CIS VMware ESXi 5.5 v1.2.0 Level 1

Audit Details

Name: CIS VMware ESXi 5.5 v1.2.0 Level 1

Updated: 7/24/2023

Authority: CIS

Plugin: VMware

Revision: 1.30

Estimated Item Count: 56

File Details

Filename: CIS_VMware_ESXi_5.5_v1.2.0_L1.audit

Size: 167 kB

MD5: ac2705fffcf555591d071f60d6dda71d
SHA256: 4f25020c38dbf32e4422b14b90a39cfe9f5004bea90362f487396569d1b64201

Audit Items

Description | Categories
1.1 Keep ESXi system properly patched | SYSTEM AND INFORMATION INTEGRITY
1.2 Verify Image Profile and VIB Acceptance Levels | SYSTEM AND SERVICES ACQUISITION
1.3 Verify no unauthorized kernel modules are loaded on the host | SYSTEM AND SERVICES ACQUISITION
2.1 Configure NTP time synchronization | AUDIT AND ACCOUNTABILITY
2.2 Configure the ESXi host firewall to restrict access to services running on the host | ACCESS CONTROL
2.3 Disable Managed Object Browser (MOB) | ACCESS CONTROL, MEDIA PROTECTION
2.4 Do not use default self-signed certificates for ESXi communication | SYSTEM AND COMMUNICATIONS PROTECTION
2.5 Ensure proper SNMP configuration - 'community name private does not exist' | IDENTIFICATION AND AUTHENTICATION
2.5 Ensure proper SNMP configuration - 'community name public does not exist' | IDENTIFICATION AND AUTHENTICATION
2.6 Prevent unintended use of dvfilter network APIs | ACCESS CONTROL
2.7 Remove expired or revoked SSL certificates from the ESXi server | CONFIGURATION MANAGEMENT
3.1 Configure a centralized location to collect ESXi host core dumps | CONFIGURATION MANAGEMENT
3.2 Configure persistent logging for all ESXi host | AUDIT AND ACCOUNTABILITY
3.3 Configure remote logging for ESXi hosts | AUDIT AND ACCOUNTABILITY
4.1 Create a non-root user account for local admin access | CONFIGURATION MANAGEMENT
4.2 Establish a password policy for password complexity | IDENTIFICATION AND AUTHENTICATION
4.3 Use Active Directory for local user authentication - Enabled = 'true' | IDENTIFICATION AND AUTHENTICATION
4.3 Use Active Directory for local user authentication - Review Domain | IDENTIFICATION AND AUTHENTICATION
4.4 Verify Active Directory group membership for the 'ESX Admins' group | ACCESS CONTROL
5.2 Disable ESXi Shell unless needed for diagnostics or troubleshooting | CONFIGURATION MANAGEMENT
5.3 Disable SSH | CONFIGURATION MANAGEMENT
5.4 Limit CIM Access | CONFIGURATION MANAGEMENT
5.5 Enable lockdown mode to restrict remote access | CONFIGURATION MANAGEMENT
5.7 Set a timeout to automatically terminate idle ESXi Shell and SSH sessions | ACCESS CONTROL
5.8 Set a timeout for Shell Services | ACCESS CONTROL
5.9 Set DCUI.Access to allow trusted users to override lockdown mode | ACCESS CONTROL
6.1 Enable bidirectional CHAP authentication for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION
6.2 Ensure uniqueness of CHAP authentication secrets | IDENTIFICATION AND AUTHENTICATION
6.3 Mask and zone SAN resources appropriately | SYSTEM AND COMMUNICATIONS PROTECTION
7.1 Ensure that the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION
7.2 Ensure that the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION
7.3 Ensure that the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION
7.4 Ensure that port groups are not configured to the value of the native VLAN | SYSTEM AND INFORMATION INTEGRITY
7.5 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | SECURITY ASSESSMENT AND AUTHORIZATION
7.6 Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CONFIGURATION MANAGEMENT
8.1.1 Limit informational messages from the VM to the VMX file | AUDIT AND ACCOUNTABILITY
8.2.6 Prevent unauthorized removal and modification of devices | ACCESS CONTROL
8.2.7 Prevent unauthorized connection of devices | ACCESS CONTROL
8.3.1 Disable unnecessary or superfluous functions inside VMs | CONFIGURATION MANAGEMENT
8.3.2 Minimize use of the VM console | CONFIGURATION MANAGEMENT
8.3.3 Use secure protocols for virtual serial port access | CONFIGURATION MANAGEMENT
8.3.4 Use templates to deploy VMs whenever possible | CONFIGURATION MANAGEMENT
8.4.1 Control access to VMs through the dvfilter network APIs | ACCESS CONTROL
8.4.2 Control VMsafe Agent Address | SYSTEM AND INFORMATION INTEGRITY
8.4.3 Control VMsafe Agent Port | SYSTEM AND INFORMATION INTEGRITY
8.4.4 Control VMsafe Agent Configuration | SYSTEM AND INFORMATION INTEGRITY
8.4.24 Disable VM Console Copy operations | CONFIGURATION MANAGEMENT
8.4.25 Disable VM Console Drag and Drop operations | CONFIGURATION MANAGEMENT
8.4.26 Disable VM Console GUI Options | CONFIGURATION MANAGEMENT
8.4.27 Disable VM Console Paste operations | CONFIGURATION MANAGEMENT