Detections
Analytics

DISA VMware vSphere 8.0 vCenter STIG v2r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA VMware vSphere 8.0 vCenter STIG v2r1

Updated: 3/31/2025

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 67

File Details

Filename: DISA_VMware_vSphere_8.0_vCenter_STIG_v2r1.audit

Size: 114 kB

MD5: 94140870106dea7cfc88241d4c936278
SHA256: 974bf9f5b47d71daec2afbb07a4f15b548987326414affc040ef37a953daba46

Audit Items

DescriptionCategories
VCSA-80-000009 The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
VCSA-80-000023 The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.
VCSA-80-000024 The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon.
VCSA-80-000034 The vCenter Server must produce audit records containing information to establish what type of events occurred.
VCSA-80-000057 vCenter Server plugins must be verified.
VCSA-80-000059 The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
VCSA-80-000060 The vCenter Server must require multifactor authentication.
VCSA-80-000069 The vCenter Server passwords must be at least 15 characters in length.
VCSA-80-000070 The vCenter Server must prohibit password reuse for a minimum of five generations.
VCSA-80-000071 The vCenter Server passwords must contain at least one uppercase character.
VCSA-80-000072 The vCenter Server passwords must contain at least one lowercase character.
VCSA-80-000073 The vCenter Server passwords must contain at least one numeric character.
VCSA-80-000074 The vCenter Server passwords must contain at least one special character.
VCSA-80-000077 The vCenter Server must enable FIPS-validated cryptography.
VCSA-80-000079 The vCenter Server must enforce a 90-day maximum password lifetime restriction.
VCSA-80-000080 The vCenter Server must enable revocation checking for certificate-based authentication.
VCSA-80-000089 The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
VCSA-80-000095 The vCenter Server user roles must be verified.
VCSA-80-000110 The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
VCSA-80-000123 The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
VCSA-80-000145 The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
VCSA-80-000148 The vCenter Server must be configured to send logs to a central log server.
VCSA-80-000150 The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
VCSA-80-000158 The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.
VCSA-80-000195 The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
VCSA-80-000196 The vCenter Server must enable data at rest encryption for vSAN.
VCSA-80-000248 The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
VCSA-80-000253 The vCenter server must enforce SNMPv3 security features where SNMP is required.
VCSA-80-000265 The vCenter server must disable SNMPv1/2 receivers.
VCSA-80-000266 The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.
VCSA-80-000267 The vCenter Server must disable the distributed virtual switch health check.
VCSA-80-000268 The vCenter Server must set the distributed port group Forged Transmits policy to "Reject".
VCSA-80-000269 The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to "Reject".
VCSA-80-000270 The vCenter Server must set the distributed port group Promiscuous Mode policy to "Reject".
VCSA-80-000271 The vCenter Server must only send NetFlow traffic to authorized collectors.
VCSA-80-000272 The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
VCSA-80-000273 The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
VCSA-80-000274 The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
VCSA-80-000275 The vCenter Server must configure the "vpxuser" auto-password to be changed every 30 days.
VCSA-80-000276 The vCenter Server must configure the "vpxuser" password to meet length policy.
VCSA-80-000277 The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
VCSA-80-000278 The vCenter Server must use unique service accounts when applications connect to vCenter.
VCSA-80-000279 The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
VCSA-80-000280 The vCenter server must be configured to send events to a central log server.
VCSA-80-000281 The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
VCSA-80-000282 The vCenter Server must configure the vSAN Datastore name to a unique name.
VCSA-80-000283 The vCenter Server must disable Username/Password and Windows Integrated Authentication.
VCSA-80-000284 The vCenter Server must restrict access to the default roles with cryptographic permissions.
VCSA-80-000285 The vCenter Server must restrict access to cryptographic permissions.
VCSA-80-000286 The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.