1.1 Ensure ESXi is properly patched | SYSTEM AND INFORMATION INTEGRITY |
2.1 Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY |
2.3 Ensure Managed Object Browser (MOB) is disabled | CONFIGURATION MANAGEMENT |
2.5 Ensure SNMP is configured properly - 'community name private does not exist' | SYSTEM AND INFORMATION INTEGRITY |
2.5 Ensure SNMP is configured properly - 'community name public does not exist' | SYSTEM AND INFORMATION INTEGRITY |
2.6 Ensure dvfilter API is not configured if not used | SYSTEM AND INFORMATION INTEGRITY |
3.2 Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
3.3 Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY |
4.2 Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION |
4.3 Ensure Active Directory is used for local user authentication - Enabled = 'true' | IDENTIFICATION AND AUTHENTICATION |
4.3 Ensure Active Directory is used for local user authentication - Review Domain | IDENTIFICATION AND AUTHENTICATION |
4.4 Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL |
4.5 Ensure the Exception Users list is properly configured | ACCESS CONTROL |
4.6 Ensure the maximum failed login attempts is set to 3 | ACCESS CONTROL |
4.7 Ensure account lockout is set to 15 minutes | ACCESS CONTROL |
5.1 Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL |
5.3 Ensure the ESXi shell is disabled | SYSTEM AND INFORMATION INTEGRITY |
5.4 Ensure SSH is disabled | SYSTEM AND INFORMATION INTEGRITY |
5.5 Ensure CIM access is limited | ACCESS CONTROL |
5.6 Ensure Lockdown mode is enabled | ACCESS CONTROL |
5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL |
5.9 Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL |
5.10 Set DCUI.Access to allow trusted users to override lockdown mode | IDENTIFICATION AND AUTHENTICATION |
6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | IDENTIFICATION AND AUTHENTICATION |
6.2 Ensure uniqueness of CHAP authentication secrets for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION |
6.3 Ensure storage area network (SAN) resources are segregated properly | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
7.4 Ensure port groups are not configured to the value of the native VLAN | SYSTEM AND INFORMATION INTEGRITY |
7.5 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | SYSTEM AND INFORMATION INTEGRITY |
8.1.1 Ensure informational messages from the VM to the VMX file are limited | AUDIT AND ACCOUNTABILITY |
8.2.1 Ensure unnecessary floppy devices are disconnected | SYSTEM AND INFORMATION INTEGRITY |
8.2.3 Ensure unnecessary parallel ports are disconnected | SYSTEM AND INFORMATION INTEGRITY |
8.2.4 Ensure unnecessary serial ports are disconnected | SYSTEM AND INFORMATION INTEGRITY |
8.2.5 Ensure unnecessary USB devices are disconnected | SYSTEM AND INFORMATION INTEGRITY |
8.2.6 Ensure unauthorized modification and disconnection of devices is disabled | SYSTEM AND INFORMATION INTEGRITY |
8.2.7 Ensure unauthorized connection of devices is disabled | SYSTEM AND INFORMATION INTEGRITY |
8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled | SYSTEM AND INFORMATION INTEGRITY |
8.3.2 Ensure use of the VM console is limited | CONFIGURATION MANAGEMENT |
8.3.3 Ensure secure protocols are used for virtual serial port access | SYSTEM AND COMMUNICATIONS PROTECTION |
8.3.4 Ensure templates are used whenever possible to deploy VMs | CONFIGURATION MANAGEMENT |
8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
8.4.2 Ensure VMsafe Agent Address is configured correctly | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
8.4.3 Ensure VMsafe Agent Port is configured correctly | SYSTEM AND INFORMATION INTEGRITY |
8.4.4 Ensure VMsafe Agent is configured correctly | SYSTEM AND INFORMATION INTEGRITY |
8.4.24 Ensure VM Console Copy operations are disabled | SYSTEM AND INFORMATION INTEGRITY |
8.4.25 Ensure VM Console Drag and Drop operations are disabled | SYSTEM AND INFORMATION INTEGRITY |
8.4.26 Ensure VM Console GUI Options is disabled | SYSTEM AND INFORMATION INTEGRITY |