5.11 Ensure contents of exposed configuration files have not been modified

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Although most configurations on ESXi are controlled via an API, there are a limited set of configuration files that are used directly to govern host behavior. These files are exposed via the vSphere HTTPS-based file transfer API. These files should be monitored for modifications.

WARNING: Do not attempt to monitor files that are NOT exposed via this file transfer API, since this can result in a destabilized system.

Rationale:

Any changes to these files should be correlated with an approved administrative action, such as an authorized configuration change. Tampering with these files could enable unauthorized access to the host configuration and virtual machines.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Restore all modified configuration files to a known good state by restoring backups or using other means.
To help prevent future occurrences, you can back up the host configuration data after configuring or reconfiguring an ESXi host. The vicfg-cfgbackup command is available only for ESXi hosts; it is not available through a vCenter Server system connection. No equivalent ESXCLI command is supported.
To help identify future occurrences more quickly, implement a procedure to monitor the files and their contents over time to ensure they are not improperly modified. Be sure not to monitor log files and other files whose content is expected to change regularly due to system activity. Also, account for configuration file changes that are due to authorized administrative activity.
Note: Host Profiles may also be used to track configuration changes on the host; however, Host Profiles do not track all configuration changes.
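A worked example of the monitoring procedure above, added here and not part of the benchmark text: it hashes a known-good snapshot of the exposed configuration files, compares a later snapshot against it, and skips names that match ignore patterns so that files expected to change through normal system activity (logs) do not produce findings. It assumes the caller has already retrieved the file contents over the host's HTTPS file transfer endpoint; the file names, contents and ignore patterns below are constructed for illustration.

```python
"""Baseline comparison for configuration files exposed by an ESXi host.

Added example, not benchmark or VMware code. Retrieval of the files over
the HTTPS file transfer API is assumed to have happened already; the
snapshots below are constructed sample data."""
import fnmatch
import hashlib

# Assumed patterns for files whose content changes through normal activity;
# the benchmark says such files must not be treated as tampering evidence.
DEFAULT_IGNORE = ("*.log",)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each exposed file name to the SHA-256 of its known-good content."""
    return {name: sha256_hex(content) for name, content in files.items()}


def compare_to_baseline(current: dict, baseline: dict, ignore=DEFAULT_IGNORE) -> dict:
    """Classify each file as unchanged, modified, added or removed.

    Names matching an ignore pattern are left out of every category, so the
    report only contains changes that should map to an approved admin action."""
    def skip(name):
        return any(fnmatch.fnmatch(name, pat) for pat in ignore)
    result = {"modified": [], "added": [], "removed": [], "unchanged": []}
    for name, content in current.items():
        if skip(name):
            continue
        if name not in baseline:
            result["added"].append(name)
        elif sha256_hex(content) != baseline[name]:
            result["modified"].append(name)
        else:
            result["unchanged"].append(name)
    result["removed"] = [n for n in baseline if n not in current and not skip(n)]
    return result


# Constructed snapshots: KNOWN_GOOD taken after an approved change, LATER on a
# subsequent run where one file was edited and an unexpected file appeared.
KNOWN_GOOD = {
    "vpxa.cfg": b"<config><log><level>info</level></log></config>\n",
    "syslog.conf": b"loghost=udp://syslog.example.internal:514\n",
    "hostd.log": b"2024-01-01T00:00:00Z hostd started\n",
}
LATER = {
    "vpxa.cfg": b"<config><log><level>verbose</level></log></config>\n",
    "syslog.conf": b"loghost=udp://syslog.example.internal:514\n",
    "hostd.log": b"2024-01-02T00:00:00Z hostd started\n",   # expected churn
    "unknown_extra.cfg": b"constructed sample of an unexpected file\n",
}


def check_sample() -> dict:
    """Run the comparison on the constructed snapshots and return the report."""
    return compare_to_baseline(LATER, build_baseline(KNOWN_GOOD))


if __name__ == "__main__":
    for category, names in check_sample().items():
        print(f"{category}: {names}")
```

Each name reported as modified, added or removed should be correlated with a change record; the baseline is regenerated only after an approved change has been confirmed.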

Additional Information:

During a configuration backup, the serial number is backed up with the configuration. The number is restored when you restore the configuration. The number is not preserved when you run the Recovery CD (ESXi Embedded) or perform a repair operation (ESXi Installable). You can back up and restore configuration information as follows:

1. Back up the configuration by using the vicfg-cfgbackup command.

2. Run the Recovery CD or repair operation.

3. Restore the configuration by using the vicfg-cfgbackup command.

When you restore a configuration, you must make sure that all virtual machines on the host are stopped.

See Also

https://workbench.cisecurity.org/files/3511