DISA STIG VMware vSphere 6.7 vCenter v1r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG VMware vSphere 6.7 vCenter v1r3

Updated: 10/31/2023

Authority: DISA STIG

Plugin: VMware

Revision: 1.2

Estimated Item Count: 61

File Details

Filename: DISA_STIG_VMware_vSphere_6.7_vCenter_v1r3.audit

Size: 92.7 kB

MD5: 78d69f3821f8bc840cc6cbd66c532c14
SHA256: fa8cfb0be2ec18d533cca191c04af4b742952140fa052708f6b662ccf2356f65

Audit Items

Description
VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations.
VCTR-67-000002 - The vCenter Server must not automatically refresh client sessions.
VCTR-67-000003 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
VCTR-67-000004 - The vCenter Server must terminate management sessions after 10 minutes of inactivity.
VCTR-67-000005 - The vCenter Server users must have the correct roles assigned.
VCTR-67-000007 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
VCTR-67-000009 - The vCenter Server must implement Active Directory authentication.
VCTR-67-000010 - The vCenter Server must limit the use of the built-in SSO administrative account.
VCTR-67-000012 - The vCenter Server must disable the distributed virtual switch health check.
VCTR-67-000013 - The vCenter Server must set the distributed port group Forged Transmits policy to reject.
VCTR-67-000014 - The vCenter Server must set the distributed port group MAC Address Change policy to reject.
VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.
VCTR-67-000016 - The vCenter Server must only send NetFlow traffic to authorized collectors.
VCTR-67-000018 - The vCenter Server must configure all port groups to a value other than that of the native VLAN.
VCTR-67-000019 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
VCTR-67-000023 - The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.
VCTR-67-000024 - The vCenter Server must configure the vpxuser password meets length policy.
VCTR-67-000025 - The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.
VCTR-67-000026 - The vCenter Server must check the privilege reassignment after restarts.
VCTR-67-000029 - The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.
VCTR-67-000031 - The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.
VCTR-67-000033 - The vCenter Server must use a least-privileges assignment for the vCenter Server database user.
VCTR-67-000034 - The vCenter Server must use unique service accounts when applications connect to vCenter.
VCTR-67-000035 - vCenter Server plugins must be verified.
VCTR-67-000036 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
VCTR-67-000039 - The vCenter Server passwords must be at least 15 characters in length.
VCTR-67-000040 - The vCenter Server passwords must contain at least one uppercase character.
VCTR-67-000041 - The vCenter Server passwords must contain at least one lowercase character.
VCTR-67-000042 - The vCenter Server passwords must contain at least one numeric character.
VCTR-67-000043 - The vCenter Server passwords must contain at least one special character.
VCTR-67-000045 - The vCenter Server must limit the maximum number of failed login attempts to three.
VCTR-67-000046 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
VCTR-67-000047 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
VCTR-67-000051 - The vCenter Server users must have the correct roles assigned.
VCTR-67-000052 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
VCTR-67-000054 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
VCTR-67-000055 - The vCenter Server must configure the vSAN Datastore name to a unique name.
VCTR-67-000057 - The vCenter Server must enable TLS 1.2 exclusively.
VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
VCTR-67-000059 - The vCenter Server must enable certificate based authentication.
VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication.
VCTR-67-000061 - The vCenter Server must disable Password and Windows integrated authentication.
VCTR-67-000062 - The vCenter Server must enable the login banner for vSphere Client.
VCTR-67-000063 - The vCenter Server must restrict access to the cryptographic role.
VCTR-67-000064 - The vCenter Server must restrict access to cryptographic permissions.
VCTR-67-000065 - The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.
VCTR-67-000066 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
VCTR-67-000067 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
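A PowerCLI spot check for a subset of the items listed above (the distributed port-group security policies in VCTR-67-000013 through VCTR-67-000015, the native-VLAN and trunking items VCTR-67-000018 and VCTR-67-000019, the health-check item VCTR-67-000012, and the vpxuser and MOB advanced settings in VCTR-67-000023 through VCTR-67-000025). This is an added example, not the Tenable audit logic in the .audit file and not DISA's own check procedure. The vCenter hostname, the expected values (30-day vpxuser expiry, 32-character vpxuser password length, MOB disabled) and the assumption that VLAN 0 / untagged is the native VLAN on the upstream switch are assumptions for illustration; adjust them to your environment and to the STIG text you are auditing against.

```powershell
# Added example: PowerCLI spot check for some VCTR-67 items.
# Not part of the Tenable audit file; the vCenter address is a placeholder (assumption).
param(
    [string]$VCenter = 'vcenter.example.local'   # assumption: replace with your vCenter FQDN
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server $VCenter

$findings = New-Object System.Collections.Generic.List[string]

# VCTR-67-000012: the distributed switch health check must be disabled.
foreach ($vds in Get-VDSwitch -Server $vc) {
    $hc = $vds.ExtensionData.Config.HealthCheckConfig
    if ($hc | Where-Object { $_.Enable }) {
        $findings.Add("VCTR-67-000012 $($vds.Name): health check enabled")
    }
}

# VCTR-67-000013/14/15: every non-uplink distributed port group must reject
# Forged Transmits, MAC Address Changes and Promiscuous Mode.
# VCTR-67-000018/19: port groups must not sit on the native VLAN (assumed here to be
# VLAN 0 / untagged) and must not trunk unless Virtual Guest Tagging is authorized.
foreach ($pg in Get-VDPortgroup -Server $vc | Where-Object { -not $_.IsUplink }) {
    $pol = $pg | Get-VDSecurityPolicy
    if ($pol.ForgedTransmits)  { $findings.Add("VCTR-67-000013 $($pg.Name): Forged Transmits accepted") }
    if ($pol.MacChanges)       { $findings.Add("VCTR-67-000014 $($pg.Name): MAC Address Changes accepted") }
    if ($pol.AllowPromiscuous) { $findings.Add("VCTR-67-000015 $($pg.Name): Promiscuous Mode accepted") }

    $vlan = $pg.VlanConfiguration
    if ($null -eq $vlan -or ($vlan.VlanType -eq 'Vlan' -and $vlan.VlanId -eq 0)) {
        $findings.Add("VCTR-67-000018 $($pg.Name): untagged / native VLAN")
    }
    if ($vlan -and $vlan.VlanType -eq 'Trunk') {
        # Only a finding if VGT is not documented as required; report it for review.
        $findings.Add("VCTR-67-000019 $($pg.Name): VLAN trunking configured (confirm VGT is authorized)")
    }
}

# VCTR-67-000023/24/25: vCenter advanced settings for the vpxuser account and the MOB.
# Expected values below are assumptions taken from common STIG guidance; verify against your STIG text.
$expected = @{
    'VirtualCenter.VimPasswordExpirationInDays' = @{ Id = 'VCTR-67-000023'; Test = { param($v) [int]$v -le 30 -and [int]$v -gt 0 } }
    'config.vpxd.hostPasswordLength'            = @{ Id = 'VCTR-67-000024'; Test = { param($v) [int]$v -eq 32 } }
    'config.vpxd.enableDebugBrowse'             = @{ Id = 'VCTR-67-000025'; Test = { param($v) "$v" -eq 'false' } }
}
foreach ($name in $expected.Keys) {
    $setting = Get-AdvancedSetting -Entity $vc -Name $name
    $id = $expected[$name].Id
    if (-not $setting) {
        # A missing key means the default applies; flag it so a human confirms the default is acceptable.
        $findings.Add("$id ${name}: not set (default in effect, review)")
    }
    elseif (-not (& $expected[$name].Test $setting.Value)) {
        $findings.Add("$id ${name}: value '$($setting.Value)' is non-compliant")
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false

if ($findings.Count -eq 0) {
    Write-Output 'No findings for the checked VCTR-67 items.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The script reports rather than remediates: the corresponding fixes (`Set-VDSecurityPolicy -ForgedTransmits:$false -MacChanges:$false -AllowPromiscuous:$false` and `Set-AdvancedSetting`) change production network and authentication behaviour, so run them only after the findings have been reviewed against the authorized exceptions, such as port groups where VGT is documented as required.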