CIS-VMWARE-ESXi-7.0-Benchmark-V1.2.0-PDF
Preview: 253 pages, 2.16 MB PDF, updated 2023-10-04
VMWARE ESXI 7.0
CIS VMware ESXi 7.0
Benchmark
v1.2.0 - 03-16-2023
Page 1
Terms of Use
Please see the below link for our current terms of use:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents
Terms of Use .................................................................................................................. 1
Table of Contents ........................................................................................................... 2
Overview ......................................................................................................................... 6
Intended Audience ................................................................................................................... 6
Consensus Guidance .............................................................................................................. 7
Typographical Conventions .................................................................................................... 8
Recommendation Definitions ....................................................................................... 9
Title ............................................................................................................................................ 9
Assessment Status .................................................................................................................. 9
Automated ............................................................................................................................................. 9
Manual .................................................................................................................................................... 9
Profile ........................................................................................................................................ 9
Description ............................................................................................................................... 9
Rationale Statement ................................................................................................................. 9
Impact Statement ................................................................................................................... 10
Audit Procedure ..................................................................................................................... 10
Remediation Procedure ......................................................................................................... 10
Default Value .......................................................................................................................... 10
References .............................................................................................................................. 10
CIS Critical Security Controls® (CIS Controls®) .................................................................. 10
Additional Information ........................................................................................................... 10
Profile Definitions .................................................................................................................. 11
Acknowledgements ............................................................................................................... 12
Recommendations ....................................................................................................... 13
1 Install .................................................................................................................................... 13
1.1 (L1) Ensure ESXi is properly patched (Manual) .................................................................................... 14
1.2 (L1) Ensure the Image Profile VIB acceptance level is configured properly (Automated) ..................... 16
1.3 (L1) Ensure no unauthorized kernel modules are loaded on the host (Manual) .................................... 19
1.4 (L2) Ensure the default value of individual salt per vm is configured (Automated) ................................ 21
2 Communication ................................................................................................................... 23
2.1 (L1) Ensure NTP time synchronization is configured properly (Automated) .......................................... 24
2.2 (L1) Ensure the ESXi host firewall is configured to restrict access to services running on the host (Manual) ...................................................................................................................................................... 26
2.3 (L1) Ensure Managed Object Browser (MOB) is disabled (Automated) ................................................ 28
2.4 (L2) Ensure default self-signed certificate for ESXi communication is not used (Manual) .................... 30
2.5 (L1) Ensure SNMP is configured properly (Manual) .............................................................................. 32
2.6 (L1) Ensure dvfilter API is not configured if not used (Manual) ............................................................. 34
2.7 (L1) Ensure expired and revoked SSL certificates are removed from the ESXi server (Manual) .......... 36
2.8 (L1) Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory (Manual) ... 39
2.9 (L2) Ensure VDS health check is disabled (Manual) ............................................................................. 42
3 Logging ................................................................................................................................ 44
3.1 (L1) Ensure a centralized location is configured to collect ESXi host core dumps (Automated) ........... 45
3.2 (L1) Ensure persistent logging is configured for all ESXi hosts (Manual) .............................................. 47
3.3 (L1) Ensure remote logging is configured for ESXi hosts (Automated) ................................................. 49
4 Access .................................................................................................................................. 51
4.1 (L1) Ensure a non-root user account exists for local admin access (Automated) ................................. 52
4.2 (L1) Ensure passwords are required to be complex (Manual) ............................................................... 54
4.3 (L1) Ensure the maximum failed login attempts is set to 5 (Automated) ............................................... 56
4.4 (L1) Ensure account lockout is set to 15 minutes (Automated) ............................................................. 58
4.5 (L1) Ensure previous 5 passwords are prohibited (Manual) .................................................................. 60
4.6 (L1) Ensure Active Directory is used for local user authentication (Manual) ......................................... 62
4.7 (L1) Ensure only authorized users and groups belong to the esxAdminsGroup group (Manual) .......... 64
4.8 (L1) Ensure the Exception Users list is properly configured (Manual) ................................................... 66
5 Console ................................................................................................................................ 68
5.1 (L1) Ensure the DCUI timeout is set to 600 seconds or less (Automated) ............................................ 69
5.2 (L1) Ensure the ESXi shell is disabled (Automated) .............................................................................. 71
5.3 (L1) Ensure SSH is disabled (Automated) ............................................................................................. 73
5.4 (L1) Ensure CIM access is limited (Manual) .......................................................................................... 75
5.5 (L1) Ensure Normal Lockdown mode is enabled (Automated) .............................................................. 77
5.6 (L2) Ensure Strict Lockdown mode is enabled (Automated) ................................................................. 79
5.7 (L2) Ensure the SSH authorized_keys file is empty (Manual) ............................................................... 81
5.8 (L1) Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less (Automated) .......... 83
5.9 (L1) Ensure the shell services timeout is set to 1 hour or less (Automated) ......................................... 85
5.10 (L1) Ensure DCUI has a trusted users list for lockdown mode (Manual) ............................................. 87
5.11 (L2) Ensure contents of exposed configuration files have not been modified (Manual) ...................... 89
6 Storage ................................................................................................................................. 92
6.1 (L1) Ensure bidirectional CHAP authentication for iSCSI traffic is enabled (Automated) ...................... 93
6.2 (L2) Ensure the uniqueness of CHAP authentication secrets for iSCSI traffic (Manual) ....................... 96
6.3 (L1) Ensure storage area network (SAN) resources are segregated properly (Manual) ....................... 99
7 vNetwork ............................................................................................................................ 101
7.1 (L1) Ensure the vSwitch Forged Transmits policy is set to reject (Automated) ................................... 102
7.2 (L1) Ensure the vSwitch MAC Address Change policy is set to reject (Automated) ........................... 104
7.3 (L1) Ensure the vSwitch Promiscuous Mode policy is set to reject (Automated) ................................ 106
7.4 (L1) Ensure port groups are not configured to the value of the native VLAN (Automated) ................. 108
7.5 (L1) Ensure port groups are not configured to VLAN values reserved by upstream physical switches (Manual) .................................................................................................................................................... 110
7.6 (L1) Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT) (Automated) .................................................................................................................................................... 112
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector (Manual) ...... 114
7.8 (L1) Ensure port-level configuration overrides are disabled. (Automated) .......................................... 117
8 Virtual Machines ................................................................................................................ 118
8.1 Communication ........................................................................................................................... 119
8.1.1 (L2) Ensure only one remote console connection is permitted to a VM at any time (Automated) .... 120
8.2 Devices ......................................................................................................................................... 122
8.2.1 (L1) Ensure unnecessary floppy devices are disconnected (Automated) ........................................ 123
8.2.2 (L2) Ensure unnecessary CD/DVD devices are disconnected (Automated) .................................... 125
8.2.3 (L1) Ensure unnecessary parallel ports are disconnected (Automated) ........................................... 127
8.2.4 (L1) Ensure unnecessary serial ports are disconnected (Automated) .............................................. 129
8.2.5 (L1) Ensure unnecessary USB devices are disconnected (Automated) ........................................... 131
8.2.6 (L1) Ensure unauthorized modification and disconnection of devices is disabled (Automated) ....... 133
8.2.7 (L1) Ensure unauthorized connection of devices is disabled (Automated) ....................................... 135
8.2.8 (L1) Ensure PCI and PCIe device passthrough is disabled (Automated) ......................................... 137
8.3 Guest ............................................................................................................................................ 139
8.3.1 (L1) Ensure unnecessary or superfluous functions inside VMs are disabled (Manual) .................... 140
8.3.2 (L1) Ensure use of the VM console is limited (Manual) .................................................................... 142
8.3.3 (L1) Ensure secure protocols are used for virtual serial port access (Manual) ................................ 144
8.3.4 (L1) Ensure standard processes are used for VM deployment (Manual) ......................................... 146
8.4 Monitor ......................................................................................................................................... 148
8.4.1 (L1) Ensure access to VMs through the dvfilter network APIs is configured correctly (Manual) ...... 149
8.4.2 (L2) Ensure Autologon is disabled (Automated) ............................................................................... 152
8.4.3 (L2) Ensure BIOS BBS is disabled (Automated) .............................................................................. 154
8.4.4 (L2) Ensure Guest Host Interaction Protocol Handler is set to disabled (Automated) ...................... 156
8.4.5 (L2) Ensure Unity Taskbar is disabled (Automated) ......................................................................... 158
8.4.6 (L2) Ensure Unity Active is disabled (Automated) ............................................................................ 160
8.4.7 (L2) Ensure Unity Window Contents is disabled (Automated) .......................................................... 162
8.4.8 (L2) Ensure Unity Push Update is disabled (Automated) ................................................................. 164
8.4.9 (L2) Ensure Drag and Drop Version Get is disabled (Automated) ................................................... 166
8.4.10 (L2) Ensure Drag and Drop Version Set is disabled (Automated) .................................................. 168
8.4.11 (L2) Ensure Shell Action is disabled (Automated) .......................................................................... 170
8.4.12 (L2) Ensure Request Disk Topology is disabled (Automated) ........................................................ 172
8.4.13 (L2) Ensure Trash Folder State is disabled (Automated) ............................................................... 174
8.4.14 (L2) Ensure Guest Host Interaction Tray Icon is disabled (Automated) ......................................... 176
8.4.15 (L2) Ensure Unity is disabled (Automated) ..................................................................................... 178
8.4.16 (L2) Ensure Unity Interlock is disabled (Automated) ...................................................................... 180
8.4.17 (L2) Ensure GetCreds is disabled (Automated) .............................................................................. 182
8.4.18 (L2) Ensure Host Guest File System Server is disabled (Automated) ............................................ 184
8.4.19 (L2) Ensure Guest Host Interaction Launch Menu is disabled (Automated) .................................. 186
8.4.20 (L2) Ensure memSchedFakeSampleStats is disabled (Automated) .............................................. 188
8.4.21 (L1) Ensure VM Console Copy operations are disabled (Automated) ............................................ 190
8.4.22 (L1) Ensure VM Console Drag and Drop operations is disabled (Automated) ............................... 192
8.4.23 (L1) Ensure VM Console GUI Options is disabled (Automated) ..................................................... 194
8.4.24 (L1) Ensure VM Console Paste operations are disabled (Automated) ........................................... 196
8.5 Resources .................................................................................................................................... 198
8.5.1 (L2) Ensure VM limits are configured correctly (Manual) ................................................................. 199
8.5.2 (L2) Ensure hardware-based 3D acceleration is disabled (Automated) ........................................... 201
8.6 Storage ......................................................................................................................................... 203
8.6.1 (L2) Ensure nonpersistent disks are limited (Automated) ................................................................. 204
8.6.2 (L1) Ensure virtual disk shrinking is disabled (Automated) ............................................................... 206
8.6.3 (L1) Ensure virtual disk wiping is disabled (Automated) ................................................................... 208
8.7 Tools ............................................................................................................................................. 210
8.7.1 (L1) Ensure the number of VM log files is configured properly (Automated) .................................... 211
8.7.2 (L2) Ensure host information is not sent to guests (Automated) ...................................................... 213
8.7.3 (L1) Ensure VM log file size is limited (Automated) .......................................................................... 215
Appendix: Summary Table ........................................................................................ 217
Appendix: Change History ........................................................................................ 251