VMware: VM Host: WebServerSSL
Description
The VMware: VM Host: WebServerSSL test is used to verify default self-signed certificates for ESXi communication are not used.
The vmhost_webserverssl_object element is used by a vmhost_webserverssl_test to define the name and connection string of the vmhost to be evaluated.
The vmhost_webserverssl_state element holds information regarding the default self-signed communication certificates of the specified vmhost.
Technical Details
Artifact Parameters
vmware.vmhost.webserverssl
Name |
Type |
Description |
|---|---|---|
vmhost_name |
string |
Name of the ESXi host to scope collection to. Set to NA if not applicable. |
Supported Test Types
VMware: VM Host: WebServerSSL
Test Type Parameters
vmware.vmhost.webserverssl
Name |
Type |
Description |
|---|---|---|
certificate_is_valid |
boolean |
Certificate is Valid? |
operator |
string |
Comparison operation. |
- NOTE: The
operatorparameter is governed by a constraint allowing only the following values: bitwise and
bitwise or
case insensitive equals
case insensitive not equal
equals
greater than
greater than or equal
less than
less than or equal
pattern match
not equal
set white list
set is empty
Generated Content
vmware.vmhost.webserverssl
XCCDF+AE
This is what the AE check looks like, inside a Rule, in the XCCDF.
<xccdf:check system="https://benchmarks.cisecurity.org/ae/0.5">
<xccdf:check-content>
<ae:artifact_expression id="xccdf_org.cisecurity.benchmarks_ae_[SECTION-NUMBER]">
<ae:artifact_oval_id>[ARTIFACT-OVAL-ID]</ae:artifact_oval_id>
<ae:title>[ARTIFACT-TITLE]</ae:title>
<ae:artifact type="[ARTIFACT-TYPE-NAME]" />
<ae:parameters>
<ae:parameter dt="string" name="vmhost_name">[vmhost_name.value]</ae:parameter>
</ae:parameters>
</ae:artifact>
<ae:test type="[TEST-TYPE-NAME]">
<ae:parameters>
<ae:parameter dt="boolean" name="certificate_is_valid">[certificate_is_valid.value]</ae:parameter>
<ae:parameter dt="string" name="operator">[operator.value]</ae:parameter>
</ae:parameters>
</ae:test>
<ae:profiles>
<ae:profile idref="xccdf_org.cisecurity.benchmarks_profile_Level_1" />
</ae:profiles>
</ae:artifact_expression>
</xccdf:check-content>
</xccdf:check>
SCAP
XCCDF
For vmware.vmhost.webserverssl vmware.vmhost.webserverssl artifacts, an XCCDF Value element is generated.
<Value
id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var"
operator="[operator.value]"
type="boolean">
<title>[RECOMMENDATION-TITLE]</title>
<description>This value is used in Rule: [RECOMMENDATION-TITLE]</description>
<value>[value.value]</value>
</Value>
For vmware.vmhost.webserverssl vmware.vmhost.webserverssl artifacts, the XCCDF check looks like this.
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export
export-name="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
value-id="xccdf_org.cisecurity.benchmarks_value_[ARTIFACT-OVAL-ID]_var" />
<check-export
export-name="oval:org.cisecurity.benchmarks:var:100000"
value-id="xccdf_org.cisecurity.benchmarks_value_esxi.connection" />
<check-content-ref
href="[BENCHMARK-TITLE]-oval.xml"
name="oval:org.cisecurity.benchmarks.[PLATFORM]:def:[ARTIFACT-OVAL-ID]" />
</check>
OVAL
Test
<vmhost_webserverssl_test
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:tst:[ARTIFACT-OVAL-ID]"
check_existence="at_least_one_exists"
check="all"
comment="[ARTIFACT-TITLE]"
version="1">
<object object_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]" />
<state state_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]" />
</vmhost_webserverssl_test>
Object
<vmhost_webserverssl_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:obj:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<connection_string var_ref="oval:org.cisecurity.benchmarks:var:100000" />
<vmhost_name operation="pattern match">.*</vmhost_name>
</vmhost_webserverssl_object>
State
<vmhost_webserverssl_state
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#esxi"
id="oval:org.cisecurity.benchmarks.[PLATFORM]:ste:[ARTIFACT-OVAL-ID]"
comment="[ARTIFACT-TITLE]"
version="1">
<certificate_is_valid
datatype="boolean"
operation="[operation.value]"
var_ref="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]" />
</certificate_is_valid>
</vmhost_webserverssl_state>
Variable
<external_variable
id="oval:org.cisecurity.benchmarks.[PLATFORM]:var:[ARTIFACT-OVAL-ID]"
datatype="boolean"
version="1"
comment="This value is used in Rule: [RECOMMENDATION-TITLE]" />
YAML
artifact-expression:
artifact-unique-id:" [ARTIFACT-OVAL-ID]"
artifact-title: "[ARTIFACT-TITLE]"
artifact:
type: "[ARTIFACT-TYPE-NAME]"
parameters:
- parameter:
name: "vmhost_name"
dt: "string"
value: "[vmhost_name.value]"
test:
type: "[TEST-TYPE-NAME]"
parameters:
- parameter:
name: "certificate_is_valid"
dt: "boolean"
value: "[certificate_is_valid.value]"
- parameter:
name: "operator"
dt: "string"
value: "[operator.value]"
JSON
{
"artifact-expression": {
"artifact-unique-id": "[ARTIFACT-OVAL-ID]",
"artifact-title": "[ARTIFACT-TITLE]",
"artifact": {
"type": "[ARTIFACT-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "vmhost_name",
"dt": "string",
"value": "[vmhost_name.value]"
}
}
]
},
"test": {
"type": "[TEST-TYPE-NAME]",
"parameters": [
{
"parameter": {
"name": "certificate_is_valid",
"dt": "boolean",
"value": "[certificate_is_valid.value]"
}
},
{
"parameter": {
"name": "operator",
"dt": "string",
"value": "[operator.value]"
}
}
]
}
}
}