DISA STIG VMware vSphere 7.0 ESXi v1r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG VMware vSphere 7.0 ESXi v1r2

Updated: 4/3/2025

Authority: DISA STIG

Plugin: VMware

Revision: 1.2

Estimated Item Count: 49

Audit Items

Description | Categories
ESXI-70-000001 - Access to the ESXi host must be limited by enabling lockdown mode.
ESXI-70-000002 - The ESXi host must verify the DCUI.Access list.
ESXI-70-000003 - The ESXi host must verify the exception users list for lockdown mode.
ESXI-70-000004 - Remote logging for ESXi hosts must be configured.
ESXI-70-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
ESXI-70-000006 - The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
ESXI-70-000007 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
ESXI-70-000008 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
ESXI-70-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.
ESXI-70-000031 - The ESXi host must be configured with a sufficiently complex password policy.
ESXI-70-000032 - The ESXi host must prohibit the reuse of passwords within five iterations.
ESXI-70-000034 - The ESXi host must disable the Managed Object Browser (MOB).
ESXI-70-000035 - The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
ESXI-70-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
ESXI-70-000037 - The ESXi host must use Active Directory for local user authentication.
ESXI-70-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
ESXI-70-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
ESXI-70-000042 - The ESXi host must terminate shell services after 10 minutes.
ESXI-70-000043 - The ESXi host must log out of the console UI after two minutes.
ESXI-70-000045 - The ESXi host must enable a persistent log location for all locally stored logs.
ESXI-70-000046 - The ESXi host must configure NTP time synchronization.
ESXI-70-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
ESXI-70-000053 - Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.
ESXI-70-000054 - The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
ESXI-70-000055 - The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - incoming
ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - outgoing
ESXI-70-000058 - The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
ESXI-70-000059 - All port groups on standard switches must be configured to reject forged transmits.
ESXI-70-000060 - All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.
ESXI-70-000061 - All port groups on standard switches must be configured to reject guest promiscuous mode requests.
ESXI-70-000062 - Use of the dvFilter network application programming interfaces (APIs) must be restricted.
ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
ESXI-70-000064 - All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required - VGT is required.
ESXI-70-000065 - All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
ESXI-70-000072 - The ESXi host must have all security patches and updates installed.
ESXI-70-000074 - The ESXi host must exclusively enable Transport Layer Security (TLS) 1.2 for all endpoints.
ESXI-70-000079 - The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
ESXI-70-000081 - The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
ESXI-70-000086 - The ESXi host must verify certificates for SSL syslog endpoints.
ESXI-70-000087 - The ESXi host must enable volatile key destruction.
ESXI-70-000088 - The ESXi host must configure a session timeout for the vSphere API.
ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout.
ESXI-70-000091 - The ESXi host must be configured with an appropriate maximum password age.
ESXI-70-000097 - The ESXi Common Information Model (CIM) service must be disabled.