DISA STIG VMware vSphere 6.7 vCenter v1r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG VMware vSphere 6.7 vCenter v1r1

Updated: 6/10/2022

Authority: Operating Systems and Applications

Plugin: VMware

Revision: 1.3

Estimated Item Count: 62

Audit Items

Description
VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations.
VCTR-67-000002 - The vCenter Server must not automatically refresh client sessions.
VCTR-67-000003 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
VCTR-67-000004 - The vCenter Server must terminate management sessions after 10 minutes of inactivity.
VCTR-67-000005 - The vCenter Server users must have the correct roles assigned.
VCTR-67-000007 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
VCTR-67-000009 - The vCenter Server must implement Active Directory authentication.
VCTR-67-000010 - The vCenter Server must limit the use of the built-in SSO administrative account.
VCTR-67-000012 - The vCenter Server must disable the distributed virtual switch health check.
VCTR-67-000013 - The vCenter Server must set the distributed port group Forged Transmits policy to reject.
VCTR-67-000014 - The vCenter Server must set the distributed port group MAC Address Change policy to reject.
VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.
VCTR-67-000016 - The vCenter Server must only send NetFlow traffic to authorized collectors.
VCTR-67-000018 - The vCenter Server must configure all port groups to a value other than that of the native VLAN.
VCTR-67-000019 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
VCTR-67-000023 - The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.
VCTR-67-000024 - The vCenter Server must configure the vpxuser password to meet the length policy.
VCTR-67-000025 - The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.
VCTR-67-000026 - The vCenter Server must check the privilege reassignment after restarts.
VCTR-67-000029 - The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
VCTR-67-000031 - The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
VCTR-67-000033 - The vCenter Server must use a least-privileges assignment for the vCenter Server database user.
VCTR-67-000034 - The vCenter Server must use unique service accounts when applications connect to vCenter.
VCTR-67-000035 - vCenter Server plugins must be verified.
VCTR-67-000036 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
VCTR-67-000039 - The vCenter Server passwords must be at least 15 characters in length.
VCTR-67-000040 - The vCenter Server passwords must contain at least one uppercase character.
VCTR-67-000041 - The vCenter Server passwords must contain at least one lowercase character.
VCTR-67-000042 - The vCenter Server passwords must contain at least one numeric character.
VCTR-67-000043 - The vCenter Server passwords must contain at least one special character.
VCTR-67-000045 - The vCenter Server must limit the maximum number of failed login attempts to three.
VCTR-67-000046 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
VCTR-67-000047 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
VCTR-67-000051 - The vCenter Server users must have the correct roles assigned.
VCTR-67-000052 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
VCTR-67-000053 - The vCenter Server must enable the vSAN Health Check.
VCTR-67-000054 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
VCTR-67-000055 - The vCenter Server must configure the vSAN Datastore name to a unique name.
VCTR-67-000057 - The vCenter Server must enable TLS 1.2 exclusively.
VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
VCTR-67-000059 - The vCenter Server must enable certificate based authentication.
VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication.
VCTR-67-000061 - The vCenter Server must disable Password and Windows integrated authentication.
VCTR-67-000062 - The vCenter Server must enable the login banner for vSphere Client.
VCTR-67-000063 - The vCenter Server must restrict access to the cryptographic role.
VCTR-67-000064 - The vCenter Server must restrict access to cryptographic permissions.
VCTR-67-000065 - The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.
VCTR-67-000066 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).