Check: VCTR-67-000057
VMware vSphere 6.7 vCenter STIG:
VCTR-67-000057
(in versions v1 r2 through v1 r4)
Title
The vCenter Server must enable TLS 1.2 exclusively. (Cat II impact)
Discussion
TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces, and TLS 1.1 and 1.0 disabled wherever the interface supports doing so. Mandating TLS 1.2 may break third-party integrations and add-ons to vSphere. Test these integrations carefully after enforcing TLS 1.2 and roll back where appropriate. On interfaces where required functionality breaks with TLS 1.2 only, this finding is N/A until the third-party software supports TLS 1.2. Modify TLS settings in the following order: 1. Platform Services Controller (if applicable), 2. vCenter, 3. ESXi.
Check Content
Note: For vCenter Server on Windows, this is not applicable.
On the vCenter Server appliance, execute the following command:
# $(find /usr/lib -name reconfigureVc) scan
If the output indicates that versions of TLS other than 1.2 are enabled, this is a finding.
Fix Text
On the vCenter Server appliance, execute the following commands:
# $(find /usr/lib -name reconfigureVc) backup
# $(find /usr/lib -name reconfigureVc) update -p TLS1.2
The backup step records the current TLS settings so the change can be rolled back if an integration breaks. vCenter services are restarted as part of the reconfiguration; the OS is not restarted. Add the --no-restart flag to defer the service restart. Changes do not take effect until all services are restarted or the machine is rebooted.
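The reconfigureVc scan above is the authoritative check because it covers every service the utility manages. The script below is an added example, not part of the STIG or of VMware's reconfigureVc utility, that confirms the result from a client: it attempts a handshake against a vCenter TCP endpoint one protocol version at a time with openssl s_client and applies the same rule the check does (any version other than 1.2 accepted is a finding). The host and the default ports 443 (reverse proxy) and 5480 (appliance management) are assumptions; add whichever ports the scan reports. Because an OpenSSL 3 client refuses to offer TLS 1.0/1.1 at its default security level, the probe lowers the client's security level with @SECLEVEL=0 and reports "inconclusive" rather than "refused" when the client itself could not offer a version, so a compliance result is never based on a probe that did not really test the server.

```bash
#!/usr/bin/env bash
# Added example, not part of the STIG or of VMware's reconfigureVc utility.
# Probes a vCenter endpoint with `openssl s_client`, one protocol version at
# a time, and reports whether TLS 1.0 / 1.1 are still accepted. Host and
# ports on the command line are assumptions; 443 and 5480 are typical.
set -u

# Classify the output of one `openssl s_client -<version>` attempt.
# Prints exactly one word: negotiated | refused | inconclusive
classify_s_client_output() {
  local out="$1"
  if [ -z "$out" ] || printf '%s\n' "$out" | grep -Eq 'no protocols available|connect:errno|Connection refused|Connection timed out'; then
    # Nothing learned about the server: the client could not offer this
    # version (OpenSSL 3 disables TLS 1.0/1.1 at its default security
    # level) or never reached the port.
    echo inconclusive
  elif printf '%s\n' "$out" | grep -Eq '^New, (TLSv[^,]+|SSLv3), Cipher is [A-Z0-9-]+'; then
    # A real cipher suite was agreed, so the server accepted this version.
    echo negotiated
  else
    # Handshake ended with "Cipher is (NONE)" or was aborted with an alert.
    echo refused
  fi
}

# Attempt a handshake restricted to a single protocol version.
# $3 is the s_client flag without the dash: tls1, tls1_1 or tls1_2.
# @SECLEVEL=0 lets a modern OpenSSL client actually offer TLS 1.0/1.1.
probe_version() {
  local host="$1" port="$2" flag="$3" out
  out=$(printf 'Q\n' | timeout 15 openssl s_client -connect "$host:$port" \
          -servername "$host" "-$flag" -cipher 'DEFAULT:@SECLEVEL=0' 2>&1) || true
  classify_s_client_output "$out"
}

# Apply the STIG rule: any version other than 1.2 negotiated is a finding.
# Arguments are the classifications for TLS 1.0, 1.1 and 1.2, in that order.
verdict() {
  local t10="$1" t11="$2" t12="$3"
  if [ "$t10" = negotiated ] || [ "$t11" = negotiated ]; then
    echo finding
  elif [ "$t12" != negotiated ] || [ "$t10" = inconclusive ] || [ "$t11" = inconclusive ]; then
    # The endpoint did not answer, or a probe could not be trusted;
    # never report compliance on that basis.
    echo inconclusive
  else
    echo "not a finding"
  fi
}

check_endpoint() {
  local host="$1" port="$2" t10 t11 t12
  t10=$(probe_version "$host" "$port" tls1)
  t11=$(probe_version "$host" "$port" tls1_1)
  t12=$(probe_version "$host" "$port" tls1_2)
  printf '%s:%s  TLS1.0=%s  TLS1.1=%s  TLS1.2=%s  -> %s\n' \
    "$host" "$port" "$t10" "$t11" "$t12" "$(verdict "$t10" "$t11" "$t12")"
}

if [ "$#" -ge 1 ]; then
  host="$1"; shift
  [ "$#" -eq 0 ] && set -- 443 5480   # assumed default ports
  for port in "$@"; do check_endpoint "$host" "$port"; done
else
  # No host given: exercise the classifier on constructed s_client output.
  sample=$(printf 'CONNECTED(00000003)\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n')
  echo "constructed TLS 1.2 sample -> $(classify_s_client_output "$sample")"
  echo "usage: $0 <vcenter-host> [port ...]" >&2
fi
```

Run it as `./tlsprobe.sh vcenter.example.com 443 5480` after the fix and again after every service restart; a "finding" on any port means a service still accepts TLS 1.0 or 1.1, and an "inconclusive" result means the probe itself must be fixed (unreachable port, or an OpenSSL build that cannot offer the older versions even at security level 0) before the result is trusted.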
Additional Identifiers
Rule ID: SV-243112r879887_rule
Vulnerability ID: V-243112
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |