DISA STIG VMware vSphere vCenter 6.x v1r4

Audit Details

Name: DISA STIG VMware vSphere vCenter 6.x v1r4

Updated: 4/25/2022

Authority: DISA STIG

Plugin: VMware

Revision: 1.10

Estimated Item Count: 50

File Details

Filename: DISA_STIG_VMware_vSphere_vCenter_6_v1r4.audit

Size: 88.8 kB

MD5: 9bf7e77f971c07ac0e2083bb6631922d
SHA256: 2e50ed1d6d334e3a388dcf5671cb926574b34b24b961bd11a90d1b89ef1f6ecf

Audit Items

Description / Category
VCWN-06-000001 - The system must prohibit password reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000002 - The system must not automatically refresh client sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-06-000003 - The system must enforce a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000004 - The system must terminate management sessions after 10 minutes of inactivity.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-06-000005 - The vCenter Server users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-06-000007 - The system must limit the effects of information-flooding types of Denial of Service (DoS) attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-06-000008 - The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

AUDIT AND ACCOUNTABILITY

VCWN-06-000009 - The system must use Active Directory authentication.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000010 - The system must limit the use of the built-in SSO administrative account.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000012 - The system must disable the distributed virtual switch health check.

CONFIGURATION MANAGEMENT

VCWN-06-000013 - The distributed port group Forged Transmits policy must be set to reject.

CONFIGURATION MANAGEMENT

VCWN-06-000014 - The system must ensure the distributed port group MAC Address Change policy is set to reject.

CONFIGURATION MANAGEMENT

VCWN-06-000015 - The system must ensure the distributed port group Promiscuous Mode policy is set to reject.

CONFIGURATION MANAGEMENT

VCWN-06-000016 - The system must only send NetFlow traffic to authorized collectors.

CONFIGURATION MANAGEMENT

VCWN-06-000017 - The system must not override port group settings at the port level on distributed switches.

CONFIGURATION MANAGEMENT

VCWN-06-000018 - All port groups must be configured to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

VCWN-06-000019 - All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.

CONFIGURATION MANAGEMENT

VCWN-06-000020 - All port groups must not be configured to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

VCWN-06-000021 - The system must enable SSL for Network File Copy (NFC).

CONFIGURATION MANAGEMENT

VCWN-06-000022 - The vCenter Server services must be run using a service account instead of a built-in Windows account.

CONFIGURATION MANAGEMENT

VCWN-06-000023 - The system must ensure the vpxuser auto-password change meets policy.

CONFIGURATION MANAGEMENT

VCWN-06-000024 - The system must ensure the vpxuser password meets length policy.

CONFIGURATION MANAGEMENT

VCWN-06-000025 - The system must disable the managed object browser at all times, when not required for troubleshooting or maintenance.

CONFIGURATION MANAGEMENT

VCWN-06-000026 - Privilege re-assignment must be checked after the vCenter Server restarts.

CONFIGURATION MANAGEMENT

VCWN-06-000027 - The system must minimize access to the vCenter server.

CONFIGURATION MANAGEMENT

VCWN-06-000028 - Log files must be cleaned up after failed installations of the vCenter Server.

CONFIGURATION MANAGEMENT

VCWN-06-000029 - The system must enable all tasks to be shown to Administrators in the Web Client.

CONFIGURATION MANAGEMENT

VCWN-06-000030 - The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.

CONFIGURATION MANAGEMENT

VCWN-06-000031 - Connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.

CONFIGURATION MANAGEMENT

VCWN-06-000032 - A least-privileges assignment must be used for the Update Manager database user.

CONFIGURATION MANAGEMENT

VCWN-06-000033 - A least-privileges assignment must be used for the vCenter Server database user.

CONFIGURATION MANAGEMENT

VCWN-06-000034 - The system must use unique service accounts when applications connect to vCenter.

CONFIGURATION MANAGEMENT

VCWN-06-000035 - vSphere Client plugins must be verified.

CONFIGURATION MANAGEMENT

VCWN-06-000036 - The system must produce audit records containing information to establish what type of events occurred.

SYSTEM AND INFORMATION INTEGRITY

VCWN-06-000039 - Passwords must be at least 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000040 - Passwords must contain at least one uppercase character.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000041 - Passwords must contain at least one lowercase character.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000042 - Passwords must contain at least one numeric character.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000043 - Passwords must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

VCWN-06-000045 - The system must limit the maximum number of failed login attempts to three.

ACCESS CONTROL

VCWN-06-000046 - The system must set the interval for counting failed login attempts to at least 15 minutes.

ACCESS CONTROL

VCWN-06-000047 - The system must require an administrator to unlock an account locked due to excessive login failures.

ACCESS CONTROL

VCWN-06-000048 - The system must alert administrators on permission creation operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-06-000049 - The system must alert administrators on permission deletion operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-06-000050 - The system must alert administrators on permission update operations.

SYSTEM AND INFORMATION INTEGRITY

VCWN-06-000051 - The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

CONFIGURATION MANAGEMENT

VCWN-06-000052 - The system must enable the VSAN Health Check.

CONFIGURATION MANAGEMENT

VCWN-06-000053 - The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted.

CONFIGURATION MANAGEMENT

VCWN-06-000054 - The system must configure the VSAN Datastore name to a unique name.

CONFIGURATION MANAGEMENT

VCWN-06-100005 - The vCenter Server users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION