Detections
Analytics

DISA STIG VMware vSphere 7.0 vCenter v1r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG VMware vSphere 7.0 vCenter v1r2

Updated: 6/17/2024

Authority: DISA STIG

Plugin: VMware

Revision: 1.2

Estimated Item Count: 57

File Details

Filename: DISA_STIG_VMware_vSphere_7.0_vCenter_v1r2.audit

Size: 98 kB

MD5: cfe255b8857d8c178d5bc435eae7c295
SHA256: e9d9c0ba6040d87e08ad0441234ce3aaf9803ed42dccc7f95a0dc57cfda85d09

Audit Items

DescriptionCategories
VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
VCSA-70-000023 - The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.
VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
VCSA-70-000057 - vCenter Server plugins must be verified.
VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
VCSA-70-000060 - The vCenter Server must require multifactor authentication.
VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length.
VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.
VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character.
VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character.
VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character.
VCSA-70-000074 - The vCenter Server passwords must contain at least one special character.
VCSA-70-000077 - The vCenter Server must enable FIPS-validated cryptography.
VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.
VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
VCSA-70-000095 - The vCenter Server users must have the correct roles assigned.
VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
VCSA-70-000148 - The vCenter Server must be configured to send logs to a central log server.
VCSA-70-000150 - vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
VCSA-70-000158 - The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.
VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers.
VCSA-70-000266 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
VCSA-70-000267 - The vCenter Server must disable the distributed virtual switch health check.
VCSA-70-000268 - The vCenter Server must set the distributed port group Forged Transmits policy to 'Reject' - Reject.
VCSA-70-000269 - The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to 'Reject' - Reject.
VCSA-70-000270 - The vCenter Server must set the distributed port group Promiscuous Mode policy to 'Reject' - Reject.
VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.
VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
VCSA-70-000275 - The vCenter Server must configure the 'vpxuser' auto-password to be changed every 30 days - vpxuser auto-password to be changed every 30 days.
VCSA-70-000276 - The vCenter Server must configure the 'vpxuser' password to meet length policy - vpxuser password to meet length policy.
VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.
VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.
VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.
VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
VCSA-70-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions.
VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions.
VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).