CIS VMware ESXi 8.0 v1.1.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS VMware ESXi 8.0 v1.1.0 L1

Updated: 7/3/2025

Authority: CIS

Plugin: VMware

Revision: 1.3

Estimated Item Count: 105

File Details

Filename: CIS_VMware_ESXi_8.0_v1.1.0_L1.audit

Size: 261 kB

MD5: d1384b1bc74ce04549865574ae45e80c
SHA256: 628ff8dec3f02731149ce867e20ae44c08aa965f3c2e5bf91b31073cf267f27b

Audit Items

Description | Categories
1.1 (L1) Host hardware must have auditable, authentic, and up to date system and device firmware
1.2 (L1) Host hardware must enable UEFI Secure Boot
1.3 (L1) Host hardware must enable Intel TXT, if available
1.4 (L1) Host hardware must enable and configure a TPM 2.0
1.5 (L1) Host integrated hardware management controller must be secure
1.6 (L1) Host integrated hardware management controller must enable time synchronization
1.7 (L1) Host integrated hardware management controller must enable remote logging of events
2.1 (L1) Host must run software that has not reached End of General Support status
2.2 (L1) Host must have all software updates installed
2.3 (L1) Host must enable Secure Boot enforcement
2.5 (L1) Host must only run binaries delivered via signed VIB
2.6 (L1) Host must have reliable time synchronization sources
2.7 (L1) Host must have time synchronization services enabled and running
2.8 (L1) Host must require TPM-based configuration encryption
2.9 (L1) Host must not suppress warnings about unmitigated hyperthreading vulnerabilities
2.10 (L1) Host must restrict inter-VM transparent page sharing
3.1 (L1) Host should deactivate SSH
3.2 (L1) Host must deactivate the ESXi shell
3.3 (L1) Host must deactivate the ESXi Managed Object Browser (MOB)
3.4 (L1) Host must deactivate SLP
3.5 (L1) Host must deactivate CIM
3.6 (L1) Host should deactivate SNMP
3.7 (L1) Host must automatically terminate idle DCUI sessions
3.8 (L1) Host must automatically terminate idle shells
3.9 (L1) Host must automatically deactivate shell services
3.10 (L1) Host must not suppress warnings that the shell is enabled
3.11 (L1) Host must enforce password complexity
3.12 (L1) Host must lock an account after a specified number of failed login attempts
3.13 (L1) Host must unlock accounts after a specified timeout period
3.14 (L1) Host must configure the password history setting to restrict the reuse of passwords
3.15 (L1) Host must be configured with an appropriate maximum password age
3.16 (L1) Host must configure a session timeout for the API
3.17 (L1) Host must automatically terminate idle host client sessions
3.18 (L1) Host must have an accurate DCUI.Access list
3.19 (L1) Host must have an accurate Exception Users list
3.20 (L1) Host must enable normal lockdown mode
3.22 (L1) Host must deny shell access for the dcui account
3.24 (L1) Host must display a login banner for the DCUI and Host Client
3.25 (L1) Host must display a login banner for SSH connections
3.26 (L1) Host must enable the highest version of TLS supported
4.1 (L1) Host must configure a persistent log location for all locally stored system logs
4.2 (L1) Host must transmit system logs to a remote log collector
4.3 (L1) Host must log sufficient information for events
4.4 (L1) Host must set the logging informational level to info
4.5 (L1) Host must deactivate log filtering
4.6 (L1) Host must enable audit record logging
4.7 (L1) Host must configure a persistent log location for all locally stored audit records
4.8 (L1) Host must store one week of audit records
4.9 (L1) Host must transmit audit records to a remote log collector
4.10 (L1) Host must verify certificates for TLS remote logging endpoints