| Grade: 10% F |
| COS Report Check- http://communities.vmware.com/docs/DOC-11848 | 13 total checks | PASS - 7.7 % | FAIL - 0 % | REQUIRE MANUAL VALIDATION - 92.3 % |
| Entity | Code | Description | Status | Resolution/Fix |
| --- | --- | --- | --- | --- |
| himalaya.primp-industries.com | CON01 | Ensure ESX Firewall is configured to High Security | PASS | N/A |
| himalaya.primp-industries.com | CON02 | Limit network access to applications and services | MANUAL | esxcfg-firewall --query to query for running services |
| himalaya.primp-industries.com | COM01 | Do not apply Red Hat patches to the Service Console | MANUAL | Apply only patches published by VMware & follow http://www.vmware.com/security |
| himalaya.primp-industries.com | COM02 | Do not rely upon tools that only check for Red Hat patches | MANUAL | Use scanners specifically for ESX Service Console (COS) |
| himalaya.primp-industries.com | COM03 | Do Not Manage the Service Console as a Red Hat Linux Host | MANUAL | Manage Service Console with only vmkfstools & esxcfg-* commands |
| himalaya.primp-industries.com | COM04 | Use vSphere Client and vCenter to Administer the Hosts Instead of Service Console | MANUAL | Use vSphere APIs whenever possible for security policies & processes |
| himalaya.primp-industries.com | COP01 | Use a Directory Service for Authentication | MANUAL | esxcfg-auth to configure directory services - http://www.vmware.com/vmtn/resources/582 |
| himalaya.primp-industries.com | COL01 | Configure syslog logging | MANUAL | Please refer to the COS document for detailed instructions |
| himalaya.primp-industries.com | COL02 | Configure NTP time synchronization | MANUAL | Please refer to the COS document for detailed instructions |
| himalaya.primp-industries.com | COH01 | Partition the disk to prevent the root file system from filling up | MANUAL | Please refer to http://pubs.vmware.com/vsp40u1/install/c_esx_partitioning.html#1_9_18_1 |
| himalaya.primp-industries.com | COA03 | Ensure root access via SSH is disabled | MANUAL | "PermitRootLogin" in the /etc/sshd_conf should be set to "no" |
| himalaya.primp-industries.com | COA05 | Limit access to the su command | MANUAL | Configure PAM module /etc/pam.d/su |
| himalaya.primp-industries.com | COA06 | Configure and use sudo to control administrative access | MANUAL | Ensure access to commands is controlled and configured properly in /etc/sudoers |
| HOST Report Check- http://communities.vmware.com/docs/DOC-11845 | 11 total checks | PASS - 9.1 % | FAIL - 45.5 % | REQUIRE MANUAL VALIDATION - 36.4 % |
| Entity | Code | Description | Status | Resolution/Fix |
| --- | --- | --- | --- | --- |
| himalaya.primp-industries.com | HIN01 | Verify integrity of software before installation | MANUAL | Verify SHA1 hash after downloading from VMware |
| himalaya.primp-industries.com | HCM01 | Configure Encryption for ESX/ESXi Communication | FAIL | VMware default SSL cert should not be used |
| himalaya.primp-industries.com | HCM01 | Configure Encryption for ESX/ESXi Communication | FAIL | proxy.xml for SSL should contain readTimeoutsMs and/or handshakeTimeoutMs |
| himalaya.primp-industries.com | HCM04 | Ensure ESX is Configured to Encrypt All Sessions | FAIL | <httpPort/> in proxy.xml should not be configured to allow HTTP |
| himalaya.primp-industries.com | HCM04 | Ensure ESX is Configured to Encrypt All Sessions | FAIL | <accessMode/> in proxy.xml should not be configured to allow HTTP |
| himalaya.primp-industries.com | HLG01 | Configure remote syslog | FAIL | Remote syslog should be configured |
| himalaya.primp-industries.com | HLG02 | Configure persistent logging | MANUAL | Please refer to HOST doc for further details |
| himalaya.primp-industries.com | HLG03 | Configure NTP time synchronization | PASS | N/A |
| himalaya.primp-industries.com | HMT01 | Control access by CIM-based hardware monitoring tools | MANUAL | Please refer to the HOST doc for further details |
| himalaya.primp-industries.com | HCN01 | Ensure only authorized users have access to the DCUI | MANUAL | Check the users in the local group named localadmin |
| himalaya.primp-industries.com | HCN03 | Avoid adding the root user to local groups | WIP | Lockdown mode is not enabled |
| VM Report Check- http://communities.vmware.com/docs/DOC-11844 | 24 total checks | PASS - 0 % | FAIL - 54.2 % | REQUIRE MANUAL VALIDATION - 45.8 % |
| Entity | Code | Description | Status | Resolution/Fix |
| --- | --- | --- | --- | --- |
| William-XP | VMX01 | Prevent Virtual Disk Shrinking | FAIL | isolation.tools.diskWiper.disable and/or isolation.tools.diskShrink.disable should be configured to be disabled |
| William-XP | VMX01 | Prevent Virtual Disk Shrinking | FAIL | isolation.tools.diskWiper.disable and/or isolation.tools.diskShrink.disable should be configured to be disabled |
| William-XP | VMX03 | Disable Copy/Paste to Remote Console | FAIL | isolation.tools.copy.disable,isolation.tools.paste.disable,isolation.tools.setGUIOptions.enable should be configured to be disabled |
| William-XP | VMX03 | Disable Copy/Paste to Remote Console | FAIL | isolation.tools.copy.disable,isolation.tools.paste.disable,isolation.tools.setGUIOptions.enable should be configured to be disabled |
| William-XP | VMX03 | Disable Copy/Paste to Remote Console | FAIL | isolation.tools.copy.disable,isolation.tools.paste.disable,isolation.tools.setGUIOptions.enable should be configured to be disabled |
| William-XP | VMX10 | Ensure Unauthorized Devices are Not Connected | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX11 | Prevent Unauthorized Removal or Connection of Devices | FAIL | isolation.device.connectable.disable and/or isolation.device.edit.disable should be configured to be disabled |
| William-XP | VMX11 | Prevent Unauthorized Removal or Connection of Devices | FAIL | isolation.device.connectable.disable and/or isolation.device.edit.disable should be configured to be disabled |
| William-XP | VMX12 | Disable VM to VM communication through VMCI | FAIL | VMCI should not have unrestricted access |
| William-XP | VMX20 | VM log file size and number should be limited | FAIL | VM logging is not configured sufficiently |
| William-XP | VMX20 | VM log file size and number should be limited | FAIL | VM logging is not configured sufficiently |
| William-XP | VMX21 | Limit informational messages from the VM to the VMX file | FAIL | tools.setInfo.sizeLimit should be limited to 1MB of output |
| William-XP | VMX30 | Disable remote operations within the guest | FAIL | VIX API commands to guest should be disabled |
| William-XP | VMX31 | Do not send host performance information to guests | FAIL | Host performance should not be sent to guest VMs |
| William-XP | VMX50 | Disable VMsafe CPU/Mem APIs | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX51 | Restrict access to VMsafe CPU/Mem APIs | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX52 | Prevent VM from being accessed through VMsafe CPU/Mem API | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX53 | Disable VMsafe Network APIs | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX54 | Restrict access to VMsafe Network APIs | MANUAL | Please refer to VM doc for further details |
| William-XP | VMX55 | Prevent VM from being accessed through VMsafe Network API | MANUAL | Please refer to VM doc for further details |
| William-XP | VMP01 | Secure Virtual Machines as You Would Secure Physical Machines | MANUAL | Please refer to VM doc for further details |
| William-XP | VMP02 | Disable Unnecessary or Superfluous Functions | MANUAL | Please refer to VM doc for further details |
| William-XP | VMP03 | Use Templates to deploy VMs whenever possible | MANUAL | Please refer to VM doc for further details |
| William-XP | VMP05 | Minimize Use of the VM Console | MANUAL | Please refer to VM doc for further details |
| VNETWORK Report Check- http://communities.vmware.com/docs/DOC-11846 | 13 total checks | PASS - 0 % | FAIL - 7.7 % | REQUIRE MANUAL VALIDATION - 92.3 % |
| Entity | Code | Description | Status | Resolution/Fix |
| --- | --- | --- | --- | --- |
| himalaya.primp-industries.com | NAR01 | Ensure management traffic is on a restricted network | MANUAL | Please refer to the vNetwork Doc for further details |
| himalaya.primp-industries.com | NAR02 | Ensure VMotion Traffic is isolated | MANUAL | Please refer to the vNetwork Doc for further details |
| himalaya.primp-industries.com | NAR03 | Ensure IP Based Storage Traffic is isolated | MANUAL | Please refer to the vNetwork Doc for further details |
| himalaya.primp-industries.com | NAR04 | Strictly control access to Management network | MANUAL | Please refer to the vNetwork Doc for further details |
| himalaya.primp-industries.com | NCN01 | Ensure that there are no unused port groups on standard vSwitches | FAIL | Portgroup: tempTrunkPassThrough is not being used by any VMs |
| himalaya.primp-industries.com | NCN06 | Ensure that port groups are not configured to VLAN1 or the native VLAN | MANUAL | Please refer to vNetwork doc for further details |
| himalaya.primp-industries.com | NCN07 | Ensure that Port Groups are Configured with a clear network label | MANUAL | Clearly label your portgroups along with an identifier to specify functionality |
| himalaya.primp-industries.com | NCN08 | Ensure that all vSwitches have a clear network label | MANUAL | Clearly label your vSwitches |
| himalaya.primp-industries.com | NCN09 | Fully document all VLANs used on vSwitches | MANUAL | Document all VLANs on vSwitches |
| himalaya.primp-industries.com | NCN10 | Ensure that only authorized administrators have access to virtual networking components | MANUAL | Ensure authorized admins have access |
| himalaya.primp-industries.com | NPN01 | Ensure physical switch ports are configured with spanning tree disabled | MANUAL | Disable spanning tree on physical switches |
| himalaya.primp-industries.com | NPN02 | Ensure that the non-negotiate option is configured for trunk links between external physical switches and virtual switches in VST mode | MANUAL | Please refer to vNetwork doc for further details |
| himalaya.primp-industries.com | NPN03 | VLAN trunk links must be connected only to physical switch ports that function as trunk links | MANUAL | Self-explanatory |