Details
The VMware Update Manager (vUM) and vCenter Server (vCS) can be installed as VMs on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those hosting the vCS and the vUM, software and system security patches must be installed and kept up to date. If the hypervisor or VM hosting the vUM or the vCS reboots while it is undergoing remediation, that remediation halts. If the vCS hypervisor/VM reboots, the worst case is a temporary, unplanned vCS outage.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Determine if both the VMware Update Manager (vUM) and vCenter Server (vCS) are installed as physical or virtual machines.
No fix is required for vCS/vUM if the vCS and vUM are both installed as physical machines.
If the vCS and vUM are installed as virtual machines, they must both be managed either manually or by a secondary installation of vCS and the vUM.
All remaining organization hypervisor hosts/VMs must be configured to receive software and security patch updates, via the vUM, on an organization-defined, regularly scheduled basis.
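The following PowerCLI script is an added example and is not part of the STIG text or Tenable's check. It implements the first step of the solution for the virtual-machine case: it connects to a vCenter, finds VMs whose guest hostname or IP matches the vCenter it is connected to (a self-managed vCS), finds vUM VMs by name, and reports the ESXi hosts those VMs run on so that those hosts can be excluded from the scheduled vUM remediation and patched manually or from a secondary vCS/vUM. The `$VCenterFqdn` and `$UpdateManagerNames` parameters are placeholders to adjust per environment; the script assumes VMware PowerCLI is installed and read-only access to the vCenter.

```powershell
# Added example, not from the STIG or Nessus: report vCS/vUM VMs that live in the
# inventory they manage, together with the ESXi hosts they run on.
param(
    # Placeholder: FQDN of the vCenter Server to inspect.
    [Parameter(Mandatory = $true)][string]$VCenterFqdn,
    # Placeholder: name patterns of separate vUM VM(s). Leave empty if vUM runs
    # inside the vCenter appliance (vSphere 7+ Lifecycle Manager).
    [string[]]$UpdateManagerNames = @()
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vi = Connect-VIServer -Server $VCenterFqdn -ErrorAction Stop

# Match the vCenter by name and, where DNS resolution is available, by address,
# so a guest that reports only an IP is still recognised.
$vcAddresses = @($VCenterFqdn.ToLower())
try {
    $vcAddresses += (Resolve-DnsName -Name $VCenterFqdn -Type A -ErrorAction Stop).IPAddress
} catch { }  # Resolve-DnsName is Windows-only; the hostname match still applies.

$selfManaged = foreach ($vm in Get-VM) {
    $guest = $vm.Guest                     # VMGuest: HostName, IPAddress[]
    $guestNames = @()
    if ($guest.HostName) { $guestNames += $guest.HostName.ToLower() }
    $guestNames += @($guest.IPAddress)

    $isVcs = ($guestNames | Where-Object { $vcAddresses -contains $_ }).Count -gt 0
    $isVum = ($UpdateManagerNames | Where-Object { $vm.Name -like $_ }).Count -gt 0

    if ($isVcs -or $isVum) {
        [pscustomobject]@{
            VM      = $vm.Name
            Role    = if ($isVcs) { 'vCenter Server' } else { 'Update Manager' }
            Host    = $vm.VMHost.Name      # ESXi host to exclude from vUM remediation
            Cluster = (Get-Cluster -VM $vm -ErrorAction SilentlyContinue).Name
        }
    }
}

Disconnect-VIServer -Server $vi -Confirm:$false

if (-not $selfManaged) {
    Write-Output 'No self-managed vCS/vUM VMs found; hosts can be remediated by vUM on the regular schedule.'
} else {
    Write-Output 'Self-managed vCS/vUM VMs and their ESXi hosts (patch these hosts manually or from a secondary vCS/vUM):'
    $selfManaged | Format-Table -AutoSize
}
```

Run it against each vCenter in the organization; any host listed in the output is one where a vUM-driven reboot would interrupt remediation or take the vCS offline, which is the condition the control is written to avoid.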
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Group-ID|V-39544
- Rule-ID|SV-250726r799868_rule
- STIG-ID|VCENTER-000003
- STIG-Legacy|SV-51402
- STIG-Legacy|V-39544
- Vuln-ID|V-250726