CIS VMware ESXi 7.0 v1.1.0 Level 1

Audit Details

Name: CIS VMware ESXi 7.0 v1.1.0 Level 1

Updated: 7/7/2022

Authority: CIS

Plugin: VMware

Revision: 1.4

Estimated Item Count: 55

File Details

Filename: CIS_VMware_ESXi_7.0_v1.1.0_L1.audit

Size: 175 kB

MD5: 1d5ee859dbe6311c20da689f2d89335d
SHA256: b94723abeaafb577c23539171573a8784774e87fe7c60dcf6b6484b393344e79

Audit Items

DescriptionCategories
1.1 Ensure ESXi is properly patched

SYSTEM AND INFORMATION INTEGRITY

2.1 Ensure NTP time synchronization is configured properly

AUDIT AND ACCOUNTABILITY

2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host

SECURITY ASSESSMENT AND AUTHORIZATION

2.3 Ensure Managed Object Browser (MOB) is disabled

ACCESS CONTROL, MEDIA PROTECTION

2.5 Ensure SNMP is configured properly - 'community name private does not exist'

SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure SNMP is configured properly - 'community name public does not exist'

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure dvfilter API is not configured if not used

SYSTEM AND COMMUNICATIONS PROTECTION

2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory

ACCESS CONTROL

3.2 Ensure persistent logging is configured for all ESXi hosts

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure remote logging is configured for ESXi hosts

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure passwords are required to be complex

IDENTIFICATION AND AUTHENTICATION

4.3 Ensure the maximum failed login attempts is set to 5

ACCESS CONTROL

4.4 Ensure account lockout is set to 15 minutes

ACCESS CONTROL

4.5 Ensure previous 5 passwords are prohibited

IDENTIFICATION AND AUTHENTICATION

4.7 Ensure only authorized users and groups belong to the esxAdminsGroup group

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

4.8 Ensure the Exception Users list is properly configured

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

5.1 Ensure the DCUI timeout is set to 600 seconds or less

ACCESS CONTROL

5.2 Ensure the ESXi shell is disabled

CONFIGURATION MANAGEMENT

5.3 Ensure SSH is disabled

CONFIGURATION MANAGEMENT

5.4 Ensure CIM access is limited

CONFIGURATION MANAGEMENT

5.5 Ensure Normal Lockdown mode is enabled

ACCESS CONTROL

5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less

ACCESS CONTROL

5.9 Ensure the shell services timeout is set to 1 hour or less

ACCESS CONTROL

5.10 Ensure DCUI has a trusted users list for lockdown mode

IDENTIFICATION AND AUTHENTICATION

6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled

SYSTEM AND COMMUNICATIONS PROTECTION

6.3 Ensure storage area network (SAN) resources are segregated properly

SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Ensure the vSwitch Forged Transmits policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.2 Ensure the vSwitch MAC Address Change policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject

SECURITY ASSESSMENT AND AUTHORIZATION

7.4 Ensure port groups are not configured to the value of the native VLAN

SECURITY ASSESSMENT AND AUTHORIZATION

7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches

SECURITY ASSESSMENT AND AUTHORIZATION

7.6 Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT)

SECURITY ASSESSMENT AND AUTHORIZATION

7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector

SYSTEM AND INFORMATION INTEGRITY

7.8 Ensure port-level configuration overrides are disabled.

SECURITY ASSESSMENT AND AUTHORIZATION

8.1.1 Ensure informational messages from the VM to the VMX file are limited

AUDIT AND ACCOUNTABILITY

8.2.1 Ensure unnecessary floppy devices are disconnected

CONFIGURATION MANAGEMENT

8.2.3 Ensure unnecessary parallel ports are disconnected

CONFIGURATION MANAGEMENT

8.2.4 Ensure unnecessary serial ports are disconnected

CONFIGURATION MANAGEMENT

8.2.5 Ensure unnecessary USB devices are disconnected

CONFIGURATION MANAGEMENT

8.2.6 Ensure unauthorized modification and disconnection of devices is disabled

CONFIGURATION MANAGEMENT

8.2.7 Ensure unauthorized connection of devices is disabled

CONFIGURATION MANAGEMENT

8.2.8 Ensure PCI and PCIe device passthrough is disabled

CONFIGURATION MANAGEMENT

8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled

CONFIGURATION MANAGEMENT

8.3.2 Ensure use of the VM console is limited

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.3.3 Ensure secure protocols are used for virtual serial port access

CONFIGURATION MANAGEMENT

8.3.4 Ensure standard processes are used for VM deployment

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

8.4.21 Ensure VM Console Copy operations are disabled

CONFIGURATION MANAGEMENT

8.4.22 Ensure VM Console Drag and Drop operations is disabled

CONFIGURATION MANAGEMENT

8.4.23 Ensure VM Console GUI Options is disabled

CONFIGURATION MANAGEMENT