| DISA STIG VMware vSphere ESXi 6 Security Technical Implementation Guide Version 1 Release 5 | |
| ESXI-06-000009 - The SSH daemon must be configured with the Department of Defense (DoD) login banner. | ACCESS CONTROL |
| ESXI-06-000010 - The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000011 - The SSH daemon must be configured to use only the SSHv2 protocol. | ACCESS CONTROL |
| ESXI-06-000012 - The SSH daemon must ignore .rhosts files. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000013 - The SSH daemon must not allow host-based authentication. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000014 - The SSH daemon must not permit root logins. | ACCESS CONTROL |
| ESXI-06-000015 - The SSH daemon must not allow authentication using an empty password. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000016 - The SSH daemon must not permit user environment settings. | CONFIGURATION MANAGEMENT |
| ESXI-06-000017 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000018 - The SSH daemon must not permit GSSAPI authentication. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000019 - The SSH daemon must not permit Kerberos authentication. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000020 - The SSH daemon must perform strict mode checking of home directory configuration files. | CONFIGURATION MANAGEMENT |
| ESXI-06-000021 - The SSH daemon must not allow compression or must only allow compression after successful authentication. | CONFIGURATION MANAGEMENT |
| ESXI-06-000022 - The SSH daemon must be configured to not allow gateway ports. | CONFIGURATION MANAGEMENT |
| ESXI-06-000023 - The SSH daemon must be configured to not allow X11 forwarding. | CONFIGURATION MANAGEMENT |
| ESXI-06-000024 - The SSH daemon must not accept environment variables from the client. | CONFIGURATION MANAGEMENT |
| ESXI-06-000025 - The SSH daemon must not permit tunnels. | CONFIGURATION MANAGEMENT |
| ESXI-06-000026 - The SSH daemon must set a timeout count on idle sessions. | ACCESS CONTROL |
| ESXI-06-000027 - The SSH daemon must set a timeout interval on idle sessions. | ACCESS CONTROL |
| ESXI-06-000028 - The SSH daemon must limit connections to a single session. | ACCESS CONTROL |
| ESXI-06-000029 - The system must remove keys from the SSH authorized_keys file. | CONFIGURATION MANAGEMENT |
| ESXI-06-000032 - The system must prohibit the reuse of passwords within five iterations. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000033 - The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-06-000044 - The system must enable kernel core dumps. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-000047 - The Image Profile and VIB Acceptance Levels must be verified. | CONFIGURATION MANAGEMENT |
| ESXI-06-000056 - The system must configure the firewall to restrict access to services running on the host. | CONFIGURATION MANAGEMENT |
| ESXI-06-100010 - The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-06-100047 - The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIP Acceptance Levels. | CONFIGURATION MANAGEMENT |
| ESXI-06-200047 - The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIP Acceptance Levels. | CONFIGURATION MANAGEMENT |
