Item Search

| Name | Audit Name | Plugin | Category |
| --- | --- | --- | --- |
| ESXI-70-000001 - Access to the ESXi host must be limited by enabling lockdown mode. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | ACCESS CONTROL |
| ESXI-70-000002 - The ESXi host must verify the DCUI.Access list. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | ACCESS CONTROL |
| ESXI-70-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000042 - The ESXi host must terminate shell services after 10 minutes. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000043 - The ESXi host must log out of the console UI after two minutes. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000054 - The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - outgoing | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000061 - All port groups on standard switches must be configured to reject guest promiscuous mode requests. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN). | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000064 - All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000079 - The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000087 - The ESXi host must enable volatile key destruction. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCLD-70-000001 - VAMI must limit the number of simultaneous requests. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | ACCESS CONTROL |
| VCLD-70-000005 - VAMI must generate log records for system startup and shutdown. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCLD-70-000007 - VAMI log files must only be accessible by privileged users. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCLD-70-000008 - The rsyslog must be configured to monitor VAMI logs. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCLD-70-000018 - VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks - Content-Type. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCLD-70-000019 - VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8 - cgi | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| VCLD-70-000019 - VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8 - erb | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| VCLD-70-000019 - VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8 - pl | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| VCLD-70-000025 - VAMI must force clients to select the most secure cipher. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCLD-70-000026 - VAMI must disable client-initiated Transport Layer Security (TLS) renegotiation. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCPG-70-000001 - VMware Postgres must limit the number of connections. | DISA STIG VMware vSphere 7.0 PostgreSQL v1r2 | Unix | ACCESS CONTROL |
| VCPG-70-000008 - VMware Postgres must be configured to use the correct port. | DISA STIG VMware vSphere 7.0 PostgreSQL v1r2 | Unix | CONFIGURATION MANAGEMENT |
| VCPG-70-000015 - VMware Postgres must not allow schema access to unauthorized accounts. | DISA STIG VMware vSphere 7.0 PostgreSQL v1r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCPG-70-000019 - 'Rsyslog' must be configured to monitor VMware Postgres logs. | DISA STIG VMware vSphere 7.0 PostgreSQL v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCRP-70-000004 - Envoy must use only Transport Layer Security (TLS) 1.2 for the protection of client connections. | DISA STIG VMware vSphere 7.0 RhttpProxy v1r1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCRP-70-000007 - Envoy (rhttpproxy) log files must be shipped via syslog to a central log server. | DISA STIG VMware vSphere 7.0 RhttpProxy v1r1 | Unix | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000060 - The vCenter Server must require multifactor authentication. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000267 - The vCenter Server must disable the distributed virtual switch health check. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN). | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000276 - The vCenter Server must configure the 'vpxuser' password to meet length policy. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000280 - The vCenter server must be configured to send events to a central log server. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000289 - The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCSA-70-000293 - vCenter task and event retention must be set to at least 30 days. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |