Check: ESXI-65-000061
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000061
(in versions v2 r4 through v1 r1)
Title
The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. (Cat II impact)
Discussion
When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. Promiscous mode can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.
Check Content
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. View the properties on each virtual switch and port group and verify "Promiscuous Mode" is set to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy Get-VirtualPortGroup | Get-SecurityPolicy If the "Promiscuous Mode" policy is set to accept, this is a finding.
Fix Text
From the vSphere Web Client go to Configure >> Networking >> Virtual Switches. For each virtual switch and port group click Edit settings and change "Promiscuous Mode" to reject. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true
Additional Identifiers
Rule ID: SV-207660r388482_rule
Vulnerability ID: V-207660
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |