datespaster.blogg.se

VMware vSphere 6.5 low level design document





The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy. If a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host. The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes. The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well.


The ESXi host must disable the Managed Object Browser (MOB). The use of unapproved algorithms may result in weak password hashes. Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


The ESXi shell provides temporary access to commands essential for server maintenance. The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console.


The ESXi host must be configured to disable non-essential capabilities by disabling SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. This allows it to stage malicious attacks on the devices in. If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. The virtual switch MAC Address Change policy must be set to reject on the ESXi host.


The ESXi host must verify the integrity of the installation media before installing ESXi. Always check the SHA1 or MD5 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files.


Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. The ESXi host must have all security patches and updates installed. The ESXi Image profile supports four acceptance levels:


An unsigned VIB represents untested code installed on an ESXi host. Verify the ESXi Image Profile to only allow signed VIBs. The ESXi Image Profile and VIB Acceptance Levels must be verified. Only SSH protocol version 2 connections should be permitted. SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. The ESXi host SSH daemon must be configured to use only the SSHv2 protocol. The ESXi host SSH daemon must not allow authentication using an empty password. Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.





