STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021

All ESXi host-connected physical switch ports must be configured with spanning tree disabled.

DISA Rule

SV-239321r674892_rule

Vulnerability Number

V-239321

Group Title

SRG-OS-000480-VMM-002000

Rule Version

ESXI-67-000067

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Note that this check refers to an entity outside the scope of the ESXi server system.

Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts.

Log in to the physical switch(es) and, for every port connected to an ESXi host, disable spanning tree protocol on that port and/or configure it as a portfast (edge) port. Apply this per port rather than switch-wide: ESXi virtual switches do not participate in spanning tree and do not forward frames between their uplinks, so an ESXi-facing port behaves as an edge port, whereas disabling spanning tree on the whole switch removes loop protection from every other port.

Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.

Check Contents

Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.

Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches.

Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.

If any physical port connected to an ESXi host has spanning tree protocol enabled without portfast configured, this is a finding.
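The fix and check above are documentation-and-inspection steps against the upstream switch. As an added example (not part of the STIG or of STIGQter), the script below automates the "log in to the switch and verify" step over a saved running-config: it parses Cisco IOS-style interface blocks, picks out the ESXi-facing ports, and reports whether spanning tree is effectively disabled on each one. The IOS command syntax, the port-selection rule (a caller-supplied list, or "ESXi" in the port description) and the sample configuration are all assumptions constructed for illustration. The example also covers one edge case a manual check tends to miss: on a trunk port, `spanning-tree portfast` without the `trunk` keyword is accepted by IOS but has no effect, so it is reported as a finding.

```python
"""Audit ESXi-facing switch ports for portfast / spanning-tree disablement.
Added example for ESXI-67-000067; assumes Cisco IOS-style syntax."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not from any real switch).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
!
interface GigabitEthernet1/0/1
 description ESXi01 vmnic0
 switchport mode trunk
 spanning-tree portfast edge trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description ESXi01 vmnic1
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description ESXi02 vmnic0
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description ESXi02 mgmt vmnic2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""

@dataclass
class Interface:
    name: str
    description: str = ""
    trunk: bool = False                      # set only by 'switchport mode trunk'
    lines: List[str] = field(default_factory=list)

@dataclass
class PortResult:
    compliant: bool
    reason: str

def parse_ios_config(text: str):
    """Split an IOS-style config into global lines and interface blocks."""
    global_lines: List[str] = []
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):  # '!' terminates a block
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = Interface(name=m.group(1))
            interfaces.append(current)
            continue
        if current is not None and raw.startswith(" "):
            item = line.strip()
            current.lines.append(item)
            if item.startswith("description "):
                current.description = item[len("description "):]
            elif item == "switchport mode trunk":
                current.trunk = True
            continue
        current = None
        global_lines.append(line.strip())
    return global_lines, interfaces

_PF_ACCESS = re.compile(r"^spanning-tree portfast(?: edge)?$")
_PF_TRUNK = re.compile(r"^spanning-tree portfast(?: edge)? trunk$")
_PF_GLOBAL_DEFAULT = re.compile(r"^spanning-tree portfast(?: edge)? default$")

def evaluate_port(iface: Interface, global_lines: List[str]) -> PortResult:
    """Decide whether STP is effectively disabled (edge/portfast) on one port."""
    lines = iface.lines
    if "spanning-tree bpdufilter enable" in lines:
        return PortResult(True, "STP disabled on port (bpdufilter enable)")
    if iface.trunk:
        if any(_PF_TRUNK.match(l) for l in lines):
            return PortResult(True, "portfast (edge) trunk configured")
        if any(_PF_ACCESS.match(l) for l in lines):
            # IOS accepts this on a trunk port but it takes no effect there.
            return PortResult(False, "portfast lacks 'trunk' keyword on trunk port: ineffective")
        return PortResult(False, "trunk port without portfast trunk")
    if "no spanning-tree portfast" in lines:
        return PortResult(False, "portfast explicitly disabled on port")
    if any(_PF_ACCESS.match(l) for l in lines):
        return PortResult(True, "portfast configured on access port")
    if any(_PF_GLOBAL_DEFAULT.match(l) for l in global_lines):
        return PortResult(True, "access port covered by global portfast default")
    return PortResult(False, "access port without portfast")

def audit(config_text: str, esxi_ports: Optional[List[str]] = None) -> Dict[str, PortResult]:
    """Evaluate ESXi-facing ports: an explicit name list, else 'ESXi' in description."""
    global_lines, interfaces = parse_ios_config(config_text)
    results: Dict[str, PortResult] = {}
    for iface in interfaces:
        if esxi_ports is not None:
            if iface.name not in esxi_ports:
                continue
        elif "esxi" not in iface.description.lower():
            continue
        results[iface.name] = evaluate_port(iface, global_lines)
    return results

def findings(config_text: str, esxi_ports: Optional[List[str]] = None) -> List[str]:
    """Names of ESXi-facing ports that would be a finding under this rule."""
    return [n for n, r in audit(config_text, esxi_ports).items() if not r.compliant]

if __name__ == "__main__":
    for name, res in audit(SAMPLE_CONFIG).items():
        print(f"{name:24s} {'OK     ' if res.compliant else 'FINDING'} {res.reason}")
```

Feed the script the output of `show running-config` saved to a file, and pass the ESXi-facing interface names explicitly when port descriptions are not reliable. Keep the report alongside the documentation the rule requires, and re-run it whenever hosts or switches change.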

Vulnerability Number

V-239321

Documentable

False

Rule Version

ESXI-67-000067

Severity Override Guidance

Note that this check refers to an entity outside the physical scope of the ESXi server system. The configuration of upstream physical switches must be documented to ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.

Inspect the documentation and verify that the documentation is updated according to an organization-defined frequency and/or whenever modifications are made to either ESXi hosts or the upstream physical switches.

Alternatively, log in to the physical switch and verify that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.

If any physical port connected to an ESXi host has spanning tree protocol enabled without portfast configured, this is a finding.

Check Content Reference

M

Target Key

5326

Comments