ESXi hosts may show as Non-Compliant for CIS L1/L2 Profiles in Aria Operations even after the host settings appear to be corrected locally.
The following alerts may be seen on the Operations > Alerts page:
ESXi Host is violating CIS L1 Profile (v8 and above)
ESXi Host is violating CIS L1/L2 Profile (v8 and above)
Symptoms in the alerts include:
The SNMP Server startup policy is violating the recommended value (Configuration | Security | Service:SNMP Server | Policy "on" = "on")
The SSH connection banner is not set (Configuration | Security | SSH Connection Banner Message Configured "false" = "false")
The lockdown mode to restrict access to ESXi is not set to desired value (Configuration | Security | Lockdown | Lockdown Mode "lockdownDisabled" != "lockdownNormal")
The ESXi Host is violating CIS L1 Profile alert expects Lockdown Mode "Normal" (lockdownNormal), whereas the ESXi Host is violating CIS L1/L2 Profile alert expects Lockdown Mode "Strict" (lockdownStrict). A host configured for Normal lockdown therefore satisfies the L1 alert but still trips the L1/L2 alert.
ESXi.set-cimsfcb-watchdog-policy-off - The SFCBD watchdog service policy is On (Configuration | Security | Service:SFCB service | Policy "on" = "on")
Aria Operations 8.18.x
Metadata Sync: Aria Operations evaluates the SSH banner from the ESXi Advanced System Setting Config.Etc.Issue as reported through vCenter, not from a banner file edited directly on the host. A banner placed on the host outside of that setting is therefore not seen by the compliance check.
Policy Conflict: The CIS L1 and L2 definitions carry different Lockdown Mode requirements (Normal for L1, Strict for L2), and the combined L1/L2 profile in Aria Operations evaluates the stricter one, so a host that meets L1 is reported as violating L1/L2. (Note: Aria Operations provides compliance scanning of the environment against Center for Internet Security (CIS) benchmark recommendations, but Broadcom does not publish the benchmarks. For more details, download the benchmark from the CIS website - CIS Benchmarks)
Service Config: CIS requires the SNMP (snmpd) and CIM (sfcbd-watchdog) services to use a "Manual" startup policy, which is the ESXi policy value "off" ("Start and stop manually" in the vSphere Client), so that these services are not started automatically and left running as a persistent, unmonitored access path. The symptoms fire while the policy value is still "on" ("Start and stop with host").
For SSH Banner: Navigate to vCenter > Hosts and Clusters > ESXi Host > Configure > System > Advanced System Settings. Edit Config.Etc.Issue and enter the banner text. The setting is per host, so repeat it (or script it) for every host reported in the alert.
For Startup Policies: Change the Startup Policy for the SNMP Server and CIM Server (SFCBD) services to "Start and stop manually" from vCenter > Hosts and Clusters > ESXi Host > Configure > System > Services.
For Lockdown Conflicts: Either set the host to Strict lockdown if that is your environment's standard (Strict lockdown also disables the DCUI, so populate the Exception Users list before enabling it), or edit the Alert Definition from Aria Operations > Operations > Configurations > Alert Definitions for the CIS L1/L2 Profile and remove the "Lockdown Mode Strict" symptom if "Normal" is your environment's standard.
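The host-side steps above can be audited and applied in one pass with VMware PowerCLI. The script below is an added example and is not part of the original KB article; it assumes the VMware.PowerCLI module is installed, that the caller supplies the vCenter name, host name and banner text as parameters, and that the service keys snmpd and sfcbd-watchdog and the HostAccessManager lockdown values (lockdownNormal / lockdownStrict) are as exposed by the vSphere API. Without -Remediate it only reports which of the three symptoms would still fire.

```powershell
# Added example (not from the original KB): audit and optionally remediate the
# three CIS symptoms on one ESXi host via PowerCLI. Parameter names and the
# default banner text are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $Server,    # vCenter FQDN (assumption)
    [Parameter(Mandatory)] [string] $HostName,  # ESXi host name as shown in inventory
    [string] $Banner = "Authorized use only. Activity is monitored.",
    [ValidateSet('lockdownNormal', 'lockdownStrict')] [string] $LockdownMode = 'lockdownNormal',
    [switch] $Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null
$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

# 1. SSH banner: Aria Operations evaluates the advanced setting, not a file on the host.
$issue    = Get-AdvancedSetting -Entity $vmhost -Name 'Config.Etc.Issue'
$bannerOk = -not [string]::IsNullOrWhiteSpace($issue.Value)

# 2. Startup policy for SNMP (snmpd) and CIM (sfcbd-watchdog).
#    'off' is what the vSphere Client labels "Start and stop manually";
#    'on' is "Start and stop with host" and is what the symptom flags.
$services  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -in 'snmpd', 'sfcbd-watchdog' }
$nonManual = @($services | Where-Object { $_.Policy -ne 'off' })
$policyOk  = $nonManual.Count -eq 0

# 3. Lockdown mode, read from the host's HostAccessManager managed object.
$ham        = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
$lockdownOk = ($ham.LockdownMode -eq $LockdownMode)

[PSCustomObject]@{
    Host         = $vmhost.Name
    SshBannerSet = $bannerOk
    SnmpPolicy   = ($services | Where-Object Key -eq 'snmpd').Policy
    CimPolicy    = ($services | Where-Object Key -eq 'sfcbd-watchdog').Policy
    LockdownMode = $ham.LockdownMode
    Compliant    = ($bannerOk -and $policyOk -and $lockdownOk)
} | Format-List

if ($Remediate) {
    if (-not $bannerOk) {
        $issue | Set-AdvancedSetting -Value $Banner -Confirm:$false | Out-Null
    }
    foreach ($svc in $nonManual) {
        Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
    }
    if (-not $lockdownOk) {
        # Strict lockdown disables the DCUI as well; confirm Exception Users first.
        $ham.ChangeLockdownMode($LockdownMode)
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without -Remediate and compare its output with the symptoms in the alert; if the report shows the host compliant while Aria Operations still flags it, the remaining difference is the profile definition (Normal versus Strict lockdown) rather than the host configuration.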
Compliance status in Aria Operations is updated upon the next collection cycle after the vCenter metadata is corrected.