Check: ESX0010
VMware ESX 3 Server: ESX0010 (in version v1 r2)
Title
ESX Server is not configured in accordance with the UNIX STIG. (Cat II impact)
Discussion
The UNIX Checklist must first be verified against all ESX Servers, since the ESX Server service console is considered a modified Linux distribution. DISA Field Security Operations has developed the UNIX SRR scripts to evaluate all UNIX machines against the UNIX STIG requirements. The UNIX SRR scripts determine all the open operating system vulnerabilities. The UNIX SRR Scripts are not supported against the ESX Server platform, but they can still be run to verify compliance. If the UNIX SRR Scripts are used, system administrators should verify all results against the UNIX Checklist to ensure results are accurate.
Check Content
1. Use the UNIX Checklist to manually verify compliance with the UNIX requirements.

OR

2. On the ESX Server service console, perform the following command:

    # find / -iname 'Script.*'

If the command returns output, review the result files that are located under (Script.Month)/hostname. Review the results and verify that only GEN003540 and GEN006640 are open. If any other findings are open, this is a finding.

If the command does not return a result, the reviewer will have to run the UNIX SRR scripts from the CD. If there are any open findings other than GEN003540 and GEN006640, this is a finding.

The following open findings will NOT be applicable when running the UNIX SRR against the ESX Server service console:

GEN003540 - Executable Stack
GEN003540 (CAT II) OPEN FINDING DESCRIPTION GEN003540: The SA will ensure the executable stack is disabled.
SYSTEM CONFIGURATION: VMware ESX Server 3 does not support this configuration. The kernel has executable stack enabled.

GEN006640 - Virus Protection
GEN006640 (CAT I) OPEN FINDING DESCRIPTION GEN006640: An approved DoD virus scan program in not used and/or updated.
SYSTEM CONFIGURATION: Unable to install McAfee Virus scan command-line tool on VMware ESX. Some of the prerequisite filesets for this product conflict with the versions required by VMware Operating System filesets.

Note: The UNIX SRR Scripts are not supported on the ESX Server. If used, please verify all results and findings against the UNIX Checklist.
Fix Text
Manually check the UNIX requirements against the ESX Server or run the UNIX SRR scripts against the ESX Server service console.
Additional Identifiers
Rule ID: SV-16722r1_rule
Vulnerability ID: V-15783
Group Title: ESX Server not compliant with UNIX STIG.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |