DISA STIG VMware vSphere 6.x ESXi OS v1r5

Audit Details

Name: DISA STIG VMware vSphere 6.x ESXi OS v1r5

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 29

File Details

Filename: DISA_STIG_VMware_vSphere_ESXi_6_Bare_Metal_Host_v1r5.audit

Size: 42.6 kB

MD5: 8031c3cb736d685075ef4923b9b5b2b0
SHA256: d494960cbe78d8a6398bfbb38d3d4d998aa7df16f3ddd9632ed4e7f1f0d43e0e

Audit Items

DescriptionCategories
ESXI-06-000009 - The SSH daemon must be configured with the Department of Defense (DoD) login banner.

ACCESS CONTROL

ESXI-06-000010 - The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.

ACCESS CONTROL

ESXI-06-000011 - The SSH daemon must be configured to use only the SSHv2 protocol.

ACCESS CONTROL

ESXI-06-000012 - The SSH daemon must ignore .rhosts files.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000013 - The SSH daemon must not allow host-based authentication.

CONFIGURATION MANAGEMENT

ESXI-06-000014 - The SSH daemon must not permit root logins.

CONFIGURATION MANAGEMENT

ESXI-06-000015 - The SSH daemon must not allow authentication using an empty password.

CONFIGURATION MANAGEMENT

ESXI-06-000016 - The SSH daemon must not permit user environment settings.

CONFIGURATION MANAGEMENT

ESXI-06-000017 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

CONFIGURATION MANAGEMENT

ESXI-06-000018 - The SSH daemon must not permit GSSAPI authentication.

CONFIGURATION MANAGEMENT

ESXI-06-000019 - The SSH daemon must not permit Kerberos authentication.

CONFIGURATION MANAGEMENT

ESXI-06-000020 - The SSH daemon must perform strict mode checking of home directory configuration files.

CONFIGURATION MANAGEMENT

ESXI-06-000021 - The SSH daemon must not allow compression or must only allow compression after successful authentication.

CONFIGURATION MANAGEMENT

ESXI-06-000022 - The SSH daemon must be configured to not allow gateway ports.

CONFIGURATION MANAGEMENT

ESXI-06-000023 - The SSH daemon must be configured to not allow X11 forwarding.

CONFIGURATION MANAGEMENT

ESXI-06-000024 - The SSH daemon must not accept environment variables from the client.

CONFIGURATION MANAGEMENT

ESXI-06-000025 - The SSH daemon must not permit tunnels.

CONFIGURATION MANAGEMENT

ESXI-06-000026 - The SSH daemon must set a timeout count on idle sessions.

CONFIGURATION MANAGEMENT

ESXI-06-000027 - The SSH daemon must set a timeout interval on idle sessions.

CONFIGURATION MANAGEMENT

ESXI-06-000028 - The SSH daemon must limit connections to a single session.

CONFIGURATION MANAGEMENT

ESXI-06-000029 - The system must remove keys from the SSH authorized_keys file.

CONFIGURATION MANAGEMENT

ESXI-06-000032 - The system must prohibit the reuse of passwords within five iterations.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000033 - The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

CONFIGURATION MANAGEMENT

ESXI-06-000044 - The system must enable kernel core dumps.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000047 - The Image Profile and VIB Acceptance Levels must be verified.

CONFIGURATION MANAGEMENT

ESXI-06-000056 - The system must configure the firewall to restrict access to services running on the host.

CONFIGURATION MANAGEMENT

ESXI-06-100010 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-100047 - The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIP Acceptance Levels.

CONFIGURATION MANAGEMENT

ESXI-06-200047 - The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIP Acceptance Levels.

SYSTEM AND COMMUNICATIONS PROTECTION