STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021

The ESXi host must enable kernel core dumps.

DISA Rule

SV-239299r674826_rule

Vulnerability Number

V-239299

Group Title

SRG-OS-000269-VMM-000950

Rule Version

ESXI-67-000044

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, select the ESXi host and right-click. Select the "Add Diagnostic Partition" option to configure a core dump diagnostic partition.

or

From a PowerCLI command prompt while connected to the ESXi host, run at least one of the following sets of commands:

To configure a core dump partition:

$esxcli = Get-EsxCli -v2
#View available partitions to configure
$esxcli.system.coredump.partition.list.Invoke()
$arguments = $esxcli.system.coredump.partition.set.CreateArgs()
$arguments.partition = "<NAA ID of target partition from output listed previously>"
$esxcli.system.coredump.partition.set.Invoke($arguments)
#The partition cannot be set and enabled in the same call, so enable it in a second call
$arguments = $esxcli.system.coredump.partition.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.coredump.partition.set.Invoke($arguments)

To configure a core dump collector:

$esxcli = Get-EsxCli -v2
#Point the network core dump collector at the target vmkernel port and collector endpoint
$arguments = $esxcli.system.coredump.network.set.CreateArgs()
$arguments.interfacename = "<vmkernel port to use>"
$arguments.serverip = "<collector IP>"
$arguments.serverport = "<collector port>"
$esxcli.system.coredump.network.set.Invoke($arguments)
#As with the partition, the collector is configured and enabled in separate calls
$arguments = $esxcli.system.coredump.network.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.coredump.network.set.Invoke($arguments)

Check Contents

From the vSphere Client, select the ESXi host and right-click.

If the "Add Diagnostic Partition" option is greyed out, core dumps are configured.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$esxcli.system.coredump.partition.get.Invoke()
$esxcli.system.coredump.network.get.Invoke()

The first command prepares for the other two. The second command shows whether an active core dump partition is configured. The third command shows whether a network core dump collector is configured and enabled via the "HostVNic", "NetworkServerIP", "NetworkServerPort", and "Enabled" variables.

If there is no active core dump partition or the network core dump collector is not configured and enabled, this is a finding.
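The check above can be scripted across an inventory so that hosts lacking both an active dump partition and an enabled network collector are listed as findings. The PowerCLI script below is an added example, not part of the STIG text or of VMware's tooling. It assumes PowerCLI is loaded and Connect-VIServer has already been run, and that the V2 esxcli results expose the partition.get fields as "Active" and "Configured" and the network.get fields as "Enabled", "HostVNic", "NetworkServerIP" and "NetworkServerPort" properties (the latter names are those quoted in the check text; the partition names are an assumption based on the esxcli output). The evaluation logic is kept in a separate function so it can be exercised offline with constructed objects before being pointed at real hosts.

```powershell
# Added example (not from the STIG or VMware): evaluate ESXI-67-000044 per host.
# Assumptions: PowerCLI loaded, Connect-VIServer done; esxcli V2 result property
# names as described in the lead-in.

function Test-CoreDumpConfig {
    # Pure evaluation of the two esxcli results; no host connection required.
    param(
        [Parameter(Mandatory)] $Partition,   # result of system.coredump.partition.get
        [Parameter(Mandatory)] $Network      # result of system.coredump.network.get
    )
    # A partition satisfies the rule only if one is *active*, not merely configured.
    $partitionActive = -not [string]::IsNullOrWhiteSpace($Partition.Active)
    # esxcli returns Enabled as the string "true"/"false"; -eq is case-insensitive.
    $networkEnabled  = ("$($Network.Enabled)" -eq 'true') -and
                       -not [string]::IsNullOrWhiteSpace($Network.NetworkServerIP) -and
                       -not [string]::IsNullOrWhiteSpace($Network.HostVNic)
    [pscustomobject]@{
        PartitionActive = $partitionActive
        NetworkEnabled  = $networkEnabled
        # Either mechanism satisfies the rule; neither present means a finding.
        Finding         = -not ($partitionActive -or $networkEnabled)
    }
}

function Get-CoreDumpFinding {
    # Wraps the pure check with the live esxcli calls from the STIG check text.
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        $esxcli = Get-EsxCli -VMHost $VMHost -V2
        $result = Test-CoreDumpConfig `
            -Partition ($esxcli.system.coredump.partition.get.Invoke()) `
            -Network   ($esxcli.system.coredump.network.get.Invoke())
        [pscustomobject]@{
            VMHost          = $VMHost.Name
            Rule            = 'ESXI-67-000044'
            PartitionActive = $result.PartitionActive
            NetworkEnabled  = $result.NetworkEnabled
            Finding         = $result.Finding
        }
    }
}

# Offline demonstration with constructed inputs (sample values, no host needed).
$noPartition  = [pscustomobject]@{ Active = ''; Configured = '' }
$collectorOn  = [pscustomobject]@{ Enabled = 'true';  HostVNic = 'vmk0'; NetworkServerIP = '192.0.2.10'; NetworkServerPort = '6500' }
$collectorOff = [pscustomobject]@{ Enabled = 'false'; HostVNic = '';     NetworkServerIP = '';           NetworkServerPort = '6500' }
Test-CoreDumpConfig -Partition $noPartition -Network $collectorOn
Test-CoreDumpConfig -Partition $noPartition -Network $collectorOff

# Against live inventory (after Connect-VIServer):
# Get-VMHost | Get-CoreDumpFinding | Where-Object Finding | Format-Table
```

The constructed objects show the two boundary cases the check text calls out: a collector that is configured and enabled clears the rule even with no dump partition, while a collector that is configured but not enabled does not. Treat a dump partition as compliant only when the "Active" field is populated; a configured-but-inactive partition would still be a finding under the check wording.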

Vulnerability Number

V-239299

Documentable

False

Rule Version

ESXI-67-000044

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

5326

Comments