The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258965	SRG-APP-000516	VCSA-80-000300	SV-258965r961863_rule	2024-12-16	2

Description
The vSphere Distributed Virtual Switch can enable port mirroring sessions allowing traffic to be mirrored from one source to a destination. If port mirroring is configured unknowingly this could allow an attacker to observe network traffic of virtual machines.

ℹ️ Check
If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Port Mirroring. Review any configured "Port Mirroring" sessions. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch \| select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}} If there are any unauthorized port mirroring sessions configured, this is a finding.

ℹ️ Check

If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Port Mirroring. Review any configured "Port Mirroring" sessions. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | select Name,@{N="Port Mirroring Sessions";E={$_.ExtensionData.Config.VspanSession.Name}} If there are any unauthorized port mirroring sessions configured, this is a finding.

✔️ Fix
From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Port Mirroring. Select the unauthorized "Port Mirroring" session and click "Remove". Click "OK".