{
"stig": {
"date": "2013-01-15",
"description": "The VMware vCenter Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
"findings": {
"VCENTER-000003": {
"checkid": "C-VCENTER-000003_chk",
"checktext": "Ask the SA if either the VMware Update Manager and/or vCenter Server are installed as VMs rather than physical machines. \n\nIf either the VMware Update Manager and/or vCenter Server are installed as VMs, this is a finding.",
"description": "The VMware Update Manager and vCenter Server are VM installable on an ESXi host. The Update Manager must not be configured to manage the updates on either of those VMs.",
"fixid": "F-VCENTER-000003_fix",
"fixtext": "Ensure both the VMware Update Manager and vCenter Server are installed as physical machines.",
"iacontrols": null,
"id": "VCENTER-000003",
"ruleID": "VCENTER-000003_rule",
"severity": "medium",
"title": "The Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.",
"version": "VCENTER-000003"
},
"VCENTER-000004": {
"checkid": "C-VCENTER-000004_chk",
"checktext": "This check is both site and installation specific.\n\nAsk the SA for a list of all unblocked ports on the vCenter Server's Windows system. Verify all unblocked ports are necessary and used. Examples of ports that might be blocked (partial list): (636/TCP) if the vCenter will not be part of a linked-mode vCenter group; (1521/TCP) if the vCenter DB is not Oracle. \n\nIf there are any unused, unblocked ports on the vCenter Server's Windows system, this is a finding.",
"description": "Militate against general attacks on the Windows system by blocking unneeded ports. A local firewall on the Windows system of vCenter, or a network firewall, can be used to block access to ports not specifically being used by vCenter. \n",
"fixid": "F-VCENTER-000004_fix",
"fixtext": "Determine what site-specific ports are required to support the Windows system hosting the vCenter Server application. Determine the installation-specific ports that are required to support the vCenter Server application. Block all ports that are not required by either the Windows system and/or the vCenter Server.",
"iacontrols": null,
"id": "VCENTER-000004",
"ruleID": "VCENTER-000004_rule",
"severity": "high",
"title": "The system must block access to ports not being used by vCenter.",
"version": "VCENTER-000004"
},
"VCENTER-000005": {
"checkid": "C-VCENTER-000005_chk",
"checktext": "After the Windows server hosting the vCenter Server has been rebooted, a vCenter Server user or member of the user group granted the administrator role must log in and verify the role permissions remain intact. \n\nIf the user and/or user group granted vCenter administrator role permissions cannot be verified intact, this is a finding.",
"description": "During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, this results in a situation that should be rectified by re-establishing a legitimate administrator account.",
"fixid": "F-VCENTER-000005_fix",
"fixtext": "As a Windows Administrator, log in to the vCenter Server and restore a legitimate administrator account per site-specific user/group/role requirements.",
"iacontrols": null,
"id": "VCENTER-000005",
"ruleID": "VCENTER-000005_rule",
"severity": "medium",
"title": "Privilege re-assignment must be checked after the vCenter Server restarts.",
"version": "VCENTER-000005"
},
"VCENTER-000006": {
"checkid": "C-VCENTER-000006_chk",
"checktext": "Verify the datastore browser is disabled:\nDetermine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.\nEdit the file and locate the <vpxd> ... </vpxd> element.\nEnsure that the following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess> \n\nIf the enableHttpDatastoreAccess element is set to true, this is a finding.",
"description": "The datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the site-specific, user permissions on vCenter Server.",
"fixid": "F-VCENTER-000006_fix",
"fixtext": "Disable the datastore browser:\nDetermine the location of the vpxd.cfg file on the Windows host.\nEdit the file and locate the <vpxd> ... </vpxd> element.\nEnsure that the following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess> \n\nRestart the vCenter Service to ensure the config file change(s) are in effect.",
"iacontrols": null,
"id": "VCENTER-000006",
"ruleID": "VCENTER-000006_rule",
"severity": "low",
"title": "The system must disable the datastore browser.",
"version": "VCENTER-000006"
},
"VCENTER-000007": {
"checkid": "C-VCENTER-000007_chk",
"checktext": "Verify the managed object browser is disabled:\nDetermine the location of the vpxd.cfg file on the vCenter Server's Windows OS host.\nEdit the file and locate the <vpxd> ... </vpxd> element.\nEnsure that the following element is set: <enableDebugBrowse>false</enableDebugBrowse> \n\nIf the enableDebugBrowse element is set to true, this is a finding.",
"description": "The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.",
"fixid": "F-VCENTER-000007_fix",
"fixtext": "Disable the managed object browser:\nDetermine the location of the vpxd.cfg file on the Windows host.\nEdit the file and locate the <vpxd> ... </vpxd> element.\nEnsure that the following element is set: <enableDebugBrowse>false</enableDebugBrowse> \n\nRestart the vCenter Service to ensure the config file change(s) are in effect.",
"iacontrols": null,
"id": "VCENTER-000007",
"ruleID": "VCENTER-000007_rule",
"severity": "low",
"title": "The system must disable the managed object browser.",
"version": "VCENTER-000007"
},
"VCENTER-000008": {
"checkid": "C-VCENTER-000008_chk",
"checktext": "Verify vCenter Server was installed using a special-purpose user account on the Windows host with a local-only administrator role. This account should have the \"Act as part of the operating system\" privilege, and write access to the local file system with a local-only administrator role.\n\nIf the vCenter Server was not installed with a special-purpose, local-only administrator role with the \"Act as part of the operating system\" privilege, this is a finding.",
"description": "The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server.",
"fixid": "F-VCENTER-000008_fix",
"fixtext": "Re-install the vCenter Server with a special-purpose, local-only administrator role with the \"Act as part of the operating system\" privilege.",
"iacontrols": null,
"id": "VCENTER-000008",
"ruleID": "VCENTER-000008_rule",
"severity": "low",
"title": "The vCenter Server must be installed using a service account instead of a built-in Windows account.",
"version": "VCENTER-000008"
},
"VCENTER-000009": {
"checkid": "C-VCENTER-000009_chk",
"checktext": "Check the following conditions:\nThe Update Manager must be configured to use the Download Service. \nThe use of physical media to transfer update files to the Update Manager server (air-gap model example: separate Update Manager Download Server) must be enforced with site policies.\nThe vSphere Update Manager server does not obtain patches directly from the Internet.\n\nIf all of the above conditions are not met, this is a finding.",
"description": "In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
"fixid": "F-VCENTER-000009_fix",
"fixtext": "Configure the vSphere Update Manager Server to use a physically separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air-gap model) must be enforced and documented with organization policies. Configure the vSphere Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the vSphere Update Manager Server application from the Internet.",
"iacontrols": null,
"id": "VCENTER-000009",
"ruleID": "VCENTER-000009_rule",
"severity": "low",
"title": "The connectivity between Update Manager and public patch repositories must be limited.",
"version": "VCENTER-000009"
},
"VCENTER-000012": {
"checkid": "C-VCENTER-000012_chk",
"checktext": "Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users:\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify that a role exists for each of the administrator privilege sets the organization requires and allows. \nRight click on each Role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" that only site-specific, required checkboxes are selected. \n\nIf the organization does not require roles for administrator privilege sets, this is a finding.\n\nIf a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.",
"description": "Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
"fixid": "F-VCENTER-000012_fix",
"fixtext": "Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users. As a vCenter Server administrator, log into the vCenter Server with the vSphere Client. \nGo to \"Home>> Administration>> Roles\" and create a role for each of the administrator privilege sets the organization requires and allows. \nRight click on each role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" that only site-specific, required checkboxes are selected.",
"iacontrols": null,
"id": "VCENTER-000012",
"ruleID": "VCENTER-000012_rule",
"severity": "medium",
"title": "The vCenter Server administrative users must have the correct roles assigned.",
"version": "VCENTER-000012"
},
"VCENTER-000013": {
"checkid": "C-VCENTER-000013_chk",
"checktext": "Ask the SA if event log monitoring is used to alert on non-service account access to the certificates directory.\n\nIf event log monitoring is not used, this is a finding.",
"description": "The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.",
"fixid": "F-VCENTER-000013_fix",
"fixtext": "Set up Windows event log monitoring to alert on nonservice account access to the certificates directory.\n\n\n\n",
"iacontrols": null,
"id": "VCENTER-000013",
"ruleID": "VCENTER-000013_rule",
"severity": "medium",
"title": "Access to SSL certificates must be monitored.",
"version": "VCENTER-000013"
},
"VCENTER-000014": {
"checkid": "C-VCENTER-000014_chk",
"checktext": "To examine the certificate configured for the Update Manager instance, start the Microsoft Management Console (MMC) snap-in and open the Windows Certificate Store. Navigate to the vCenter Server certificate and click the \"Certificate Details\" tab to display the certificate details. If unable to determine certificate details from the MMC, ask the SA if self-signed certificates on the Update Manager have been changed to certificates from a trusted certification authority.\n\nIf certificates from a trusted certification authority are not used, this is a finding.",
"description": "Self-signed certificates are automatically generated by Update Manager during the installation process, are not signed by a commercial CA, and do not provide strong security. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks.",
"fixid": "F-VCENTER-000014_fix",
"fixtext": "To replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA, perform the following steps: Begin by backing up the existing Update Manager certificates. Copy the new certificate files (rui.crt, rui.key, and rui.pfx) to the Update Manager SSL directory where Update Manager is installed. The default directory is C:\\Program Files\\VMware\\Infrastructure\\Update Manager\\SSL. Stop the VMware vSphere Update Manager service. Change to the Update Manager installation directory. Run the file VMwareUpdateManagerUtility.exe. In the Options pane, click SSL Certificate. In the Configuration pane, select \"Followed and verified the steps\" and click Apply. After the operation completes, restart the VMware vSphere Update Manager service.",
"iacontrols": null,
"id": "VCENTER-000014",
"ruleID": "VCENTER-000014_rule",
"severity": "medium",
"title": "The system's Update Manager must not use default self-signed certificates.",
"version": "VCENTER-000014"
},
"VCENTER-000015": {
"checkid": "C-VCENTER-000015_chk",
"checktext": "To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of expired certificates.\n\nIf a procedure does not exist and/or expired certificates are found, this is a finding.",
"description": "If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
"fixid": "F-VCENTER-000015_fix",
"fixtext": "If a site procedure to ensure the monitoring and removal of expired certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of expired certificates. Remove all expired certificates.",
"iacontrols": null,
"id": "VCENTER-000015",
"ruleID": "VCENTER-000015_rule",
"severity": "medium",
"title": "Expired certificates must be removed from the vCenter Server.",
"version": "VCENTER-000015"
},
"VCENTER-000016": {
"checkid": "C-VCENTER-000016_chk",
"checktext": "If at any time a vCenter Server installation fails, only the log files of format \"hs_err_pid....\" should be identified on the Windows host and deleted securely before putting the host into production. Determine if a site policy exists for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format \"hs_err_pid\".\n\nIf a file name of the format \"hs_err_pid\" is found, this is a finding.\n\nIf a site policy does not exist and/or is not followed, this is a finding.",
"description": "If the vCenter installation fails, a log file (with a name of the form \"hs_err_pidXXXX\") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.",
"fixid": "F-VCENTER-000016_fix",
"fixtext": "Develop a site policy for handling failed installation cleanup of the Windows host prior to deployment. Using the Windows host search function, determine the existence of any log files of format \"hs_err_pid\" and remove them.",
"iacontrols": null,
"id": "VCENTER-000016",
"ruleID": "VCENTER-000016_rule",
"severity": "medium",
"title": "Log files must be cleaned up after failed installations of the vCenter Server.",
"version": "VCENTER-000016"
},
"VCENTER-000017": {
"checkid": "C-VCENTER-000017_chk",
"checktext": "To check the status of SSL certificates on vCenter Server, open the vSphere Client and connect to the vCenter Server and log in. In the Security Warning dialog, click View Certificate and check the Valid from mm/dd/yy to mm/dd/yy field for the expiry information. Click OK. If unable to determine the certificate status from the certificate details, ask the SA if there is a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host. Use this procedure to check the vCenter Server/host for the presence of revoked certificates.\n\nIf a procedure does not exist and/or revoked certificates are found, this is a finding.",
"description": "If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
"fixid": "F-VCENTER-000017_fix",
"fixtext": "If a site procedure to ensure the monitoring and removal of revoked certificates from the vCenter Server Windows host does not exist, create one. Check the vCenter Server/host for the presence of revoked certificates. Remove all revoked certificates.",
"iacontrols": null,
"id": "VCENTER-000017",
"ruleID": "VCENTER-000017_rule",
"severity": "medium",
"title": "Revoked certificates must be removed from the vCenter Server.",
"version": "VCENTER-000017"
},
"VCENTER-000018": {
"checkid": "C-VCENTER-000018_chk",
"checktext": "Check the permissions assigned in vSphere. Verify that a non-Windows administrative user account is used to manage vCenter. Ensure the user does not belong to any local groups, such as administrator. \n\nIf a Windows administrative account is used to manage vCenter, this is a finding. \n\nIf the account used to manage vCenter belongs to a local Windows or administrative group, this is a finding.",
"description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.",
"fixid": "F-VCENTER-000018_fix",
"fixtext": "Ensure \"Administrator\" or any other account or group does not have any privileges except users created as follows: \nCreate an ordinary user account that will be used to manage vCenter (example vi-admin). \nMake sure the user does not belong to any local groups, such as administrator. \n On the top-level hosts and clusters context, log onto vCenter as the Windows administrator; then grant the role of administrator (global vCenter administrator) to the created account. \nLog out of vCenter and log into vCenter with the account created. Verify user is able to perform all tasks available to a vCenter administrator. \nRemove the permissions in the vCenter for the local administrator group.",
"iacontrols": null,
"id": "VCENTER-000018",
"ruleID": "VCENTER-000018_rule",
"severity": "medium",
"title": "The vSphere Administrator role must be secured and assigned to specific users.",
"version": "VCENTER-000018"
},
"VCENTER-000019": {
"checkid": "C-VCENTER-000019_chk",
"checktext": "Check that the Windows file permissions on the SSL certificate directory and files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Verify the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The default location for the vCenter SSL certificates is C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL and for the Inventory Service SSL certificate is C:\\Program Files\\VMware\\Infrastructure\\Inventory Service\\ssl.\n\nIf the SSL certificate directory/files are not set so that only the vCenter service account and authorized vCenter Server Administrators can access them, this is a finding.",
"description": "The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.",
"fixid": "F-VCENTER-000019_fix",
"fixtext": "Ensure the Windows file permissions on the SSL certificate directory and files are set so only the vCenter service account and authorized vCenter Server Administrators can access them. Ensure the directory and all files within are only accessible to the service user (System) and authorized vCenter Server administrators. The default location for the vCenter SSL certificates is C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL and for the Inventory Service SSL certificate is C:\\Program Files\\VMware\\Infrastructure\\Inventory Service\\ssl.\n\n",
"iacontrols": null,
"id": "VCENTER-000019",
"ruleID": "VCENTER-000019_rule",
"severity": "medium",
"title": "Access to SSL certificates must be restricted.",
"version": "VCENTER-000019"
},
"VCENTER-000020": {
"checkid": "C-VCENTER-000020_chk",
"checktext": "Check that a role is used to manage the vCenter Server without the Guest Access Control (example \"Administrator No Guest Access\"), and that this role is assigned to administrators who should not have Guest file and program interaction privileges. \n\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify that a role exists for administrators with Guest access removed. \nRight click on the role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" the \"Guest Operations\" checkbox is unchecked. \nVerify users requiring Administrator privileges without Guest access privileges are assigned to that role and not the default Administrator role.\n\nAsk the SA for a list of users that require administrator privileges without Guest access privileges and verify their role assignments.\n\nIf users requiring administrator privileges without Guest access privileges are assigned to the default Administrator role, this is a finding.\n\n",
"description": "By default, vCenter Server \"Administrator\" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.",
"fixid": "F-VCENTER-000020_fix",
"fixtext": "Create a role to manage vCenter without the Guest Access Control (example \"Administrator No Guest Access\"), and ensure that this role is assigned to administrators who should not have Guest file and program interaction privileges. \n\nLog into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. \nGo to \"Home>> Administration>> Roles\" and verify a role exists for administrators with Guest access removed. \nRight click on the role name and select \"Edit\". Verify under \"All Privileges>> Virtual Machines\" the \"Guest Operations\" checkbox is unchecked. \nCreate account(s) requiring administrator privileges without Guest access privileges.",
"iacontrols": null,
"id": "VCENTER-000020",
"ruleID": "VCENTER-000020_rule",
"severity": "medium",
"title": "The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.",
"version": "VCENTER-000020"
},
"VCENTER-000021": {
"checkid": "C-VCENTER-000021_chk",
"checktext": "Verify that no client operating system connecting to the vCenter Server is Linux-based.\n\nIf any client operating system connecting to the vCenter Server is Linux-based, this is a finding.\n\n",
"description": "Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks.",
"fixid": "F-VCENTER-000021_fix",
"fixtext": "Replace all Linux-based clients connecting to the vCenter Server with non-Linux-based clients.\n\n",
"iacontrols": null,
"id": "VCENTER-000021",
"ruleID": "VCENTER-000021_rule",
"severity": "low",
"title": "The use of Linux-based clients must be restricted.",
"version": "VCENTER-000021"
},
"VCENTER-000022": {
"checkid": "C-VCENTER-000022_chk",
"checktext": "The vCenter Server must be protected by a network and/or local firewall on the vCenter Server Windows system. This protection must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.\n\nIf the vCenter Server Windows system is not protected by a network and/or local firewall, this is a finding.",
"description": "Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.",
"fixid": "F-VCENTER-000022_fix",
"fixtext": "The vCenter Server Windows system must be protected by utilizing a network and/or local firewall. Install the vCenter Server Windows system behind the firewall and/or install a firewall application on the Windows system. Firewall protections must include IP-based access restrictions, enabling only necessary components to communicate with the vCenter Server system.",
"iacontrols": null,
"id": "VCENTER-000022",
"ruleID": "VCENTER-000022_rule",
"severity": "low",
"title": "Network access to the vCenter Server system must be restricted.",
"version": "VCENTER-000022"
},
"VCENTER-000023": {
"checkid": "C-VCENTER-000023_chk",
"checktext": "Verify only the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server, are assigned. \n\nGrant the following permissions to the vCenter user in the vCenter database.\nGRANT ALTER ON SCHEMA :: <schema> to <user>;\nGRANT REFERENCES ON SCHEMA :: <schema> to <user>;\nGRANT INSERT ON SCHEMA :: <schema> to <user>;\nGRANT CREATE TABLE to <user>;\nGRANT CREATE VIEW to <user>;\nGRANT CREATE Procedure to <user>;\n\nGrant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.\nGRANT SELECT on msdb.dbo.syscategories to <user>;\nGRANT SELECT on msdb.dbo.sysjobsteps to <user>;\nGRANT SELECT ON msdb.dbo.sysjobs to <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>;\n\nFor Oracle, either assign the DBA role or grant the following permissions to the user.\ngrant connect to <user>\ngrant resource to <user>\ngrant create view to <user>\ngrant create materialized view to <user>\ngrant execute on dbms_job to <user>\ngrant execute on dbms_lock to <user>\ngrant unlimited tablespace to <user>\n\nIf the above permissions are not strictly adhered to, this is a finding.",
"description": "Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.",
"fixid": "F-VCENTER-000023_fix",
"fixtext": "Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server as noted below. \n\nGrant the following permissions to the vCenter user in the vCenter database:\nGRANT ALTER ON SCHEMA :: <schema> to <user>;\nGRANT REFERENCES ON SCHEMA :: <schema> to <user>;\nGRANT INSERT ON SCHEMA :: <schema> to <user>;\nGRANT CREATE TABLE to <user>;\nGRANT CREATE VIEW to <user>;\nGRANT CREATE Procedure to <user>;\n\nGrant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.\nGRANT SELECT on msdb.dbo.syscategories to <user>;\nGRANT SELECT on msdb.dbo.sysjobsteps to <user>;\nGRANT SELECT ON msdb.dbo.sysjobs to <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>;\nGRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>;\n\nFor Oracle, either assign the DBA role or grant the following permissions to the user.\ngrant connect to <user>\ngrant resource to <user>\ngrant create view to <user>\ngrant create materialized view to <user>\ngrant execute on dbms_job to <user>\ngrant execute on dbms_lock to <user>\ngrant unlimited tablespace to <user>",
"iacontrols": null,
"id": "VCENTER-000023",
"ruleID": "VCENTER-000023_rule",
"severity": "medium",
"title": "A least-privileges assignment must be used for the vCenter Server database user.",
"version": "VCENTER-000023"
},
"VCENTER-000024": {
"checkid": "C-VCENTER-000024_chk",
"checktext": "Verify only the following permissions are allowed to the VUM DB user after installation.\n\nFor Oracle DB normal operation, only the following permissions are required. \ncreate session\ncreate any table\ndrop any table\n\nFor SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database.\n\nNote: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.\n\nIf the above vendor database-dependent permissions are not strictly adhered to, this is a finding.",
"description": "Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.",
"fixid": "F-VCENTER-000024_fix",
"fixtext": "For Oracle DB normal runtime operation, set the following permissions. \ncreate session\ncreate any table\ndrop any table\n\nFor SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database.\n\nNote: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.",
"iacontrols": null,
"id": "VCENTER-000024",
"ruleID": "VCENTER-000024_rule",
"severity": "medium",
"title": "A least-privileges assignment must be used for the Update Manager database user.",
"version": "VCENTER-000024"
},
"VCENTER-000027": {
"checkid": "C-VCENTER-000027_chk",
"checktext": "On each Windows computer with the vSphere Client installed, verify:\nA 15 minute (maximum) timeout is set in the VpxClient.exe.config file:\nLocate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, verify the setting X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. \n\nVerify the timeout that the vSphere Client executable is started with is an execution flag:\nLocate the vSphere Client executable icon on the desktop, right click, and select properties. Verify the presence of \"-inactivityTimeout 15\" in the command.\n\nIf either of the above methods are invoked and the timeout interval exceeds 15 minutes, this is a finding.",
"description": "An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.",
"fixid": "F-VCENTER-000027_fix",
"fixtext": "On each Windows computer with the vSphere Client installed:\nSet a 15 minute (maximum) timeout in the VpxClient.exe.config file:\nLocate the VpxClient.exe.config file using the Windows OS search facility. Next, right click on VpxClient.exe.config and edit the file using an editor, such as Notepad. In the ... section, modify the X where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server. Exit, saving the file.\n\nSet a 15 minute (maximum) timeout execution flag when starting the vSphere Client executable:\nLocate the vSphere Client executable icon on the desktop, right click, and select properties. Add \"-inactivityTimeout X\", where X is the (maximum=15) number of minutes before the vSphere Client will automatically disconnect from the server.",
"iacontrols": null,
"id": "VCENTER-000027",
"ruleID": "VCENTER-000027_rule",
"severity": "medium",
"title": "The system must set a timeout for all thick-client logins without activity.",
"version": "VCENTER-000027"
},
"VCENTER-000028": {
"checkid": "C-VCENTER-000028_chk",
"checktext": "VMware vSphere documentation is extensive and therefore cannot be duplicated here for all possible combinations. VMware's website \"www.vmware.com\" maintains a section \"VMware vSphere Documentation\", where all of this information is readily available in HTML and PDF formats. OS and databases currently supported by vCenter Server include: Windows server 2008 and later, Oracle 10g R2 and later, Microsoft SQL Server 2008 and later, and Microsoft SQL Server 2008 R2 Express and later.\n\nVerify vCenter Server is running on supported:\nOS - For vCenter Server OS compatibility, select the latest version of the \"vCenter Server and Host Management Guide\", and view vSphere Installation and Setup >> System Requirements >> vCenter Server Software Requirements.\nHardware - For vCenter Server OS compatibility, select the latest version of the \"vCenter Server and Host Management Guide\", and view vSphere Installation and Setup >> System Requirements >> ESXi Hardware Requirements.\nDatabase - For vCenter Server OS compatibility, select the latest version of the \"vCenter Server and Host Management Guide\", and view vSphere Installation and Setup >> System Requirements >> vCenter Server Software Requirements.\n\nIf the vCenter Server is running while using an unsupported Operating System, hardware platform or database application, this is a finding.",
"description": "The VMware vCenter Server is a Windows-based OS application and must reside on a supported version of Windows.",
"fixid": "F-VCENTER-000028_fix",
"fixtext": "Using the latest vendor documentation as a guide, migrate the Vmware vCenter Server to a supported hardware, Operating System, and database architecture.",
"iacontrols": null,
"id": "VCENTER-000028",
"ruleID": "VCENTER-000028_rule",
"severity": "high",
"title": "The supported operating system, database, and hardware for the vCenter Server must all be maintained.",
"version": "VCENTER-000028"
},
"VCENTER-000029": {
"checkid": "C-VCENTER-000029_chk",
"checktext": "Verify the vSphere Client used by administrators includes only authorized extensions from trusted sources:\nFrom the vSphere Client, \"Plug-ins>> Manage Plug-ins\" and click the Installed Plug-ins tab. View the Installed/Available Plug-ins list and verify they are all identified as authorized VMware, 3rd party (Partner) and/or site-specific (locally developed and site) approved plug-ins.\n\nIf any Installed/Available plug-ins in the viewable list cannot be verified as vSphere Client plug-ins and/or authorized extensions from trusted sources, this is a finding.",
"description": "The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.",
"fixid": "F-VCENTER-000029_fix",
"fixtext": "Disable/remove all listed plug-ins that cannot be verified as distributed from trusted sources:\nFrom the vSphere client, connect to the vCenter server.\nOn the menu bar, go to \"Plug-ins >> Manage Plug-ins\".\nUnder Installed Plug-ins, right-click the plug-in of choice and select Disable.",
"iacontrols": null,
"id": "VCENTER-000029",
"ruleID": "VCENTER-000029_rule",
"severity": "medium",
"title": "vSphere Client plugins must be verified.",
"version": "VCENTER-000029"
},
"VCENTER-000030": {
"checkid": "C-VCENTER-000030_chk",
"checktext": "When connecting to the vCenter Server, vSphere Client users must never ignore certificate verification warnings. The message box that appears when certificate verification issues a certificate warning \"may\" be ignored by the user, however, this is a clear warning of certificate verification issues. Lack of the message box is an indication that the certificate is from a trusted source.\n\nIf a vCenter Server certificate cannot be verified by a trusted third party database, this is a finding.",
"description": "Without certificate verification, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system. When connecting to vCenter Server using vSphere Client, the client must check if the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further before proceeding.",
"fixid": "F-VCENTER-000030_fix",
"fixtext": "Check the vCenter Server/host for the presence of expired/revoked certificates. If found, remove all expired/revoked certificates. Example: The default path in 64-bit Windows is C:\\Program Files (x86)\\VMware\\Infrastructure\\Update Manager\\SSL. Back up the files rui.crt, rui.key, and rui.pfx, located in the C:\\Program Files (x86)\\VMware\\Infrastructure\\Update Manager\\SSL folder and delete the files. These files will need to be recreated for new/updated certificates.",
"iacontrols": null,
"id": "VCENTER-000030",
"ruleID": "VCENTER-000030_rule",
"severity": "medium",
"title": "The system must always verify SSL certificates.",
"version": "VCENTER-000030"
},
"VCENTER-000031": {
"checkid": "C-VCENTER-000031_chk",
"checktext": "Ask the SA if domain administrators have administrative rights to the vSphere administrator account have been removed, if administrative rights have been removed from the local Windows administrator account and if a special-purpose, local vSphere administrator account for creating individual user accounts has been created.\n \nIf domain administrators have administrative rights to the vSphere administrator account, this is a finding.\n \nIf administrative rights have not been removed from the local Windows administrator account, this is a finding.\n \nIf a special-purpose, local vSphere administrator account for creating individual user accounts has not been created, this is a finding.",
"description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.",
"fixid": "F-VCENTER-000031_fix",
"fixtext": "Remove all domain administrator, administrative rights to the vSphere administrator account.\nRemove all administrative rights to the vSphere administrator account from the local Windows administrator account.\nCreate a special-purpose, local vSphere administrator account for creating individual user accounts.",
"iacontrols": null,
"id": "VCENTER-000031",
"ruleID": "VCENTER-000031_rule",
"severity": "high",
"title": "The vSphere Administrator role must be secured by assignment to specific user(s).",
"version": "VCENTER-000031"
},
"VCENTER-000032": {
"checkid": "C-VCENTER-000032_chk",
"checktext": "Ask the SA if self-signed certificates on the vCenter Server have been changed to certificates from a trusted certification authority. \nAlternatively, use the vSphere Client from a remote system to log into the vCenter Server. If a certificate warning dialog box appears, a valid certificate from a trusted certification authority is not used, and this is a finding.",
"description": "Self-signed certificates, automatically generated by vCenter Server during the installation process, are not signed by a commercial CA, and might not provide strong security. Default self-signed certificates must be replaced with those from a trusted certification authority.",
"fixid": "F-VCENTER-000032_fix",
"fixtext": "Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA.",
"iacontrols": null,
"id": "VCENTER-000032",
"ruleID": "VCENTER-000032_rule",
"severity": "medium",
"title": "Default self-signed certificates must not be used by the vCenter Server.",
"version": "VCENTER-000032"
},
"VCENTER-000033": {
"checkid": "C-VCENTER-000033_chk",
"checktext": "Verify there is a Web proxy between Update Manager and the Internet. Check the proxy settings for Update Manager to ensure correct configuration. \n\nTo verify proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings.\nIn the Proxy Settings pane, select properties and view the proxy information.\n\nIf a web proxy between Update Manager and the Internet is not configured, this is a finding.",
"description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. This connection must be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
"fixid": "F-VCENTER-000033_fix",
"fixtext": "To configure proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select Use proxy and change the proxy information. Optional: If the proxy requires authentication, select Proxy requires authentication and provide a user name and password. Optional: Click Test Connection at any time to test a connection to the Internet through the proxy is possible. Click Apply.",
"iacontrols": null,
"id": "VCENTER-000033",
"ruleID": "VCENTER-000033_rule",
"severity": "medium",
"title": "The connectivity between Update Manager and public patch repositories must be limited.",
"version": "VCENTER-000033"
},
"VCENTER-000034": {
"checkid": "C-VCENTER-000034_chk",
"checktext": "Verify the Update Manager download source is not the Internet. \n\nTo verify download settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings. In the Download Sources pane, verify \"Direct connection to Internet\" is not selected.\n\nIf \"Direct connection to Internet\" is configured, this is a finding.",
"description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. This connection must be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
"fixid": "F-VCENTER-000034_fix",
"fixtext": "To configure a Web server or local disk repository as a download source, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications.\n\nOn the Configuration tab, under Settings, click Download Settings.\nIn the Download Sources pane, select Use a shared repository.\nEnter the path or the URL to the shared repository.\nClick Validate URL to validate the path.\nClick Apply.",
"iacontrols": null,
"id": "VCENTER-000034",
"ruleID": "VCENTER-000034_rule",
"severity": "medium",
"title": "The connectivity between Update Manager and public patch repositories must be limited.",
"version": "VCENTER-000034"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"VCENTER-000003": "true",
"VCENTER-000004": "true",
"VCENTER-000005": "true",
"VCENTER-000006": "true",
"VCENTER-000007": "true",
"VCENTER-000008": "true",
"VCENTER-000009": "true",
"VCENTER-000012": "true",
"VCENTER-000013": "true",
"VCENTER-000014": "true",
"VCENTER-000015": "true",
"VCENTER-000016": "true",
"VCENTER-000017": "true",
"VCENTER-000018": "true",
"VCENTER-000019": "true",
"VCENTER-000020": "true",
"VCENTER-000021": "true",
"VCENTER-000022": "true",
"VCENTER-000023": "true",
"VCENTER-000024": "true",
"VCENTER-000027": "true",
"VCENTER-000028": "true",
"VCENTER-000029": "true",
"VCENTER-000030": "true",
"VCENTER-000031": "true",
"VCENTER-000032": "true",
"VCENTER-000033": "true",
"VCENTER-000034": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "vmware_vcenter_server",
"title": "VMware vCenter Server Security Technical Implementation Guide",
"version": "1"
}
}