DISA STIG VMware vSphere 6.7 ESXi v1r2

Audit Details

Name: DISA STIG VMware vSphere 6.7 ESXi v1r2

Updated: 6/10/2022

Authority: DISA STIG

Plugin: VMware

Revision: 1.0

Estimated Item Count: 48

File Details

Filename: DISA_STIG_VMware_vSphere_6.7_ESXi_v1r2.audit

Size: 128 kB

MD5: 0dfa3c0a4e5890a94d7da7f685137445
SHA256: 839e821887688878a128fb01fc8c353dbb706c8d3b14b3a500cc5a5e1d2d9e41

Audit Items

DescriptionCategories
ESXI-67-000001 - Access to the ESXi host must be limited by enabling Lockdown Mode.

ACCESS CONTROL

ESXI-67-000002 - The ESXi host must verify the DCUI.Access list.

CONFIGURATION MANAGEMENT

ESXI-67-000003 - The ESXi host must verify the exception users list for Lockdown Mode.

CONFIGURATION MANAGEMENT

ESXI-67-000004 - Remote logging for ESXi hosts must be configured.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

ESXI-67-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.

ACCESS CONTROL

ESXI-67-000006 - The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.

ACCESS CONTROL

ESXI-67-000007 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the DCUI.

ACCESS CONTROL

ESXI-67-000008 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.

ACCESS CONTROL

ESXI-67-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

ESXI-67-000031 - The ESXi host must enforce password complexity by requiring that at least one uppercase character be used.

IDENTIFICATION AND AUTHENTICATION

ESXI-67-000032 - The ESXi host must prohibit the reuse of passwords within five iterations.

IDENTIFICATION AND AUTHENTICATION

ESXI-67-000034 - The ESXi host must disable the Managed Object Browser (MOB).

CONFIGURATION MANAGEMENT

ESXI-67-000035 - The ESXi host must be configured to disable nonessential capabilities by disabling SSH.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

ESXI-67-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.

CONFIGURATION MANAGEMENT

ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication.

IDENTIFICATION AND AUTHENTICATION

ESXI-67-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.

IDENTIFICATION AND AUTHENTICATION

ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

IDENTIFICATION AND AUTHENTICATION

ESXI-67-000040 - The ESXi host must use multifactor authentication for local DCUI access to privileged accounts.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000042 - The ESXi host must terminate shell services after 10 minutes.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000043 - The ESXi host must log out of the console UI after two minutes.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000045 - The ESXi host must enable a persistent log location for all locally stored logs.

AUDIT AND ACCOUNTABILITY

ESXI-67-000046 - The ESXi host must configure NTP time synchronization.

AUDIT AND ACCOUNTABILITY

ESXI-67-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000052 - The ESXi host must protect the confidentiality and integrity of transmitted information by using different TCP/IP stacks where possible.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-67-000053 - SNMP must be configured properly on the ESXi host.

CONFIGURATION MANAGEMENT

ESXI-67-000054 - The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.

CONFIGURATION MANAGEMENT

ESXI-67-000055 - The ESXi host must disable Inter-VM transparent page sharing.

CONFIGURATION MANAGEMENT

ESXI-67-000057 - The ESXi host must configure the firewall to block network traffic by default - incoming

CONFIGURATION MANAGEMENT

ESXI-67-000057 - The ESXi host must configure the firewall to block network traffic by default - outgoing

CONFIGURATION MANAGEMENT

ESXI-67-000058 - The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.

CONFIGURATION MANAGEMENT

ESXI-67-000059 - The virtual switch Forged Transmits policy must be set to reject on the ESXi host.

CONFIGURATION MANAGEMENT

ESXI-67-000060 - The virtual switch MAC Address Change policy must be set to reject on the ESXi host.

CONFIGURATION MANAGEMENT

ESXI-67-000061 - The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.

CONFIGURATION MANAGEMENT

ESXI-67-000062 - The ESXi host must prevent unintended use of the dvFilter network APIs.

CONFIGURATION MANAGEMENT

ESXI-67-000063 - For the ESXi host, all port groups must be configured to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

ESXI-67-000064 - For the ESXi host, all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required - VGT is required.

CONFIGURATION MANAGEMENT

ESXI-67-000065 - For the ESXi host, all port groups must not be configured to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

ESXI-67-000066 - For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in Virtual Switch Tagging (VST) mode.

CONFIGURATION MANAGEMENT

ESXI-67-000067 - All ESXi host-connected physical switch ports must be configured with spanning tree disabled.

CONFIGURATION MANAGEMENT

ESXI-67-000068 - All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.

CONFIGURATION MANAGEMENT

ESXI-67-000070 - The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications.

CONFIGURATION MANAGEMENT

ESXI-67-000071 - The SA must verify the integrity of the installation media before installing ESXi.

CONFIGURATION MANAGEMENT

ESXI-67-000072 - The ESXi host must have all security patches and updates installed.

CONFIGURATION MANAGEMENT

ESXI-67-000074 - The ESXi host must exclusively enable TLS 1.2 for all endpoints.

CONFIGURATION MANAGEMENT

ESXI-67-000079 - The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.

CONFIGURATION MANAGEMENT