allows for the streamlined monitoring of all hosts through a single tool but also facilitates aggregate analysis and searching capabilities.

Centralizing log storage on a remote log collector greatly enhances the ability to monitor, search, and analyze logs across multiple hosts. This central repository ensures that logs are protected from potential tampering, while also providing a robust long-term audit trail. By analyzing these logs, coordinated attacks or anomalies that might go unnoticed on individual hosts can be detected."
  solution    : "To configure remote logging properly, perform the following from the vSphere web client:

 - Select the host
 - Click Configure then expand System then select Advanced System Settings
 - Select Edit then enter Syslog.global.logHost in the filter.
 - Set the Syslog.global.logHost to the hostname or IP address of the central log server.
 - Click OK

Alternately, run the following PowerCLI command:

# Set Syslog.global.logHost for each host
Get-VMHost | Foreach { Set-AdvancedSetting -VMHost $_ -Name Syslog.global.logHost -Value \"<NewLocation>\" }

Note: When setting a remote log host, it is also recommended to set the \"Syslog.global.logDirUnique\" to true. You must configure the syslog settings for each host.

Impact:

There is no immediate functional impact when transmitting logs to a remote log collector. However, it is essential to ensure that the remote log collector is adequately secured and has sufficient storage capacity."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.5,800-171|3.3.6,800-53|AU-2,800-53|AU-3,800-53|AU-3(1),800-53|AU-6(3),800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-6(3),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(d),CN-L3|8.1.4.3(a),CN-L3|8.1.4.3(b),CSCv7|6.2,CSCv7|6.3,CSCv7|6.5,CSCv8|8.2,CSCv8|8.5,CSCv8|8.9,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.AN-3,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-6(3),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.2.5,NESA|M5.5.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logHost']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logHost']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logHost']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.logHost : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.logHost : "
  expect      : "Syslog\.global\.logHost : @LOG_HOST@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.3 (L1) Host must log sufficient information for events"
  info        : "Set the Syslog.global.logLevel parameter to \"info\" to ensure that audit logs capture sufficient information for diagnosing issues and investigating security events. This setting strikes a balance between log verbosity and storage utilization. The parameter governing this behavior is Syslog.global.logLevel with a recommended setting of info.

Adequate log data is crucial for identifying indicators of compromise, enabling timely and effective response to cybersecurity incidents. The \"info\" level provides essential details without excessively consuming storage resources."
  solution    : "Impact:

More verbose logging levels will demand additional storage space while potentially burying critical entries under less significant data. Conversely, less verbose levels might miss capturing crucial information, hindering effective diagnostics and incident response."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logLevel']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logLevel']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logLevel']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.logLevel : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.logLevel : "
  expect      : "Syslog\.global\.logLevel : @LOG_LEVEL@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.4 (L1) Host must set the logging informational level to info"
  info        : "Set the logging informational level to \"info\" via the Config.HostAgent.log.level parameter to ensure audit logs contain adequate data for diagnostics and forensics. This level provides a balanced amount of detail, suitable for routine analysis and investigation. The parameter governing this behavior is Config.HostAgent.log.level with a recommended setting of info.

The \"info\" level balances the detail in logs, aiding in diagnostics and forensics without overwhelming storage resources."
  solution    : "Impact:

A more verbose log level increases data volume, demanding additional storage, while a less verbose level may lack crucial information for effective diagnostics and forensics."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-4,800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-4,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv7|6.4,CSCv8|8.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.DS-4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-4,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|T3.3.1,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.log.level']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.log.level']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Config.HostAgent.log.level']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Config.HostAgent.log.level : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Config\.HostAgent\.log\.level : "
  expect      : "Config\.HostAgent\.log\.level : @LOG_LEVEL@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.5 (L1) Host must deactivate log filtering"
  info        : "Log filtering can be employed to diminish the frequency of repetitive log entries and to preclude specific log events entirely. By employing the Syslog.global.logFilters configuration parameter, one can stipulate filtering criteria, which when met, will cause the designated log events to be excluded from the system logs. The control aids in maintaining a clean, informative logging environment by filtering out unwanted or redundant log entries. The parameter governing this behavior is Syslog.global.logFiltersEnable with a recommended setting of FALSE.

Comprehensive logging is crucial for understanding and monitoring system behavior. By deactivating log filtering, administrators can capture all log events, regardless of their frequency or perceived importance. This guarantees a complete record of system activity, which can be invaluable for incident response and post-incident analysis."
  solution    : "Impact:

There is no direct functional impact from deactivating log filtering. However, it may result in increased storage requirements for log files due to the additional log entries being stored. Organizations should ensure adequate storage space is available for logs and consider adjusting log retention policies if necessary."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-4,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-4,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.3,CSCv7|14.9,CSCv8|8.2,CSCv8|8.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.DS-4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-4,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NESA|T3.3.1,NESA|T3.6.2,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logFiltersEnable']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logFiltersEnable']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.logFiltersEnable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.logFiltersEnable : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.logFiltersEnable : "
  expect      : "Syslog\.global\.logFiltersEnable : @LOG_FILTERING@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.6 (L1) Host must enable audit record logging"
  info        : "Enabling audit record logging on ESXi hosts ensures the local storage of audit records, providing a trail of activities performed on the host. This measure is pivotal for accountability, troubleshooting, and security investigations. The parameter governing this behavior is Syslog.global.auditRecord.storageEnable with a recommended setting of TRUE.

Enabling audit record logging is crucial for maintaining a secure and compliant operational environment. It provides visibility into host activities, aiding in identifying and investigating unauthorized or malicious actions."
  solution    : "Impact:

While beneficial for security and compliance, enabling audit record logging consumes additional storage space on the host, which may necessitate enhanced storage management practices to ensure optimal performance."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.3,CSCv7|6.4,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageEnable']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageEnable']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageEnable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.auditRecord.storageEnable : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.auditRecord\.storageEnable : "
  expect      : "Syslog\.global\.auditRecord\.storageEnable : @AUDIT_LOG_RECORDING@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.7 (L1) Host must configure a persistent log location for all locally stored audit records"
  info        : "Configuring a persistent log location for locally stored audit records on ESXi hosts is critical to ensure audit continuity. When the \"/scratch\" directory is linked to \"/tmp/scratch\", only a day's worth of records are retained, and they are reinitialized upon each reboot, creating a security risk. A persistent datastore, except a vSAN datastore, should be designated for audit record logging to preserve records across reboots. The parameter governing this behavior is Syslog.global.auditRecord.storageDirectory.

A persistent log location safeguards audit records, enhancing the auditability and diagnosability of system events. This setup helps in adhering to compliance requirements and facilitating future audits."
  solution    : "Impact:

Implementing this control will consume additional storage space for logs, necessitating a balanced approach to storage management, especially when local non-vSAN storage options are limited."
  reference   : "800-171|3.3.1,800-171|3.3.5,800-53|AU-6(3),800-53r5|AU-6(3),CN-L3|7.1.3.3(d),CSCv7|6.5,CSCv8|8.9,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-6(3),LEVEL|1M,NESA|M5.2.5,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageDirectory']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageDirectory']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageDirectory']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.auditRecord.storageDirectory : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.auditRecord\.storageDirectory : "
  expect      : "Syslog\.global\.auditRecord\.storageDirectory : @AUDITLOG_DIR@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.8 (L1) Host must store one week of audit records"
  info        : "Ensuring a local storage capacity for a week's worth of audit records is imperative, especially when a remote audit record storage facility is used. This provision is critical during anticipated interruptions in record delivery to the remote facility, preventing loss or overwriting of audit records. The parameter governing this behavior is Syslog.global.auditRecord.storageCapacity with a recommended setting of 100.

Storing a week of audit records locally safeguards against data loss during interruptions with remote storage facilities, maintaining compliance and audit trail continuity."
  solution    : "Impact:

This security control entails additional storage space consumption for logs, requiring possible adjustments in storage management."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.5,800-171|3.3.6,800-53|AU-2,800-53|AU-6(3),800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-6(3),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(d),CN-L3|8.1.4.3(a),CSCv7|6.5,CSCv8|8.2,CSCv8|8.9,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.AN-3,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-6(3),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.2.5,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageCapacity']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageCapacity']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.storageCapacity']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.auditRecord.storageCapacity : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.auditRecord\.storageCapacity : "
  expect      : "Syslog\.global\.auditRecord\.storageCapacity : @AUDIT_LOG_CAPACITY@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.9 (L1) Host must transmit audit records to a remote log collector"
  info        : "This control enables the forwarding of audit records from the ESXi host to a designated log collector, aiding in real-time monitoring and analysis. The parameter governing this behavior is Syslog.global.auditRecord.remoteEnable with a recommended setting of TRUE.

Centralized logging facilitates a consolidated view of activities across ESXi hosts, enhancing the monitoring and rapid detection of unauthorized or anomalous activities."
  solution    : "Impact:

There is no noted functional impact from enabling this control; however, proper configuration is crucial to ensure reliable log transmission and to maintain the integrity and availability of audit records."
  reference   : "800-171|3.3.1,800-171|3.3.5,800-53|AU-6(3),800-53r5|AU-6(3),CN-L3|7.1.3.3(d),CSCv7|6.5,CSCv8|8.9,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-6(3),LEVEL|1M,NESA|M5.2.5,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.remoteEnable']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.remoteEnable']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.auditRecord.remoteEnable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.auditRecord.remoteEnable : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.auditRecord\.remoteEnable : "
  expect      : "Syslog\.global\.auditRecord\.remoteEnable : @LOG_AUDITS_TO_REMOTE_HOST@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.10 (L1) Host must verify certificates for TLS remote logging endpoints"
  info        : "When engaging in remote logging activities, it is of utmost importance to ensure that the logging endpoint is genuine and secure. To achieve this, hosts should verify the TLS certificates of these endpoints. This verification provides assurance that the endpoint is both authentic and trustworthy, mitigating the risk of transmitting logs to potentially malicious or untrusted entities. The parameter governing this behavior is Syslog.global.certificate.checkSSLCerts with a recommended setting of TRUE.

Ensuring the authenticity and trustworthiness of remote logging endpoints is crucial for maintaining the security and integrity of the transmitted log data. By verifying the TLS certificates of these endpoints, the potential risk of man-in-the-middle attacks, data breaches, or unintended exposure of sensitive log information is significantly reduced."
  solution    : "Impact:

There is no direct functional impact when verifying certificates for TLS remote logging endpoints. However, it is essential to ensure that the certificates used by the logging endpoints are valid and up-to-date. If not, there might be interruptions in log transmissions or potential trust issues, necessitating certificate management and regular updates."
  reference   : "800-171|3.1.1,800-171|3.1.2,800-171|3.1.12,800-171|3.13.1,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|AC-17,800-53|AC-17(1),800-53|SC-7,800-53|SI-4,800-53r5|AC-17,800-53r5|AC-17(1),800-53r5|SC-7,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.4.4(c),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(i),CN-L3|8.1.10.6(j),CSCv7|1.8,CSCv8|13.5,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.AC-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-8,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-17,ITSG-33|AC-17(1),ITSG-33|SC-7,ITSG-33|SI-4,LEVEL|1M,NESA|M1.2.2,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.6,TBA-FIISB|43.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.checkSSLCerts']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.checkSSLCerts']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.checkSSLCerts']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.certificate.checkSSLCerts : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.certificate\.checkSSLCerts : "
  expect      : "Syslog\.global\.certificate\.checkSSLCerts : @VERIFY_LOG_SERVER_CERTS@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "4.11 (L1) Host must use strict x509 verification for TLS-enabled remote logging endpoints"
  info        : "When employing remote logging with TLS-enabled endpoints, it is essential to ensure the utmost integrity and authenticity of the certificates in use. The \"x509-strict\" option provides a higher level of security by performing additional validity checks on CA root certificates during the verification process. This increased scrutiny ensures that only genuinely authenticated and trusted certificates are accepted, minimizing potential vulnerabilities. The parameter governing this behavior is Syslog.global.certificate.strictX509Compliance with a recommended setting of TRUE.

Ensuring stringent verification of CA root certificates provides a higher level of trust and security in the remote logging process. Adopting the \"x509-strict\" option minimizes the risk of accepting compromised or malicious certificates, thereby reducing the potential for data breaches, man-in-the-middle attacks, or other security compromises."
  solution    : "Impact:

There is no immediate functional impact from using strict x509 verification for TLS-enabled remote logging endpoints. However, organizations must ensure that their CA root certificates meet the strict criteria set by this option. If certificates do not meet these criteria, there may be disruptions in log transmissions, necessitating adjustments or updates to the certificates in use."
  reference   : "800-171|3.1.1,800-171|3.1.2,800-171|3.1.12,800-171|3.13.1,800-171|3.13.5,800-171|3.14.6,800-171|3.14.7,800-53|AC-17,800-53|AC-17(1),800-53|SC-7,800-53|SI-4,800-53r5|AC-17,800-53r5|AC-17(1),800-53r5|SC-7,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.4.4(c),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CN-L3|8.1.10.6(i),CN-L3|8.1.10.6(j),CSCv7|1.8,CSCv8|13.5,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.AC-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-8,CSF|PR.PT-4,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.13.1.3,ITSG-33|AC-17,ITSG-33|AC-17(1),ITSG-33|SC-7,ITSG-33|SI-4,LEVEL|1M,NESA|M1.2.2,NESA|T4.5.4,NESA|T5.4.4,NESA|T5.4.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.6,TBA-FIISB|43.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.strictX509Compliance']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.strictX509Compliance']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Syslog.global.certificate.strictX509Compliance']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Syslog.global.certificate.strictX509Compliance : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Syslog\.global\.certificate\.strictX509Compliance : "
  expect      : "Syslog\.global\.certificate\.strictX509Compliance : @STRICT_X509_VERIFICATION@$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "5.1 (L1) Host firewall must only allow traffic from authorized networks"
  info        : "The host's firewall is designed to block all incoming and outgoing network traffic by default, unless exceptions are explicitly made, thus minimizing the attack surface and barring unauthorized access. The firewall settings, while simplistic, are akin to router ACLs, and might require reflexive rules to be configured for certain network scenarios. Through the VMware Host Client, restrictions can be placed on a per-IP basis to only allow traffic from authorized networks, aligning with the security control's recommended value of permitting connections solely from authorized infrastructure and administration workstations.

Implementing a policy where only traffic from authorized networks is allowed, significantly enhances the host's security posture. It not only minimizes the attack surface but also helps in maintaining a clean network traffic flow, which is crucial for organizational security and operational efficiency.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
  solution    : "To properly restrict access to services running on an ESXi host, perform the following from the vSphere web client:

 - Select a host
 - Click Configure then expand System then select Firewall
 - Click Edit to view services which are enabled (indicated by a check).
 - For each enabled service, (e.g., ssh, vSphere Web Access, http client) provide a list of allowed IP addresses.
 - Click OK

Impact:

While this security control is instrumental in preventing unauthorized access, its simplistic firewall may necessitate additional configuration like reflexive rules, depending on the network setup. This could potentially require more administrative effort for correct configuration and management, ensuring that necessary communications are not inadvertently blocked."
  reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1M,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "  <xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "  <xsl:for-each select=\"//audit:firewall\">"
  xsl_stmt    : "    <xsl:for-each select=\"//audit:ruleset\">"
  xsl_stmt    : "      <xsl:choose>"
  xsl_stmt    : "        <xsl:when test=\"audit:enabled='true'\">"
  xsl_stmt    : "          <xsl:value-of select=\"audit:label\"/> (Port <xsl:value-of select=\"audit:rule/audit:port\"/>)<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "        </xsl:when>"
  xsl_stmt    : "      </xsl:choose>"
  xsl_stmt    : "    </xsl:for-each>"
  xsl_stmt    : "  </xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  expect      : "^Manual Review Required$"
  severity    : MEDIUM
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "5.2 (L1) Host must block network traffic by default"
  info        : "By default, the host is configured to block all incoming and outgoing network traffic, except for the traffic pertaining to services enabled in the host security profile. This configuration is pivotal in reducing the attack surface and averting unauthorized access to the host. Even though there isn't a specific configuration parameter provided, the firewall settings are manageable through the VMware Host Client, wherein rules can be specified to allow or deny traffic for each service on a per-IP basis, ensuring only authorized networks have access.

Adhering to a policy of blocking network traffic by default significantly minimizes the risk of unauthorized access and potential external attacks. This posture promotes a principle of least privilege on the network level, ensuring only explicitly allowed traffic can communicate with the host, thereby enhancing the security posture."
  solution    : "Impact:

There is no functional impact mentioned for this security control. However, overly restrictive configurations might impede necessary communications if not properly managed, potentially affecting service availability and operational efficiency. Therefore, careful consideration and testing are advised when adjusting firewall settings to ensure essential traffic is not inadvertently blocked."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.4.8,800-53|CM-7,800-53|CM-7(1),800-53|CM-7(5),800-53|CM-10,800-53|SI-7,800-53|SI-7(1),800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-7(5),800-53r5|CM-10,800-53r5|SI-7,800-53r5|SI-7(1),CN-L3|7.1.3.5(b),CSCv7|2.7,CSCv7|2.9,CSCv8|2.5,CSCv8|2.7,CSF|DE.CM-3,CSF|PR.DS-6,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.12.5.1,ISO/IEC-27001|A.12.6.2,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|SI-7,ITSG-33|SI-7a.,ITSG-33|SI-7(1),LEVEL|1M,NESA|T3.4.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.3,SWIFT-CSCv1|6.2,TBA-FIISB|44.2.2,TBA-FIISB|49.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "  <xsl:variable name=\"addr\" select=\"audit:propSet[audit:name='name']/audit:val\"/>"
  xsl_stmt    : "  <xsl:for-each select=\"//audit:firewall\">"
  xsl_stmt    : "      <xsl:choose>"
  xsl_stmt    : "        <xsl:when test=\"audit:defaultPolicy/audit:incomingBlocked='true' and audit:defaultPolicy/audit:outgoingBlocked='true'\">"
  xsl_stmt    : "          <xsl:value-of select=\"$addr\"/> - incoming/outgoing - Default policy drops network traffic : TRUE<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "        </xsl:when>"
  xsl_stmt    : "        <xsl:otherwise>"
  xsl_stmt    : "          <xsl:value-of select=\"$addr\"/> - incoming - Default policy drops network traffic : <xsl:value-of select=\"audit:defaultPolicy/audit:incomingBlocked\"/> <xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "          <xsl:value-of select=\"$addr\"/> - outgoing - Default policy drops network traffic : <xsl:value-of select=\"audit:defaultPolicy/audit:outgoingBlocked\"/> <xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "        </xsl:otherwise>"
  xsl_stmt    : "      </xsl:choose>"
  xsl_stmt    : "  </xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Default policy drops network traffic"
  expect      : "Default policy drops network traffic : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "5.3 (L1) Host must restrict use of the dvFilter network API"
  info        : "The Net.DVFilterBindIpAddress parameter controls the use of the dvFilter network API, allowing network information to be sent to a specified IP address. If enabled with a compromised IP address, unauthorized network access to other virtual machines on the host could occur. It's essential to keep this parameter unconfigured, unless required by a product like VMware NSX. The parameter governing this behavior is Net.DVFilterBindIpAddress with a recommended setting of \"\".

Limiting the use of the dvFilter network API by keeping the Net.DVFilterBindIpAddress parameter unconfigured helps in reducing potential security risks. This restriction aids in maintaining secure network communication and minimizes the attack surface."
  solution    : "To remove the configuration for the dvfilter network API, perform the following from the vSphere web client:

 - From the vSphere web client, select the host and click Configure then expand System
 - Click on Advanced System Settings then Edit
 - Search for Net.DVFilterBindIpAddress in the filter.
 - Set Net.DVFilterBindIpAddress has an empty value.
 - If an appliance is being used, make sure the value of this parameter is set to the proper IP address.
 - Enter the proper IP address.
 - Click OK

To implement the recommended configuration state, run the following PowerCLI command:

# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-AdvancedSetting -VMHost $_ -Name Net.DVFilterBindIpAddress -IPValue \"\" }

Impact:

No functional impact is identified when restricting the dvFilter network API. However, incorrect configuration can lead to insecure network communication, posing a risk to the network security of virtual machines on the host."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.15,800-53|CM-6,800-53|CM-7,800-53|SC-23,800-53r5|CM-6,800-53r5|CM-7,800-53r5|SC-23,CSCv7|9.2,CSCv8|12.3,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1M,NESA|T4.5.1,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.1,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Net.DVFilterBindIpAddress']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Net.DVFilterBindIpAddress']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Net.DVFilterBindIpAddress']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Net.DVFilterBindIpAddress : NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Net\.DVFilterBindIpAddress : "
  expect      : "Net\.DVFilterBindIpAddress : NOT configured"
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "5.4 (L1) Host must filter Bridge Protocol Data Unit (BPDU) packets"
  info        : "To prevent cascading lockout of uplink interfaces from the ESXi host, the Net.BlockGuestBPDU parameter can be set to 1, enabling BPDU Filter to drop BPDU packets sent from virtual machines to the physical switch. This is crucial as ESXi's Standard and Distributed Virtual Switches do not support STP, making them prone to network loops if BPDUs are unfiltered. The parameter governing this behavior is Net.BlockGuestBPDU with a recommended setting of 1.

Configuring Net.BlockGuestBPDU aids in maintaining network stability by preventing potential disruptions caused by BPDU packets. This configuration is vital for avoiding unintended network lockouts and ensuring robust network communications."
  solution    : "Impact:

While beneficial for network stability, enabling BPDU filtering could block legitimate BPDU packets from network-oriented workloads. Ensure no legitimate BPDU packets are generated by virtual machines on the ESXi host before enabling this control."
  reference   : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1M,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val/audit:option[audit:key='Net.BlockGuestBPDU']/audit:value/text()\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Net.BlockGuestBPDU']/audit:key\"/> : <xsl:value-of select=\"audit:propSet/audit:val/audit:option[audit:key='Net.BlockGuestBPDU']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>Net.BlockGuestBPDU : NOT found</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Net\.BlockGuestBPDU : "
  expect      : "Net\.BlockGuestBPDU : @BLOCK_GUEST_BDPU_PACKETS@$"
</custom_item>

<if>
  <condition auto:"FAILED" type:"AND">
    <custom_item>
      type        : AUDIT_ESX
      description : "portgroup - forgedTransmits"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - forgedTransmits = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:forgedTransmits\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - forgedTransmits = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "forgedTransmits ="
      not_expect  : "forgedTransmits = TRUE$"
    </custom_item>

    <custom_item>
      type        : AUDIT_ESX
      description : "vswitch - forgedTransmits"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - forgedTransmits = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:forgedTransmits\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - forgedTransmits = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "forgedTransmits ="
      expect      : "forgedTransmits = FALSE$"
    </custom_item>
  </condition>

  <then>
    <report type:"PASSED">
      description : "5.6 (L1) Host should reject forged transmits on standard virtual switches and port groups"
      info        : "Setting the \"Forged transmits\" option to \"Reject\" helps prevent MAC impersonation by comparing the source MAC address from the guest operating system with the effective MAC address of its virtual machine adapter. If there's a mismatch, the packet is dropped, preventing potential malicious activities through impersonated MAC addresses.

Rejecting forged transmits enhances network security by preventing unauthorized network access and malicious activities stemming from MAC impersonation. This setting upholds network integrity by ensuring only authorized communications occur within the network."
      solution    : "To set the policy to reject forged transmissions, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Networking
 - Select Virtual switches then click Edit
 - Click on Security
 - Set Forged transmits to Reject in the dropdown.
 - Click on OK

Alternately, the following ESXi shell command may be used:

# esxcli network vswitch standard policy security set -v vSwitch2 -f false

Impact:

This setting may affect workloads like clustered applications and network devices/functions that rely on MAC address modifications. Creating a separate port group for authorized virtual machines that require such behavior is recommended to balance operational needs with network security."
      reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|12.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
      see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
      show_output : YES
    </report>
  </then>
</if>

<if>
  <condition auto:"FAILED" type:"AND">
    <custom_item>
      type        : AUDIT_ESX
      description : "portgroup - macChanges"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - macChanges = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:macChanges\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - macChanges = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "macChanges ="
      not_expect  : "macChanges = TRUE$"
    </custom_item>

    <custom_item>
      type        : AUDIT_ESX
      description : "vswitch - macChanges"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - macChanges = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:macChanges\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - macChanges = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "macChanges ="
      expect      : "macChanges = FALSE$"
    </custom_item>
  </condition>

  <then>
    <report type:"PASSED">
      description : "5.7 (L1) Host should reject MAC address changes on standard virtual switches and port groups"
      info        : "Enforcing MAC address stability on standard virtual switches and port groups prevents MAC impersonation by disallowing changes to the MAC address by virtual machines. This mitigates the risk of malicious activities initiated by impersonating authorized network adapters.

Preventing MAC address changes hinders unauthorized network access and potential malicious acts, contributing to a more secure network environment. This control aids in maintaining network integrity by ensuring only authorized network communications occur."
      solution    : "To set the policy to reject, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Networking
 - Select Virtual switches then click Edit
 - Click on Security
 - Set MAC address changes to Reject in the dropdown.
 - Click on OK

Alternately, perform the following using the ESXi shell:

# esxcli network vswitch standard policy security set -v vSwitch2 -m false

Impact:

Certain workloads and operations reliant on MAC address modifications could be affected. Creating a separate port group for authorized virtual machines that require MAC address changes is recommended to balance operational and security needs."
      reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|12.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
      see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
      show_output : YES
    </report>
  </then>
</if>

<if>
  <condition auto:"FAILED" type:"AND">
    <custom_item>
      type        : AUDIT_ESX
      description : "vswitch - allowPromiscuous"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:vswitch\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - allowPromiscuous = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:allowPromiscuous\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - allowPromiscuous = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "allowPromiscuous ="
      expect      : "allowPromiscuous = FALSE$"
    </custom_item>

    <custom_item>
      type        : AUDIT_ESX
      description : "portgroup - allowPromiscuous"
      xsl_stmt    : "<xsl:template match=\"/\">"
      xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
      xsl_stmt    : "<xsl:choose>"
      xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
      xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:key\"/>) - allowPromiscuous = <xsl:value-of select=\"audit:spec/audit:policy/audit:security/audit:allowPromiscuous\"/><xsl:text>&#10;</xsl:text>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:when>"
      xsl_stmt    : "<xsl:otherwise>"
      xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - allowPromiscuous = FALSE</xsl:text>"
      xsl_stmt    : "</xsl:otherwise>"
      xsl_stmt    : "</xsl:choose>"
      xsl_stmt    : "</xsl:for-each>"
      xsl_stmt    : "</xsl:template>"
      regex       : "allowPromiscuous ="
      not_expect  : "allowPromiscuous = TRUE$"
    </custom_item>
  </condition>

  <then>
    <report type:"PASSED">
      description : "5.8 (L1) Host should reject promiscuous mode requests on standard virtual switches and port groups"
      info        : "Enabling promiscuous mode allows all virtual machines in a port group to read all packets transmitted across it, regardless of the intended recipient. Rejecting promiscuous mode requests on standard virtual switches and port groups prevents unauthorized packet inspection, enhancing network isolation and data privacy.

Rejecting promiscuous mode requests helps maintain network isolation and data privacy by ensuring packets reach only their intended recipients. This control minimizes the risk of data interception or unauthorized packet inspection."
      solution    : "To set the policy to reject, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Networking
 - Select Virtual switches then click Edit
 - Click on Security
 - Set Promiscuous mode to Reject in the dropdown.
 - Click on OK

Alternately, perform the following via the ESXi shell:

# esxcli network vswitch standard policy security set -v vSwitch2 -p false

Impact:

Some workloads like DHCP servers or security monitoring may require promiscuous mode. In such cases, a separate port group allowing this behavior, with only authorized virtual machines connected, is advisable to balance operational needs with security controls."
      reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|12.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
      see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
      show_output : YES
    </report>
  </then>
</if>

<custom_item>
  type        : AUDIT_ESX
  description : "5.9 (L1) Host must restrict access to a default or native VLAN on standard virtual switches"
  info        : "ESXi does not use the concept of native VLAN, so do not configure port groups to use the native VLAN ID. If the default value of 1 for the native VLAN is being used, the ESXi Server virtual switch port groups should be configured with any value between 2 and 4094. Otherwise, ensure that the port group is not configured to use whatever value is set for the native VLAN.

Frames with VLAN specified in the port group will have a tag, but frames without a VLAN specified in the port group are not tagged and therefore will end up as belonging to the native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a \"1\"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a \"1\" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
  solution    : "To stop using the native VLAN ID for port groups, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Networking
 - Select Virtual switches
 - Expand the Standard vSwitch.
 - View the topology diagram of the switch, which shows the various port groups associated with that switch.
 - For each port group on the vSwitch, verify and record the VLAN IDs used.
 - If a VLAN ID change is needed, click the name of the port group in the topology diagram of the virtual switch.
 - Click the Edit settings option.
 - In the Properties section, enter an appropriate name in the Network label field.
 - In the VLAN ID dropdown select or type a new VLAN.
 - Click OK"
  reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv7|12.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
  xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:spec/audit:name\"/>) - vlanId = <xsl:value-of select=\"audit:spec/audit:vlanId\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - vlanId = NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  severity    : MEDIUM
</custom_item>

<custom_item>
  type        : AUDIT_ESX
  description : "5.10 (L1) Host must restrict the use of Virtual Guest Tagging (VGT) on standard virtual switches"
  info        : "When a port group is set to VLAN 4095 on standard virtual switches, it enables Virtual Guest Tagging (VGT), letting all network frames pass to the attached virtual machines (VMs) without altering the VLAN tags. This requires VMs to process VLAN information themselves via an 802.1Q driver. Only authorized and capable VMs should be allowed to use VGT to prevent potential network issues like denial of service or unauthorized VLAN traffic interaction.

Restricting VGT use helps maintain network security by ensuring controlled VLAN tag management. It mitigates risks associated with denial of service or unauthorized VLAN interactions, contributing to a stable network environment."
  solution    : "To set port groups to values other than 4095 and 0 unless VGT is required, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Networking
 - Select Virtual switches
 - Expand the Standard vSwitch.
 - View the topology diagram of the switch, which shows the various port groups associated with that switch.
 - For each port group on the vSwitch, verify and record the VLAN IDs used.
 - If a VLAN ID change is needed, click the name of the port group in the topology diagram of the virtual switch.
 - Click the Edit settings option.
 - In the Properties section, enter an appropriate name in the Network label field.
 - In the VLAN ID dropdown select or type a new VLAN.
 - Click OK

Impact:

Incorrect VGT configuration can lead to denial of service or unauthorized VLAN traffic interaction. Restricting VGT may require alternative configurations for VMs needing independent VLAN tag management, potentially affecting network operation."
  reference   : "800-171|3.13.1,800-171|3.13.5,800-171|3.13.6,800-53|CA-9,800-53|SC-7,800-53|SC-7(5),800-53r5|CA-9,800-53r5|SC-7,800-53r5|SC-7(5),CN-L3|7.1.2.2(c),CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv7|12.4,CSCv8|4.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,ITSG-33|SC-7(5),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|GS7b,NIAv2|NS25,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:network/audit:portgroup\">"
  xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:spec/audit:name\"/>) - vlanId = <xsl:value-of select=\"audit:spec/audit:vlanId\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet[audit:name='name']/audit:val\"/><xsl:text> - vlanId = NOT configured</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "vlanId ="
  not_expect  : "vlanId = (4095|NOT configured)$"
</custom_item>

<report type:"WARNING">
  description : "5.11 (L1) Host must isolate management communications"
  info        : "Ensure that only vmk interfaces designated for management purposes have management services enabled to uphold network isolation and security. Incorrect configuration may undermine security efforts by breaching network isolation principles.

Restricting management services to designated vmk interfaces minimizes the attack surface and ensures that management communications are isolated from other traffic, adhering to network segmentation best practices.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

This control may affect third-party managed solutions requiring specific configurations. Configurations may need to be tailored based on the particular environment and third-party solutions in use."
  reference   : "800-171|3.1.14,800-53|AC-17(3),800-53|SI-7,800-53r5|AC-17(3),800-53r5|SI-7,CN-L3|8.1.4.4(c),CN-L3|8.1.10.6(i),CSCv7|4.6,CSCv8|12.8,CSF|PR.AC-3,CSF|PR.DS-6,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ITSG-33|AC-17(3),ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1M,NESA|T3.4.1,NESA|T5.4.6,NESA|T7.3.2,NESA|T7.3.3,PCI-DSSv3.2.1|10.5.5,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "6.1.1 (L1) Host CIM services, if enabled, must limit access"
  info        : "The Common Information Model (CIM) system allows for hardware-level management from remote applications through standard APIs. Ensuring only minimal access necessary to these applications is imperative to prevent potential security compromises. A dedicated service account, specific to each CIM application, should be created to limit access and privileges.

Restricting access to CIM services is essential to prevent unauthorized or over-privileged access, which could lead to potential security vulnerabilities. This practice adheres to the principle of least privilege, promoting a more secure environment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "To limit CIM access, perform the following:

 - Create a limited-privileged service account for CIM and other third-party applications.
 - This account should access the system via vCenter.
 - Give the account the CIM Interaction privilege only. This will enable the account to obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host. If an account must connect to the host directly, this account must be granted the full \"Administrator\" role on the host. This is not recommended unless required by the monitoring software being used.

Alternately, run the following PowerCLI command:

# Create a new host user account -Host Local connection required-
New-VMHostAccount -ID ServiceUser -Password <password> -UserAccount

Impact:

If improper access is granted to CIM-based hardware monitoring tools or other third-party applications, they may not function as expected or could be exploited to compromise the host's security."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|4.3,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "6.2.1 (L1) Host must isolate storage communications"
  info        : "Isolating storage communications through zoning and Logical Unit Number (LUN) masking is instrumental in segregating Storage Area Network (SAN) activity. Zoning defines the connections between host bus adapters (HBAs) and targets, ensuring devices outside a zone remain invisible to the devices within, thus facilitating the independent management of zones such as testing and production. On the other hand, LUN masking controls the visibility and accessibility of LUNs to different hosts, further enhancing the granularity of access control within the storage network. By implementing these measures, the attack surface of the SAN is reduced, non-ESXi systems are prevented from accessing the SAN, and separation of environments like test and production is achieved.

Employing zoning and LUN masking to isolate storage communications is vital to reduce the risk of unauthorized access and potential cross-contamination between different operational environments. It allows for a more structured and secure management of storage resources, ensuring that unauthorized or incompatible systems are prevented from interacting with or accessing the SAN, thus contributing to the overall security and operational integrity of the environment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "The remediation procedures to properly segregate SAN activity are SAN vendor or product-specific.

In general, with ESXi hosts, use a single-initiator zoning or a single-initiator-single-target zoning. The latter is a preferred zoning practice. Using the more restrictive zoning prevents problems and misconfigurations that can occur on the SAN.

Impact:

Failing to isolate storage communications can lead to an increased risk of unauthorized access to storage resources, potential data leakage, or interference between different operational zones. The lack of segregation might also pose challenges in managing and troubleshooting storage network activities, leading to operational inefficiencies and potential security risks."
  reference   : "800-171|3.13.4,800-53|SC-4,800-53r5|SC-4,CSCv7|14.1,CSCv7|14.2,CSCv8|3.12,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-4,ITSG-33|SC-4a.,LEVEL|1M"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "6.2.2 (L1) Host must ensure all datastores have unique names"
  info        : "Ensuring unique naming for datastores is crucial to avoid potential errors that could affect the integrity and availability of data. A descriptive and unique name for each datastore facilitates better identification and management. Although there's no specific parameter to enforce this, manual or automated naming conventions should be adhered to.

Unique and descriptive naming for datastores minimizes the risk of errors, improves manageability, and aids in quicker identification, especially in environments with numerous datastores. It's a proactive measure to maintain order and avoid issues that arise from the default names given to VMFS and vSAN datastores.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Not adhering to a unique naming convention can lead to confusion, misconfiguration, or incorrect data access. While renaming datastores could have downstream effects on systems like automation, monitoring, and backup, the benefits of unique naming conventions outweigh the potential negatives."
  reference   : "800-171|3.13.4,800-53|SC-4,800-53r5|SC-4,CSCv7|14.7,CSCv8|3.12,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SC-4,ITSG-33|SC-4a.,LEVEL|1M"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_ESX
  description : "6.3.1 (L1) Host iSCSI client, if enabled, must employ bidirectional/mutual CHAP authentication"
  info        : "Implementing bidirectional CHAP authentication for iSCSI connections elevates security by necessitating mutual verification between the initiator (client) and target (server), ensuring data integrity during transmission. Configuration involves setting the iSCSI storage adapter authentication to \"Use bidirectional CHAP\" and providing the requisite credentials. This setup ensures that all communication between the client and server remains secure and unaltered, significantly reducing the risk of data interception by unauthorized entities. The parameter governing this behavior is set iSCSI storage adapter authentication to \"Use bidirectional CHAP\" with a recommended setting of Enabled.

Employing bidirectional CHAP authentication significantly minimizes risks associated with data interception or alteration by unauthorized entities during transmissions between the initiator and target. This additional layer of security is crucial in maintaining data integrity and confidentiality in iSCSI connections."
  solution    : "To enable bidirectional CHAP authentication for iSCSI traffic, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Storage
 - Select Storage Adapters then select the iSCSI Adapter.
 - Under Properties click on Edit next to Authentication
 - Next to Authentication Method select Use bidirectional CHAP from the dropdown.
 - Specify the outgoing CHAP name.

 - Make sure that the name you specify matches the name configured on the storage side.
 - To set the CHAP name to the iSCSI adapter name, select \"Use initiator name\".
 - To set the CHAP name to anything other than the iSCSI initiator name, deselect \"Use initiator name\" and type a name in the Name text box.

<xhtml:ol start=\"8\"> - Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.
 - Specify incoming CHAP credentials. Make sure your outgoing and incoming secrets do not match.
 - Click OK
 - Click the second to last symbol labeled Rescan Adapter

Alternately, run the following PowerCLI command:

# Set the Chap settings for the Iscsi Adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq \"Iscsi\"} | Set-VMHostHba # Use desired parameters here

Impact:

No functional impact is anticipated upon the implementation of this control. However, it's imperative to ensure correct configuration to avoid potential communication disruptions between the iSCSI client and server."
  reference   : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|16.5,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:storageDevice/audit:hostBusAdapter[contains (@xsi:type,'HostInternetScsiHba')]\">"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='HostConfigInfo']/audit:storageDevice/audit:hostBusAdapter[contains (@xsi:type,'HostInternetScsiHba')]\">"
  xsl_stmt    : "<xsl:value-of select=\"../../../../audit:propSet[audit:name='name']/audit:val\"/> (<xsl:value-of select=\"audit:device\"/>) - MutualChapAuthenticationType : <xsl:value-of select=\"audit:authenticationProperties/audit:mutualChapAuthenticationType\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"//audit:propSet[audit:name='name']/audit:val\"/> - <xsl:text>MutualChapAuthenticationType : No iSCSI devices found</xsl:text><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "MutualChapAuthenticationType : "
  not_expect  : "MutualChapAuthenticationType : chapProhibited$"
</custom_item>

<report type:"WARNING">
  description : "6.3.2 (L1) Host iSCSI client, if enabled, must employ unique CHAP authentication secrets"
  info        : "Challenge-Handshake Authentication Protocol (CHAP) requires both client and host to know a secret to establish a connection. It is essential to employ unique CHAP authentication secrets for each iSCSI session to ensure secure communications. The parameter governing this behavior is outlined in the iSCSI or iSER storage adapter configuration under CHAP settings.

Utilizing unique CHAP authentication secrets for each iSCSI session promotes secure data transmission and mitigates the risk of unauthorized access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "To change the values of CHAP secrets so they are unique, perform the following:

 - From the vSphere Web Client, select the host.
 - Click Configure then expand Storage
 - Select Storage Adapters then select the iSCSI Adapter.
 - Under Properties click on Edit next to Authentication
 - Next to Authentication Method specify the authentication method from the dropdown.
 - None
 - Use unidirectional CHAP if required by target
 - Use unidirectional CHAP unless prohibited by target
 - Use unidirectional CHAP
 - Use bidirectional CHAP

 - Specify the outgoing CHAP name.

 - Make sure that the name you specify matches the name configured on the storage side.
 - To set the CHAP name to the iSCSI adapter name, select \"Use initiator name\".
 - To set the CHAP name to anything other than the iSCSI initiator name, deselect \"Use initiator name\" and type a name in the Name text box.

<xhtml:ol start=\"8\"> - Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.
 - If configuring with bidirectional CHAP, specify incoming CHAP credentials.

 - Make sure your outgoing and incoming secrets do not match.

<xhtml:ol start=\"10\"> - If configuring with bidirectional CHAP, specify incoming CHAP credentials.

 - Make sure your outgoing and incoming secrets do not match.

<xhtml:ol start=\"11\"> - Click OK
 - Click the second to last symbol labeled Rescan Adapter

Impact:

While enhancing security, misconfiguration or sharing of CHAP secrets across sessions could potentially lead to connectivity issues or unauthorized access."
  reference   : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1M,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_VM
  description : "7.1 (L1) Virtual machines must enable Secure Boot"
  info        : "Enable Secure Boot on virtual machines to ensure that only authenticated code runs from the firmware up through the operating system, thus providing a fundamental security measure against boot-time malware and unauthorized code execution. Supported by all modern guest operating systems, Secure Boot employs public key cryptography to validate the firmware, boot loader, drivers, and OS kernel at boot time.

By enforcing Secure Boot, organizations can mitigate the risk of boot-time malware and unauthorized code execution, which is crucial for maintaining the integrity and trustworthiness of the system from the first instruction."
  solution    : "The following PowerCLI command may be used:

$VMobj = (Get-VM -Name $VM)
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$bootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$bootOptions.EfiSecureBootEnabled = $true
$ConfigSpec.BootOptions = $bootOptions
$task = $VMobj.ExtensionData.ReconfigVM_Task($ConfigSpec)

Impact:

Activation of Secure Boot post guest OS installation may entail more than merely enabling a setting; consult the respective guest OS documentation for detailed instructions. This may introduce additional steps in the setup process, potentially extending the deployment time."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:bootOptions/audit:efiSecureBootEnabled\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - efiSecureBootEnabled : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:bootOptions/audit:efiSecureBootEnabled\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - efiSecureBootEnabled : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:bootOptions/audit:efiSecureBootEnabled\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - efiSecureBootEnabled : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - efiSecureBootEnabled : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "efiSecureBootEnabled : "
  expect      : "efiSecureBootEnabled : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.2 (L1) Virtual machines must require encryption for vMotion"
  info        : "Requiring encryption for vMotion ensures the secure transfer of data among virtual machines. While the default 'opportunistic' encryption setting generally provides encryption due to prevalent AES-NI support, enforcing 'required' encryption eradicates the possibility of unencrypted transfers. The parameter governing this behavior is VM Configuration with the recommended setting being required.

Enforcing encryption for vMotion is crucial to prevent potential data leakage or unauthorized data access during data transfer processes, thereby bolstering the overall security infrastructure."
  solution    : "The following PowerCLI command may be used:

$VMview = Get-VM -Name $VM | Get-View
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$ConfigSpec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes
$ConfigSpec.MigrateEncryption = \"required\"
$VMview.ReconfigVM_Task($ConfigSpec)

Impact:

There is no functional impact noted."
  reference   : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:migrateEncryption\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - migrateEncryption : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:migrateEncryption\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - migrateEncryption : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:migrateEncryption\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - migrateEncryption : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - migrateEncryption : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "migrateEncryption : "
  expect      : "migrateEncryption : required$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.3 (L1) Virtual machines must require encryption for Fault Tolerance"
  info        : "Requiring encryption for Fault Tolerance in virtual machines is critical for ensuring secure data transmission between primary and secondary VMs, especially in environments where sensitive data is processed. While the default setting 'opportunistic' may result in encryption due to widespread AES-NI support in vSphere-compatible hardware, enforcing the 'required' setting for encryption guarantees that no unencrypted operations occur. The parameter governing this behavior is VM Configuration with a recommended setting of ftEncryptionRequired.

By enforcing encryption for Fault Tolerance, organizations bolster the security posture of their virtual environments against potential data interception or leakage during transmission. This requirement is vital for maintaining data integrity and confidentiality."
  solution    : "The following PowerCLI command may be used:

$VMview = Get-VM -Name $VM | Get-View
$ConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$ConfigSpec.FtEncryptionMode = New-object VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes
$ConfigSpec.FtEncryptionMode = \"ftEncryptionRequired\"
$VMview.ReconfigVM_Task($ConfigSpec)

Impact:

There are no identified negative impacts associated with enforcing encryption for Fault Tolerance, and it's instrumental in enhancing the security of data transmission within virtual environments."
  reference   : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:ftEncryptionMode\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - ftEncryptionMode : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:ftEncryptionMode\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - ftEncryptionMode : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:ftEncryptionMode\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - ftEncryptionMode : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - ftEncryptionMode : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "ftEncryptionMode : "
  expect      : "ftEncryptionMode : ftEncryptionRequired$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.5 (L1) Virtual machines must be configured to lock when the last console connection is closed"
  info        : "Configuring virtual machines to lock upon closing the last console connection enhances security by mitigating the risk of unauthorized access via open console sessions. This configuration is particularly useful in environments where multiple users have access to the console. The parameter governing this behavior is tools.guest.desktop.autolock with the recommended setting being TRUE.

Implementing this control provides an additional layer of security by ensuring that open console sessions do not remain accessible after the last connection is closed, thus reducing the potential for unauthorized access."
  solution    : "The following PowerCLI command may be used:

Get-VM -Name $VM | Remove-AdvancedSetting -Name tools.guest.desktop.autolock

Impact:

No functional impact is associated with this control; it serves as a proactive measure to prevent unauthorized access through open console sessions."
  reference   : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-171|3.1.16,800-171|3.13.15,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53|AC-18,800-53|SC-23,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,800-53r5|AC-18,800-53r5|SC-23,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|1.7,CSCv8|4.3,CSCv8|12.6,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,ITSG-33|AC-18,ITSG-33|SC-23,ITSG-33|SC-23a.,LEVEL|1M,NESA|T4.5.1,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|2.3,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guest.desktop.autolock']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.guest.desktop.autolock : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guest.desktop.autolock']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.guest.desktop.autolock : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guest.desktop.autolock']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.guest.desktop.autolock : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.guest.desktop.autolock : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "tools\.guest\.desktop\.autolock : "
  expect      : "tools\.guest\.desktop\.autolock : (TRUE|NOT configured)$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.6 (L1) Virtual machines must limit console sharing."
  info        : "By default, remote console sessions can be connected to by more than one user at a time. Permit only one remote console connection to a VM at a time. Other attempts will be rejected until the first connection disconnects.

When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM can connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a VM. For example, if a jump box is being used for an open console session, and the admin loses a connection to that box, the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input RemoteDisplay.maxConnections with a value of 1
 - Click OK then OK again.

Alternatively, run the following PowerCLI command for VMs that do not specify the setting:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"RemoteDisplay.maxConnections\" -value 1

Run the following PowerCLI command for VMs that specify the setting but have the wrong value for it:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"RemoteDisplay.maxConnections\" -value 1 -Force"
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|9.2,CSCv7|14.7,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='RemoteDisplay.maxConnections']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - RemoteDisplay.maxConnections : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='RemoteDisplay.maxConnections']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - RemoteDisplay.maxConnections : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='RemoteDisplay.maxConnections']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - RemoteDisplay.maxConnections : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - RemoteDisplay.maxConnections : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "RemoteDisplay\.maxConnections : "
  expect      : "RemoteDisplay\.maxConnections : 1$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.7 (L1) Virtual machines must limit PCI/PCIe device passthrough functionality"
  info        : "DirectPath I/O features provide virtual machines the ability to directly access system hardware, which while advantageous for performance, can impact risk mitigation tools like vMotion, DRS, and High Availability. It also opens up a potential attack vector for privileged hardware access. It is crucial to ensure that only necessary VMs have this privilege and that compensatory measures are taken within the guest OS to enhance security.

Limiting PCI/PCIe device passthrough functionality is essential for minimizing potential attack vectors and ensuring that risk mitigation tools function as intended. Moreover, audit and documentation of the business need for these VMs are critical for maintaining a secure and compliant environment."
  solution    : "The following PowerCLI command can be used:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"pciPassthru*.present\" -value \"\"

Impact:

Passthrough devices, like GPUs, may be adversely affected if disconnected. It's imperative to audit and document the business rationale for VMs requiring this functionality to understand the associated risks and ensure adequate compensatory controls are in place."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:variable name=\"ipaddress\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>"
  xsl_stmt    : "<xsl:variable name=\"vmname\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/>"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"$vmname\"/> (<xsl:value-of select=\"$ipaddress\"/>) - <xsl:value-of select=\"audit:key\"/> : <xsl:value-of select=\"audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "pciPassthru(.+)\.present :"
  not_expect  : "pciPassthru(.+)\.present : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.8 (L1) Virtual machines must prevent unauthorized modification of devices"
  info        : "In a virtual machine, users and processes without root or administrator privileges can connect devices, such as network adapters and CD-ROM drives. This should be prevented.

Disabling unauthorized connection of devices helps prevents unauthorized changes within the guest operating system, which could be used to gain unauthorized access, cause denial of service conditions, and otherwise negatively affect the security of the guest operating system."
  solution    : "To prevent unauthorized device connections, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"isolation.device.connectable.disable\" -value $true"
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.device.connectable.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.device.connectable.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.device.connectable.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.device.connectable.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.device.connectable.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.device.connectable.disable : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.device.connectable.disable : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.device\.connectable\.disable : "
  expect      : "isolation\.device\.connectable\.disable : True$"
</custom_item>

<report type:"WARNING">
  description : "7.9 (L1) Virtual machines must remove unnecessary audio devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "7.10 (L1) Virtual machines must remove unnecessary AHCI devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_VM
  description : "7.11 (L1) Virtual machines must remove unnecessary USB/XHCI devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup."
  solution    : "To disconnect all USB devices from VMs, run the following PowerCLI command:

# Remove all USB Devices attached to VMs
Get-VM | Get-USBDevice | Remove-USBDevice

The VM will need to be powered off for this change to take effect.

Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:variable name=\"ipaddress\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>"
  xsl_stmt    : "<xsl:variable name=\"vmname\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/>"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"$vmname\"/> (<xsl:value-of select=\"$ipaddress\"/>) - <xsl:value-of select=\"audit:key\"/> : <xsl:value-of select=\"audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "usb(.+)\.present :"
  not_expect  : "usb(.+)\.present : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.12 (L1) Virtual machines must remove unnecessary serial port devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup."
  solution    : "To disconnect all serial ports from VMs, run the following PowerCLI command:

# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
# Remove all Serial Ports attached to VMs
Get-VM | Get-SerialPort | Remove-SerialPort

The VM will need to be powered off for this change to take effect.

Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:variable name=\"ipaddress\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>"
  xsl_stmt    : "<xsl:variable name=\"vmname\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/>"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"$vmname\"/> (<xsl:value-of select=\"$ipaddress\"/>) - <xsl:value-of select=\"audit:key\"/> : <xsl:value-of select=\"audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "serial(.+)\.present :"
  not_expect  : "serial(.+)\.present : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.13 (L1) Virtual machines must remove unnecessary parallel port devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup."
  solution    : "To disconnect all parallel ports from VMs, run the following PowerCLI command:

# In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
# Remove all Parallel Ports attached to VMs
Get-VM | Get-ParallelPort | Remove-ParallelPort

The VM will need to be powered off for this change to take effect.

Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:variable name=\"ipaddress\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>"
  xsl_stmt    : "<xsl:variable name=\"vmname\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/>"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"$vmname\"/> (<xsl:value-of select=\"$ipaddress\"/>) - <xsl:value-of select=\"audit:key\"/> : <xsl:value-of select=\"audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "parallel(.+)\.present :"
  not_expect  : "parallel(.+)\.present : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.15 (L1) Virtual machines must remove unnecessary floppy devices"
  info        : "Removing unnecessary devices from virtual machines minimizes the attack surface and reduces potential pathways for data exfiltration or unauthorized data capture. This practice aligns with the principle of least functionality, ensuring that VMs have only the essential components required to perform their designated functions.

Eliminating unnecessary devices reduces attack surface and streamlines the virtual machine configuration, promoting a cleaner, more manageable, and less vulnerable setup."
  solution    : "To disconnect all floppy drives from VMs, run the following PowerCLI command:

# Remove all Floppy drives attached to VMs
Get-VM | Get-FloppyDrive | Remove-FloppyDrive

The VM will need to be powered off for this change to take effect.

Impact:

Careful analysis and understanding of the virtual machine's requirements and dependencies are crucial before implementing this security control to avoid unintended disruptions or degradation of service."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:hardware/audit:device[@xsi:type='VirtualFloppy']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - Virtual Floppy : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:hardware/audit:device[@xsi:type='VirtualFloppy']/audit:deviceInfo/audit:label\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - Virtual Floppy : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:hardware/audit:device[@xsi:type='VirtualFloppy']/audit:deviceInfo/audit:label\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - Virtual Floppy : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - Virtual Floppy : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "Virtual Floppy :"
  expect      : "Virtual Floppy : NOT found$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.16 (L1) Virtual machines must deactivate console drag and drop operations"
  info        : "VM console drag and drop operations should be disabled.

VM console drag and drop operations are disabled by default (not explicitly specified); however, explicitly disabling this feature enables audit controls to check that this setting is correct."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input isolation.tools.dnd.disable with a value of TRUE
 - Click OK then OK again.

To explicitly disable VM console drag and drop operations, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM -Name $VM | Remove-AdvancedSetting -Name isolation.tools.dnd.disable"
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.dnd.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.dnd.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.dnd.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.dnd.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.dnd.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.dnd.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.dnd.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.tools\.dnd\.disable : "
  expect      : "isolation\.tools\.dnd\.disable : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.17 (L1) Virtual machines must deactivate console copy operations"
  info        : "Deactivating console copy operations is critical for preventing data transfer between the virtual machine and the local client, irrespective of the access method, whether via Web Console, VMRC, or others. The parameter governing this behavior is isolation.tools.copy.disable with a recommended setting of TRUE or Undefined.

Deactivating console copy operations minimizes the risk of unauthorized data access or leakage, enforcing a higher level of data security and integrity across the virtual environment."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input isolation.tools.copy.disable with a value of TRUE
 - Click OK then OK again.

To explicitly disable VM console copy operations, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"isolation.tools.copy.disable\" -value $true

Impact:

There is no identified functional impact; however, this restriction enhances data security by minimizing unauthorized data transfer channels."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.copy.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.copy.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.copy.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.copy.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.copy.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.copy.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.copy.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.tools\.copy\.disable : "
  expect      : "isolation\.tools\.copy\.disable : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.18 (L1) Virtual machines must deactivate console paste operations"
  info        : "Disabling console paste operations on virtual machines obstructs data transfer from the local client to the VM, irrespective of the access method - be it Web Console, VMRC, or another console. This security measure aims to curtail potential avenues for unauthorized data transfer into the virtual environment. The parameter governing this behavior is isolation.tools.paste.disable with a recommended setting of TRUE or Undefined.

By disabling console paste operations, organizations add a layer of security that helps in preventing unauthorized data introduction into the VM, which could potentially lead to various security risks."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input isolation.tools.paste.disable with a value of TRUE
 - Click OK then OK again.

To explicitly disable VM console paste operations, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"isolation.tools.paste.disable\" -value $true

Impact:

There is no functional impact identified. The control simply enhances the security posture by reducing possible data transfer channels into the VM."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.paste.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.paste.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.paste.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.paste.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.paste.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.paste.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.paste.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.tools\.paste\.disable : "
  expect      : "isolation\.tools\.paste\.disable : TRUE$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.19 (L1) Virtual machines must limit access through the \"dvfilter\" network API"
  info        : "The dvFilter interface facilitates network traffic filtering and inspection, predominantly via tools like NSX. It's vital to allow only authorized tools to access this interface to uphold network security. Unauthorized access could lead to illicit network traffic inspection or misuse. The parameter governing this behavior is ethernet*.filter*.name with a recommended setting of Not Present.

Limiting access through the \"dvfilter\" network API to authorized tools is essential for preserving network integrity and security. This restriction curtails the risk of unauthorized data inspection and potential network vulnerabilities."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Remove the value from ethernet0.filter1.name = dv-filter

 - Parameters are removed when no value is present

<xhtml:ol start=\"5\"> - Click OK

You may also configure a VM to allow dvfilter access via the following method in the VMX file:

 - Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.

 - If dvfilter access should not be permitted: Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1

<xhtml:ol start=\"2\"> - Set the name of the data path kernel correctly.

Impact:

While enhancing security by restricting access to the dvFilter interface, this control may hinder the functionality of legitimate network tools like NSX, which necessitate access to the \"dvfilter\" network API for proper operation."
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|9.2,CSCv7|12.4,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1M,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:variable name=\"ipaddress\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>"
  xsl_stmt    : "<xsl:variable name=\"vmname\" select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/>"
  xsl_stmt    : "<xsl:for-each select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig\">"
  xsl_stmt    : "<xsl:value-of select=\"$vmname\"/> (<xsl:value-of select=\"$ipaddress\"/>) - <xsl:value-of select=\"audit:key\"/> : <xsl:value-of select=\"audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "ethernet[\d]+\.filter[\d]+\.name"
  not_expect  : "ethernet[\d]+\.filter[\d]+\.name : (.+)$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.20 (L1) Virtual machines must deactivate virtual disk shrinking operations"
  info        : "Disabling virtual disk shrinking on virtual machines prevents potential disk unavailability issues. This operation is usually restricted for non-administrative users within the guest environment. The parameter governing this behavior is isolation.tools.diskShrink.disable with a recommended setting of TRUE or Undefined.

Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes -- that is, users and processes without root or administrator privileges -- within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature. Repeated disk shrinking can make a virtual disk unavailable. This capability is available to nonadministrative users in the guest."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input isolation.tools.diskShrink.disable with a value of TRUE
 - Click OK then OK again.

To implement the recommended configuration state, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"isolation.tools.diskShrink.disable\" -value $true

Impact:

There is no functional impact noted."
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskShrink.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.diskShrink.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskShrink.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.diskShrink.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskShrink.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.diskShrink.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.diskShrink.disable : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.tools\.diskShrink\.disable : "
  not_expect  : "isolation\.tools\.diskShrink\.disable : (FALSE|NOT configured)$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.21 (L1) Virtual machines must deactivate virtual disk wiping operations"
  info        : "Wiping a virtual disk reclaims all unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. If virtual disk wiping is done repeatedly, it can cause the virtual disk to become unavailable while wiping occurs. In most datacenter environments, disk wiping is not needed, but normal users and processes--without administrative privileges--can issue disk wipes unless the feature is disabled.

Deactivating virtual disk wiping operations contributes to maintaining disk availability, which is vital for continuous system operations."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input isolation.tools.diskWiper.disable with a value of TRUE
 - Click OK then OK again.

To disable virtual disk wiping, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"isolation.tools.diskWiper.disable\" -value $true

Impact:

There isn't a functional impact noted"
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|9.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskWiper.disable']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.diskWiper.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskWiper.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.diskWiper.disable : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='isolation.tools.diskWiper.disable']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - isolation.tools.diskWiper.disable : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - isolation.tools.diskWiper.disable : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "isolation\.tools\.diskWiper\.disable : "
  expect      : "isolation\.tools\.diskWiper\.disable : True$"
</custom_item>

<report type:"WARNING">
  description : "7.22 (L1) Virtual machines must restrict sharing of memory pages with other VMs"
  info        : "Configuring virtual machines with the sched.mem.pshare.salt option restricts Transparent Page Sharing (TPS) among different VMs, mitigating the risk of unauthorized data access under certain conditions. By doing so, each VM operates with a distinct memory sharing pool, thereby enhancing isolation and security. The parameter governing this behavior is sched.mem.pshare.salt.

Restricting memory page sharing among VMs minimizes the potential for unauthorized data access, thus aligning with best practices of data isolation and security. This configuration is a proactive measure to mitigate vulnerabilities associated with memory sharing.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

There is no functional impact associated with this security control as it serves to bolster the security posture of the VMs without affecting their operational performance or functionality."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_VM
  description : "7.23 (L1) Virtual machines must not be able to obtain host information from the hypervisor"
  info        : "Configure VMware Tools to disable host information from being sent to guests unless a particular VM requires this information for performance monitoring purposes.

By enabling a VM to get detailed information about the physical host, an adversary could potentially use this information to inform further attacks on the host."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input tools.guestlib.enableHostInfo with a value of FALSE
 - Click OK then OK again.

To prevent host information from being sent to guests, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"tools.guestlib.enableHostInfo\" -value $false"
  reference   : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|13.3,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guestlib.enableHostInfo']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.guestlib.enableHostInfo : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guestlib.enableHostInfo']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.guestlib.enableHostInfo : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.guestlib.enableHostInfo']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.guestlib.enableHostInfo : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.guestlib.enableHostInfo : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "tools\.guestlib\.enableHostInfo : "
  expect      : "tools\.guestlib\.enableHostInfo : FALSE$"
</custom_item>

<report type:"WARNING">
  description : "7.24 (L1) Virtual machines must enable diagnostic logging"
  info        : "Enabling diagnostic logging on virtual machines facilitates forensic analysis and troubleshooting by collecting necessary operational data. The parameter governing this behavior is Enable Logging with a recommended setting of TRUE.

Diagnostic logging is crucial for identifying and analyzing issues that may arise within a virtual machine environment. It supports timely resolution of problems, thus maintaining system integrity and operational efficiency.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

There is no negative functional impact identified for enabling diagnostic logging. This control significantly aids in issue resolution, enhancing overall system reliability and performance."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<custom_item>
  type        : AUDIT_VM
  description : "7.25 (L1) Virtual machines must limit the number of retained diagnostic logs"
  info        : "Limiting the number of retained diagnostic logs in virtual machines helps in managing datastore space effectively without hampering diagnostic capabilities. The parameter governing this behavior is log.keepOld with a recommended setting of 10 or Undefined.

Maintaining a sensible limit on the number of diagnostic logs retained helps in avoiding potential issues related to datastore space exhaustion, while still retaining a useful set of recent logs for troubleshooting purposes."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input log.keepOld with a value of 10
 - Click OK then OK again.

To set the number of log files to be used to 10 run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"log.keepOld\" -value \"10\"

Impact:

There is no negative functional impact."
  reference   : "800-53|AU-4,800-53r5|AU-4,CSCv7|6.4,CSCv8|8.3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-4,LEVEL|1A,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.keepOld']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - log.keepOld : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.keepOld']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - log.keepOld : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.keepOld']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - log.keepOld : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - log.keepOld : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "log\.keepOld : "
  expect      : "log\.keepOld : (10|NOT found)$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.26 (L1) Virtual machines must limit the size of diagnostic logs"
  info        : "Limiting the size of diagnostic logs on virtual machines ensures efficient utilization of datastore space, particularly beneficial for long-running VMs. This control assists in maintaining an optimal balance between diagnostic capabilities and storage resources. The parameter governing this behavior is log.rotateSize.

Setting a limit on the size of diagnostic logs helps in preventing excessive space consumption, thus ensuring that ample storage remains available for other essential operations."
  solution    : "To set this configuration utilize the vSphere interface as follows:

 - Select the VM then select Actions followed by Edit Settings
 - Click on the VM Options tab then expand Advanced
 - Click on EDIT CONFIGURATION
 - Click on ADD CONFIGURATION PARAMS then input log.rotateSize with a value of 1024000
 - Click OK then OK again.

To properly limit the maximum log file size, run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name \"log.rotateSize\" -value \"1024000\"

Impact:

There is no negative functional impact identified by limiting the size of diagnostic logs. This control facilitates proficient management of storage resources, ensuring other vital functions are not compromised due to space exhaustion."
  reference   : "800-53|AU-4,800-53r5|AU-4,CSCv7|6.4,CSCv8|8.3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-4,LEVEL|1A,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.rotateSize']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - log.rotateSize : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.rotateSize']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - log.rotateSize : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='log.rotateSize']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - log.rotateSize : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - log.rotateSize : NOT found<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "log\.rotateSize : "
  expect      : "log\.rotateSize : (?:[1-9]|[1-9][0-9]{1,5}|10[01][0-9]{4}|102[0-3][0-9]{3}|1024000)$"
</custom_item>

<custom_item>
  type        : AUDIT_VM
  description : "7.27 (L1) Virtual machines must limit informational messages from the virtual machine to the VMX file"
  info        : "Limit the number of informational messages from the virtual machine to the VMX file to prevent the file from exceeding its default size of 1MB, thereby avoiding potential denial of service situations due to a full datastore. The parameter governing this behavior is tools.setInfo.sizeLimit with a recommended setting of 1048576 or Undefined.

This control helps in maintaining a clutter-free VMX file, ensuring the datastore operates optimally without being overwhelmed by excessive informational messages, which in turn supports system reliability and performance."
  solution    : "Impact:

No negative functional impact identified."
  reference   : "800-53|AU-4,800-53r5|AU-4,CSCv7|6.4,CSCv8|8.3,CSF|PR.DS-4,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-4,LEVEL|1M,NESA|T3.3.1,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|13.2"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
  xsl_stmt    : "<xsl:template match=\"/\">"
  xsl_stmt    : "<xsl:for-each select=\"//audit:returnval\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.setInfo.sizeLimit']\">"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.setInfo.sizeLimit : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.setInfo.sizeLimit']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.setInfo.sizeLimit : <xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:extraConfig[audit:key='tools.setInfo.sizeLimit']/audit:value\"/><xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:choose>"
  xsl_stmt    : "<xsl:when test=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\">"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:ipAddress\"/>) - tools.setInfo.sizeLimit : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:when>"
  xsl_stmt    : "<xsl:otherwise>"
  xsl_stmt    : "<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineConfigInfo']/audit:name\"/> (<xsl:value-of select=\"audit:propSet/audit:val[@xsi:type='VirtualMachineSummary']/audit:guest/audit:toolsStatus\"/>) - tools.setInfo.sizeLimit : NOT configured<xsl:text>&#10;</xsl:text>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:otherwise>"
  xsl_stmt    : "</xsl:choose>"
  xsl_stmt    : "</xsl:for-each>"
  xsl_stmt    : "</xsl:template>"
  regex       : "tools.setInfo.sizeLimit : "
  expect      : "tools.setInfo.sizeLimit : (1048576|NOT configured)$"
</custom_item>

<report type:"WARNING">
  description : "8.1 (L1) VMware Tools must be a version that has not reached End of General Support status"
  info        : "Ensuring VMware Tools is running a version that has not reached its End of General Support (EOGS) status is imperative for maintaining a secure and supported environment. A version within its support period guarantees regular updates, security patches, and vendor support. It's advisable to have a procedure in place for regular checking and updating of VMware Tools to a supported version.

Running a supported version of VMware Tools ensures that the environment benefits from the latest security patches and updates, thereby reducing the risk of vulnerabilities. It also ensures that the organization can receive necessary support from the vendor when needed.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Using a version of VMware Tools that has reached its EOGS can expose the environment to security risks due to lack of updates and patches. It also may lead to compliance issues and lack of vendor support which could result in operational inefficiencies."
  reference   : "800-53|SA-22,800-53r5|SA-22,CSCv7|2.2,CSCv8|2.2,GDPR|32.1.b,HIPAA|164.306(a)(1),LEVEL|1M"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.2 (L1) VMware Tools must have all software updates installed"
  info        : "Ensuring that all software updates are installed on VMware Tools is crucial for maintaining a healthy and secure virtual environment. These updates provide essential drivers, enable effective management of guest operating systems, and offer features necessary for VM deployment and customization. It's vital to run a supported version compatible with the guest OS, be it Linux or Microsoft Windows, and keep it updated to benefit from the latest enhancements and security patches.

Keeping VMware Tools updated ensures that the virtual machines are running efficiently with the latest drivers and features, which in turn supports operational effectiveness. Additionally, updated software mitigates potential security risks, ensuring a more secure environment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Neglecting to update VMware Tools could result in outdated drivers, lack of new features, and potential security vulnerabilities, which may hinder the performance and security of the virtual environment."
  reference   : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|11.4,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.3 (L1) VMware Tools should configure automatic upgrades as appropriate for the environment"
  info        : "Automatic upgrades of VMware Tools can be managed via vSphere, ensuring VMware Tools versions remain current. This functionality is advisable unless alternative management and update mechanisms are in place. It is recommended to have automatic updates enabled to minimize administrative overhead and maintain up-to-date features and security patches. The parameter governing this behavior is autoupgrade allow-upgrade with a recommended setting of true.

Enabling automatic upgrades via vSphere ensures a streamlined process for keeping VMware Tools updated, reducing the administrative burden. It also ensures that VMs are running the latest versions with necessary security patches and updated features.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disabling automatic upgrades necessitates alternative methods for updating and reconfiguring VMware Tools, which could increase administrative overhead and potentially leave VMs with outdated versions, posing security risks and operational inefficiencies."
  reference   : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.5,CSCv8|7.4,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1M,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.4 (L1) VMware Tools on deployed virtual machines must prevent being recustomized"
  info        : "Preventing re-customization of deployed virtual machines is essential to mitigate the risk of adversarial access through cloning and subsequent customization. Once a VM is deployed, it should be safeguarded against further customization to maintain the integrity of its configurations and data. The parameter governing this behavior is deployPkg enable-customization with a recommended setting of false.

This control mitigates the risk of unauthorized access and potential data exposure that may arise from cloning and re-customizing a VM. By adhering to this control, organizations uphold the integrity and security of deployed virtual machines.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disabling re-customization on deployed VMs may affect disaster recovery processes that necessitate IP address modifications. Such processes, facilitated by VMware Site Recovery Manager or VMware Cloud Disaster Recovery, will require alternative strategies for IP address management in recovery scenarios."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.5 (L1) VMware Tools must limit the automatic addition of features"
  info        : "Limit the automatic addition of features during VMware Tools upgrade processes to maintain the desired security profile of the guest operating system from vSphere. This control can be managed by setting the configuration parameter to a specified value. The parameter governing this behavior is autoupgrade allow-add-feature with a recommended setting of false.

Restricting the automatic addition of features through VMware Tools upgrade processes helps in preserving the security configurations and minimizes the potential introduction of vulnerabilities.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

With this control enforced, administrators will need to employ alternative methods to update and reconfigure VMware Tools as required, which might necessitate additional administrative effort and oversight."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.6 (L1) VMware Tools must limit the automatic removal of features"
  info        : "Limiting the automatic removal of features by VMware Tools during upgrade processes is crucial to maintain the intended security profile of the guest OS from vSphere. The automatic upgrade could potentially remove essential features, impacting the security posture inadvertently. The parameter governing this behavior is autoupgrade allow-remove-feature with a recommended setting of false.

Restricting automatic removal of features ensures that the security configurations and other essential features remain intact during upgrades, thus maintaining a consistent security posture.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

With this control, administrators would need to employ alternative methods for updating and reconfiguring VMware Tools, which might necessitate additional administrative effort."
  reference   : "800-171|3.4.6,800-171|3.4.7,800-171|3.7.5,800-53|CM-7,800-53|MA-4,800-53r5|CM-7,800-53r5|MA-4,CSCv7|5.1,CSCv8|4.6,CSF|PR.IP-1,CSF|PR.MA-2,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-7,ITSG-33|MA-4,LEVEL|1M,NESA|T2.3.4,NESA|T5.4.4,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3,TBA-FIISB|45.2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.7 (L1) VMware Tools must deactivate GlobalConf unless required"
  info        : "The GlobalConf feature within VMware Tools facilitates the delivery of tools.conf configurations to virtual machines, simplifying configuration management. However, if not necessary, it's advisable to deactivate this feature to reduce potential security risks. The parameter governing this behavior is globalconf enabled with a recommended setting of false.

Deactivating GlobalConf minimizes the attack surface by reducing the number of channels through which configurations can be pushed to virtual machines, hence enhancing security.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

With GlobalConf deactivated, administrators would need to employ alternative methods for updating and reconfiguring VMware Tools, which might require additional steps or tools."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.8 (L1) VMware Tools must deactivate ContainerInfo unless required"
  info        : "Deactivating the ContainerInfo plugin within VMware Tools is advised unless its functionality is required. This plugin collects data on running containers within a Linux guest operating system. The parameter governing this behavior is containerinfo poll-interval with a recommended setting of 0.

Restricting unnecessary data collection is a prudent practice to minimize potential security risks, and to comply with least privilege principles.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disabling ContainerInfo could affect certain products and services within the VMware ecosystem that rely on this functionality, necessitating other configurations or methods to obtain the required container information."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.9 (L1) VMware Tools must deactivate Appinfo information gathering unless required"
  info        : "Deactivating the Appinfo module, unless necessary, through VMware Tools is a prudent measure to minimize the attack surface. This module is designed for application discovery, but if not in use, it should be disabled. The parameter governing this behavior is appinfo disabled with a recommended setting of true.

By deactivating the Appinfo module when not in use, potential vectors for unauthorized access or data leakage can be reduced.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disabling Appinfo may affect products and services within the VMware ecosystem that depend on this functionality, necessitating alternative configurations or solutions to retain those capabilities."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.10 (L1) VMware Tools must deactivate Guest Store Upgrade operations unless required"
  info        : "The GuestStore feature facilitates the distribution of specific content to multiple guests. If not required, it is advisable to disable this plugin to minimize potential attack vectors. The parameter governing this behavior is gueststoreupgrade policy with a recommended setting of off.

Minimizing the attack surface by disabling unnecessary features is a prudent security measure. This control aids in reducing potential exposure points in the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Deactivating Guest Store Upgrade operations may affect certain products and services within the VMware ecosystem that rely on this functionality, necessitating alternative configurations or methods to maintain required operational capabilities."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.11 (L1) VMware Tools must deactivate Service Discovery unless required"
  info        : "The VMware Tools Service Discovery plugin is designed to connect to Aria Operations, furnishing it with additional data concerning guests and workloads. Disabling this plugin, when not in use, is a prudent step to diminish the attack surface. The parameter governing this behavior is servicediscovery disabled with a recommended setting of true.

Reducing the attack surface by disabling non-essential features is a fundamental security best practice. This control assists in minimizing potential exposure points, especially when the Service Discovery feature is not in use.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Disabling Service Discovery may affect certain products and services within the VMware ecosystem dependent on this functionality, necessitating alternative configurations or methods to retain required operational capabilities."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.12 (L1) VMware Tools must limit the use of MSI transforms when reconfiguring VMware Tools"
  info        : "Limiting the use of MSI transforms during VMware Tools reconfiguration is crucial to prevent unintended alterations to the installation database on Microsoft Windows guest operating systems from vSphere. This control is managed through a specific configuration parameter. The parameter governing this behavior is autoupgrade allow-msi-transforms with a recommended setting of false.

By restricting the use of MSI transforms, organizations can maintain a consistent security profile of the guest OS and minimize risks associated with unintended configuration changes during VMware Tools reconfiguration.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Implementing this control will necessitate administrators to leverage alternative methods for updating and reconfiguring VMware Tools as required, which may demand additional administrative effort and oversight."
  reference   : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.1,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.13 (L1) VMware Tools must enable VMware Tools logging"
  info        : "Enable logging within VMware Tools to ensure the collection of pertinent information, facilitating diagnostic or forensic activities. Logging within VMware Tools is highly customizable, allowing for tailored logging setups. The parameter governing this behavior is logging log with a recommended setting of true.

Logging is crucial for diagnosing issues and understanding system interactions. It provides a clear trail of events, aiding in the identification and rectification of potential problems.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

There is no known negative functional impact from enabling VMware Tools logging. This control solely promotes the capture of essential data for diagnostics and analysis."
  reference   : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

<report type:"WARNING">
  description : "8.14 (L1) VMware Tools must send VMware Tools logs to the system log service"
  info        : "Adjusting the logging destination in VMware Tools from the default file on disk to system log services streamlines log management. It redirects logs to syslog on Linux guests and the Windows Event Service on Microsoft Windows guests for centralized monitoring, management, and archiving. The parameter governing this behavior is logging vmsvc.handler with a recommended setting of syslog.

Centralizing log management through system log services enhances monitoring and archival processes. It also fosters a more structured approach to analyzing log data which is crucial for troubleshooting and compliance purposes.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
  solution    : "Impact:

Processes dependent on log files in the default location may require modifications to function correctly with the new logging setup, necessitating updates to ensure proper operation and log data retrieval."
  reference   : "800-171|3.3.1,800-171|3.3.5,800-53|AU-6(3),800-53r5|AU-6(3),CN-L3|7.1.3.3(d),CSCv7|6.5,CSCv8|8.9,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.DP-4,CSF|PR.PT-1,CSF|RS.AN-1,CSF|RS.CO-2,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-6(3),LEVEL|1M,NESA|M5.2.5,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
  see_also    : "https://workbench.cisecurity.org/benchmarks/15784"
</report>

</check_type>