5.11 (L2) Ensure contents of exposed configuration files have not been modified

Information

Although most ESXi configuration is controlled through an API, a small set of configuration files directly governs host behavior. These files are exposed via the vSphere HTTPS-based file transfer API, and they should be monitored for modification.

WARNING: Do not attempt to monitor files that are NOT exposed via this file transfer API, since this can result in a destabilized system.

Any changes to these files should be correlated with an approved administrative action, such as an authorized configuration change. Tampering with these files could enable unauthorized access to the host configuration and virtual machines.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restore all modified configuration files to a known good state by restoring backups or using other means.

To help prevent future occurrences, back up the host configuration data after configuring or reconfiguring an ESXi host so that a known-good copy exists to restore from. The vicfg-cfgbackup command is available only for ESXi hosts; it is not available through a vCenter Server system connection, and no equivalent ESXCLI command is supported.

To help identify future occurrences more quickly, implement a procedure that records the exposed files and their contents (for example, as cryptographic hashes) over time and alerts on any change. Do not monitor log files or other files whose content is expected to change regularly due to system activity, and account for configuration file changes that result from authorized administrative activity.
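The following is an added example of such a monitoring procedure; it is not Tenable's or VMware's code. It pulls the files that the host exposes through the HTTPS file transfer API, fingerprints them with SHA-256, and compares the result with a stored baseline. It assumes that the exposed files are listed at https://<host>/host/ as href="/host/<name>" links, that the endpoint accepts HTTP basic authentication, and that the host certificate can be verified against the CA file you supply (or the system trust store). The index page and file contents used for the offline run are constructed sample data, not captured from a real host.

```python
"""Baseline-and-compare check for the ESXi configuration files exposed through
the vSphere HTTPS file transfer API.

Added example for this control, not Tenable's or VMware's code.  Assumptions:
the exposed files are listed at https://<host>/host/ as href="/host/<name>"
links, the endpoint accepts HTTP basic authentication, and the host certificate
is verifiable via ca_file or the system trust store.
"""
from __future__ import annotations

import getpass
import hashlib
import json
import re
import ssl
import sys
import urllib.request
from urllib.parse import urljoin

LINK_RE = re.compile(r'href="(/host/[^"]+)"')


def parse_index(html: str) -> list[str]:
    """Return the /host/... paths linked from the file transfer index page."""
    return sorted(set(LINK_RE.findall(html)))


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map each exposed path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two fingerprints.  Any non-empty bucket is a finding
    to correlate with an approved change record before treating it as tampering."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def fetch_exposed_files(host: str, user: str, password: str,
                        ca_file: str | None = None) -> dict[str, bytes]:
    """Download every file the API lists.  Only those files are read; nothing
    else on the host is touched (see the WARNING in the control text)."""
    base = f"https://{host}/"
    auth = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    auth.add_password(None, base, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(auth),
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=ca_file)),
    )
    with opener.open(urljoin(base, "host/")) as resp:
        index = resp.read().decode("utf-8", "replace")
    files: dict[str, bytes] = {}
    for path in parse_index(index):
        with opener.open(urljoin(base, path.lstrip("/"))) as resp:
            files[path] = resp.read()
    return files


# Constructed sample data so the logic can be exercised offline: a baseline taken
# right after an approved change, and a later snapshot in which esx.conf was
# altered and an extra file appeared in the listing.  Not captured from a host.
SAMPLE_INDEX = ('<html><body><a href="/host/esx.conf">esx.conf</a> '
                '<a href="/host/vpxa.cfg">vpxa.cfg</a></body></html>')
BASELINE_FILES = {
    "/host/esx.conf": b'/adv/UserVars/ESXiShellTimeOut = "600"\n',
    "/host/vpxa.cfg": b"<config></config>\n",
}
CURRENT_FILES = {
    "/host/esx.conf": b'/adv/UserVars/ESXiShellTimeOut = "0"\n',
    "/host/vpxa.cfg": b"<config></config>\n",
    "/host/ssl_key": b"-----BEGIN PRIVATE KEY-----\nconstructed-sample\n",
}


def demo_drift() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample (no network needed)."""
    return compare(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))


if __name__ == "__main__":
    # Usage: python check.py <host> <user> [baseline.json] [ca.pem]
    if len(sys.argv) < 3:
        print(json.dumps(demo_drift(), indent=2))
        sys.exit(0)
    host, user = sys.argv[1:3]
    baseline_path = sys.argv[3] if len(sys.argv) > 3 else "baseline.json"
    ca_file = sys.argv[4] if len(sys.argv) > 4 else None
    current = fingerprint(fetch_exposed_files(host, user, getpass.getpass(), ca_file))
    try:
        with open(baseline_path) as fh:
            baseline = json.load(fh)
    except FileNotFoundError:
        # First run: record the known-good state to compare against later.
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=2)
        print(f"baseline written to {baseline_path} ({len(current)} files)")
        sys.exit(0)
    drift = compare(baseline, current)
    print(json.dumps(drift, indent=2))
    sys.exit(1 if any(drift.values()) else 0)
```

Run it once immediately after an approved configuration change to write the baseline, then on a schedule; a non-zero exit means at least one exposed file was modified, added or removed and should be matched against a change record. Re-baseline only as part of an authorized change, and keep a vicfg-cfgbackup save of the same state (for example, vicfg-cfgbackup --server <host> --username root -s <backup-file>) so that a detected change can be reverted rather than just reported.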

Note: Host Profiles may also be used to track configuration changes on the host; however, Host Profiles do not track all configuration changes.

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1, CSCv7|5.5, CSCv7|14.9

Plugin: VMware

Control ID: 9b7958770c314b454a7ac1788b3d8631a533f7fcca6a371af94d518d54a11690