VCTR-67-000031 - The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.

Information

The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server.

For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the internet. The Update Manager still requires access to patch information to function properly. UMDS must therefore be installed on a separate system that has internet access, where it downloads upgrades, patch binaries, and patch metadata; the downloads are then exported to a portable media drive so they become accessible to the Update Manager server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air gap model) must be enforced and documented with organization policies.

Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the internet.

To configure a web server or local disk repository as a download source (i.e., 'Direct connection to Internet' must not be selected as the source), from the vSphere Client/vCenter Server system, click 'Update Manager' under 'Solutions and Applications'.

On the 'Configuration' tab, under 'Settings', click 'Download Settings'.

In the 'Download Sources' pane, select 'Use a shared repository'.

Enter the <site-specific> path or the URL to the shared repository.

Click 'Validate URL' to validate the path.

Click 'Apply'.
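The procedure above is a GUI walk-through, so a reviewer has nothing to script against directly. The following is an added example (not part of the STIG or the Tenable check) that shows the same compliance logic as code: it models the 'Download Settings' values as a hypothetical dataclass, flags a 'Direct connection to Internet' selection, and accepts a shared repository only when it is a local/UNC path or a URL on an internal host. The `DownloadSettings` type, the `INTERNAL_SUFFIXES` list and all sample values are constructed for the example; nothing here calls a VMware API.

```python
"""Policy check for Update Manager download settings (added example).

Hypothetical model of the 'Download Settings' pane described in the
Solution text; it does not talk to vCenter or Update Manager. A record
is compliant when 'Direct connection to Internet' is not selected and the
shared repository is a local disk path, a UNC path, or a URL whose host
is inside the organization's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed for the example: DNS suffixes considered internal at this site.
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class DownloadSettings:
    direct_internet: bool   # True if 'Direct connection to Internet' is selected
    shared_repository: str  # path or URL entered under 'Use a shared repository'


def _is_internal_host(host: str) -> bool:
    """Private IP, bare hostname, or a name under an internal suffix."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def check(settings: DownloadSettings) -> list[str]:
    """Return a list of findings; an empty list means the settings comply."""
    findings: list[str] = []
    if settings.direct_internet:
        findings.append("'Direct connection to Internet' is selected; "
                        "a shared repository must be used instead")
    repo = settings.shared_repository.strip()
    if not repo:
        findings.append("no shared repository path or URL is configured")
        return findings

    parsed = urlparse(repo)
    if parsed.scheme in ("http", "https"):
        host = parsed.hostname or ""
        if not _is_internal_host(host):
            findings.append(f"shared repository host {host!r} is not an internal host")
    elif parsed.scheme in ("", "file") or len(parsed.scheme) == 1:
        # Local disk path (drive letters parse as a one-letter scheme),
        # file:// URL, or UNC path: acceptable for the air-gap model.
        pass
    else:
        findings.append(f"unsupported shared repository scheme {parsed.scheme!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample records, one compliant and two non-compliant.
    samples = {
        "air-gapped UNC share": DownloadSettings(False, r"\\fs01\umds-export"),
        "direct internet": DownloadSettings(True, ""),
        "public web repo": DownloadSettings(False, "https://public.example.com/repo"),
    }
    for name, s in samples.items():
        result = check(s)
        print(f"{name}: {'COMPLIANT' if not result else result}")
```

The internal-host test is deliberately conservative: anything that is not a private address, a bare hostname, or a name under a listed internal suffix is reported, which matches the intent of the control (patches must never be fetched by the Update Manager server from the internet) rather than trying to enumerate public repositories.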

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243094r879887_rule, STIG-ID|VCTR-67-000031, Vuln-ID|V-243094

Plugin: VMware

Control ID: 8b3dad80bb8a361759768f8333b72cf72894da9b5c7a1fc6404654da0104a8d2