CIS VMware ESXi 6.7 v1.2.0 Level 1

Audit Details

Name: CIS VMware ESXi 6.7 v1.2.0 Level 1

Updated: 7/7/2022

Authority: CIS

Plugin: VMware

Revision: 1.4

Estimated Item Count: 57

File Details

Filename: CIS_VMware_ESXi_6.7_v1.2.0_L1.audit

Size: 178 kB

MD5: 3c561a25c8bde0af020e4a1b8caaf665
SHA256: f194732233ba713a334a7513c7eacb18c7b693b82b45887337dc326ff815e0a1

Audit Items

DescriptionCategories
1.1 Ensure ESXi is properly patched

SYSTEM AND INFORMATION INTEGRITY

2.1 Ensure NTP time synchronization is configured properly

AUDIT AND ACCOUNTABILITY

2.3 Ensure Managed Object Browser (MOB) is disabled

ACCESS CONTROL, MEDIA PROTECTION

2.5 Ensure SNMP is configured properly - 'community name private does not exist'

SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure SNMP is configured properly - 'community name public does not exist'

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure dvfilter API is not configured if not used

SYSTEM AND COMMUNICATIONS PROTECTION

2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory

ACCESS CONTROL

2.9 Ensure VDS health check is disabled

AUDIT AND ACCOUNTABILITY

3.2 Ensure persistent logging is configured for all ESXi hosts

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure remote logging is configured for ESXi hosts

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure passwords are required to be complex

IDENTIFICATION AND AUTHENTICATION

4.3 Ensure the maximum failed login attempts is set to 5

ACCESS CONTROL

4.4 Ensure account lockout is set to 15 minutes

ACCESS CONTROL

4.5 Ensure Active Directory is used for local user authentication

ACCESS CONTROL

4.6 Ensure only authorized users and groups belong to the esxAdminsGroup group

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

4.7 Ensure the Exception Users list is properly configured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

5.1 Ensure the DCUI timeout is set to 600 seconds or less

ACCESS CONTROL

5.3 Ensure the ESXi shell is disabled

CONFIGURATION MANAGEMENT

5.4 Ensure SSH is disabled

CONFIGURATION MANAGEMENT

5.5 Ensure CIM access is limited

CONFIGURATION MANAGEMENT

5.6 Ensure Lockdown mode is enabled

ACCESS CONTROL

5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less

ACCESS CONTROL

5.9 Ensure the shell services timeout is set to 1 hour or less

ACCESS CONTROL

5.10 Ensure DCUI has a trusted users list for lockdown mode

IDENTIFICATION AND AUTHENTICATION

6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled

SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Ensure the uniqueness of CHAP authentication secrets for iSCSI traffic

IDENTIFICATION AND AUTHENTICATION

6.3 Ensure storage area network (SAN) resources are segregated properly

SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Ensure the vSwitch Forged Transmits policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.2 Ensure the vSwitch MAC Address Change policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.4 Ensure port groups are not configured to the value of the native VLAN

SECURITY ASSESSMENT AND AUTHORIZATION

7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches

SECURITY ASSESSMENT AND AUTHORIZATION

7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT)

SYSTEM AND INFORMATION INTEGRITY

7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collector

SYSTEM AND INFORMATION INTEGRITY

7.8 Ensure port-level configuration overrides are disabled.

SECURITY ASSESSMENT AND AUTHORIZATION

8.1.1 Ensure informational messages from the VM to the VMX file are limited

AUDIT AND ACCOUNTABILITY

8.2.1 Ensure unnecessary floppy devices are disconnected

CONFIGURATION MANAGEMENT

8.2.3 Ensure unnecessary parallel ports are disconnected

CONFIGURATION MANAGEMENT

8.2.4 Ensure unnecessary serial ports are disconnected

CONFIGURATION MANAGEMENT

8.2.5 Ensure unnecessary USB devices are disconnected

CONFIGURATION MANAGEMENT

8.2.6 Ensure unauthorized modification and disconnection of devices is disabled

CONFIGURATION MANAGEMENT

8.2.7 Ensure unauthorized connection of devices is disabled

CONFIGURATION MANAGEMENT

8.2.8 Ensure PCI and PCIe device passthrough is disabled

CONFIGURATION MANAGEMENT

8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled

CONFIGURATION MANAGEMENT

8.3.2 Ensure use of the VM console is limited

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.3.3 Ensure secure protocols are used for virtual serial port access

CONFIGURATION MANAGEMENT

8.3.4 Ensure standard processes are used for VM deployment

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.4.21 Ensure VM Console Copy operations are disabled

CONFIGURATION MANAGEMENT

8.4.22 Ensure VM Console Drag and Drop operations is disabled

CONFIGURATION MANAGEMENT