| 1.1 Ensure ESXi is properly patched | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Ensure the default value of individual salt per vm is configured | SYSTEM AND INFORMATION INTEGRITY |
| 2.1 Ensure NTP time synchronization is configured properly | AUDIT AND ACCOUNTABILITY |
| 2.3 Ensure Managed Object Browser (MOB) is disabled | CONFIGURATION MANAGEMENT |
| 2.5 Ensure SNMP is configured properly - 'community name private does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.5 Ensure SNMP is configured properly - 'community name public does not exist' | IDENTIFICATION AND AUTHENTICATION |
| 2.6 Ensure dvfilter API is not configured if not used | ACCESS CONTROL |
| 2.8 Ensure vSphere Authentication Proxy is used when adding hosts to Active Directory | IDENTIFICATION AND AUTHENTICATION |
| 2.9 Ensure VDS health check is disabled | CONFIGURATION MANAGEMENT |
| 3.2 Ensure persistent logging is configured for all ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 3.3 Ensure remote logging is configured for ESXi hosts | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure passwords are required to be complex | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure Active Directory is used for local user authentication - Review Domain | |
| 4.4 Ensure only authorized users and groups belong to the esxAdminsGroup group | ACCESS CONTROL |
| 4.5 Ensure the Exception Users list is properly configured | ACCESS CONTROL |
| 4.6 Ensure account lockout is set to 15 minutes | ACCESS CONTROL |
| 4.7 Ensure the maximum failed login attempts is set to 3 | ACCESS CONTROL |
| 5.1 Ensure the DCUI timeout is set to 600 seconds or less | ACCESS CONTROL |
| 5.3 Ensure the ESXi shell is disabled | CONFIGURATION MANAGEMENT |
| 5.4 Ensure SSH is disabled | CONFIGURATION MANAGEMENT |
| 5.5 Ensure CIM access is limited | IDENTIFICATION AND AUTHENTICATION |
| 5.6 Ensure Lockdown mode is enabled | ACCESS CONTROL |
| 5.8 Ensure idle ESXi shell and SSH sessions time out after 300 seconds or less | ACCESS CONTROL |
| 5.9 Ensure the shell services timeout is set to 1 hour or less | ACCESS CONTROL |
| 5.10 Ensure DCUI has a trusted users list for lockdown mode | ACCESS CONTROL |
| 6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Ensure the uniqueness of CHAP authentication secrets for iSCSI traffic | IDENTIFICATION AND AUTHENTICATION |
| 6.3 Ensure storage area network (SAN) resources are segregated properly | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure the vSwitch Forged Transmits policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure the vSwitch MAC Address Change policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure port groups are not configured to the value of the native VLAN | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CONFIGURATION MANAGEMENT |
| 7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collector | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Ensure port-level configuration overrides are disabled. | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.1 Ensure informational messages from the VM to the VMX file are limited | AUDIT AND ACCOUNTABILITY |
| 8.2.1 Ensure unnecessary floppy devices are disconnected | MEDIA PROTECTION |
| 8.2.3 Ensure unnecessary parallel ports are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.4 Ensure unnecessary serial ports are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.5 Ensure unnecessary USB devices are disconnected | CONFIGURATION MANAGEMENT |
| 8.2.6 Ensure unauthorized modification and disconnection of devices is disabled | ACCESS CONTROL |
| 8.2.7 Ensure unauthorized connection of devices is disabled | ACCESS CONTROL |
| 8.2.8 Ensure PCI and PCIe device passthrough is disabled | CONFIGURATION MANAGEMENT |
| 8.3.1 Ensure unnecessary or superfluous functions inside VMs are disabled | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.2 Ensure use of the VM console is limited | IDENTIFICATION AND AUTHENTICATION |
| 8.3.3 Ensure secure protocols are used for virtual serial port access | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3.4 Ensure templates are used whenever possible to deploy VMs | CONFIGURATION MANAGEMENT |
| 8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | |
| 8.4.2 Ensure VMsafe Agent Address is configured correctly | SYSTEM AND INFORMATION INTEGRITY |
