Rule ID
SV-256415r959010_rule
Version
V1R4
CCIs
CCI-000366
When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host, there is potential for a man-in-the-middle attack, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.
If iSCSI is not used, this is not applicable.
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> Storage >> Storage Adapters.
Select the iSCSI adapter >> Properties >> Authentication >> Method.
View the CHAP configuration and verify CHAP is required for target and host authentication.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Select AuthenticationProperties -ExpandProperty AuthenticationProperties
If iSCSI is used and CHAP is not set to "required" for both the target and host, this is a finding.
If iSCSI is used and unique CHAP secrets are not used for each host, this is a finding.From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> Storage >> Storage Adapters.
Select the iSCSI adapter >> Properties >> Authentication.
Click "Edit...". Set "Authentication Method" to "Use bidirectional CHAP" and enter a unique secret for each traffic flow direction.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "iscsi"} | Set-VMHostHba -ChapType Required -ChapName "chapname" -ChapPassword "password" -MutualChapEnabled $true -MutualChapName "mutualchapname" -MutualChapPassword "mutualpassword"