Encryption must be enabled for Fault Tolerance on the virtual machine (VM).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256477	VMCH-70-000029	SV-256477r942499_rule		Medium

Description
Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. When Fault Tolerance is turned on, FT encryption is set to "Opportunistic" by default, which means it enables encryption only if both the primary and secondary host are capable of encryption.

Description

Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. When Fault Tolerance is turned on, FT encryption is set to "Opportunistic" by default, which means it enables encryption only if both the primary and secondary host are capable of encryption.

STIG	Date
VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-60152r942498_chk )
If the VM does not have Fault Tolerance enabled, this is not applicable. From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted FT. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM \| Where {$_.ExtensionData.Config.FtEncryptionMode -eq "ftEncryptionDisabled"} If the setting does not have a value of "Opportunistic" or "Required", this is a finding.

Check Text ( C-60152r942498_chk )

If the VM does not have Fault Tolerance enabled, this is not applicable.

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> Encrypted FT.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM | Where {$_.ExtensionData.Config.FtEncryptionMode -eq "ftEncryptionDisabled"}

If the setting does not have a value of "Opportunistic" or "Required", this is a finding.

Fix Text (F-60095r886473_fix)
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> FT Encryption. Set the value to "Opportunistic" or "Required". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands: $spec = New-Object VMware.Vim.VirtualMachineConfigSpec $spec.FTEncryption = New-Object VMware.Vim.VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes $spec.FT = ftEncryptionOpportunistic or ftEncryptionRequired (Get-VM -Name ).ExtensionData.ReconfigVM($spec)

Fix Text (F-60095r886473_fix)

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Encryption >> FT Encryption.

Set the value to "Opportunistic" or "Required".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.FTEncryption = New-Object VMware.Vim.VMware.Vim.VirtualMachineConfigSpecEncryptedFtModes
$spec.FT = ftEncryptionOpportunistic or ftEncryptionRequired
(Get-VM -Name ).ExtensionData.ReconfigVM($spec)