DISA STIG VMWare ESXi Server 5 STIG v2r1

Audit Details

Name: DISA STIG VMWare ESXi Server 5 STIG v2r1

Updated: 7/24/2023

Authority: DISA STIG

Plugin: VMware

Revision: 1.5

Estimated Item Count: 133

File Details

Filename: DISA_STIG_VMware_ESXi-Server_5_v2r1.audit

Size: 252 kB

MD5: 554884160db3ee204d79024351e1160b
SHA256: 5ac16be826bd566b78b5229a35fef0fe514d566bb4b9bf3d5ab9d21d39c1d2f2

Audit Items

Description / Categories
ESXI5-VMNET-000001 - All dvPortgroup VLAN IDs must be fully documented.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000002 - All dvSwitch Private VLAN IDs must be fully documented.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000003 - All virtual switches must have a clear network label.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000004 - Virtual switch VLANs must be fully documented and have only the required VLANs.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000005 - All vSwitch and VLAN IDs must be fully documented - 'vSwitch labels'

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000007 - Only authorized administrators must have access to virtual networking components.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000008 - All physical switch ports must be configured with spanning tree disabled.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000009 - All port groups must be configured with a clear network label.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000010 - All port groups must be configured to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000011 - All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT) - VGT

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000012 - All port groups must not be configured to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000013 - The system must ensure that the virtual switch Forged Transmits policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000014 - The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000015 - The system must ensure the dvPortGroup MAC Address Change policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000016 - The system must ensure the virtual switch MAC Address Change policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000017 - The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000018 - The system must ensure the virtual switch Promiscuous Mode policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000019 - The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000020 - The system must ensure there are no unused ports on a distributed virtual port group.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000021 - vMotion traffic must be isolated.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000023 - Access to the management network must be strictly controlled through a network gateway.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000024 - Access to the management network must be strictly controlled through a network jump box.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000025 - Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000026 - The system must disable the autoexpand option for VDS dvPortgroups.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000036 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch.

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000046 - All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups.

CONFIGURATION MANAGEMENT

GEN000100-ESXI5-000062 - The operating system must be a supported release.

CONFIGURATION MANAGEMENT

GEN000240-ESXI5-000058 - The system clock must be synchronized to an authoritative DoD time source.

CONFIGURATION MANAGEMENT

GEN000380-ESXI5-000043 - The GID assigned to a user must exist.

CONFIGURATION MANAGEMENT

GEN000585-ESXI5-000080 - The system must enforce the entire password during authentication.

CONFIGURATION MANAGEMENT

GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords - V-39246

CONFIGURATION MANAGEMENT

GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords - V-39418

CONFIGURATION MANAGEMENT

GEN000940-ESXI5-000042 - The root account's executable search path must be the vendor default and must contain only absolute paths.

CONFIGURATION MANAGEMENT

GEN000945-ESXI5-000333 - The root account's library search path must be the system default and must contain only absolute paths.

CONFIGURATION MANAGEMENT

GEN000950-ESXI5-444 - The root account's list of preloaded libraries must be empty.

CONFIGURATION MANAGEMENT

GEN001375-ESXI5-000086 - For systems using DNS resolution, at least two name servers must be configured.

CONFIGURATION MANAGEMENT

GEN002120-ESXI5-000045 - The /etc/shells (or equivalent) file must exist - or equivalent file must exist

CONFIGURATION MANAGEMENT

GEN002140-ESXI5-000046 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.

CONFIGURATION MANAGEMENT

GEN002260-ESXI5-000047 - The system must be checked for extraneous device files at least weekly.

CONFIGURATION MANAGEMENT

GEN002400-ESXI5-10047 - The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files.

CONFIGURATION MANAGEMENT

GEN002420-ESXI5-00878 - Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option.

CONFIGURATION MANAGEMENT

GEN002430-ESXI5 - Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option.

CONFIGURATION MANAGEMENT

GEN002460-ESXI5-20047 - The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files.

CONFIGURATION MANAGEMENT

GEN003510-ESXI5-006660 - Kernel core dumps must be disabled unless needed.

CONFIGURATION MANAGEMENT

GEN005300-ESXI5-000099 - SNMP communities, users, and passphrases must be changed from the default.

CONFIGURATION MANAGEMENT

GEN005440-ESXI5-000078 - The system must not be used as a syslog server (log host) for systems external to the enclave - log host for systems external to the enclave

CONFIGURATION MANAGEMENT

GEN005460-ESXI5-000060 - The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.

CONFIGURATION MANAGEMENT

GEN005501-ESXI5-9778 - The SSH client must be configured to only use the SSHv2 protocol.

CONFIGURATION MANAGEMENT

GEN005515-ESXI5-000100 - The SSH daemon must be configured to not allow TCP connection forwarding.

CONFIGURATION MANAGEMENT