kriterion 0.0.1

data/standards/stig_vmware_vsphere_vcenter_server_version_6.json

@@ -0,0 +1,311 @@
+{
+  "name": "stig_vmware_vsphere_vcenter_server_version_6",
+  "date": "2017-07-11",
+  "description": "The VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-63149",
+      "title": "The system must prohibit password reuse for a minimum of five generations.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. \n\nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63943",
+      "title": "The system must not automatically refresh client sessions.",
+      "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Automatic client session refreshes keep unused sessions online, blocking session timeouts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63945",
+      "title": "The system must enforce a 60-day maximum password lifetime restriction.",
+      "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63947",
+      "title": "The system must terminate management sessions after 10 minutes of inactivity.",
+      "description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63949",
+      "title": "The vCenter Server users must have the correct roles assigned.",
+      "description": "Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63951",
+      "title": "The system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of Denial of Service (DoS) attacks by enabling Network I/O Control (NIOC).",
+      "description": "DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.\n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63953",
+      "title": "The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.",
+      "description": "It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nTo ensure the appropriate personnel are alerted if an audit failure occurs a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63955",
+      "title": "The system must use Active Directory authentication.",
+      "description": "The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.  Using Active Directory for authentication provides more robust account management capabilities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63959",
+      "title": "The system must limit the use of the built-in SSO administrative account.",
+      "description": "Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63961",
+      "title": "The system must disable the distributed virtual switch health check.",
+      "description": "Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63963",
+      "title": "The distributed port group Forged Transmits policy must be set to reject.",
+      "description": "If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.\n\nWhen the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses.\n\nTo protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63965",
+      "title": "The system must ensure the distributed port group MAC Address Change policy is set to reject.",
+      "description": "If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63967",
+      "title": "The system must ensure the distributed port group Promiscuous Mode policy is set to reject.",
+      "description": "When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63969",
+      "title": "The system must only send NetFlow traffic to authorized collectors.",
+      "description": "The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network making it easier for a MITM attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target IP's are correct.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63971",
+      "title": "The system must not override port group settings at the port level on distributed switches.",
+      "description": "Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port-Group level. There are cases where particular VMs require unique configurations, but this should be monitored so it is only used when authorized. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could surreptitiously exploit that broader access.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63973",
+      "title": "All port groups must be configured to a value other than that of the native VLAN.",
+      "description": "ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a \"1\"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a \"1\" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63975",
+      "title": "All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.",
+      "description": "When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63977",
+      "title": "All port groups must not be configured to VLAN values reserved by upstream physical switches.",
+      "description": "Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63979",
+      "title": "The system must enable SSL for Network File Copy (NFC).",
+      "description": "NFC is the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, NFC over SSL is enabled (i.e., \"True\") within a vSphere cluster but the value of the setting is null. Clients check the value of the setting and default to not using SSL for performance reasons if the value is null. This behavior can be changed by ensuring the setting has been explicitly created and set to \"True\". This will force clients to use SSL. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63981",
+      "title": "The vCenter Server services must be ran using a service account instead of a built-in Windows account.",
+      "description": "You can use the Microsoft Windows built-in system account or a domain user account to run vCenter Server.  The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. With a domain user account, you can enable Windows authentication for SQL Server; it also allows more granular security and logging. The installing account only needs to be a member of the Administrators group, and have permission to act as part of the operating system and log on as a service. If you are using SQL Server for the vCenter database, you must configure the SQL Server database to allow the domain account access to SQL Server.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63983",
+      "title": "The system must ensure the vpxuser auto-password change meets policy.",
+      "description": "By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure this setting meets your policies; if not, configure to meet password aging policies. \n\nNote: It is very important the password aging policy not be shorter than the default interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63985",
+      "title": "The system must ensure the vpxuser password meets length policy.",
+      "description": "The vpxuser password default length is 32 characters. Ensure this setting meets site policies; if not, configure to meet password length policies. Longer passwords make brute-force password attacks more difficult. The vpxuser password is added by vCenter, meaning no manual intervention is normally required. The vpxuser password length must never be modified to less than the default length of 32 characters.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63987",
+      "title": "The system must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.",
+      "description": "The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63989",
+      "title": "Privilege re-assignment must be checked after the vCenter Server restarts.",
+      "description": "Check for privilege reassignment when you restart vCenter Server. If the user or user group that is assigned the Administrator role on the root folder cannot be verified as a valid user or group during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On account administrator@vsphere.local. This account can then act as the administrator.\n\nReestablish a named administrator account and assign the Administrator role to that account to avoid using the anonymous administrator@vsphere.local account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63991",
+      "title": "The system must minimize access to the vCenter server.",
+      "description": "After someone has logged in to the vCenter Server system, it becomes more difficult to prevent what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of administering vCenter Server or the host OS. Anyone logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63993",
+      "title": "Log files must be cleaned up after failed installations of the vCenter Server.",
+      "description": "In certain cases, if the vCenter installation fails, a log file (with a name of the form “hs_err_pidXXXX”) is created that contains the database password in plain text. An attacker who breaks into the vCenter Server  could potentially steal this password and access the vCenter Database.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63995",
+      "title": "The system must enable all tasks to be shown to Administrators in the Web Client.",
+      "description": "By default not all tasks are shown in the web client to administrators and only that user's tasks will be shown.  Enabling all tasks to be shown will allow the administrator to potentially see any malicious activity they may miss with the view disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63999",
+      "title": "The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.",
+      "description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows server to users who are not vCenter administrators.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64003",
+      "title": "The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.",
+      "description": "The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64005",
+      "title": "A least-privileges assignment must be used for the Update Manager database user.",
+      "description": "Least-privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64007",
+      "title": "A least-privileges assignment must be used for the vCenter Server database user.",
+      "description": "Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64009",
+      "title": "The system must use unique service accounts when applications connect to vCenter.",
+      "description": "In order to not violate non-repudiation (i.e., deny the authenticity of who is connecting to vCenter), when applications need to connect to vCenter they should use unique service accounts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64011",
+      "title": "vSphere Client plugins must be verified.",
+      "description": "The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64013",
+      "title": "The system must produce audit records containing information to establish what type of events occurred.",
+      "description": "Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64015",
+      "title": "Passwords must be at least 15 characters in length.",
+      "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64017",
+      "title": "Passwords must contain at least one uppercase character.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64019",
+      "title": "Passwords must contain at least one lowercase character.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64021",
+      "title": "Passwords must contain at least one numeric character.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64023",
+      "title": "Passwords must contain at least one special character.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64025",
+      "title": "The system must limit the maximum number of failed login attempts to three.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64027",
+      "title": "The system must set the interval for counting failed login attempts to at least 15 minutes.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64029",
+      "title": "The system must require an administrator to unlock an account locked due to excessive login failures.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64031",
+      "title": "The system must alert administrators on permission creation operations.",
+      "description": "If personnel are not notified of permission events, they will not be aware of possible unsecure situations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64033",
+      "title": "The system must alert administrators on permission deletion operations.",
+      "description": "If personnel are not notified of permission events, they will not be aware of possible unsecure situations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64035",
+      "title": "The system must alert administrators on permission update operations.",
+      "description": "If personnel are not notified of permission events, they will not be aware of possible unsecure situations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64037",
+      "title": "The vCenter Server users must have the correct roles assigned.",
+      "description": "Users and service accounts must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-73137",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.",
+      "description": "Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes VSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-73139",
+      "title": "The system must enable the VSAN Health Check.",
+      "description": "VSAN Health Check is enabled by default in vSphere 6.0 update 1 and later, it has to be manually installed and enabled on vSphere 6.0.0 prior to usage. The VSAN Health Check is used for additional alerting capabilities, performance stress testing prior to production usage, and verifying that the underlying hardware officially is supported by being in compliance with the VSAN Hardware Compatibility Guide",
+      "severity": "low"
+    },
+    {
+      "id": "V-73141",
+      "title": "The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.",
+      "description": "The VSAN Health Check is able to download the hardware compatibility list from VMware in order to check compliance against the underlying VSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet this functionality must be disabled or if this feature is necessary an external proxy server must be configured.",
+      "severity": "low"
+    },
+    {
+      "id": "V-73143",
+      "title": "The system must configure the VSAN Datastore name to a unique name.",
+      "description": "VSAN Datastore name by default is \"vsanDatastore\". If more than one VSAN cluster is present in vCenter both datastores will have the same name by default potentially leading to confusion and manually misplaced workloads.",
+      "severity": "low"
+    }
+  ]
+}

data/standards/stig_vmware_vsphere_virtual_machine_version_6.json

@@ -0,0 +1,269 @@
+{
+  "name": "stig_vmware_vsphere_virtual_machine_version_6",
+  "date": "2015-12-09",
+  "description": "The VMware vSphere Virtual Machine Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "VMware vSphere Virtual Machine Version 6 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-63151",
+      "title": "The system must explicitly disable copy operations.",
+      "description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64041",
+      "title": "The system must explicitly disable drag and drop operations.",
+      "description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64043",
+      "title": "The system must explicitly disable any GUI functionality for copy/paste operations.",
+      "description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64045",
+      "title": "The system must explicitly disable paste operations.",
+      "description": "Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64047",
+      "title": "The system must disable virtual disk shrinking.",
+      "description": "Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to non-administrative users operating within the VMs guest OS.",
+      "severity": "high"
+    },
+    {
+      "id": "V-64049",
+      "title": "The system must disable virtual disk erasure.",
+      "description": "Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VMs guest OS.",
+      "severity": "high"
+    },
+    {
+      "id": "V-64051",
+      "title": "The system must not use independent, non-persistent disks.",
+      "description": "The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked.",
+      "severity": "high"
+    },
+    {
+      "id": "V-64053",
+      "title": "The system must disable HGFS file transfers.",
+      "description": "Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system, such as some VIX commands, will not function. An attacker could potentially use this to transfer files inside the guest OS.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64055",
+      "title": "The unexposed feature keyword isolation.tools.ghi.autologon.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64057",
+      "title": "The unexposed feature keyword isolation.bios.bbs.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64059",
+      "title": "The unexposed feature keyword isolation.tools.getCreds.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64061",
+      "title": "The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64063",
+      "title": "The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64065",
+      "title": "The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64067",
+      "title": "The unexposed feature keyword isolation.ghi.host.shellAction.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64069",
+      "title": "The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64071",
+      "title": "The unexposed feature keyword isolation.tools.trashFolderState.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64073",
+      "title": "The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64075",
+      "title": "The unexposed feature keyword isolation.tools.unity.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64077",
+      "title": "The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64079",
+      "title": "The unexposed feature keyword isolation.tools.unity.push.update.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64081",
+      "title": "The unexposed feature keyword isolation.tools.unity.taskbar.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64083",
+      "title": "The unexposed feature keyword isolation.tools.unityActive.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64085",
+      "title": "The unexposed feature keyword isolation.tools.unity.windowContents.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64087",
+      "title": "The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64089",
+      "title": "The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be set.",
+      "description": "Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64091",
+      "title": "The system must disable VIX messages from the VM.",
+      "description": "The VIX API is a library for writing scripts and programs to manipulate virtual machines. If you do not make use of custom VIX programming in your environment, then you should consider disabling certain features to reduce the potential for vulnerabilities. The ability to send messages from the VM to the host is one of these features. Note that disabling this feature does NOT adversely affect the functioning of VIX operations that originate outside the guest, so certain VMware and 3rd party solutions that rely upon this capability should continue to work. This is a deprecated interface.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64093",
+      "title": "The system must disconnect unauthorized floppy devices.",
+      "description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64095",
+      "title": "The system must disconnect unauthorized CD/DVD devices.",
+      "description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64097",
+      "title": "The system must disconnect unauthorized parallel devices.",
+      "description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64099",
+      "title": "The system must disconnect unauthorized serial devices.",
+      "description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64101",
+      "title": "The system must disconnect unauthorized USB devices.",
+      "description": "Ensure that no device is connected to a virtual machine if it is not required. For example, floppy, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64103",
+      "title": "The system must limit sharing of console connections.",
+      "description": "By default, remote console sessions can be connected to by more than one user at a time.  When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a non-administrator in the VM might connect to the console and observe the administrator's actions.  Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session.  For highest security, only one remote console session at a time should be allowed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64105",
+      "title": "The system must disable console access through the VNC protocol.",
+      "description": "The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the Virtual Network Computing (VNC) protocol and should be disabled.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64107",
+      "title": "The system must disable tools auto install.",
+      "description": "Tools auto install can initiate an automatic reboot, disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64109",
+      "title": "The system must limit informational messages from the VM to the VMX file.",
+      "description": "The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64111",
+      "title": "The system must prevent unauthorized removal, connection and modification of devices.",
+      "description": "In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: \n1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive\n2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service\n3. Modify settings on a device",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64113",
+      "title": "The system must prevent unauthorized removal, connection and modification of devices.",
+      "description": "In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: \n1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive\n2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service\n3. Modify settings on a device",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64115",
+      "title": "The system must not send host information to guests.",
+      "description": "If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64117",
+      "title": "The system must disable shared salt values.",
+      "description": "When salting is enabled (Mem.ShareForceSalting=1 or 2) in order to share a page between two virtual machines both salt and the content of the page must be same. A salt value is a configurable VMX option for each virtual machine. You can manually specify the salt values in the virtual machine's VMX file with the new VMX option sched.mem.pshare.salt. If this option is not present in the virtual machine's VMX file, then the value of vc.uuid VMX option is taken as the default value. Since the vc.uuid is unique to each virtual machine, by default TPS happens only among the pages belonging to a particular virtual machine (Intra-VM).",
+      "severity": "low"
+    },
+    {
+      "id": "V-64119",
+      "title": "The system must control access to VMs through the dvfilter network APIs.",
+      "description": "An attacker might compromise a VM by making use the dvFilter API. Configure only those VMs that need this access to use the API.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64121",
+      "title": "The system must use templates to deploy VMs whenever possible.",
+      "description": "By capturing a hardened base operating system image (with no applications installed) in a template, ensure all virtual machines are created with a known baseline level of security. Then use this template to create other, application-specific templates, or use the application template to deploy virtual machines. Manual installation of the OS and applications into a VM introduces the risk of misconfiguration due to human or process error.",
+      "severity": "low"
+    },
+    {
+      "id": "V-64123",
+      "title": "The system must minimize use of the VM console.",
+      "description": "The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which might potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VM console sessions are open simultaneously.",
+      "severity": "medium"
+    }
+  ]
+}