| ID | Level | Recommendation | Control family |
|---|---|---|---|
| 1.1 | L1 | Host hardware must have auditable, authentic, and up to date system and device firmware | SYSTEM AND SERVICES ACQUISITION |
| 1.2 | L1 | Host hardware must enable UEFI Secure Boot | SYSTEM AND SERVICES ACQUISITION |
| 1.3 | L1 | Host hardware must enable Intel TXT, if available | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.4 | L1 | Host hardware must enable and configure a TPM 2.0 | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.5 | L1 | Host integrated hardware management controller must be secure | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.6 | L1 | Host integrated hardware management controller must enable time synchronization | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.7 | L1 | Host integrated hardware management controller must enable remote logging of events | AUDIT AND ACCOUNTABILITY |
| 2.1 | L1 | Host must run software that has not reached End of General Support status | SYSTEM AND SERVICES ACQUISITION |
| 2.2 | L1 | Host must have all software updates installed | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.3 | L1 | Host must enable Secure Boot enforcement | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.5 | L1 | Host must only run binaries delivered via signed VIB | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.6 | L1 | Host must have reliable time synchronization sources | AUDIT AND ACCOUNTABILITY |
| 2.7 | L1 | Host must have time synchronization services enabled and running | AUDIT AND ACCOUNTABILITY |
| 2.8 | L1 | Host must require TPM-based configuration encryption | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 | L1 | Host must not suppress warnings about unmitigated hyperthreading vulnerabilities | AUDIT AND ACCOUNTABILITY |
| 2.10 | L1 | Host must restrict inter-VM transparent page sharing | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1 | L1 | Host should deactivate SSH | CONFIGURATION MANAGEMENT |
| 3.2 | L1 | Host must deactivate the ESXi shell | CONFIGURATION MANAGEMENT |
| 3.3 | L1 | Host must deactivate the ESXi Managed Object Browser (MOB) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 | L1 | Host must deactivate SLP | CONFIGURATION MANAGEMENT |
| 3.5 | L1 | Host must deactivate CIM | CONFIGURATION MANAGEMENT |
| 3.6 | L1 | Host should deactivate SNMP | CONFIGURATION MANAGEMENT |
| 3.7 | L1 | Host must automatically terminate idle DCUI sessions | ACCESS CONTROL |
| 3.8 | L1 | Host must automatically terminate idle shells | ACCESS CONTROL |
| 3.9 | L1 | Host must automatically deactivate shell services | ACCESS CONTROL |
| 3.10 | L1 | Host must not suppress warnings that the shell is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 3.11 | L1 | Host must enforce password complexity | IDENTIFICATION AND AUTHENTICATION |
| 3.12 | L1 | Host must lock an account after a specified number of failed login attempts | ACCESS CONTROL |
| 3.13 | L1 | Host must unlock accounts after a specified timeout period | ACCESS CONTROL |
| 3.14 | L1 | Host must configure the password history setting to restrict the reuse of passwords | IDENTIFICATION AND AUTHENTICATION |
| 3.15 | L1 | Host must be configured with an appropriate maximum password age | IDENTIFICATION AND AUTHENTICATION |
| 3.16 | L1 | Host must configure a session timeout for the API | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.17 | L1 | Host must automatically terminate idle host client sessions | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.18 | L1 | Host must have an accurate DCUI.Access list | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.19 | L1 | Host must have an accurate Exception Users list | ACCESS CONTROL, MEDIA PROTECTION |
| 3.20 | L1 | Host must enable normal lockdown mode | ACCESS CONTROL |
| 3.22 | L1 | Host must deny shell access for the dcui account | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.24 | L1 | Host must display a login banner for the DCUI and Host Client | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.25 | L1 | Host must display a login banner for SSH connections | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.26 | L1 | Host must enable the highest version of TLS supported | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 | L1 | Host must configure a persistent log location for all locally stored system logs | AUDIT AND ACCOUNTABILITY |
| 4.2 | L1 | Host must transmit system logs to a remote log collector | AUDIT AND ACCOUNTABILITY |
| 4.3 | L1 | Host must log sufficient information for events | AUDIT AND ACCOUNTABILITY |
| 4.4 | L1 | Host must set the logging informational level to info | AUDIT AND ACCOUNTABILITY |
| 4.5 | L1 | Host must deactivate log filtering | AUDIT AND ACCOUNTABILITY |
| 4.6 | L1 | Host must enable audit record logging | AUDIT AND ACCOUNTABILITY |
| 4.7 | L1 | Host must configure a persistent log location for all locally stored audit records | AUDIT AND ACCOUNTABILITY |
| 4.8 | L1 | Host must store one week of audit records | AUDIT AND ACCOUNTABILITY |
| 4.9 | L1 | Host must transmit audit records to a remote log collector | AUDIT AND ACCOUNTABILITY |
| 4.10 | L1 | Host must verify certificates for TLS remote logging endpoints | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
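Most of the section 2, 3 and 4 recommendations above map to ESXi advanced settings or host services, so they can be audited offline from a configuration export. The script below is an added example, not tooling from the benchmark or from VMware: it evaluates a subset of the recommendations (2.9, 2.10, 3.1 to 3.18, 4.1, 4.2, 4.4, 4.6, 4.8 to 4.10) against a JSON export. The advanced-setting and service names are the ESXi identifiers as exposed by PowerCLI `Get-AdvancedSetting` and `Get-VMHostService`, assumed unchanged in the version you run; the expected values, the export shape (`settings` and `services` maps) and the `SAMPLE_EXPORT` document are assumptions and constructed data, and must be reconciled with the benchmark version in use. The sample deliberately mixes compliant and non-compliant values, omits one setting, and pairs a TLS syslog collector with certificate checking turned off, so the output shows how each of those cases is reported.

```python
"""Offline audit of an exported ESXi host configuration against a subset of the
recommendations above. Hypothetical helper, not the benchmark's own tooling.
Setting/service names are ESXi identifiers; expected values are assumptions."""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # recommendation ID from the table above
    key: str       # advanced setting or service checked
    passed: bool
    detail: str


def _timeout_ok(v, limit):
    """Idle timeouts must be set (0 means 'never expire') and no longer than limit."""
    return isinstance(v, int) and 0 < v <= limit


def _pw_quality_ok(v):
    """pam_passwdqc-style string: similar=deny retry=N min=N0,N1,N2,N3,N4.
    Assumed policy: retries <= 3 and every enabled length class >= 15 characters."""
    opts = dict(tok.split("=", 1) for tok in str(v).split() if "=" in tok)
    mins = [m for m in opts.get("min", "").split(",") if m and m != "disabled"]
    return bool(
        opts.get("similar") == "deny"
        and opts.get("retry", "").isdigit() and int(opts["retry"]) <= 3
        and mins and all(m.isdigit() for m in mins)
        and min(int(m) for m in mins) >= 15
    )


# (control, advanced setting, predicate, human-readable expectation); assumed values
SETTING_CHECKS = [
    ("2.9",  "UserVars.SuppressHyperthreadWarning", lambda v: v == 0, "0"),
    ("2.10", "Mem.ShareForceSalting", lambda v: v == 2, "2"),
    ("3.3",  "Config.HostAgent.plugins.solo.enableMob", lambda v: v is False, "false"),
    ("3.7",  "UserVars.DcuiTimeOut", lambda v: _timeout_ok(v, 600), "1..600 s"),
    ("3.8",  "UserVars.ESXiShellInteractiveTimeOut", lambda v: _timeout_ok(v, 900), "1..900 s"),
    ("3.9",  "UserVars.ESXiShellTimeOut", lambda v: _timeout_ok(v, 600), "1..600 s"),
    ("3.10", "UserVars.SuppressShellWarning", lambda v: v == 0, "0"),
    ("3.11", "Security.PasswordQualityControl", _pw_quality_ok, "similar=deny retry<=3 min>=15"),
    ("3.12", "Security.AccountLockFailures", lambda v: 0 < v <= 5, "1..5"),
    ("3.13", "Security.AccountUnlockTime", lambda v: 0 < v <= 900, "1..900 s"),
    ("3.14", "Security.PasswordHistory", lambda v: v >= 5, ">=5"),
    ("3.15", "Security.PasswordMaxDays", lambda v: 0 < v <= 9999, "1..9999"),
    ("3.16", "Config.HostAgent.vmacore.soap.sessionTimeout", lambda v: 0 < v <= 30, "1..30 min"),
    ("3.17", "UserVars.HostClientSessionTimeout", lambda v: _timeout_ok(v, 900), "1..900 s"),
    ("3.18", "DCUI.Access", lambda v: set(str(v).split(",")) == {"root"}, "root only (assumed)"),
    # Default "[] /scratch/log" is not datastore-backed; a named datastore is, e.g. "[ds1] /logs/esx01"
    ("4.1",  "Syslog.global.logDir", lambda v: str(v).startswith("[") and not str(v).startswith("[]"), "[datastore] path"),
    ("4.2",  "Syslog.global.logHost", lambda v: bool(str(v).strip()), "non-empty collector"),
    ("4.4",  "Config.HostAgent.log.level", lambda v: v == "info", "info"),
    ("4.6",  "Syslog.global.auditRecord.storeEnable", lambda v: v is True, "true"),
    ("4.8",  "Syslog.global.auditRecord.storeCapacity", lambda v: isinstance(v, int) and v >= 100, ">=100 MiB (assumed)"),
    ("4.9",  "Syslog.global.auditRecord.remoteEnable", lambda v: v is True, "true"),
]
# Services whose startup policy must be "off": SSH, ESXi shell, SLP, CIM (sfcbd), SNMP
SERVICE_CHECKS = {"3.1": "TSM-SSH", "3.2": "TSM", "3.4": "slpd", "3.5": "sfcbd-watchdog", "3.6": "snmpd"}

# Constructed sample export (not captured from a real host).
SAMPLE_EXPORT = json.dumps({
    "settings": {
        "UserVars.SuppressHyperthreadWarning": 0, "Mem.ShareForceSalting": 2,
        "Config.HostAgent.plugins.solo.enableMob": False,
        "UserVars.DcuiTimeOut": 600,
        "UserVars.ESXiShellInteractiveTimeOut": 0,        # fails 3.8: never times out
        "UserVars.ESXiShellTimeOut": 600, "UserVars.SuppressShellWarning": 0,
        "Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15",
        "Security.AccountLockFailures": 5, "Security.AccountUnlockTime": 900,
        "Security.PasswordHistory": 5, "Security.PasswordMaxDays": 9999,
        "Config.HostAgent.vmacore.soap.sessionTimeout": 30,
        "UserVars.HostClientSessionTimeout": 900, "DCUI.Access": "root",
        "Syslog.global.logDir": "[] /scratch/log",         # fails 4.1: not datastore-backed
        "Syslog.global.logHost": "ssl://logs.example.internal:1514",
        "Config.HostAgent.log.level": "info",
        "Syslog.global.auditRecord.storeEnable": True,
        "Syslog.global.auditRecord.remoteEnable": True,    # storeCapacity (4.8) omitted on purpose
        "Syslog.global.certificate.checkSSLCerts": False,  # fails 4.10 given the ssl:// collector
    },
    "services": {"TSM-SSH": "off", "TSM": "off", "slpd": "off",
                 "sfcbd-watchdog": "on", "snmpd": "off"},  # fails 3.5: CIM still enabled
})


def audit(export_json: str) -> list[Finding]:
    data = json.loads(export_json)
    settings, services = data.get("settings", {}), data.get("services", {})
    out = []
    for control, key, pred, expected in SETTING_CHECKS:
        if key not in settings:  # an absent key is a finding, never a silent pass
            out.append(Finding(control, key, False, f"not present in export; expected {expected}"))
            continue
        val = settings[key]
        try:
            ok = bool(pred(val))
        except TypeError:        # wrong type in the export (e.g. string where int expected)
            ok = False
        out.append(Finding(control, key, ok, f"value {val!r}; expected {expected}"))
    # 4.10 only applies when 4.2 points at a TLS collector
    if "ssl://" in str(settings.get("Syslog.global.logHost", "")):
        ok = settings.get("Syslog.global.certificate.checkSSLCerts") is True
        out.append(Finding("4.10", "Syslog.global.certificate.checkSSLCerts", ok,
                           "TLS collector configured; expected true"))
    for control, svc in SERVICE_CHECKS.items():
        state = services.get(svc)
        out.append(Finding(control, svc, state == "off", f"startup policy {state!r}; expected 'off'"))
    return out


def failed_controls(export_json: str) -> set[str]:
    return {f.control for f in audit(export_json) if not f.passed}


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.control:<5} {f.key}: {f.detail}")
```

Two design points matter for a real run: a setting missing from the export is reported as a failure rather than skipped, because an unset value usually means the host default is in effect and the default is what the recommendation is correcting; and the certificate check (4.10) is evaluated only when the syslog target uses `ssl://`, since enabling it against a plaintext collector proves nothing. Recommendations that are not expressible as a single setting, such as lockdown mode (3.20), the Exception Users list (3.19), Secure Boot enforcement (2.3) and the TPM-backed configuration encryption (2.8), still need host-side or vCenter-side verification.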