#
# (C) 2015 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.2 $
# $Date: Tue Jun 9 10:13:38 2015 -0400 $
#
# Description : This .audit is designed to query VMware 5.5
# as defined by CIS in the CIS VMware ESXi v1.2.0 benchmark
# https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf

type        : AUDIT_VCENTER
description : "2.5 Ensure proper SNMP configuration - 'community name private does not exist'"
info        : "Verify that SNMP (Simple Network Management Protocol) is configured and that all the settings are correct. If SNMP is not being used, it should be disabled.
Note: ESXi supports SNMPv3, which provides stronger security than SNMPv1 or SNMPv2, including key authentication and encryption.
*Rationale*
If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination should be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host."
solution    : "To implement the recommended configuration state, run the following PowerCLI command:
# Update the host SNMP configuration (single host connection required)
Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -ReadOnlyCommunity ''
Notes:
- SNMP must be configured on each ESXi host
- SNMP settings can be configured using Host Profiles"
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1NS"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "snmp\.receiver\.[0-9]+\.community : "
not_expect  : "snmp\.receiver\.[0-9]+\.community : [Pp][Rr][Ii][Vv][Aa][Tt][Ee]"

type        : AUDIT_ESX
description : "2.6 Prevent unintended use of dvfilter network APIs"
info        : "Confirm that the dvfilter API is not configured if it is not in use. If you are using virtual security appliances that leverage this API, then configuration may be necessary.
*Rationale*
If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API, then verify that the host has been configured correctly."
solution    : "Perform the following from the vSphere web client:
1. Select the host and click 'Manage' -> 'Settings' -> 'System' -> 'Advanced System Settings'.
2. Enter Net.DVFilterBindIpAddress in the filter.
3. Verify Net.DVFilterBindIpAddress has an empty value.
4. If an appliance is being used, then make sure the value of this parameter is set to the proper IP address.
5. Make sure the attribute is highlighted, then click the pencil icon.
6. Enter the proper IP address.
7. Click 'OK'.
To implement the recommended configuration state, run the following PowerCLI command:
# Set Net.DVFilterBindIpAddress to null on all hosts
Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value '' }
Impact: This will prevent a dvfilter-based network security appliance such as a firewall from functioning if not configured correctly.
Default Value: The prescribed state is the default state."
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1S"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - Net.DVFilterBindIpAddress : NOT configured"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "Net\.DVFilterBindIpAddress : "
expect      : "Net\.DVFilterBindIpAddress : NOT configured"

type        : AUDIT_ESX
description : "4.4 Verify Active Directory group membership for the 'ESX Admins' group"
info        : "The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this attribute is set to 'ESX Admins'. All members of the 'ESX Admins' group are granted full administrative access to all ESXi hosts in the domain. Monitor AD for the creation of this group and limit membership to highly trusted users and groups.
*Rationale*
An unauthorized user having membership in the group set by the esxAdminsGroup attribute will have full administrative access to all ESXi hosts. Given this, such users may compromise the confidentiality, availability, and integrity of all ESXi hosts and the respective data and processes they influence."
solution    : "1. Verify the setting of the esxAdminsGroup attribute ('ESX Admins' by default).
2. Check the list of members for that Microsoft Active Directory group.
3. Remove any unauthorized users from that group.
Impact: Coordination between vSphere admins and Active Directory admins is needed.
Default Value: The AD group used by vSphere is defined by the esxAdminsGroup attribute. By default, this attribute is set to 'ESX Admins'."
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1NS,NIST_800-125a|HY-SR-13,NIST_800-125a|HY-SR-14,NIST_800-125a|HY-SR-15"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - Config.HostAgent.plugins.hostsvc.esxAdminsGroup : NOT configured"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "Config\.HostAgent\.plugins\.hostsvc\.esxAdminsGroup : "
not_expect  : "ESX Admins$"

type        : AUDIT_ESX
description : "5.2 Disable ESXi Shell unless needed for diagnostics or troubleshooting"
info        : "The ESXi Shell should only be enabled when running diagnostics or troubleshooting. Otherwise, it should be disabled on each host.
*Rationale*
The ESXi Shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. Access to this mode requires the root password of the server. The ESXi Shell can be turned on and off for individual hosts. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi Shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI. You can use the vSphere Web Client to enable local and remote (SSH) access to the ESXi Shell and to set the idle timeout and availability timeout."
solution    : "Perform the following:
1. From the vSphere web client select the host.
2. Select 'Manage' -> 'Settings' -> 'System' -> 'Security Profile'.
3. Scroll down to 'Services'.
4. Click 'Edit...'.
5. Select 'ESXi Shell'.
6. Click 'Stop'.
7. Change the Startup Policy to 'Start and Stop Manually'.
8. Click 'OK'.
Additionally, the following PowerCLI command will implement the recommended configuration state:
# Set ESXi Shell to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq 'TSM' } | Set-VMHostService -Policy Off
Default Value: The prescribed state is the default state."
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1S,NIST_800-125a|HY-SR-16"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : running = "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - ESXi Shell : running = NOT configured"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "ESXi Shell : running ="
expect      : "ESXi Shell : running = FALSE$"

type        : AUDIT_ESX
description : "5.3 Disable SSH"
info        : "Disable Secure Shell (SSH) for each ESXi host to prevent remote access to the ESXi Shell. Only enable it if needed for troubleshooting or diagnostics.
*Rationale*
The ESXi Shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and the published APIs. Under normal circumstances remote access to the host using SSH should be disabled."
solution    : "Perform the following:
1. From the vSphere web client select the host.
2. Select 'Manage' -> 'Settings' -> 'System' -> 'Security Profile'.
3. Scroll down to 'Services'.
4. Click 'Edit...'.
5. Select 'SSH'.
6. Click 'Stop'.
7. Change the Startup Policy to 'Start and Stop Manually'.
8. Click 'OK'.
Additionally, the following PowerCLI command will implement the recommended configuration state:
# Set SSH to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq 'TSM-SSH' } | Set-VMHostService -Policy Off
Default Value: The prescribed state is the default state."
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1S,NIST_800-125a|HY-SR-16,NIST_800-125a|HY-SR-17"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : running = "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - SSH : running = NOT found"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "SSH : running = "
expect      : "SSH : running = FALSE$"

type        : AUDIT_ESX
description : "5.7 Set a timeout to automatically terminate idle ESXi Shell and SSH sessions"
info        : "Set a timeout to automatically terminate any idle ESXi Shell and SSH sessions.
*Rationale*
If a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions."
solution    : "From the vSphere web client:
1. Select the host.
2. Click 'Manage' -> 'Settings' -> 'System' -> 'Advanced System Settings'.
3. Type ESXiShellInteractiveTimeOut in the filter.
4. Click on the attribute to highlight it.
5. Click the pencil icon to edit.
6. Set the attribute to the desired value (1800 or less).
7. Click 'OK'.
Note: A value of 0 disables the ESXiShellInteractiveTimeOut.
Additionally, the following PowerCLI command will implement the recommended configuration state:
# Set UserVars.ESXiShellInteractiveTimeOut to 1800 on all hosts
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellInteractiveTimeOut -Value 1800 }
Default Value: The prescribed state is not the default state."
see_also    : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference   : "Level|1S,NIST_800-125a|HY-SR-16"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - : "
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : " - UserVars.ESXiShellInteractiveTimeOut : NOT configured"
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
xsl_stmt    : ""
regex       : "UserVars\.ESXiShellInteractiveTimeOut : "
expect      : "UserVars\.ESXiShellInteractiveTimeOut : (([1-9]$)|([1-9][0-9]$)|([1-9][0-9][0-9]$)|([1][0-7][0-9][0-9]$)|(1800$))"

type        : AUDIT_ESX
description : "5.8 Set a timeout for Shell Services"
info        : "In order to limit how long the services are allowed to run, set a timeout to automatically stop the ESXi Shell and SSH services.
*Rationale*
When the ESXi Shell or SSH services are enabled on a host, they will run indefinitely. To avoid having these services left running, set the ESXiShellTimeOut. The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated."
solution    : "From the vSphere web client:
1. Select the host and click 'Manage' -> 'Settings' -> 'System' -> 'Advanced System Settings'.
2. Type ESXiShellTimeOut in the filter.
3. Click on the attribute to highlight it.
4. Click the pencil icon to edit.
5. Set the attribute to 1800 seconds or less.
6. Click 'OK'.
Note: A value of 0 disables the ESXiShellTimeOut. It is recommended to set the ESXiShellInteractiveTimeOut together with the ESXiShellTimeOut.
To implement the recommended configuration state, run the following PowerCLI command:
# Set UserVars.ESXiShellTimeOut to 1800 on all hosts
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 1800 }
Default Value: The prescribed state is not the default state."
see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S,NIST_800-125a|HY-SR-16" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - UserVars.ESXiShellTimeout : NOT configured" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "UserVars\.ESXiShellTimeout : " expect : "UserVars\.ESXiShellTimeout :(([1-9]$)|([1-9][0-9]$)|([1-9][0-9][0-9]$)|([1][0-7][0-9][0-9]$)|(1800$))" type : AUDIT_ESX description :"6.1 Enable bidirectional CHAP authentication for iSCSI traffic." info :"By enabling bidirectional CHAP, also known as Mutual CHAP, an additional level of security enables the initiator to authenticate the target. *Rationale* vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. By not authenticating both the iSCSI target and host, there is a potential for a MiTM attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication can mitigate this risk. If the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploitation." solution :"Perform the following- 1. From the vSphere Web Client, navigate to 'Hosts'. 2. Click on a host. 3. Click on 'Manage' -> 'Storage' -> 'Storage Adapters'. 4. Select the iSCSI adapter to configure OR click the green plus symbol to create a new adapter. 5. Under Adapter Details, click the Properties tab and click 'Edit' in the Authentication panel. 6. Specify authentication method- 'Use bidirectional CHAP'. 7. Specify the outgoing CHAP name. o Make sure that the name you specify matches the name configured on the storage side. . To set the CHAP name to the iSCSI adapter name, select Use initiator name. . 
To set the CHAP name to anything other than the iSCSI initiator name, deselect Use initiator name and type a name in the Name text box.8. Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret. 9. Specify incoming CHAP credentials. Make sure your outgoing and incoming secrets do not match. 10. Click OK. 11. Click the second to last symbol to rescan the iSCSI adapter.To implement the recommended configuration state, run the following PowerCLI command-# Set the Chap settings for the Iscsi Adapter Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba # Use desired parameters here Default Value-The prescribed state is not the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - chapAuthEnabled : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - chapAuthEnabled : No iSCSI devices found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "chapAuthEnabled : " not_expect : "chapAuthEnabled : FALSE$" type : AUDIT_ESX description :"7.1 Ensure that the vSwitch Forged Transmits policy is set to reject" info :"Set the vSwitch Forged Transmits policy is set to reject for each vSwitch. *Rationale* If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmissions should be set to accept by default. This means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject. 
Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level." solution :"1. In the vSphere Web Client, navigate to the host. 2. 'Hosts and Clusters' -> 'vCenter' -> host. 3. On the Manage tab, click Networking, and select Virtual switches. 4. Select a standard switch from the list and click the pencil icon to edit settings. 5. Select Security. 6. Set Forged transmits to 'Reject'. 7. Click 'OK'.Additionally, the following ESXi shell command may be used-# esxcli network vswitch standard policy security set -v vSwitch2 -f false Impact-This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - forgedTransmits = " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - forgedTransmits = NOT configured" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "forgedTransmits =" expect : "forgedTransmits = FALSE$" type : AUDIT_ESX description :"7.2 Ensure that the vSwitch MAC Address Change policy is set to reject" info :"Ensure that the MAC Address Change policy within the vSwitch is set to reject. *Rationale* If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. 
This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to. Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level." solution :"1. In the vSphere Web Client, navigate to the host. 2. 'Hosts and Clusters' -> 'vCenter' -> host. 3. On the Manage tab, click Networking, and select Virtual switches. 4. Select a standard switch from the list and click the pencil icon to edit settings. 5. Select Security. 6. Set MAC Address Changes to 'Reject'. 7. Click 'OK'.Additionally, perform the following to implement the recommended configuration state using the ESXi shell-# esxcli network vswitch standard policy security set -v vSwitch2 -m false Impact-This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to." 
see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - macChanges = " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - macChanges = NOT configured" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "macChanges =" expect : "macChanges = FALSE$" type : AUDIT_ESX description :"7.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject" info :"Ensure that the Promiscuous Mode Policy within the vSwitch is set to reject. *Rationale* When promiscuous mode is enabled for a virtual switch all virtual machines connected to the dvPortgroup have the potential of reading all packets crossing that network. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup. Promiscous mode can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level." solution :"1. In the vSphere Web Client, navigate to the host. 2. 'Hosts and Clusters' -> 'vCenter' -> host. 3. On the Manage tab, click Networking, and select Virtual switches. 4. Select a standard switch from the list and click the pencil icon to edit settings. 5. Select Security. 6. Set Promiscuous Mode to 'Reject'. 7. 
Click 'OK'.Additionally, perform the following to implement the recommended configuration state via the ESXi shell-# esxcli network vswitch standard policy security set -v vSwitch2 -p false Impact-Security devices that require the ability to see all packets on a vSwitch will not operate properly if the Promiscuous Mode parameter is set to Reject. Default Value-The prescribed state is the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - allowPromiscuous = " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " - allowPromiscuous = NOT configured" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "allowPromiscuous =" expect : "allowPromiscuous = FALSE$" type : AUDIT_VM description :"8.1.1 Limit informational messages from the VM to the VMX file" info :"Limit informational messages from the virtual machine to the VMX file to avoid filling the datastore and causing a Denial of Service (DoS). *Rationale* The configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this value if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1MB; this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is filled." solution :"To implement the recommended configuration state, run the following PowerCLI command-# Add the setting to all VMs Get-VM | New-AdvancedSetting -Name 'tools.setInfo.sizeLimit' -value 1048576 Default Value-The prescribed state is the default state." 
see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - tools.setInfo.sizeLimit : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - tools.setInfo.sizeLimit : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - tools.setInfo.sizeLimit : NOT configured " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - tools.setInfo.sizeLimit : NOT configured " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "tools\.setInfo\.sizeLimit : " expect : "tools\.setInfo\.sizeLimit : 1048576$" type : AUDIT_VM description :"8.2.6 Prevent unauthorized removal and modification of devices." info :"Prevent unauthorized removal and modification of devices. *Rationale* In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: 1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive 2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service 3. 
Modify settings on a device" solution :"To implement the recommended configuration state, run the following PowerCLI command-# Add the setting to all VMs Get-VM | New-AdvancedSetting -Name 'isolation.device.edit.disable' -value $true Impact-Device interaction is blocked inside the guest OS using VMware tools. Default Value-The prescribed state is not the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.edit.disable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.edit.disable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.edit.disable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.edit.disable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "isolation\.device\.edit\.disable : " expect : "isolation\.device\.edit\.disable : TRUE$" type : AUDIT_VM description :"8.2.7 Prevent unauthorized connection of devices." info :"Prevent unauthorized connection of devices. *Rationale* In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. 
By default, a rogue user with non-administrator privileges in a virtual machine can - Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service Modify settings on a device" solution :"To implement the recommended configuration state, run the following PowerCLI command-# Add the setting to all VMs Get-VM | New-AdvancedSetting -Name 'isolation.device.connectable.disable' -value $true Impact-Device interaction is blocked inside the guest OS using VMware tools Default Value-The prescribed state is not the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference :"Level|1S" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.connectable.disable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.connectable.disable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.connectable.disable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - isolation.device.connectable.disable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "isolation\.device\.connectable\.disable : " expect : "isolation\.device\.connectable\.disable : True$" type : AUDIT_VM description :"8.4.1 Control access to VMs through the dvfilter network APIs" info :"Configure VMs protected by dvfilter network APIs correctly. *Rationale* A VM must be configured explicitly to accept access by the dvfilter network API. Only configure VMs that will be specifically accessed by the API. An attacker might compromise a VM by making use the dvFilter API." 
solution :"If a VM is supposed to be protected: Configure the following in its VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM. Ensure that the name of the data path kernel is set correctly.If a VM is not supposed to be protected: Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM. Impact-Incorrectly configuring this option can negatively impact functionality of tools that use vmsafe API. It can also prevent VMs from connecting to the network. Default Value-The prescribed state is the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1NS" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - ethernetn.filtern.name : NOT configured " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - ethernetn.filtern.name : NOT configured " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "ethernet[0-9]+\\.filter[0-9]+\\.name :" expect : "ethernet[0-9]+\\.filter[0-9]+\\.name : NOT configured" type : AUDIT_VM description :"8.4.4 Control VMsafe Agent Configuration" info :"Configure the vmsafe.enable option in the virtual machine configuration file correctly. It should either be non-existent or set to FALSE. 
*Rationale* The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. However, an attacker might compromise the VM by making use of this introspection channel; therefore you should monitor for unauthorized usage of this API. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API.This involves three parameters to perform the following- 1. Enable the API 2. Set the IP address used by the security virtual appliance on the introspection vSwitch 3. Set the port number for that IP address.If the VM is being protected by such a product, then make sure the latter two parameters are set correctly. This should be done only for specific VMs for which you want this protection." solution :"If the VM is not being protected by a VMsafe CPU/memory product, then check virtual machine configuration file and set vmsafe.enable to FALSE. Impact-Incorrectly configuring this option can negatively impact functionality of tools that use vmsafe API. Default Value-The prescribed state is the default state." see_also :"https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf" reference : "Level|1NS,NIST_800-125a|HY-SR-1" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - vmsafe.enable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - vmsafe.enable : " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - vmsafe.enable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : " () - vmsafe.enable : NOT found " xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" xsl_stmt : "" regex : "vmsafe\.enable : " expect : "vmsafe\.enable : FALSE$" type : AUDIT_VM description :"8.4.24 Disable VM Console Copy operations" info :"Disable VM console copy and paste operations. 
*Rationale* Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.copy.disable' -value $true
Impact-This is the default setting, so functionality remains the same. If you require copy and paste operations, you must enable them using the vSphere Client.
Default Value-The prescribed state is the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.copy.disable : "
xsl_stmt : " () - isolation.tools.copy.disable : "
xsl_stmt : " () - isolation.tools.copy.disable : NOT configured "
xsl_stmt : " () - isolation.tools.copy.disable : NOT configured "
regex : "isolation\.tools\.copy\.disable : "
expect : "isolation\.tools\.copy\.disable : TRUE$"

type : AUDIT_VM
description : "8.4.25 Disable VM Console Drag and Drop operations"
info : "Disable VM Console Drag and Drop operations.
*Rationale* Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.dnd.disable' -value $true
Impact-This is the default setting, so functionality remains the same.
Default Value-The prescribed state is the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.dnd.disable : "
xsl_stmt : " () - isolation.tools.dnd.disable : "
xsl_stmt : " () - isolation.tools.dnd.disable : NOT configured "
xsl_stmt : " () - isolation.tools.dnd.disable : NOT configured "
regex : "isolation\.tools\.dnd\.disable : "
expect : "isolation\.tools\.dnd\.disable : TRUE$"

type : AUDIT_VM
description : "8.4.26 Disable VM Console GUI Options"
info : "Disable VM Console Copy and Paste GUI Options.
*Rationale* Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.setGUIOptions.enable' -value $false
Impact-This is the default setting, so functionality remains the same.
Default Value-The prescribed state is the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.setGUIOptions.enable : "
xsl_stmt : " () - isolation.tools.setGUIOptions.enable : "
xsl_stmt : " () - isolation.tools.setGUIOptions.enable : NOT configured "
xsl_stmt : " () - isolation.tools.setGUIOptions.enable : NOT configured "
regex : "isolation\.tools\.setGUIOptions\.enable : "
expect : "isolation\.tools\.setGUIOptions\.enable : FALSE$"

type : AUDIT_VM
description : "8.4.27 Disable VM Console Paste operations"
info : "Disable VM Console Paste operations.
*Rationale* Copy and paste operations are disabled by default; however, explicitly disabling this feature enables audit controls to check that this setting is correct."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.paste.disable' -value $true
Impact-This is the default setting, so functionality remains the same. If you require copy and paste operations, you must enable them using the vSphere Web Client.
Default Value-The prescribed state is the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.paste.disable : "
xsl_stmt : " () - isolation.tools.paste.disable : "
xsl_stmt : " () - isolation.tools.paste.disable : NOT configured "
xsl_stmt : " () - isolation.tools.paste.disable : NOT configured "
regex : "isolation\.tools\.paste\.disable : "
expect : "isolation\.tools\.paste\.disable : TRUE$"

type : AUDIT_VM
description : "8.4.28 Control access to VM console via VNC protocol"
info : "Minimize access to the virtual machine via the VNC protocol.
*Rationale* The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the VNC protocol. Setting up this access also involves setting up firewall rules on each ESXi server the virtual machine will run on."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'RemoteDisplay.vnc.enabled' -value $false
Impact-Configuring VM settings and opening up the firewall means multiple steps must be configured and monitored."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - RemoteDisplay.vnc.enabled : "
xsl_stmt : " () - RemoteDisplay.vnc.enabled : "
xsl_stmt : " () - RemoteDisplay.vnc.enabled : NOT configured "
xsl_stmt : " () - RemoteDisplay.vnc.enabled : NOT configured "
regex : "RemoteDisplay\.vnc\.enabled : "
expect : "RemoteDisplay\.vnc\.enabled : FALSE$"

type : AUDIT_VM
description : "8.6.2 Disable virtual disk shrinking"
info : "If virtual disk shrinking is done repeatedly, it will cause the virtual disk to become unavailable, resulting in a denial of service. You can prevent virtual disk shrinking by disabling it.
*Rationale* Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while the shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature. Repeated disk shrinking can make a virtual disk unavailable. This capability is available to nonadministrative users in the guest."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.diskShrink.disable' -value $true
Impact-Inability to shrink virtual machine disks in the event that a datastore runs out of space.
Default Value-The prescribed state is not the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.diskShrink.disable : "
xsl_stmt : " () - isolation.tools.diskShrink.disable : "
xsl_stmt : " () - isolation.tools.diskShrink.disable : NOT configured "
xsl_stmt : " () - isolation.tools.diskShrink.disable : NOT configured "
regex : "isolation\.tools\.diskShrink\.disable : "
expect : "isolation\.tools\.diskShrink\.disable : TRUE$"

type : AUDIT_VM
description : "8.6.3 Disable virtual disk wiping"
info : "If virtual disk wiping is done repeatedly, it will cause the virtual disk to become unavailable, resulting in a denial of service. You can prevent virtual disk wiping by disabling it.
*Rationale* Wiping a virtual disk reclaims ALL unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while the wiping is being performed, effectively causing a denial of service.
In most datacenter environments, disk wiping is not done, so you should disable this feature. Repeated disk wiping can make a virtual disk unavailable. This capability is available to nonadministrative users in the guest."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'isolation.tools.diskWiper.disable' -value $true
Impact-When you disable this feature, you cannot wipe virtual machine disks when a datastore runs out of space.
Default Value-The prescribed state is not the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S"
xsl_stmt : " () - isolation.tools.diskWiper.disable : "
xsl_stmt : " () - isolation.tools.diskWiper.disable : "
xsl_stmt : " () - isolation.tools.diskWiper.disable : NOT found "
xsl_stmt : " () - isolation.tools.diskWiper.disable : NOT found "
regex : "isolation\.tools\.diskWiper\.disable : "
expect : "isolation\.tools\.diskWiper\.disable : True$"

type : AUDIT_VM
description : "8.7.2 Limit number of VM log files"
info : "Configure VM settings to prevent uncontrolled logging.
*Rationale* You can use log settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB.
Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log file is ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'log.keepOld' -value '10'
Impact-A more extreme strategy is to disable logging altogether for the virtual machine. Disabling logging makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient.
Default Value-The prescribed state is not the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S,NIST_800-125a|HY-SR-20"
xsl_stmt : " () - log.keepOld : "
xsl_stmt : " () - log.keepOld : "
xsl_stmt : " () - log.keepOld : NOT found "
xsl_stmt : " () - log.keepOld : NOT found "
regex : "log\.keepOld : "
expect : "log\.keepOld : 10$"

type : AUDIT_VM
description : "8.7.4 Limit VM log file size"
info : "Configure VM settings to prevent uncontrolled logging. Virtual machines write troubleshooting information into a virtual machine log file stored on the VMFS volume. Virtual machine users and processes can abuse logging either on purpose or inadvertently so that large amounts of data flood the log file. Over time, the log file can consume enough file system space to cause a denial of service.
*Rationale* You can use log settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000KB (1,024,000 bytes). Datastores are likely to be formatted with a block size of 2MB or 4MB, so a size limit too far below this size would result in unnecessary storage utilization. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted.
A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4KB, so no log file is ever more than 4KB larger than the configured limit. A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult. You should not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastores being filled."
solution : "To implement the recommended configuration state, run the following PowerCLI command-
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name 'log.rotateSize' -value '1024000'
Impact-A more extreme strategy is to disable logging altogether for the virtual machine. Disabling logging makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient.
Default Value-The prescribed state is not the default state."
see_also : "https://benchmarks.cisecurity.org/tools2/vm/CIS_VMware_ESXi_5.5_Benchmark_v1.2.0.pdf"
reference : "Level|1S,NIST_800-125a|HY-SR-20"
xsl_stmt : " () - log.rotateSize : "
xsl_stmt : " () - log.rotateSize : "
xsl_stmt : " () - log.rotateSize : NOT found "
xsl_stmt : " () - log.rotateSize : NOT found "
regex : "log\.rotateSize : "
expect : "log\.rotateSize : 1024000$"
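The per-setting VM items above (8.4.4 vmsafe.enable through 8.7.4 log.rotateSize) applied in Python to a constructed set of VM advanced settings, as an added example that is not Tenable's audit engine and not CIS or VMware code. It assumes the engine's pass rule is that every line selected by regex must also match expect, matched case-sensitively as Python's re does; the three sample VMs and their settings are constructed.

```python
"""Apply this audit's per-setting VM items (8.4.4 vmsafe.enable through 8.7.4
log.rotateSize) to VM advanced settings. Added example, not Tenable/CIS/VMware code."""
import re

# Constructed sample: advanced settings of three VMs; a missing key means the
# setting was never applied to that VM.
SAMPLE_VMS = {
    "web01": {
        "isolation.tools.copy.disable": "TRUE", "isolation.tools.dnd.disable": "TRUE",
        "isolation.tools.paste.disable": "TRUE", "isolation.tools.setGUIOptions.enable": "FALSE",
        "RemoteDisplay.vnc.enabled": "FALSE", "isolation.tools.diskShrink.disable": "TRUE",
        "isolation.tools.diskWiper.disable": "TRUE", "log.keepOld": "10", "log.rotateSize": "1024000",
    },
    "db01": {"isolation.tools.copy.disable": "TRUE", "RemoteDisplay.vnc.enabled": "TRUE"},
    "legacy01": {"vmsafe.enable": "TRUE", "isolation.tools.diskWiper.disable": "True"},
}

# (item, setting, placeholder emitted when the setting is absent, regex, expect),
# transcribed from the audit items above.
CHECKS = [
    ("8.4.4", "vmsafe.enable", "NOT found", r"vmsafe\.enable : ", r"vmsafe\.enable : FALSE$"),
    ("8.4.24", "isolation.tools.copy.disable", "NOT configured",
     r"isolation\.tools\.copy\.disable : ", r"isolation\.tools\.copy\.disable : TRUE$"),
    ("8.4.25", "isolation.tools.dnd.disable", "NOT configured",
     r"isolation\.tools\.dnd\.disable : ", r"isolation\.tools\.dnd\.disable : TRUE$"),
    ("8.4.26", "isolation.tools.setGUIOptions.enable", "NOT configured",
     r"isolation\.tools\.setGUIOptions\.enable : ", r"isolation\.tools\.setGUIOptions\.enable : FALSE$"),
    ("8.4.27", "isolation.tools.paste.disable", "NOT configured",
     r"isolation\.tools\.paste\.disable : ", r"isolation\.tools\.paste\.disable : TRUE$"),
    ("8.4.28", "RemoteDisplay.vnc.enabled", "NOT configured",
     r"RemoteDisplay\.vnc\.enabled : ", r"RemoteDisplay\.vnc\.enabled : FALSE$"),
    ("8.6.2", "isolation.tools.diskShrink.disable", "NOT configured",
     r"isolation\.tools\.diskShrink\.disable : ", r"isolation\.tools\.diskShrink\.disable : TRUE$"),
    ("8.6.3", "isolation.tools.diskWiper.disable", "NOT found",
     r"isolation\.tools\.diskWiper\.disable : ", r"isolation\.tools\.diskWiper\.disable : True$"),
    ("8.7.2", "log.keepOld", "NOT found", r"log\.keepOld : ", r"log\.keepOld : 10$"),
    ("8.7.4", "log.rotateSize", "NOT found", r"log\.rotateSize : ", r"log\.rotateSize : 1024000$"),
]


def render_lines(settings):
    """Emit the 'key : value' lines the items' xsl_stmt transforms produce,
    substituting the item's placeholder when a setting is absent."""
    return [f"{name} : {settings.get(name, placeholder)}"
            for _, name, placeholder, _, _ in CHECKS]


def evaluate(settings):
    """Return {item: passed}. Assumed engine semantics: every line selected by
    'regex' must also match 'expect', case-sensitively as in Python's re. Hence
    an absent vmsafe.enable renders as 'NOT found' and fails 8.4.4's 'FALSE$',
    and a literal 'TRUE' fails 8.6.3, whose expect is written 'True$'."""
    lines = render_lines(settings)
    results = {}
    for item, _, _, regex, expect in CHECKS:
        selected = [line for line in lines if re.search(regex, line)]
        results[item] = bool(selected) and all(re.search(expect, line) for line in selected)
    return results


def failing_items(vms):
    """Map each VM name to the audit items it fails, in audit order."""
    return {vm: [item for item, ok in evaluate(cfg).items() if not ok]
            for vm, cfg in vms.items()}
```

On the sample, web01 fails only 8.4.4 (no vmsafe.enable key, although the item's info text accepts a non-existent key) and 8.6.3 (its expect is `True$` while the other items use `TRUE$`), which is the kind of drift between an item's prose and its regex that a reviewer of this audit should confirm against the engine before relying on the result.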