Aria Operations CIS Benchmark Reports Non-Compliance After ESXi Hardening

Article ID: 426780

Products

  • VCF Operations

  • VMware Aria Operations (formerly vRealize Operations) 8.x

Issue/Introduction

Users may observe that Aria Operations CIS Benchmark alerts continue to trigger for ESXi hosts even after hardening measures have been applied. This creates the appearance of "False Positives" or a failure of the compliance engine to recognize the current host configuration.

For example, the alerts are triggered by specific Symptom Definitions within the Compliance Management Pack. Examples of the triggered alerts include:

Symptom Description    | Observed Value vs. Threshold | Condition
Password Max Days      | 90 != 99,999                 | Critical: triggered because the current value does not equal the threshold.
SFCBD Watchdog Policy  | "on" = "on"                  | Critical: triggered because the policy matches the "forbidden" state.
Host Client Timeout    | 300 < 900                    | Critical: triggered because the value is less than the required minimum.

Environment

Aria Operations 8.18.x

Cause

Investigation confirms that these alerts are working as designed; no false positives were found in the reporting engine.

Reasoning: The CIS Benchmark compliance check in Aria Operations uses specific logical comparators (==, !=, >, <) to evaluate host security. An alert triggers whenever the ESXi host configuration matches the "violating" logic defined in the symptom, so a host that is hardened to a different value than the one the symptom expects (for example, a 90-day password maximum where the symptom expects 99,999) is still reported as non-compliant.

Resolution

To resolve these compliance alerts, you must align the ESXi host configuration exactly with the expected values defined in the Aria Operations CIS Benchmark, or customize the Symptom Definitions to match your organization's specific security policy.

Option 1: Align Host Configuration

Adjust the ESXi host settings to meet the threshold values identified in the alert:

  • Set Password Max Days to 99,999.

  • Set SFCBD Watchdog service policy to Off.

  • Increase Host Client Session Timeout to 900 or higher.
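As an added example that is not part of this article, the following PowerCLI script audits the three settings from the table above on every connected host using the same comparators Aria Operations applies, and with -Remediate sets the Option 1 values. It assumes an open Connect-VIServer session; the advanced setting names Security.PasswordMaxDays and UserVars.HostClientSessionTimeout are assumed to be the settings behind the Password Max Days and Host Client Timeout symptoms.

```powershell
# Added example (not from the KB article): audit the three CIS symptoms on each ESXi host
# with the comparators Aria Operations uses (!=, ==, <) and optionally remediate them.
# Assumes an existing Connect-VIServer session. The advanced setting names below are
# assumed to be the ones behind the "Password Max Days" and "Host Client Timeout" symptoms.
param([switch]$Remediate)

# Symptom definitions mirrored from the alert table: a symptom fires when the observed
# value satisfies the "violating" comparison against its threshold.
$symptoms = @(
    @{ Name = 'Password Max Days';   Setting = 'Security.PasswordMaxDays';
       Violates = { param($v) [int]$v -ne 99999 }; Fix = 99999 },
    @{ Name = 'Host Client Timeout'; Setting = 'UserVars.HostClientSessionTimeout';
       Violates = { param($v) [int]$v -lt 900 };   Fix = 900 }
)

foreach ($vmhost in Get-VMHost) {
    foreach ($s in $symptoms) {
        $adv = Get-AdvancedSetting -Entity $vmhost -Name $s.Setting
        $triggered = & $s.Violates $adv.Value
        [pscustomobject]@{ Host = $vmhost.Name; Symptom = $s.Name
                           Observed = $adv.Value; Triggered = $triggered }
        if ($triggered -and $Remediate) {
            # Align the host with the threshold the symptom expects (Option 1).
            Set-AdvancedSetting -AdvancedSetting $adv -Value $s.Fix -Confirm:$false | Out-Null
        }
    }

    # SFCBD Watchdog: the symptom compares with "==" against the forbidden state,
    # so a startup policy of "on" is exactly what triggers it.
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'sfcbd-watchdog' }
    $triggered = $svc.Policy -eq 'on'
    [pscustomobject]@{ Host = $vmhost.Name; Symptom = 'SFCBD Watchdog Policy'
                       Observed = $svc.Policy; Triggered = $triggered }
    if ($triggered -and $Remediate) {
        Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
    }
}
```

Run it without -Remediate first to see which symptoms would still trigger; Aria Operations will only clear the alerts after its next collection cycle has picked up the changed values.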

Option 2: Modify Symptom Definitions

If your organization's hardening standard differs from the default CIS Benchmark:

  1. Navigate to Alerts > Symptom Definitions.

  2. Locate the specific CIS symptom (e.g., Password Max Days).

  3. Clone the default policy to make it editable.

  4. Adjust the Threshold or Comparator to reflect your internal security requirements.

  5. Save the policy and allow Aria Operations to perform a new collection cycle.