DISA STIG VMWare ESXi 5 Virtual Machine STIG v2r1

Audit Details

Name: DISA STIG VMWare ESXi 5 Virtual Machine STIG v2r1

Updated: 4/25/2022

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 54

File Details

Filename: DISA_STIG_VMware_ESXi-VirtualMachine_5_v2r1.audit

Size: 306 kB

MD5: 98a79e2af5c2a0eb22fd895fccc15fc8
SHA256: b8b6ee4d6403ef77d180c8b2897bbc34d0f31f26e5bea944dcdfa845e72f77ea

Audit Items

DescriptionCategories
ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory limit'

CONFIGURATION MANAGEMENT

ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory reservation'

CONFIGURATION MANAGEMENT

ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory share'

CONFIGURATION MANAGEMENT

ESXI5-VM-000002 - The system must disable tools auto install.

CONFIGURATION MANAGEMENT

ESXI5-VM-000003 - The system must explicitly disable copy operations.

CONFIGURATION MANAGEMENT

ESXI5-VM-000004 - The system must explicitly disable drag and drop operations.

CONFIGURATION MANAGEMENT

ESXI5-VM-000005 - The system must explicitly disable any GUI functionality for copy/paste operations.

CONFIGURATION MANAGEMENT

ESXI5-VM-000006 - The system must explicitly disable paste operations.

CONFIGURATION MANAGEMENT

ESXI5-VM-000007 - The system must disable virtual disk shrinking.

CONFIGURATION MANAGEMENT

ESXI5-VM-000008 - The system must disable virtual disk erasure.

CONFIGURATION MANAGEMENT

ESXI5-VM-000009 - The system must disable HGFS file transfers.

CONFIGURATION MANAGEMENT

ESXI5-VM-000010 - The system must not use independent, non-persistent disks.

CONFIGURATION MANAGEMENT

ESXI5-VM-000011 - The system must disable VM-to-VM communication through VMCI.

CONFIGURATION MANAGEMENT

ESXI5-VM-000012 - The system must disable VM logging, unless required.

CONFIGURATION MANAGEMENT

ESXI5-VM-000013 - The system must disable VM Monitor Control during normal operation.

CONFIGURATION MANAGEMENT

ESXI5-VM-000014 - The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000015 - The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000016 - The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000017 - The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000018 - The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000019 - The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000020 - The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000021 - The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000022 - The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000023 - The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000024 - The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000025 - The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000026 - The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000027 - The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000028 - The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000029 - The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000030 - The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000031 - The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VMs potential attack vectors.

CONFIGURATION MANAGEMENT

ESXI5-VM-000033 - The system must disable VIX messages from the VM.

CONFIGURATION MANAGEMENT

ESXI5-VM-000034 - The system must disconnect unauthorized floppy devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000035 - The system must disconnect unauthorized IDE devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000036 - The system must disconnect unauthorized parallel devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000037 - The system must disconnect unauthorized serial devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000038 - The system must disconnect unauthorized USB devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000039 - The system must limit sharing of console connections.

CONFIGURATION MANAGEMENT

ESXI5-VM-000041 - The system must limit VM logging records.

CONFIGURATION MANAGEMENT

ESXI5-VM-000042 - The system must limit VM logging record contents.

CONFIGURATION MANAGEMENT

ESXI5-VM-000043 - The system must limit informational messages from the VM to the VMX file.

CONFIGURATION MANAGEMENT

ESXI5-VM-000044 - The system must minimize use of the VM console.

CONFIGURATION MANAGEMENT

ESXI5-VM-000045 - The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true.

CONFIGURATION MANAGEMENT

ESXI5-VM-000046 - The system must prevent unauthorized removal, connection and modification of devices.

CONFIGURATION MANAGEMENT

ESXI5-VM-000047 - The system must not send host information to guests.

CONFIGURATION MANAGEMENT

ESXI5-VM-000049 - The system must use secure protocols for virtual serial port access.

CONFIGURATION MANAGEMENT

ESXI5-VM-000050 - The system must use templates to deploy VMs whenever possible.

CONFIGURATION MANAGEMENT

ESXI5-VM-000051 - The system must control access to VMs through the dvfilter network APIs.

CONFIGURATION MANAGEMENT