The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258937 | VCSA-80-000270 | SV-258937r934469_rule | CCI-000366 | medium |
| Description | ||||
| When promiscuous mode is enabled for a virtual switch, all virtual machines connected to the port group have the potential of reading all packets across that network, meaning only the virtual machines connected to that port group. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258937r934469_chk)
If distributed switches are not used, this is not applicable.
From the vSphere Client, go to "Networking".
Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies.
Verify "Promiscuous Mode" is set to "Reject".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy
If the "Promiscuous Mode" policy is set to accept, this is a finding.
Fix Text (F-62586r934468_fix)
From the vSphere Client, go to "Networking".
Select a distributed switch >> Select a port group >> Configure >> Settings >> Policies.
Click "Edit".
Click the "Security" tab.
Set "Promiscuous Mode" to "Reject".
Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following commands:
Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false
Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false