DISA VMware vSphere 8.0 ESXi STIG v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA VMware vSphere 8.0 ESXi STIG v2r2

Updated: 5/5/2025

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 53

File Details

Filename: DISA_VMware_vSphere_8.0_ESXi_STIG_v2r2.audit

Size: 149 kB

MD5: ec93b8895556b0993730c3c6ac986b86
SHA256: 6108b17dc019449e1cc26e37c4c99b1fce071c82b5bf6e5a448ae6f8e0f045b0

Audit Items

Description
ESXI-80-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
ESXI-80-000006 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
ESXI-80-000008 - The ESXi host must enable lockdown mode.
ESXI-80-000010 - The ESXi host client must be configured with an idle session timeout.
ESXI-80-000015 - The ESXi must produce audit records containing information to establish what type of events occurred.
ESXI-80-000035 - The ESXi host must enforce password complexity by configuring a password quality policy.
ESXI-80-000043 - The ESXi host must prohibit password reuse for a minimum of five generations.
ESXI-80-000047 - The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).
ESXI-80-000049 - The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
ESXI-80-000068 - The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes.
ESXI-80-000111 - The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
ESXI-80-000113 - The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
ESXI-80-000114 - The ESXi host must offload logs via syslog.
ESXI-80-000124 - The ESXi host must synchronize internal information system clocks to an authoritative time source.
ESXI-80-000145 - The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
ESXI-80-000160 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
ESXI-80-000189 - The ESXi host DCUI.Access list must be verified.
ESXI-80-000191 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
ESXI-80-000193 - The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
ESXI-80-000194 - The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell.
ESXI-80-000195 - The ESXi host must automatically stop shell services after 10 minutes.
ESXI-80-000196 - The ESXi host must set a timeout to automatically end idle DCUI sessions after 10 minutes.
ESXI-80-000198 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic.
ESXI-80-000199 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
ESXI-80-000201 - The ESXi host lockdown mode exception users list must be verified.
ESXI-80-000213 - The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
ESXI-80-000214 - The ESXi host must configure the firewall to block network traffic by default.
ESXI-80-000215 - The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
ESXI-80-000216 - The ESXi host must configure virtual switch security policies to reject forged transmits.
ESXI-80-000217 - The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
ESXI-80-000218 - The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.
ESXI-80-000219 - The ESXi host must restrict use of the dvFilter network application programming interface (API).
ESXI-80-000220 - The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
ESXI-80-000221 - The ESXi host must have all security patches and updates installed.
ESXI-80-000222 - The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
ESXI-80-000223 - The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
ESXI-80-000224 - The ESXi host must verify certificates for SSL syslog endpoints.
ESXI-80-000225 - The ESXi host must enable volatile key destruction.
ESXI-80-000226 - The ESXi host must configure a session timeout for the vSphere API.
ESXI-80-000227 - The ESXi host must be configured with an appropriate maximum password age.
ESXI-80-000228 - The ESXi Common Information Model (CIM) service must be disabled.
ESXI-80-000231 - The ESXi host OpenSLP service must be disabled.
ESXI-80-000232 - The ESXi host must enable audit logging.
ESXI-80-000233 - The ESXi host must off-load audit records via syslog.
ESXI-80-000234 - The ESXi host must enable strict x509 verification for SSL syslog endpoints.
ESXI-80-000235 - The ESXi host must forward audit records containing information to establish what type of events occurred.
ESXI-80-000239 - The ESXi host must configure the firewall to restrict access to services running on the host.
ESXI-80-000240 - The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
ESXI-80-000241 - The ESXi host must not use the default Active Directory ESX Admin group.
ESXI-80-000243 - The ESXi host must configure a persistent log location for all locally stored logs.