STIGQter STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.

DISA Rule

SV-243094r719525_rule

Vulnerability Number

V-243094

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Update Manager Server to use a separate Update Manager Download Server; the use of physical media to transfer updated files to the Update Manager server (air gap model) must be enforced and documented with organization policies.

Configure the Update Manager Download Server and enable the Download Service. Patches must not be directly accessible to the Update Manager Server application from the internet.

To configure a web server or local disk repository as a download source (i.e., "Direct connection to Internet" must not be selected as the source), from the vSphere Client/vCenter Server system, click "Update Manager" under "Solutions and Applications".

On the "Configuration" tab, under "Settings", click "Download Settings".

In the "Download Sources" pane, select "Use a shared repository".

Enter the <site-specific> path or the URL to the shared repository.

Click "Validate URL" to validate the path.

Click "Apply".

Check Contents

Check the following conditions:

1. The Update Manager must be configured to use the Update Manager Download Server.

2. The use of physical media to transfer update files to the Update Manager server (air gap model example: separate Update Manager Download Server, which may source vendor patches externally via the internet versus an internal, organization-defined source) must be enforced with site policies.

From the vSphere Client, click Update Manager >> Settings >> Administrative Settings >> Patch Setup and click the "Change Download Source" button.

Verify that the "Download patches from a UMDS shared repository" radio button is selected and that a valid UMDS repository is supplied.

If "Direct connection to Internet" is configured, this is a finding.

If all of the above conditions are not met, this is a finding.

Vulnerability Number

V-243094

Documentable

False

Rule Version

VCTR-67-000031

Severity Override Guidance

Check the following conditions:

1. The Update Manager must be configured to use the Update Manager Download Server.

2. The use of physical media to transfer update files to the Update Manager server (air gap model example: separate Update Manager Download Server, which may source vendor patches externally via the internet versus an internal, organization-defined source) must be enforced with site policies.

From the vSphere Client, click Update Manager >> Settings >> Administrative Settings >> Patch Setup and click the "Change Download Source" button.

Verify that the "Download patches from a UMDS shared repository" radio button is selected and that a valid UMDS repository is supplied.

If "Direct connection to Internet" is configured, this is a finding.

If all of the above conditions are not met, this is a finding.

Check Content Reference

M

Target Key

5399

Comments