STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The vCenter Server must disable the distributed virtual switch health check.

DISA Rule

SV-243081r719486_rule

Vulnerability Number

V-243081

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000012

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> Health Check.

Click the edit button and disable the "VLAN and MTU" and "Teaming and failover" checks.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}

Check Contents

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> Health Check.

View the health check pane and verify that the "VLAN and MTU" and "Teaming and failover" checks are disabled.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig

If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.

Vulnerability Number

V-243081

Documentable

False

Rule Version

VCTR-67-000012

Severity Override Guidance

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> Health Check.

View the health check pane and verify that the "VLAN and MTU" and "Teaming and failover" checks are disabled.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$vds = Get-VDSwitch
$vds.ExtensionData.Config.HealthCheckConfig

If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.

Check Content Reference

M

Target Key

5399

Comments