VREALIZE OPERATIONS COMPLIANCE PACK FOR CIS

CIS Controls and CIS Benchmarks are globally recognized internet security standards and best practices for securing IT systems and data against attacks.

The vRealize Operations Compliance Pack for CIS provides Alerts, Policies, and Reports to validate vSphere resources against the CIS hardening guide. This content validates the following resources:

  • ESXi Host
  • Virtual Machine


VROPS Virtual Machine CIS Hardening Guide Rules for vSphere

1. Limit informational messages from the VM to the VMX file
2. Non-compliant max number of remote console connections (5.5 Hardening Guide)
3. Floppy drive connected (5.5 Hardening Guide)
4. CD-ROM connected (5.5 Hardening Guide)
5. Parallel port connected (5.5 Hardening Guide)
6. Serial port connected (5.5 Hardening Guide)
7. USB controller connected (5.5 Hardening Guide)
8. Prevent unauthorized removal and modification of devices
9. Prevent unauthorized connection of devices
10. Control access to VMs through the dvfilter network APIs
11. VMsafe CPU/memory APIs – IP address configured (5.5 Hardening Guide)
12. VMsafe CPU/memory APIs – port number configured (5.5 Hardening Guide)
13. VMsafe CPU/memory API enabled (5.5 Hardening Guide)
14. Disable Autologon
15. Disable BIOS BBS
16. Disable Unity Taskbar
17. Disable Unity Active
18. Disable Unity Window Contents
19. Disable Unity Push Update
20. Disable Drag and Drop Version Set
21. Disable Shell Action
22. Disable Trash Folder State
23. Disable Guest Host Interaction Tray Icon
24. Disable Unity
25. Disable Unity Interlock
26. Disable GetCreds
27. Disable Host Guest File System Server
28. Non-compliant max VM log file size (5.5 Hardening Guide)
29. Do not send host information to guests
30. Non-compliant max VM log file count (5.5 Hardening Guide)
31. Disable VIX messages from the VM
32. Disable virtual disk wiping
33. Disable virtual disk shrinking
34. Avoid using nonpersistent disks
35. VGA only mode is not enabled (5.5 Hardening Guide)
36. Control access to VM console via VNC protocol
37. Disable VM Console Copy operations
38. Disable VM Console Paste operations
39. Disable VM Console GUI Options
40. Disable Drag and Drop Version Get
41. RP 1 – VM.disable-unexposed-features-launchmenu – launchmenu feature is enabled (5.5/6.0 Hardening Guide)
42. Disable Drag and Drop Version Get
43. Integrity – Toprequest feature is enabled
44. The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be set
45. Disable Guest Host Interaction Protocol Handler

VROPS ESXi Host CIS Hardening Guide Rules for vSphere

1. ESXi.config-ntp – NTP Server property is not configured (5.5/6.0 Hardening Guide)
2. Firewall is not configured to restrict few or all services running on ESXi host (5.5/6.0 Hardening Guide)
3. ESXi.config-snmp – SNMP service is running (5.5/6.0 Hardening Guide)
4. Access Control – Prevent unintended use of dvfilter network APIs
5. Configure persistent logging for all ESXi host
6. Configure remote logging for ESXi hosts
7. Use Active Directory for local user authentication
8. DCUI service is running (5.5 Hardening Guide)
9. SSH service is running
10. Set DCUI.Access to allow trusted users to override lockdown mode
11. ESXi.set-shell-interactive-timeout – Timeout is not configured for idle ESXi Shell and SSH sessions (5.5/6.0 Hardening Guide)
12. Set a timeout to automatically terminate idle ESXi Shell and SSH sessions
13. Enable bidirectional CHAP authentication for iSCSI traffic
14. Ensure that the vSwitch Forged Transmits policy is set to reject
15. Ensure that the vSwitch MAC Address Change policy is set to reject
16. Ensure that the vSwitch Promiscuous Mode policy is set to reject
17. The system must set shell services timeout
18. The system must terminate shell services after a predetermined period
19. The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
20. The system must disable ESXi Shell.
