Rule ID
SV-256347r885652_rule
Version
V1R3
CCIs
CCI-000366
Network health check is disabled by default. Once enabled, the health check packets contain information on host#, vds#, and port#, which an attacker would find useful. It is recommended that network health check be used for troubleshooting and turned off when troubleshooting is finished.
If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Health Check. View the health check pane and verify the "VLAN and MTU" and "Teaming and failover" checks are "Disabled". or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $vds = Get-VDSwitch $vds.ExtensionData.Config.HealthCheckConfig If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.
From the vSphere Client, go to "Networking".
Select a distributed switch >> Configure >> Settings >> Health Check.
Click "Edit".
Disable the "VLAN and MTU" and "Teaming and failover" checks.
Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}