HyTrust CloudControl® Compliance Operations Guide
Version 5.5, April 2019


Copyright and Legal Notice

HyTrust CloudControl®

Copyright © 2019 HyTrust, Inc. All Rights Reserved.

HyTrust, HyTrust, Inc., Virtualization Under Control, HyTrust CloudAdvisor, HyTrust CloudControl, HyTrust DataControl, HyTrust KeyControl and other HyTrust product names are trademarks of HyTrust, Inc. Other trademarks are recognized as belonging to their respective owners. The content of this guide is furnished for informational use only and is subject to change without notice. HyTrust assumes no responsibility or liability for any errors or inaccuracies that may appear in the content contained in this guide. Except as allowed by license, no part of this material may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without the written permission of the copyright owner, except where permitted by law.

U.S. Patent information: http://www.hytrust.com/patents.

HyTrust, Inc.
1975 W. El Camino Real, Suite 203
Mountain View, CA 94040 U.S.A.
Phone (650) 681-8100

Email: [email protected]: http://www.hytrust.com/ https://www.facebook.com/Hytrust/ https://twitter.com/HyTrust


Contents

Compliance Templates
  Overview
  Viewing Templates
  Cloning a Template
  Creating Templates
  Editing Templates

Compliance Operations
  vSphere and ESXi Operations
  NSX Operations


Compliance Templates

Overview

Many regulatory authorities provide guidelines for resource settings in virtual environments. Compliance operations in CloudControl are the tests or checks performed to ensure that the resources are configured per compliance guidelines. The operations in CloudControl are organized in templates. Each template is a collection of operations set forth by a specific compliance guide. The templates in CloudControl allow users to harden hosts according to the compliance requirements.

System Templates

CloudControl ships with a number of built-in templates for ESXi and NSX. These templates cannot be modified. System templates are displayed on the System tab on the Templates page.

Note: The VMware Operations Catalog ESXi and VMware Operations Catalog NSX templates include all of the operations for ESXi and NSX that are supported by CloudControl. These templates are useful in automating the resource hardening process.

Custom Templates

You can make your own custom templates or clone existing system templates to meet your compliance requirements. Custom templates are displayed on the Custom tab on the Templates page.

Viewing Templates

To view CloudControl templates:

1. Log in to the CloudControl Management Console.

2. Select Compliance > Templates. The system templates display by default on the System tab. Click Custom to view any custom templates that you have created.


Cloning a Template

1. Select Compliance > Templates.

2. On the System tab, select the template or templates that you want to clone, and click Clone. The cloned templates are visible on the Custom tab with '_copy' appended to the original template name.

Creating Templates

1. Select Compliance > Templates and click the Custom tab.

2. Click Add.

3. Type the Name and optional description to use for the template.

4. On the Add Template page, select the Host Type, and then click Add.

5. On the Add Operations to Template page, choose the template type from the Type drop-down list.
   Note: Select VMware Operations Catalog ESXi to view all ESXi operations, or VMware Operations Catalog NSX to view all possible NSX operations.

6. Choose the operations that you want to apply and click OK.

7. Click OK to save your changes.

Editing Templates

1. Select Compliance > Templates and click the Custom tab.

2. Click Add.

3. Click the template that you want to modify.

4. On the Edit Template page, modify the template name and description if needed.

5. Optionally do one of the following:
   • Click Add to add additional operations to your template.
   • Choose one or more operations and click Delete to remove those operations from your template.
   • Click Copy to create an additional copy of your template.

6. In the Assess/Remediate column, you can click the Assess radio button for any operations marked as Remediate.

7. In the Name column, if highlighted, click the Name to view and modify the parameters for the operation.


8. Optionally assign a Risk Score for the operation. This can be one of the following:
   • Unassigned (default)
   • Low
   • Medium
   • High

9. Add a Custom Description.

10. Click OK to save your changes.


Compliance Operations

The following tables provide information about CloudControl compliance operations, their descriptions, and the templates that include them.


vSphere and ESXi Operations

Ops ID ASC-vSphere | Operation Name in CloudControl | Description | Templates

0001 VmSnapshot-snapshot-all-vms
Description: Snapshot all virtual machines.
Templates: HIPAA ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening

0002 TargetVersionChecker-esxi-check-patch-version
Description: Check ESXi patch version
Templates: DISA STIG vSphere 6.0 ESXi High, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0003 VmCosSecurer-disable-console-copy-paste-gui-options
Description: Disable copy and paste operations between Guest OS and Remote Console
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0004 EsxiLogRotator-limit-log-number-size
Description: Limit virtual machine log file size and number
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0005 VmHostSecurer-limit-setinfo-size
Description: Prevent Guest OS processes from flooding ESXi host with informational messages.
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0006 VmDeviceSecurer-disable-unnecessary-functions
Description: Disable unnecessary or superfluous functions (hardware) inside virtual machines.
Templates: HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0007 EsxiRemoteSyslogger-enable-remote-syslog
Description: Set up log to a remote logging server
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT C ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0008 EsxiNtpSecurer-config-ntp
Description: Configure NTP time synchronization.
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0009 VSwitchSetter-reject-mac-changes-forged-transmit-promiscuous-mode
Description: Ensure that the 'MAC Address Change', 'Forged Transmits', and 'Promiscuous Mode' policies are set to reject.
Templates: HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0010 IscsiSecurer-enable-chap-auth
Description: Ensure bidirectional CHAP authentication is enabled for iSCSI traffic. (Note: May take a minute to remediate.)
Templates: DISA STIG vSphere 6.0 ESXi Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, SOX ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0011 HostConfigService-disable-esxi-shell
Description: Disable ESXi Shell unless needed for diagnostics or troubleshooting.
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0012 HostConfigService-disable-ssh
Description: HostConfigService-disable-ssh
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0013 HostConfigService-disable-dcui
Description: Disable DCUI to prevent local administrative control.
Templates: HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0014 HostConfigManager-set-shell-timeout
Description: Set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0015 VCConfigManager-vpxuser-password-age
Description: Ensure that vpxuser auto-password change meets policy.
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0016 VCConfigManager-vpxuser-password-length
Description: Ensure that vpxuser password meets length policy
Templates: HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0017 ImageProfileConfigManager-verify-acceptance-level
Description: Verify Image Profile and VIB Acceptance Levels
Templates: DISA STIG vSphere 6.0 ESXi High, HIPAA ESXi, NIST SP 800-53r4 High ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0018 VmConfigService-prevent-device-interaction-connect
Description: Prevent unauthorized connection of devices.
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0019 VmConfigService-prevent-device-interaction-edit
Description: Prevent unauthorized removal, connection and modification of devices.
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0020 VmConfigService-disable-console-dnd
Description: Disable console dnd service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0021 VmConfigService-disable-unexposed-features-autologon
Description: Disable autologon service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0022 VmConfigService-disable-unexposed-features-biosbbs
Description: Disable biosbbs service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0023 VmConfigService-disable-unexposed-features-getcreds
Description: Disable getting credential service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0024 VmConfigService-disable-unexposed-features-launchmenu
Description: Disable launching menu service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0025 DisableAutoInstall-disable-autoinstall
Description: Disable tools auto install
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0026 VmConfigService-disable-unexposed-features-memsfss
Description: Disabling memSchedFakeSampleStats service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0027 VmConfigService-disable-unexposed-features-protocolhandler
Description: Disable protocolhandler info service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0028 VmConfigService-disable-unexposed-features-shellaction
Description: Disable shellaction service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0029 VmConfigService-disable-unexposed-features-toporequest
Description: Disable toporequest service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0030 VmConfigService-disable-unexposed-features-trashfolderstate
Description: Disable trashfolderstate service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0031 VmConfigService-disable-unexposed-features-trayicon
Description: Disable trayicon service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0032 VmConfigService-disable-unexposed-features-unity
Description: Disable unity service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0033 VmConfigService-disable-unexposed-features-unity-interlock
Description: Disable unity-interlock service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0034 VmConfigService-disable-unexposed-features-unitypush
Description: Disable unitypush service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0035 VmConfigService-disable-unexposed-features-unity-taskbar
Description: Disable unity taskbar service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0036 VmConfigService-disable-unexposed-features-unity-unityactive
Description: Disable unityactive service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0037 VmConfigService-disable-unexposed-features-unity-windowcontents
Description: Disable unity windowcontents service
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0038 AccessToVMConfigService-verify-network-filter
Description: Control access to VMs through the dvfilter network APIs.
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NIST 800-171 ESXi

0039 AccessToVMConfigService-verify-vmsafe-cpumem-enable
Description: Control access to VMs through CPU memory
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NIST 800-171 ESXi

0040 AccessToVMConfigService-verify-vmsafe-cpumem-agentport
Description: Control access to VMs through CPU memory agentport
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NIST 800-171 ESXi


0041 AccessToVMConfigService-verify-vmsafe-cpumem-agentaddress
Description: Control access to VMs through CPU memory agentaddress
Templates: HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NIST 800-171 ESXi

0042 VmDisableDevices-disconnect-devices-floppy
Description: Disconnect unauthorized floppy devices
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0043 VmDisableDevices-disconnect-devices-ide
Description: Disconnect unauthorized ide devices
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0044 VmDisableDevices-disconnect-devices-parallel
Description: Disconnect unauthorized parallel devices
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0045 VmDisableDevices-disconnect-devices-serial
Description: Disconnect unauthorized serial devices
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0046 VmDisableDevices-disconnect-device-usb
Description: Disconnect unauthorized usb devices
Templates: DISA STIG vSphere 6.0 VM Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0047 VmDisableNonPersistentDisk-disable-independent-nonpersistent
Description: Avoid using independent nonpersistent disks
Templates: DISA STIG vSphere 6.0 VM High, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0048 HostConfigManager-set-shell-interactive-timeout
Description: Set a timeout to automatically terminate idle ESXi Shell and SSH sessions. The value is in seconds
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0049 HostConfigurator-set-dcui-access
Description: Set DCUI.Access to allow trusted users to override lockdown mode
Templates: DISA STIG vSphere 6.0 ESXi Low, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0050 HostConfigurator-verify-dvfilter-bind
Description: Prevent unintended use of dvfilter network APIs
Templates: DISA STIG vSphere 6.0 VM Low, HIPAA ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0051 HostConfigurator-config-firewall-access
Description: Configure the ESXi host firewall to restrict access to services running on the host
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0053 HostConfigurator-config-persistent-logs
Description: Configure persistent logging for all ESXi host
Templates: DISA STIG vSphere 6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0054 VmConfigService-disable-unexposed-features-versionget

Disable versionget service

DISA STIG vSphere6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0055 VmConfigService-disable-unexposed-features-versionset

Disable versionset service

DISA STIG vSphere6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0056 VmConfigService-disable-hgfs

Disable HGFS file transfers

DISA STIG vSphere6.0 VM Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0057 VmConfigService-disable-disk-shrinking-shrink

Disable virtual disk shrinking

DISA STIG vSphere6.0 VM High, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0058 VmConfigService-disable-disk-shrinking-wiper

Disable virtual disk shrinking wiper

DISA STIG vSphere6.0 VM High, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0059 VmConfigService-disable-vix-messages

Disable VIX messages from the VM

DISA STIG vSphere6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0060 VmConfigService-restrict-host-info

Do not send host information to guests

DISA STIG vSphere6.0 VM Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0061 VmConfigService-disable-intervm-vmci

Disable VM-to-VM communication through VMCI.

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0062 VmConfigService-limit-console-connections-one-or-two

Limit sharing of console connections. Expected value is either 1 or 2

DISA STIG vSphere6.0 VM Moderate, HIPAA ESXi, NIST SP 800-53r4 High ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0063 VCConfigManager-enable-host-profiles

Configure Host Profiles to monitor and alert on configuration changes

HIPAA ESXi, NIST SP 800-53r4 High ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NIST 800-171 ESXi


0064 HostSNMPConfigManager-config-snmp

Ensure proper SNMP configuration is done

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi

0065 HostUserConfigManager-create-local-admin

Check for a non-root user account for local admin access

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0066 HostUserConfigManager-limit-cim-access

Do not provide administrator level access (i.e. root) to CIM-based hardware monitoring tools or other 3rd party applications user

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi


0067 LocalAccountChecker-check-local-accounts

Check local accounts

HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening

0068 TargetTrustChecker-check-trust-status

Check trust status

HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0069 RpvChecker-check-root-password-vaulting

Check root password vaulting

HIPAA ESXi, PCI DSS 2.0 ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0071 HostConfigurator-set-dcui-timeout

Audit DCUI timeout value

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0072 HostLockoutManager-set-account-auto-unlock-time

Set the time after which a locked account is automatically unlocked

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0073 HostLockoutManager-set-account-lockout

Set the count of maximum failed login attempts before the account is locked out

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0074 HostIntraVmTPS-transparentPageSharing-intra-enabled

Ensure default setting for intra-VM TPS is correct

DISA STIG vSphere6.0 ESXi Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0075 VmPCIPassthroughChecker-verify-PCI-Passthrough

Audit all uses of PCI or PCIe passthrough functionality

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0076 HostLockoutManager-enable-bpdu-filter

Enable BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled

DISA STIG vSphere6.0 ESXi Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0077 InterVmTPSManager-TransparentPageSharing-inter-VM-Enabled

Check for enablement of salted VMs that are sharing memory pages

DISA STIG vSphere6.0 VM Low, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0078 DVPortGroupConfigManager-reject-mac-changes-dvportgroup

Ensure that the “MAC Address Changes” policy is set to reject

DISA STIG vSphere6.0 ESXi High, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0079 DVPortGroupConfigManager-reject-forged-transmit-dvportgroup

Ensure that the “Forged Transmits” policy is set to reject

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi


0080 DVPortGroupConfigManager-reject-promiscuous-mode-dvportgroup

Ensure that the “Promiscuous Mode” policy is set to reject

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0081 DVPortGroupConfigManager-restrict-port-level-overrides

Restrict port-level configuration overrides on VDS

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0082 VCHostLockdown-audit-exception-users

Audit the list of users who are on the Exception Users List and whether they have administrator privileges

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0083 VCHostLockdown-enable-normal-lockdown-mode

Enable Normal Lockdown Mode to restrict access

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening


0084 VCHostLockdown-enable-strict-lockdown-mode

Enable Strict Lockdown Mode to restrict access

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0085 DVSManager-restrict-netflow-usage

Ensure that VDS Netflow traffic is only being sent to authorized collector IPs

HIPAA ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi

0086 EsxiTLSChecker-esxi-disable-oldtls

Disable TLS 1.0 and 1.1 on ESXi Hosts if necessary.

HIPAA ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi


0087 HostConfigurator-esxi-disable-mob

Disable Managed Object Browser (MOB).

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi

0088 HostConfigurator-set-password-policies

Establish a password policy for password complexity.

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi


0089 VCConfigManager-verify-nfc-ssl

Enable SSL for Network File copy (NFC).

DISA STIG vSphere6.0 ESXi Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi

0090 VmConfigService-minimize-console-vnc-use

Control access to VM console via VNC protocol.

DISA STIG vSphere6.0 VM Moderate, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi


0091 DVSHealthCheck-limit-network-healthcheck

Enable VDS network healthcheck only if you need it.

DISA STIG vSphere6.0 ESXi Low, HIPAA ESXi, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 Moderate ESXi, PCI DSS 3.0 and 3.1 ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi

0092 ESXiDcuiDODBanner-dcui-dod-banner

The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

DISA STIG vSphere6.0 ESXi Moderate, ICD 503 INT A ESXi, ICD 503 INT B ESXi, ICD 503 INT C ESXi, GDPR HTCC Hardening, NERC CIP 5.0 ESXi, NIST 800-171 ESXi, NIST SP 800-53r4 High ESXi, NIST SP 800-53r4 Low ESXi, NIST SP 800-53r4 Moderate ESXi, VMware 6.0 ESXi, VMware 6.5 ESXi, VMware 6.7 ESXi, VMware Operations Catalog ESXi, VMware Operations Catalog Matrix ESXi

0093 HostMemoryConfig-mem-allocate-large-Page

Enables backing of guest large pages with host large pages.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0094 EsxiDiskConfigurater-Disk-Scheduler-With-Reservation

Allows you to reserve IOPS when delivering storage services to virtual machines.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0095 EsxiDiskConfigurater-Disk-Use-Device-Reset

Use device reset (instead of bus reset) to reset a SCSI device.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0097 EsxiNFSConfigurator-nfs-max-volume

The maximum number of NFS volumes which can be mounted to an ESXi host.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi


0098 EsxiTcpIpConfigurator-tcp-ip-configrator

The maximum amount of heap memory, measured in megabytes, which can be allocated for managing VMkernel TCP/IP network connectivity.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0099 EsxiUserVarConfigurator-suppress-core-dump-warnings

Do not show warning for disabled or unconfigured core dump target.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0100 EsxiDiskConfigurater-Disk-Use-Lun-Reset

Use LUN reset (instead of device.bus reset) to reset a SCSI device.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0101 EsxiTcpIpConfigurator-tcp-ip-heap-size

The memory size (in MB) which is allocated by the VMkernel to TCP/IP heap. The maximum amount of memory is defined in Net.TcpIpHeapMax.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0102 EsxiUserVarConfigurator-suppress-shell-warnings

Do not show warning for enabled local and remote shell access.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi

0103 EsxiVsanConfigurator-vsan-repair-delay

Minutes to wait for absent components to come back before starting repair.

VMware 6.0 ESXi, VMware 6.5, VMware 6.7 ESXi


NSX Operations

Ops ID ASC-NSX Operation Name in CloudControl Description Templates

0001 ValidateCert_ensure-valid-certificates

Ensure that the NSX manager certificate is valid and legitimate

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0002 ControllerConfig_secure-controller-network

Controller network should be secured

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0003 RemoteSyslogger_enable-remote-syslog

Set up log to a remote logging server

DISA STIG NSX6.2 Moderate, VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0004 SshService-disable-ssh-manager

Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0005 DnsServerConfig_secure-dns-server

Ensure that IPv4 DNS is authorized and secure

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0006 BackupSettings_backup-excludes

Do not exclude audit logs and system events from backing up

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX


0007 BackupSettings_use-sftp

Use SFTP for backup and restoration

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0008 BackupSettings_secure-sftp-server

Ensure that the SFTP server on which backup is done is hardened as appropriate

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0009 DnsServerConfig-disable-ipv6-dns

Ensure IPv6 DNS is disabled/not configured if not in use

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0010 NtpSecurer_enable-ntp

Set up log to a remote logging server

DISA STIG NSX6.2 Low, VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0011 SshGateway_disable-ssh-gateway

Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0012 PatchVersionChecker-keep-nsx-patched

Follow VMware Security Advisories and apply patches

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX


0013 OspfBgpAuthentication_enable-md5

Enable in-protocol MD5 authentication for OSPF and password for BGP

DISA STIG NSX6.2 Moderate, VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0014 DnsServerConfig-disable-ipv6

Ensure IPv6 is disabled/not configured if not in use

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0015 BackupSettings_secure-backup-dir

No read or write permissions on backup directory

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0016 DVPortGroupConfigManager-reject-forged-transmit-dvportgroup

Ensure that the “Forged Transmits” policy is set to reject

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0017 DVPortGroupConfigManager-reject-mac-changes-dvportgroup

Ensure that the “MAC Address Changes” policy is set to reject

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0018 DVPortGroupConfigManager-reject-promiscuous-mode-dvportgroup

Ensure that the “Promiscuous Mode” policy is set to reject

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX


0019 DSwitchConfigManager-restrict-vds-access

Restrict access to vSphere distributed switch

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX

0020 VxlanConfig_use-srcid-lb-option

Choose Load Balance - SRCID for the VXLAN vmknic teaming policy

VMware Operations Catalog Matrix NSX, VMware Operations Catalog NSX
