CIS VMware ESXi 7.0 v1.1.0 Level 1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS VMware ESXi 7.0 v1.1.0 Level 1

Updated: 7/25/2023

Authority: CIS

Plugin: VMware

Revision: 1.14

Estimated Item Count: 55

Audit Items

1.1 Ensure ESXi is properly patched
2.1 Ensure NTP time synchronization is configured properly
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host
2.3 Ensure Managed Object Browser (MOB) is disabled
2.5 Ensure SNMP is configured properly - 'community name private does not exist'
2.5 Ensure SNMP is configured properly - 'community name public does not exist'
2.6 Ensure dvfilter API is not configured if not used
2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory
3.2 Ensure persistent logging is configured for all ESXi hosts
3.3 Ensure remote logging is configured for ESXi hosts
4.2 Ensure passwords are required to be complex
4.3 Ensure the maximum failed login attempts is set to 5
4.4 Ensure account lockout is set to 15 minutes
4.5 Ensure previous 5 passwords are prohibited
4.7 Ensure only authorized users and groups belong to the esxAdminsGroup group
4.8 Ensure the Exception Users list is properly configured
5.1 Ensure the DCUI timeout is set to 600 seconds or less
5.2 Ensure the ESXi shell is disabled
5.3 Ensure SSH is disabled
5.4 Ensure CIM access is limited
5.5 Ensure Normal Lockdown mode is enabled
5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less
5.9 Ensure the shell services timeout is set to 1 hour or less
5.10 Ensure DCUI has a trusted users list for lockdown mode
6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
6.3 Ensure storage area network (SAN) resources are segregated properly
7.1 Ensure the vSwitch Forged Transmits policy is set to reject
7.2 Ensure the vSwitch MAC Address Change policy is set to reject
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject
7.4 Ensure port groups are not configured to the value of the native VLAN
7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches
7.6 Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT)
7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector
7.8 Ensure port-level configuration overrides are disabled.
8.1.1 Ensure informational messages from the VM to the VMX file are limited
8.2.1 Ensure unnecessary floppy devices are disconnected
8.2.3 Ensure unnecessary parallel ports are disconnected
8.2.4 Ensure unnecessary serial ports are disconnected
8.2.5 Ensure unnecessary USB devices are disconnected
8.2.6 Ensure unauthorized modification and disconnection of devices is disabled
8.2.7 Ensure unauthorized connection of devices is disabled
8.2.8 Ensure PCI and PCIe device passthrough is disabled
8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled
8.3.2 Ensure use of the VM console is limited
8.3.3 Ensure secure protocols are used for virtual serial port access
8.3.4 Ensure standard processes are used for VM deployment
8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly
8.4.21 Ensure VM Console Copy operations are disabled
8.4.22 Ensure VM Console Drag and Drop operations is disabled
8.4.23 Ensure VM Console GUI Options is disabled