Revision 1.1 Mar 13, 2026

Functional Update
  • 3.20 (L1) Host must enable normal lockdown mode
Informational Update
  • 2.10 (L1) Host must restrict inter-VM transparent page sharing
  • 2.2 (L1) Host must have all software updates installed
  • 2.6 (L1) Host must have reliable time synchronization sources
  • 3.1 (L1) Host should deactivate SSH
  • 3.12 (L1) Host must lock an account after a specified number of failed login attempts
  • 3.13 (L1) Host must unlock accounts after a specified timeout period
  • 3.14 (L1) Host must configure the password history setting to restrict the reuse of passwords
  • 3.18 (L1) Host must have an accurate DCUI.Access list
  • 3.19 (L1) Host must have an accurate Exception Users list
  • 3.2 (L1) Host must deactivate the ESXi shell
  • 3.20 (L1) Host must enable normal lockdown mode
  • 3.3 (L1) Host must deactivate the ESXi Managed Object Browser (MOB)
  • 3.7 (L1) Host must automatically terminate idle DCUI sessions
  • 3.8 (L1) Host must automatically terminate idle shells
  • 3.9 (L1) Host must automatically deactivate shell services
  • 4.1 (L1) Host must configure a persistent log location for all locally stored system logs
  • 4.2 (L1) Host must transmit system logs to a remote log collector
  • 5.1 (L1) Host firewall must only allow traffic from authorized networks
  • 5.10 (L1) Host must restrict the use of Virtual Guest Tagging (VGT) on standard virtual switches
  • 5.3 (L1) Host must restrict use of the dvFilter network API
  • 5.6 (L1) Host should reject forged transmits on standard virtual switches and port groups
  • 5.7 (L1) Host should reject MAC address changes on standard virtual switches and port groups
  • 5.8 (L1) Host should reject promiscuous mode requests on standard virtual switches and port groups
  • 5.9 (L1) Host must restrict access to a default or native VLAN on standard virtual switches
  • 6.3.1 (L1) Host iSCSI client, if enabled, must employ bidirectional/mutual CHAP authentication
  • 6.3.2 (L1) Host iSCSI client, if enabled, must employ unique CHAP authentication secrets
  • 7.17 (L1) Virtual machines must deactivate console drag and drop operations
  • 7.18 (L1) Virtual machines must deactivate console copy operations
  • 7.19 (L1) Virtual machines must deactivate console paste operations
  • 7.20 (L1) Virtual machines must limit access through the "dvfilter" network API
  • 7.21 (L1) Virtual machines must deactivate virtual disk shrinking operations
  • 7.22 (L1) Virtual machines must deactivate virtual disk wiping operations
  • 7.24 (L1) Virtual machines must not be able to obtain host information from the hypervisor
  • 7.26 (L1) Virtual machines must limit the number of retained diagnostic logs
  • 7.27 (L1) Virtual machines must limit the size of diagnostic logs
  • 7.6 (L1) Virtual machines must limit console sharing.
Miscellaneous
  • Metadata updated.
  • Variables updated.