CIS VMware ESXi 7.0 v1.4.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS VMware ESXi 7.0 v1.4.0 L1

Updated: 7/16/2025

Authority: CIS

Plugin: VMware

Revision: 1.3

Estimated Item Count: 52

File Details

Filename: CIS_VMware_ESXi_7.0_v1.4.0_L1.audit

Size: 143 kB

MD5: 407340488dbfbe7a0caa78d3f8d68dde

SHA256: baec6d3c36b6c127975f4a987bd99002b6312dc6ead561ad6766dd2b382bd05b

Audit Items

Description	Categories
1.1 (L1) Ensure ESXi is properly patched
2.1 (L1) Ensure NTP time synchronization is configured properly
2.2 (L1) Ensure the ESXi host firewall is configured to restrict access to services running on the host
2.3 (L1) Ensure Managed Object Browser (MOB) is disabled
2.6 (L1) Ensure dvfilter API is not configured if not used
2.8 (L1) Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory
3.2 (L1) Ensure persistent logging is configured for all ESXi hosts
3.3 (L1) Ensure remote logging is configured for ESXi hosts
4.2 (L1) Ensure passwords are required to be complex
4.3 (L1) Ensure the maximum failed login attempts is set to 5
4.4 (L1) Ensure account lockout is set to 15 minutes
4.5 (L1) Ensure previous 5 passwords are prohibited
4.7 (L1) Ensure only authorized users and groups belong to the esxAdminsGroup group
4.8 (L1) Ensure the Exception Users list is properly configured
5.1 (L1) Ensure the DCUI timeout is set to 600 seconds or less
5.2 (L1) Ensure the ESXi shell is disabled
5.3 (L1) Ensure SSH is disabled
5.4 (L1) Ensure CIM access is limited
5.5 (L1) Ensure Normal Lockdown mode is enabled
5.8 (L1) Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less
5.9 (L1) Ensure the shell services timeout is set to 1 hour or less
5.10 (L1) Ensure DCUI has a trusted users list for lockdown mode
6.1 (L1) Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
6.3 (L1) Ensure storage area network (SAN) resources are segregated properly
7.1 (L1) Ensure the vSwitch Forged Transmits policy is set to reject
7.2 (L1) Ensure the vSwitch MAC Address Change policy is set to reject
7.3 (L1) Ensure the vSwitch Promiscuous Mode policy is set to reject
7.4 (L1) Ensure port groups are not configured to the value of the native VLAN
7.5 (L1) Ensure port groups are not configured to VLAN values reserved by upstream physical switches
7.6 (L1) Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT)
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector
7.8 (L1) Ensure port-level configuration overrides are disabled.
8.2.1 (L1) Ensure unnecessary floppy devices are disconnected
8.2.3 (L1) Ensure unnecessary parallel ports are disconnected
8.2.4 (L1) Ensure unnecessary serial ports are disconnected
8.2.5 (L1) Ensure unnecessary USB devices are disconnected
8.2.6 (L1) Ensure unauthorized modification and disconnection of devices is disabled
8.2.7 (L1) Ensure unauthorized connection of devices is disabled
8.2.8 (L1) Ensure PCI and PCIe device passthrough is disabled
8.3.1 (L1) Ensure unnecessary or superfluous functions inside VMs are disabled
8.3.2 (L1) Ensure use of the VM console is limited
8.3.3 (L1) Ensure secure protocols are used for virtual serial port access
8.3.4 (L1) Ensure standard processes are used for VM deployment
8.4.1 (L1) Ensure access to VMs through the dvfilter network APIs is configured correctly
8.4.21 (L1) Ensure VM Console Copy operations are disabled
8.4.22 (L1) Ensure VM Console Drag and Drop operations is disabled
8.4.23 (L1) Ensure VM Console GUI Options is disabled
8.4.24 (L1) Ensure VM Console Paste operations are disabled
8.6.2 (L1) Ensure virtual disk shrinking is disabled
8.6.3 (L1) Ensure virtual disk wiping is disabled

Detections

Analytics

CIS VMware ESXi 7.0 v1.4.0 L1

Warning! Audit Deprecated

Audit Details

File Details

Audit Items