2.9 (L2) Ensure VDS health check is disabled

Information

The health check support in VDS helps you identify and troubleshoot configuration errors in a vSphere Distributed Switch. It is recommended that health check be turned off by default and confirmed to be off once troubleshooting is finished.

Once enabled, vSphere Distributed Switch health check collects packets that contain information on host#, vds# and port#, which an attacker would find useful.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using the vSphere Web Client for each VDS:

- Select a VDS
- Go to Configure, expand Settings, then select Health Check
- Click on Edit
- Set VLAN and MTU state to Disabled
- Set Teaming and failover state to Disabled
- Click OK

Additionally, the following PowerCLI command can be used:

# For every VDS with either health check still enabled, push both checks to disabled
Get-View -ViewType DistributedVirtualSwitch |
    Where-Object { $_.Config.HealthCheckConfig | Where-Object { $_.Enable -notmatch "False" } } |
    ForEach-Object {
        $_.UpdateDVSHealthCheckConfig(@(
            (New-Object VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig -Property @{ Enable = 0 }),
            (New-Object VMware.Vim.VMwareDVSTeamingHealthCheckConfig -Property @{ Enable = 0 })
        ))
    }
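Because the NOTE above says Nessus does not perform this check, the following PowerCLI function is an added example (not part of the CIS benchmark or the audit plugin) that reports the VLAN/MTU and Teaming health-check state of every VDS so compliance can be verified before and after remediation. It assumes an active PowerCLI session (Connect-VIServer already run); the function name and output fields are the example's own.

```powershell
# Added example: audit VDS health-check state. Assumes Connect-VIServer has been run.
function Get-VDSHealthCheckStatus {
    # Pull only the properties needed; Config.HealthCheckConfig holds one entry per check type
    $switches = Get-View -ViewType DistributedVirtualSwitch -Property Name, Config.HealthCheckConfig

    foreach ($vds in $switches) {
        $checks  = @($vds.Config.HealthCheckConfig)
        $vlanMtu = $checks | Where-Object { $_ -is [VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig] }
        $teaming = $checks | Where-Object { $_ -is [VMware.Vim.VMwareDVSTeamingHealthCheckConfig] }

        # A missing entry is treated as disabled; [bool]$null evaluates to $false
        $vlanMtuEnabled = [bool]$vlanMtu.Enable
        $teamingEnabled = [bool]$teaming.Enable

        [pscustomobject]@{
            VDS            = $vds.Name
            VlanMtuEnabled = $vlanMtuEnabled
            TeamingEnabled = $teamingEnabled
            # Control passes only when both checks are off
            Compliant      = -not ($vlanMtuEnabled -or $teamingEnabled)
        }
    }
}

# Print a per-switch table; non-compliant switches show Compliant = False
Get-VDSHealthCheckStatus | Format-Table -AutoSize
```

Filter with `Where-Object { -not $_.Compliant }` to list only the switches that still need the remediation command above.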

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-6(9), 800-53|AU-2, 800-53|AU-12, CSCv7|9.2

Plugin: VMware

Control ID: 5c67dba7c929020a161fb23f984538740cab0eb33208341793a71adc7b10ea61