Third-party vulnerability assessments, such as Nessus credentialed scans, are scheduled or actively running against the vCenter Server Appliance (VCSA) operating system. The automated audit workflows and command sets these scanners run can cause performance contention or security exposure on the appliance if the operational constraints below are not followed.
8.0 U3
Third-party scanning tools execute standard Photon OS/Linux audit command sets against the VCSA. Although the individual commands (package queries such as rpm -qa, for example) are non-destructive, running these automated audit workflows without strict security and operational constraints introduces both performance risk (CPU contention on the appliance) and security risk (a privileged credential and an unrestricted shell left available to the scanner).
Adhere to the following guidelines when configuring and executing credentialed scans against the VCSA:
Service Account Creation: Create a dedicated local (operating-system) service account used only for the vulnerability scan, and delete or disable it as soon as the scan completes. Do not use the root account for automated scans: doing so violates the hardening guidance in the vSphere Security documentation and hands a root credential to the scanning platform.
Scheduling: Run vulnerability scans only during off-peak hours. Scan operations, in particular checks that invoke rpm -qa, can cause high CPU contention and degrade appliance performance while they run.
Shell Configuration: If the scanner requires a Bash login shell on the appliance (the default appliancesh cannot run the scanner's audit commands), enable it only for the duration of the scan and revert the console shell to appliancesh immediately after the scan completes.
Remediation Constraint: Never update a VCSA package manually to remediate a vulnerability finding. Modifying base packages manually can corrupt the appliance and leaves it in an unsupported state. Apply all remediation exclusively through official Broadcom patches to maintain a supported configuration.
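The four guidelines above as one scripted procedure, added here as an illustration; it is not part of this article or a Broadcom-provided tool. It is run from the VCSA Bash shell as root: `create` refuses to start outside the off-peak window, creates a one-day, Bash-shell scan account with a random password, and optionally writes a sudoers drop-in; `cleanup` deletes the account and its sudo rule and puts root's shell back to appliancesh if it was switched to Bash. The account name, the window hours and the sudo rule are placeholders you would set for your environment; with DRY_RUN=1 the script prints the commands it would run instead of executing them.

```bash
#!/bin/bash
# Added example, not from the Broadcom KB. Wrapper for a credentialed scan
# window on a VCSA: throw-away local account in, account out afterwards.
# Assumptions: account name, off-peak hours and SUDO_RULE are placeholders;
# DRY_RUN=1 prints the privileged commands instead of running them.
set -eu

SCAN_USER="${SCAN_USER:-vulnscan}"          # assumed account name
OFFPEAK_START="${OFFPEAK_START:-22}"        # assumed window: 22:00-05:00 local
OFFPEAK_END="${OFFPEAK_END:-5}"
SUDO_RULE="${SUDO_RULE:-}"                  # e.g. "ALL=(root) NOPASSWD: ALL"; empty = no sudo
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Exit status 0 when HOUR (0-23) is inside the off-peak window. The window may
# wrap past midnight (22 -> 5), which is the case the naive comparison gets wrong.
in_offpeak_window() {
    local hour=$1
    if [ "$OFFPEAK_START" -le "$OFFPEAK_END" ]; then
        [ "$hour" -ge "$OFFPEAK_START" ] && [ "$hour" -lt "$OFFPEAK_END" ]
    else
        [ "$hour" -ge "$OFFPEAK_START" ] || [ "$hour" -lt "$OFFPEAK_END" ]
    fi
}

# Create the scan account with a Bash login shell (the scanner cannot drive
# appliancesh), a random password, and an expiry of one day so a forgotten
# account locks itself even if cleanup never runs.
create_scan_account() {
    local expiry password
    expiry=$(date -d '+1 day' +%F 2>/dev/null || date -v+1d +%F)
    password=$(openssl rand -base64 24 2>/dev/null || head -c 24 /dev/urandom | base64 | tr -d '\n')
    run useradd -m -s /bin/bash -e "$expiry" -c "temporary vulnerability scan account" "$SCAN_USER"
    printf '%s:%s\n' "$SCAN_USER" "$password" | run chpasswd
    if [ -n "$SUDO_RULE" ]; then
        # Drop-in file so the rule is removable as a unit; visudo -c validates it.
        run sh -c "printf '%s %s\n' '$SCAN_USER' '$SUDO_RULE' > /etc/sudoers.d/$SCAN_USER"
        run chmod 0440 "/etc/sudoers.d/$SCAN_USER"
        run visudo -cf "/etc/sudoers.d/$SCAN_USER"
    fi
    # The password goes to the scanner out of band; it is not written to disk here.
    [ "$DRY_RUN" = "1" ] || printf 'scan credential for %s: %s\n' "$SCAN_USER" "$password" >&2
}

# Remove the account, its home directory and any sudo rule, and restore
# appliancesh for root if it was switched to Bash for the scan.
remove_scan_account() {
    local root_shell
    run userdel -r "$SCAN_USER"
    run rm -f "/etc/sudoers.d/$SCAN_USER"
    root_shell=$(awk -F: '$1=="root"{print $7}' /etc/passwd)
    if [ "$root_shell" = "/bin/bash" ]; then
        run chsh -s /bin/appliancesh root
    fi
}

case "${1:-}" in
    create)
        hour=$(date +%H); hour=${hour#0}    # "08" -> "8" so the comparison is numeric
        if ! in_offpeak_window "$hour"; then
            echo "outside the off-peak window (${OFFPEAK_START}:00-${OFFPEAK_END}:00); refusing to start" >&2
            exit 2
        fi
        create_scan_account ;;
    cleanup)
        remove_scan_account ;;
esac
```

Run `DRY_RUN=1 ./scanwindow.sh create` first to review the exact useradd, chpasswd and sudoers commands before letting them execute, and schedule `cleanup` as the last step of the scan job rather than as a manual follow-up; the one-day expiry is only the safety net for a cleanup that never ran.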
Documentation & Advisories:
Managing Local User Accounts in vCenter Server
vSphere Security
VMware Security Advisories (VMSAs)
Tenable: Configure vSphere Scanning