VMware: VM Host: Authentication Setting
Description
The VMware: VM Host: Authentication Setting test is used to verify that an ESXi host is configured to use a directory service such as Active Directory.
The vmhost_authentication_object element is used by a vmhost_authentication_test to define the name and connection string of the vmhost to be evaluated.
The vmhost_authentication_state element holds information regarding the domain membership status of the specified vmhost.
Technical Details
Artifact Parameters
vmware.vmhost.authentication_setting
| Name | Type | Description |
|---|---|---|
| name | string | The name of the setting, i.e. Domain Membership Status. |
| vmhost_name | string | The name of the ESXi host to limit collection to. Set to NA if not applicable. |
- NOTE: The name parameter is governed by a constraint allowing only the following values: NA, VMHost, Domain, TrustedDomains, DomainMembershipStatus.
Supported Test Types
VMware: VM Host: Authn: Domain Membership
Test Type Parameters
vmware.vmhost.authentication.domain_member
| Name | Type | Description |
|---|---|---|
| operator | string | Comparison operation. |
| domain_membership_status | string | Value from constraint. |
- NOTE: The domain_membership_status parameter is governed by a constraint allowing only the following values: NA, ClientTrustBroken, InconsistentTrust, NoServers, Ok, OtherProblem, ServerTrustBroken, Unknown.
- NOTE: The operator parameter is governed by a constraint allowing only the following values: bitwise and, bitwise or, case insensitive equals, case insensitive not equal, equals, greater than, greater than or equal, less than, less than or equal, pattern match, not equal, set white list, set is empty.
Generated Content
vmware.vmhost.authentication.domain_member
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF.
```xml
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
  <xccdf:check-content>
    <ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
      <ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
      <ae:title>[ARTIFACT-TITLE]</ae:title>
      <ae:artifact type="[ARTIFACT-TYPE-NAME]">
        <ae:parameters>
          <ae:parameter dt="string" name="name">[name.value]</ae:parameter>
          <ae:parameter dt="string" name="vmhost_name">[vmhost_name.value]</ae:parameter>
        </ae:parameters>
      </ae:artifact>
      <ae:test type="[TEST-TYPE-NAME]">
        <ae:parameters>
          <ae:parameter dt="string" name="operator">[operator.value]</ae:parameter>
          <ae:parameter dt="string" name="domain_membership_status">[domain_membership_status.value]</ae:parameter>
        </ae:parameters>
      </ae:test>
      <ae:profiles>
        <ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
      </ae:profiles>
    </ae:artifact_expression>
  </xccdf:check-content>
</xccdf:check>
```
SCAP
XCCDF
For vmware.vmhost.authentication_setting artifacts using the vmware.vmhost.authentication.domain_member test type, an XCCDF Value element is generated.

```xml
<Value id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" operator="[operator.value]" type="string">
  <title>[RECOMMENDATION-TITLE]</title>
  <description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
  <value>[value.value]</value>
</Value>
```
For vmware.vmhost.authentication_setting artifacts using the vmware.vmhost.authentication.domain_member test type, the XCCDF check looks like this.

```xml
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <check-export
    export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
    value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
  <check-export
    export-name="oval:org.cisecurity.benchmarks:var:100000"
    value-id="xccdf_org.cisecurity.benchmarks_value_esxi.connection" />
  <check-content-ref
    href="[BENCHMARK-TITLE]-oval.xml"
    name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
```
OVAL
Test
```xml
<vmhost_authentication_test
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
  check_existence="at_least_one_exists"
  check="all"
  comment="[ARTIFACT-TITLE]"
  version="1">
  <object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
  <state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</vmhost_authentication_test>
```
Object
```xml
<vmhost_authentication_object
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
  comment="[ARTIFACT-TITLE]"
  version="1">
  <connection_string var_ref="oval:org.cisecurity.benchmarks:var:100000" />
  <vmhost_name operation="pattern match">.*</vmhost_name>
</vmhost_authentication_object>
```
State
```xml
<vmhost_authentication_state
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
  comment="[ARTIFACT-TITLE]"
  version="1">
  <domain_membership_status
    datatype="string"
    operation="[operation.value]"
    var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]" />
</vmhost_authentication_state>
```
Variable
```xml
<external_variable
  id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
  datatype="string"
  version="1"
  comment="This value is used in Rule: [RECOMMENDATION-TITLE]" />
```
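As an added worked example (not CIS-CAT code and not part of the generated content above), the following Python models how the OVAL test, object and state above combine at evaluation time: the object selects hosts by the vmhost_name pattern match, check_existence="at_least_one_exists" fails the test when nothing is collected, and check="all" requires every collected host's domain_membership_status to satisfy the operator comparison against the variable value. The host records are constructed sample data.

```python
"""Evaluate the vmware.vmhost.authentication.domain_member test the way the
generated OVAL test/object/state describe. Added example, not CIS-CAT or an
OVAL interpreter; the item records are constructed sample data."""
import re

# Values the domain_membership_status constraint allows.
DOMAIN_MEMBERSHIP_STATUS = {
    "NA", "ClientTrustBroken", "InconsistentTrust", "NoServers",
    "Ok", "OtherProblem", "ServerTrustBroken", "Unknown",
}

# The operators from the operator constraint that apply to one string value.
# OVAL "pattern match" is an unanchored regular-expression search.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
    "case insensitive equals": lambda a, e: a.casefold() == e.casefold(),
    "case insensitive not equal": lambda a, e: a.casefold() != e.casefold(),
    "pattern match": lambda actual, expected: re.search(expected, actual) is not None,
}

# Constructed sample items, one per ESXi host the object would collect.
SAMPLE_ITEMS = [
    {"vmhost_name": "esxi01.example.test", "domain_membership_status": "Ok"},
    {"vmhost_name": "esxi02.example.test", "domain_membership_status": "NoServers"},
    {"vmhost_name": "esxi03.example.test", "domain_membership_status": "Unknown"},
]


def evaluate_domain_member(items, vmhost_name_pattern, operator, expected_status):
    """Return (result, failing_hosts) for the test.

    The object keeps items whose vmhost_name satisfies the pattern-match
    operation; check_existence="at_least_one_exists" makes an empty selection a
    failed test, and check="all" requires every selected item's
    domain_membership_status to satisfy the state comparison.
    """
    if expected_status not in DOMAIN_MEMBERSHIP_STATUS:
        raise ValueError(f"not a constrained domain_membership_status: {expected_status!r}")
    if operator not in OPERATORS:
        raise ValueError(f"operator not usable on a single string: {operator!r}")
    selected = [i for i in items if re.search(vmhost_name_pattern, i["vmhost_name"])]
    if not selected:
        return False, []          # at_least_one_exists not satisfied
    compare = OPERATORS[operator]
    failing = [i["vmhost_name"] for i in selected
               if not compare(i["domain_membership_status"], expected_status)]
    return not failing, failing   # check="all": one non-matching host fails the test
```

With the object's default vmhost_name pattern `.*`, a single host that is not joined (NoServers, Unknown, a broken trust) fails the whole test, which is the behaviour the benchmark rule relies on.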
YAML
```yaml
artifact-expression:
  artifact-unique-id: "[ARTIFACT-OVAL-ID]"
  artifact-title: "[ARTIFACT-TITLE]"
  artifact:
    type: "[ARTIFACT-TYPE-NAME]"
    parameters:
      - parameter:
          name: "name"
          dt: "string"
          value: "[name.value]"
      - parameter:
          name: "vmhost_name"
          dt: "string"
          value: "[vmhost_name.value]"
  test:
    type: "[TEST-TYPE-NAME]"
    parameters:
      - parameter:
          name: "operator"
          dt: "string"
          value: "[operator.value]"
      - parameter:
          name: "domain_membership_status"
          dt: "string"
          value: "[domain_membership_status.value]"
```
JSON
```json
{
  "artifact-expression": {
    "artifact-unique-id": "[ARTIFACT-OVAL-ID]",
    "artifact-title": "[ARTIFACT-TITLE]",
    "artifact": {
      "type": "[ARTIFACT-TYPE-NAME]",
      "parameters": [
        {
          "parameter": {
            "name": "name",
            "dt": "string",
            "value": "[name.value]"
          }
        },
        {
          "parameter": {
            "name": "vmhost_name",
            "dt": "string",
            "value": "[vmhost_name.value]"
          }
        }
      ]
    },
    "test": {
      "type": "[TEST-TYPE-NAME]",
      "parameters": [
        {
          "parameter": {
            "name": "operator",
            "dt": "string",
            "value": "[operator.value]"
          }
        },
        {
          "parameter": {
            "name": "domain_membership_status",
            "dt": "string",
            "value": "[domain_membership_status.value]"
          }
        }
      ]
    }
  }
}
```