vmware / dod-compliance-and-automation

Security hardening content for VMware solutions to US Department of Defense standards
151 stars, 61 forks

[vSphere][7.0][ESXI-70-000054] InSpec should determine if iSCSI is actually used #123

Open pbarrette opened 1 year ago

pbarrette commented 1 year ago

Is your feature request related to a problem? Please describe.

The ESXI-70-000054 control is only marked as NA if there are no iSCSI HBAs present.

Many systems have NICs which provide hardware iSCSI functionality that cannot be disabled, but the functionality is not used. Additionally, when not connected to a target, the authentication cannot be set to require Mutual CHAP.

If there are no iSCSI targets or datastores, then the control should be marked as NA and the authentication method of the NIC is irrelevant.

Describe the solution you'd like

The control should first determine if iSCSI targets or datastores exist. If no targets exist, the control should be marked as NA.

Describe alternatives you've considered

As this is a CAT-I item, it takes time to explain and display to auditors that the result is a false positive.

Additional context

It may be possible to use "Get-VMHost -Name #{vmhost} | Get-VMHostHba -Type iSCSI | Get-IScsiHbaTarget"

If there is nothing returned, iSCSI is not in use.
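The decision logic proposed in this issue, written out as an added example in plain Ruby (it is not code from the dod-compliance-and-automation project). It takes the raw stdout strings that the control's `powercli_command` calls would return for the HBA, target, MutualChapEnabled and ChapType queries and decides how ESXI-70-000054 should be reported: Not Applicable when no iSCSI HBA exists, Not Applicable when HBAs exist but no target is bound to them, otherwise pass or fail on the CHAP settings. The function names, the argument layout and the sample output strings are this example's own assumptions; it also goes slightly beyond the snippets in the thread by evaluating one value per line so that hosts with several iSCSI HBAs are handled.

```ruby
# Added example, not code from the dod-compliance-and-automation project.
# Encodes the Not Applicable logic proposed in this issue for ESXI-70-000054.
# Function names and argument layout are assumptions made for this example.

IscsiResult = Struct.new(:status, :reason)

# Split multi-HBA PowerShell output into one trimmed value per line.
def output_values(stdout)
  stdout.to_s.lines.map(&:strip).reject(&:empty?)
end

# hbas_out     - stdout of: Get-VMHostHba | Where {$_.Type -eq 'iscsi'}
# targets_out  - stdout of: Get-VMHostHba -Type iSCSI | Get-IScsiHbaTarget
# mutual_out   - stdout of: ...AuthenticationProperties | ...MutualChapEnabled
# chaptype_out - stdout of: ...AuthenticationProperties | ...ChapType
def iscsi_control_status(hbas_out, targets_out, mutual_out, chaptype_out)
  # PowerShell output may consist only of whitespace or newlines, so strip
  # before deciding that "nothing was returned".
  if hbas_out.to_s.strip.empty?
    return IscsiResult.new(:not_applicable,
      'There are no iSCSI HBAs present so this control is Not Applicable')
  end

  # The case raised in this issue: an adapter exists (for example a CNA whose
  # iSCSI function cannot be disabled) but no target is bound to it.
  if targets_out.to_s.strip.empty?
    return IscsiResult.new(:not_applicable,
      'There are no iSCSI targets present so this control is Not Applicable')
  end

  # iSCSI is in use: every iSCSI HBA must require mutual CHAP.
  mutual   = output_values(mutual_out)
  chaptype = output_values(chaptype_out)
  mutual_ok   = !mutual.empty? && mutual.all? { |v| v.casecmp('true').zero? }
  chaptype_ok = !chaptype.empty? && chaptype.all? { |v| v.casecmp('required').zero? }

  problems = []
  problems << 'MutualChapEnabled is not True on every iSCSI HBA' unless mutual_ok
  problems << 'ChapType is not Required on every iSCSI HBA' unless chaptype_ok

  return IscsiResult.new(:pass, 'All iSCSI HBAs require mutual CHAP') if problems.empty?
  IscsiResult.new(:fail, problems.join('; '))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample outputs (not captured from a real host).
  puts iscsi_control_status("vmhba64 iscsi\n", "\n", "", "").inspect
  puts iscsi_control_status("vmhba64 iscsi\n", "10.0.0.10:3260\n", "True\n", "Required\n").inspect
end
```

Inside the control, a `:not_applicable` result maps onto the `describe '' do skip result.reason end` pattern used in the thread, and the reason string becomes the text an auditor sees; the two whitespace-stripped checks are there because an output that is only a newline is not `empty?` in Ruby.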

rlakey commented 1 year ago

Hi @pbarrette, what kind of NICs are you using? Just curious which ones do not allow you to disable iSCSI.

pbarrette commented 1 year ago

HPE FlexFabric 10Gb 2-port 556FLR-SFP+

It shows up in Storage adapters as: Emulex OneConnect OCe14000 iSCSI CNA

I don't see any obvious way to disable it.

I've temporarily bypassed it with:

      # Existing HBA check: any iSCSI-type adapter on this host?
      command = "Get-VMHost -Name #{vmhost} | Get-VMHostHba | Where {$_.Type -eq 'iscsi'}"
      iscsi_hbas = powercli_command(command).stdout

      # Added check: any iSCSI target bound to those adapters?
      command = "Get-VMHost -Name #{vmhost} | Get-VMHostHba -Type iSCSI | Get-IScsiHbaTarget"
      iscsi_targets = powercli_command(command).stdout

      if iscsi_hbas.empty?
        describe '' do
          skip 'There are no iSCSI HBAs present so this control is Not Applicable'
        end
      elsif iscsi_targets.empty?
        describe '' do
          skip 'There are no iSCSI Targets present so this control is Not Applicable'
        end
      else
        # iSCSI is in use: mutual CHAP must be enabled
        command1 = "Get-VMHost -Name #{vmhost} | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled"
        describe powercli_command(command1) do
          its('stdout.strip') { should cmp 'True' }
        end
      end

But I don't have any iSCSI datastores, so I can't verify that it will still flag a true positive.

rlakey commented 1 year ago

OK, I believe there should be a way on those. Something similar to this: https://support.hpe.com/hpesc/public/docDisplay?docId=kc0105837en_us&docLocale=en_US

I recall being able to change the "personality" on those to enable/disable things like FCoE and iSCSI, but it's been a while and I don't have any to look at now.

pbarrette commented 1 year ago

I'll look into that, but the control is still NA because iSCSI is not in use even though an adapter is present.

I still believe that the scan should account for this.

pstearns commented 1 year ago

Not sure if this will help your use case, but I use the following:

  if !vmhosts.empty?
    vmhosts.each do |vmhost|
      # Any iSCSI-type HBA on this host?
      command = "Get-VMHost -Name #{vmhost} | Get-VMHostHba | Where {$_.Type -eq 'iscsi'}"
      iscsi_hbas = powercli_command(command).stdout
      if iscsi_hbas.empty?
        # No HBAs: record a passing test whose description explains why
        describe 'iSCSI is not used, test' do
          subject { iscsi_hbas }
          it { should be_empty }
        end
      else
        # HBAs present: mutual CHAP must be enabled and required
        command1 = "Get-VMHost -Name #{vmhost} | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty MutualChapEnabled"
        command2 = "Get-VMHost -Name #{vmhost} | Get-VMHostHba | Where {$_.Type -eq 'iscsi'} | Select-Object -ExpandProperty AuthenticationProperties | Select-Object -ExpandProperty ChapType"
        describe powercli_command(command1) do
          its('stdout.strip') { should cmp 'True' }
        end
        describe powercli_command(command2) do
          its('stdout.strip') { should cmp 'Required' }
        end
      end
    end
  end

This allowed it to pass the check if no iSCSI HBAs are present. Then in my wrapper script I update the comments and change item to Not Applicable.

My ckl output:

    Finding Details:
    All Automated tests passed for the control

     PASS -- iSCSI is not used, test is expected to be empty
    Comments
    There are no iSCSI HBAs present so this control is Not Applicable

rlakey commented 1 year ago

There are other requirements, though, to disable unneeded functionality or capabilities, where we would really want to not see iSCSI HBAs potentially with an IP hanging out on the network and being another vector for attack.

pbarrette commented 1 year ago

There's no way to disable iSCSI on the NIC of the 556FLR.

In the end, I just ended up disabling the driver in ESXi. Not the ideal solution for somebody who might have an iSCSI target on one NIC, but not attached to a different, identical NIC.