STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 09 Mar 2021

The vCenter Server must configure the vSAN Datastore name to a unique name.

DISA Rule

SV-243111r719576_rule

Vulnerability Number

V-243111

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000055

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, go to Hosts and Clusters >> select a vSAN Enabled Cluster >> Datastores.

Right-click on the datastore named "vsanDatastore" and select "Rename".

Rename the datastore based on site-specific naming standards.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

# Requires an active PowerCLI connection to the vCenter server
if ($(Get-Cluster | Where-Object {$_.VsanEnabled} | Measure-Object).Count -gt 0) {
    Write-Host "vSAN Enabled Cluster found"
    $clusters = Get-Cluster | Where-Object {$_.VsanEnabled}
    # Rename each cluster's vSAN datastore to "<cluster name>_vSAN_Datastore"
    foreach ($clus in $clusters) {
        $clus | Get-Datastore | Where-Object {$_.Type -match "vsan"} | Set-Datastore -Name $(($clus.Name) + "_vSAN_Datastore")
    }
}
else {
    Write-Host "vSAN is not enabled, this finding is not applicable"
}

Check Contents

If no clusters are enabled for vSAN, this is not applicable.

From the vSphere Client, go to Hosts and Clusters >> select a vSAN Enabled Cluster >> Datastores.

Review the datastores.

Identify any datastores with "vSAN" as the datastore type.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

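# Requires an active PowerCLI connection to the vCenter server
if ($(Get-Cluster | Where-Object {$_.VsanEnabled} | Measure-Object).Count -gt 0) {
    Write-Host "vSAN Enabled Cluster found"
    # List the vSAN datastores of every vSAN-enabled cluster so their names can be reviewed
    Get-Cluster | Where-Object {$_.VsanEnabled} | Get-Datastore | Where-Object {$_.Type -match "vsan"}
}
else {
    Write-Host "vSAN is not enabled, this finding is not applicable"
}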

If vSAN is enabled and the datastore is named "vsanDatastore", this is a finding.
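
The check above lists the vSAN datastores but leaves the name comparison to the reviewer. The following added example (not part of the STIG text or of VMware's tooling) applies the finding condition per datastore and returns one row per result. The function name, parameter name, and output property names are hypothetical, and it assumes a PowerCLI session already connected to the vCenter server.

```powershell
# Added example: evaluates the VCTR-67-000055 finding condition for each vSAN datastore.
# Assumes Connect-VIServer has already been run. Function and property names are hypothetical.
function Get-VsanDatastoreNameFinding {
    [CmdletBinding()]
    param(
        # Default datastore name that the check treats as a finding
        [string]$DefaultName = 'vsanDatastore'
    )

    $vsanClusters = @(Get-Cluster | Where-Object { $_.VsanEnabled })
    if ($vsanClusters.Count -eq 0) {
        # No vSAN-enabled clusters: the rule is not applicable, so return no rows
        Write-Verbose 'vSAN is not enabled, this finding is not applicable'
        return
    }

    foreach ($cluster in $vsanClusters) {
        $datastores = $cluster | Get-Datastore | Where-Object { $_.Type -match 'vsan' }
        foreach ($ds in $datastores) {
            # -eq is case-insensitive in PowerShell, so "VSANDATASTORE" is also flagged
            [pscustomobject]@{
                Cluster   = $cluster.Name
                Datastore = $ds.Name
                Status    = if ($ds.Name -eq $DefaultName) { 'Open' } else { 'NotAFinding' }
            }
        }
    }
}

# Collect the rows, show them, and summarize how many datastores still use the default name
$results = @(Get-VsanDatastoreNameFinding -Verbose)
$results | Format-Table -AutoSize
$open = @($results | Where-Object { $_.Status -eq 'Open' })
Write-Host ("{0} vSAN datastore(s) checked, {1} open finding(s)" -f $results.Count, $open.Count)
```

An empty result set means no vSAN-enabled cluster was found, which the check treats as not applicable.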

Documentable

False

Check Content Reference

M

Target Key

5399
