The VMware Aria Operations CSA Compliance Pack for VMware Cloud Foundation displays the following alerts.

Alerts in the CSA Compliance Pack

vCenter Alerts
Alert Definition: vCenter Server is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

vCenter.set-time-keeping - Configure vCenter Server timekeeping

SSH Access is not restricted

vCenter.set-firewall - Firewall is not configured

The number of Network interface controllers is violating the recommended value

vCenter.set-remote-logging - Remote logging is not enabled

vCenter.set-file-based-backup-recovery - File-Based Backup and Recovery is not Configured

Host System Alerts
Alert Definition: ESXi Host is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

Non-compliant ESXi Shell service startup policy

ESXi Shell service is running

ESXi.set-account-lockout - The count of failed login attempts before which the account gets locked out is not set to recommended value as per CSA Compliance Guidelines

ESXi.verify-acceptance-level-supported - Image Profile and VIB Acceptance Levels are none of VMware Certified, VMware Accepted or Partner Supported

ESXi.disable-mob - Managed Object Browser (MOB) is activated

ESXi.enable-remote-syslog - Remote logging is not configured for ESXi hosts

ESXi.enable-ad-auth - Local user authentication is not configured with LDAP

ESXi.ad-auth-proxy-domain-membership-status - The Domain membership status is not set

The welcome message is not set

The SSH connection banner is not set

The exception users list is violating the recommended value

ESXi.config-persistent-logs - Persistent logging is not configured for all ESXi hosts

ESXi.config-ntp - NTP Server property is not configured

ESXi.config-ntp - NTP Daemon policy is not enabled

ESXi.config-ntp - NTP Daemon service is not running

ESXi.set-dcui-access - DCUI.Access is not set to recommended value as per CSA Compliance Guidelines

ESXi.enable-chap-auth - Bidirectional CHAP is not enabled, authentication for iSCSI traffic

ESXi.set-disable-deprecated-ssl-tls - Deactivate deprecated SSL or TLS protocols

ESXi.set-hyperthread-security-warning - Warning for potential hyperthreading security vulnerability is suppressed

ESXi.set-slp-svc-stop - The SLP service is running

ESXi.set-slp-policy-off - The SLP service policy is On

ESXi.set-shell-warning-enabled - Warning for support and troubleshooting interfaces is suppressed

The lockdown mode is not set to recommended value as per CSA Compliance Guidelines

ESXi.set-shell-interactive-timeout - Timeout configured for idle ESXi Shell and SSH sessions is not set to recommended value as per CSA Compliance Guidelines

vNetwork.enable-bpdu-filter - BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard is not enabled

ESXi.set-security-password-history - The Password reuse history configured for ESXi Shell and SSH sessions is not set to recommended value as per CSA Compliance Guidelines

ESXi.TransparentPageSharing-intra-enabled - The default setting for intra-VM TPS is not correct

ESXi.set-account-auto-unlock-time - The time after which a locked account is automatically unlocked is not set to recommended value as per CSA Compliance Guidelines

ESXi.set-dcui-timeout - The idle connections to DCUI to terminate left over login session is not set to recommended value as per CSA Compliance Guidelines

vNetwork.verify-dvfilter-bind - Users and processes without privileges can make use of dvfilter network APIs

ESXi.set-info-logging-level - The log level is not set to info

ESXi.set-password-policies - Password policy is not set to recommended value as per CSA Compliance Guidelines

The SNMP Server startup policy is violating the recommended value

ESXi.config-snmp - SNMP service is running

The ESXi host client sessions timeout is not set to recommended value as per CSA Compliance Guidelines

The maximum number of days between password changes is not set to recommended value as per CSA Compliance Guidelines

ESXi.set-cimsfcb-watchdog-policy-off - The SFCBD Watch dog service policy is On

ESXi.set-cimsfcb-watchdog-svc-stop - The SFCBD Watch dog service is running

ESXi.set-ssh-policy-off - The SSH service policy is On

ESXi.set-ssh-svc-stop - The SSH service is running

Virtual Machine Alerts
Alert Definition: Virtual Machine is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

VM.disable-console-copy - Copy/paste operations are activated

VM.disable-console-drag-n-drop - Copy/paste operations are activated

VM.disable-console-paste - Copy/paste operations are activated

VM.disable-disk-shrinking-shrink - Virtual disk shrinking is activated

VM.disable-disk-shrinking-wiper - Virtual disk shrinking is activated

VM.disable-independent-nonpersistent - Independent nonpersistent disks are being used

VM.disconnect-devices-floppy - Floppy drive connected

CD-ROM connected

VM.disconnect-devices-parallel - Parallel port connected

VM.disconnect-devices-serial - Serial port connected

USB controller connected

Non-compliant max number of remote console connections

VM.limit-setinfo-size - Informational messages from the VM to the VMX file is not set to recommended value as per CSA Compliance Guidelines

VM.prevent-device-interaction-connect - Users and processes without privileges can remove, connect and modify devices

VM.restrict-host-info - Guests can receive host information

VM.verify-network-filter - Access to VMs is not controlled through dvfilter network APIs

VM.set-guest-session-locked - The console session is not locked

VM.disable-non-essential-3D-features Configure system security parameters - Deactivate 3D features on Server and desktop virtual machines

VM.set-vmotion-encrypted - The configured vMotion encryption is not set to recommended value as per CSA Compliance Guidelines

VM logging is not deactivated

VM.set-logs-size - The configured log size is not set to recommended value as per CSA Compliance Guidelines

VM.set-retained-logs-count - The number of retained VM diagnostic logs is not set to recommended value as per CSA Compliance Guidelines

VM.verify-PCI-Passthrough - PCI pass through device is configured on the virtual machine

Distributed Switch Alerts
Alert Definition: Distributed Switch is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

vNetwork.limit-network-healthcheck - VDS network healthcheck for VLAN and MTU Health Check is enabled

Distributed Port Group Alerts
Alert Definition: Distributed Port Group is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

vNetwork.reject-forged-transmit-dvportgroup - The Forged Transmits policy is not set to reject

vNetwork.reject-mac-changes-dvportgroup - The MAC Address Changes policy is not set to reject

Distributed Port Group is not an uplink

vNetwork.reject-promiscuous-mode-dvportgroup - The Promiscuous Mode policy is not set to reject

NSX Alerts
Alert Definition: NSX Instance is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

NSX Manager Hardening is disabled

NSX Manager hasn't enforced a minimum 15-character password length as per CSA Compliance Guidelines

VMware Identity Manager integration is not enabled in NSX Manager

SNMP v2c Traps are configured.

NSX Manager's Auth Policy 'API Lockout Period' is not set to recommended value.

NSX Manager's Auth Policy 'CLI Maximum Auth Failures' is not set to recommended value.

NSX Manager's Auth Policy 'CLI Lockout Period' is not set to recommended value.

NSX Manager's Auth Policy 'API Maximum Auth Failures' is not set to recommended value.

NSX Manager is not configured to conduct backups on an organizational defined schedule.

SNMP v2c Polling is configured.

System clock is not configured with the UTC timezone.

TLS v1.1 is enabled.

NSX manager communication to LDAP server for authentication is not using LDAPS.

NSX Manager's Auth Policy 'API Reset Period' is not set to recommended value.

The audit, guestuser1, or guestuser2 local accounts are active.

SFTP server not configured for backup.

NTP Service is not configured properly

Logging-servers are not configured with log level as 'INFO'.

Logging-servers are not configured with protocol of 'tcp' or 'li-tls' or 'tls'.

Management Service 'http' has session_timeout set to non-recommended value.

Management Service 'http' has 'Client API Rate Limit' not set to recommended value.

Management Service 'http' has 'Client API Concurrency Limit' not set to recommended value.

Management Service 'http' has 'Global API Concurrency Limit' not set to recommended value.

SSH Service is activated

Logical Switch Alerts
Alert Definition: Logical Switch is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

NSX Logical Segment is not configured with a Spoof Guard Profile that has Port Binding enabled.

NSX Management Cluster Alerts
Alert Definition: NSX Management Cluster is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

Management cluster management status unstable

Virtual IP (VIP) is not configured for NSX Management Cluster.

Management node count is less than 3.

SDDC Manager Alerts
Alert Definition: SDDC Manager is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

File based backups are used and an external SFTP server is not configured

SDDC Manager must be configured with NTP servers

SSL certificate should be issued by a trusted certificate authority on the SDDC Manager

SDDC Manager must schedule automatic password rotation

SDDC Manager must be deployed with FIPS mode enabled

vSAN Alerts
Alert Definition: vSAN Instance is violating VMware Cloud Foundation Compliance based on Cloud Security Alliance Guidelines. (v4.2 and above)

Symptom Names:

Internet Access is not enabled for vSAN Clusters

Proxy server is not configured for Internet Connectivity for vSAN Clusters