An error occurred:

Check: VMCH-70-000024

VMware vSphere 7.0 Virtual Machine STIG: VMCH-70-000024 (in version v1 r1)

Title

Encryption must be enabled for vMotion on the virtual machine (VM). (Cat II impact)

Discussion

vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance impact. vSphere enables encrypted vMotion by default as "Opportunistic", meaning that encrypted channels are used where supported but the operation will continue in plain text where encryption is not supported. For example, when vMotioning between two hosts, encryption will always be used. However, because 6.0 and earlier releases do not support this feature, vMotion from a 7.0 host to a 6.0 host would be allowed but would not be encrypted. If the encryption is set to "Required", vMotions to unsupported hosts will fail. This must be set to "Opportunistic" or "Required".

Check Content

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted vMotion. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -ne "opportunistic") -or ($_.ExtensionData.Config.MigrateEncryption -ne "required")} If the setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix Text

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted vMotion. Set the value to "Opportunistic" or "Required". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes $spec.MigrateEncryption = $true (Get-VM -Name <vmname>).ExtensionData.ReconfigVM($spec)

Additional Identifiers

Rule ID: SV-256472r886459_rule

Vulnerability ID: V-256472

Group Title: SRG-OS-000480-VMM-002000

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings