Revision 1.1, Dec 12, 2018
Informational Update
- ESXI5-VMNET-000001 - All dvPortgroup VLAN IDs must be fully documented
- ESXI5-VMNET-000002 - All dvSwitch Private VLAN IDs must be fully documented
- ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated
- ESXI5-VMNET-000007 - Only authorized administrators must have access to virtual networking components
- ESXI5-VMNET-000008 - All physical switch ports must be configured with spanning tree disabled
- ESXI5-VMNET-000010 - All port groups must be configured to a value other than that of the native VLAN
- ESXI5-VMNET-000012 - All port groups must not be configured to VLAN values reserved by upstream physical switches
- ESXI5-VMNET-000017 - Non-negotiate must be configured for trunk links between physical switches and virtual switches in VST mode
- ESXI5-VMNET-000020 - The system must ensure there are no unused ports on a distributed virtual port group
- ESXI5-VMNET-000021 - vMotion traffic must be isolated
- ESXI5-VMNET-000023 - Access to the management network must be strictly controlled
- ESXI5-VMNET-000024 - Access to the management network must be strictly controlled through a network jump box
- ESXI5-VMNET-000025 - Spanning tree enabled and BPDU guard and Portfast disabled on the upstream port for VMs that route/bridge traffic
- ESXI5-VMNET-000026 - The system must disable the autoexpand option for VDS dvPortgroups
- ESXI5-VMNET-000036 - IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch
- ESXI5-VMNET-000046 - All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups
- GEN000380-ESXI5-000043 - The GID assigned to a user must exist
- GEN000585-ESXI5-000080 - The system must enforce the entire password during authentication
- GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords (V-39246)
- GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords (V-39418)
- GEN000940-ESXI5-000042 - The root account's executable search path must be the vendor default and must contain only absolute paths
- GEN000945-ESXI5-000333 - The root account's library search path must be the system default and must contain only absolute paths
- GEN000950-ESXI5-444 - The root account's list of preloaded libraries must be empty
- GEN002120-ESXI5-000045 - The /etc/shells (or equivalent) file must exist
- GEN002140-ESXI5-000046 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except shells preventing logins
- GEN002260-ESXI5-000047 - The system must be checked for extraneous device files at least weekly
- GEN002400-ESXI5-10047 - The system must be checked weekly for unauthorized setuid files and unauthorized changes to authorized setuid files
- GEN002420-ESXI5-00878 - Removable media, remote file systems and file systems that do not contain setuid files must be mounted nosuid
- GEN002430-ESXI5 - Removable media, remote file systems and file systems that do not contain device files must be mounted nodev
- GEN002460-ESXI5-20047 - The system must be checked weekly for unauthorized setgid files and unauthorized changes to authorized setgid files
- GEN003510-ESXI5-006660 - Kernel core dumps must be disabled unless needed
- GEN005300-ESXI5-000099 - SNMP communities, users, and passphrases must be changed from the default
- GEN005501-ESXI5-9778 - The SSH client must be configured to only use the SSHv2 protocol
- GEN005515-ESXI5-000100 - The SSH daemon must be configured to not allow TCP connection forwarding
- GEN005516-ESXI5-703 - The SSH client must be configured to not allow TCP forwarding
- GEN005517-ESXI5-000101 - The SSH daemon must be configured to not allow gateway ports
- GEN005518-ESXI5-704 - The SSH client must be configured to not allow gateway ports
- GEN005519-ESXI5-000102 - The SSH daemon must be configured to not allow X11 forwarding
- GEN005520-ESXI5-705 - The SSH client must be configured to not allow X11 forwarding
- GEN005528-ESXI5-000106 - The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale
- GEN005529-ESXI5-708 - The SSH client must not send environment variables to the server or must only send those pertaining to locale
- GEN005530-ESXI5-000107 - The SSH daemon must not permit user environment settings
- GEN005531-ESXI5-000108 - The SSH daemon must not permit tunnels
- GEN005532-ESXI5-709 - The SSH client must not permit tunnels
- GEN005536-ESXI5-000110 - The SSH daemon must perform strict mode checking of home directory configuration files
- GEN005539-ESXI5-000113 - The SSH daemon must not allow compression or must only allow compression after successful authentication
- GEN005570-ESXI5-000115 - System must be configured with a default gateway for IPv6 if the system uses IPv6, unless it is a router
- GEN005900-ESXI5-00891 - The nosuid option must be enabled on all NFS client mounts
- GEN007841-ESXI5-000120 - Wireless network adapters must be disabled
- GEN008460-ESXI5-000121 - The system must have USB disabled unless needed
- GEN008480-ESXI5-000122 - The system must have USB Mass Storage disabled unless needed
- GEN008500-ESXI5-000123 - The system must have IEEE 1394 (Firewire) disabled unless needed
- GEN008600-ESXI5-000050 - The system must be configured to only boot from the system boot device
- GEN008640-ESXI5-000055 - The system must not use removable media as the boot loader
- GEN008680-ESXI5-000056 - If the system boots from removable media, it must be stored in a safe or similarly secured container
- SRG-OS-000023-ESXI5 - The SSH daemon must be configured with the Department of Defense (DoD) logon banner
- SRG-OS-000027-ESXI5 - The SSH daemon must limit connections to a single session
- SRG-OS-000033-ESXI5 - The operating system must use cryptography to protect the confidentiality of remote access sessions
- SRG-OS-000056-ESXI5 - The system must use time sources local to the enclave
- SRG-OS-000069-ESXI5 - The system must require that passwords contain at least one uppercase alphabetic character
- SRG-OS-000070-ESXI5 - The system must require passwords contain at least one lowercase alphabetic character (V-39256)
- SRG-OS-000071-ESXI5 - The system must require that passwords contain at least one numeric character
- SRG-OS-000072-ESXI5 - System must require at least 4 characters changed between old and new passwords during a password change
- SRG-OS-000077-ESXI5 - The system must prohibit the reuse of passwords within five iterations
- SRG-OS-000078-ESXI5 - The system must require that passwords contain a minimum of 14 characters
- SRG-OS-000080-ESXI5 - BIOS or system controllers supporting password protection must have admin accounts configured, and no others
- SRG-OS-000090-ESXI5 - The system must verify the integrity of the installation media before installing ESXi
- SRG-OS-000092-ESXI5 - The system must enable lockdown mode to restrict remote access
- SRG-OS-000095-ESXI5 - Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled
- SRG-OS-000104-ESXI5 - All accounts must be assigned unique User Identification Numbers (UIDs)
- SRG-OS-000109-ESXI5 - The system must not permit root logins using remote access programs, such as SSH
- SRG-OS-000112-ESXI5 - The SSH daemon must be configured to only use the SSHv2 protocol
- SRG-OS-000113-ESXI5 - The OS must use org-defined replay-resistant auth mechanisms for network access to non-privileged accounts
- SRG-OS-000120-ESXI5 - Password hashes stored on the system must be generated using FIPS 140-2 approved crypto hashing algorithm
- SRG-OS-000121-ESXI5 - All accounts on the system must have unique user or account names
- SRG-OS-000132-ESXI5 - vSphere management traffic must be on a restricted network
- SRG-OS-000144-ESXI5 - The OS must monitor/control communications at external boundary of the IS and at key internal boundaries
- SRG-OS-000147-ESXI5 - OS, at managed interfaces, must deny network traffic by default and must allow network traffic by exception
- SRG-OS-000152-ESXI5 - The OS must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices
- SRG-OS-000157-ESXI5 - The SSH client must be configured to not use CBC-based ciphers
- SRG-OS-000158-ESXI5 - SSH client must be configured to only use Message Authentication Codes (MACs) with FIPS 140-2 approved crypto
- SRG-OS-000159-ESXI5 - The SSH client must be configured to only use FIPS 140-2 approved ciphers
- SRG-OS-000193-ESXI5 - The Image Profile and VIB Acceptance Levels must be verified
- SRG-OS-000231-ESXI5 - The operating system must enforce requirements for remote connections to the information system
- SRG-OS-000248-ESXI5 - There must be no .rhosts or hosts.equiv files on the system
- SRG-OS-000250-ESXI5 - SSH daemon must be configured to only use Message Authentication Codes (MACs) with FIPS 140-2 approved crypto
- SRG-OS-000266-ESXI5 - The system must require that passwords contain at least one special character
- SRG-OS-99999-ESXI5-000137 - The system must disable the Managed Object Browser (MOB)
- SRG-OS-99999-ESXI5-000139 - The system must not provide root/admin level access to CIM-based hardware monitor tools or other 3rd party apps
- SRG-OS-99999-ESXI5-000147 - The system must ensure uniqueness of CHAP authentication secrets
- SRG-OS-99999-ESXI5-000150 - SAN resources must be masked and zoned appropriately
- SRG-OS-99999-ESXI5-000152 - Keys from SSH authorized_keys file must be removed
- SRG-OS-99999-ESXI5-000156 - The contents of exposed configuration files must be verified
- SRG-OS-99999-ESXI5-000158 - Unauthorized kernel modules must not be loaded on the host
- SRG-OS-99999-ESXI5-000160 - The system must use the vSphere Auth Proxy to protect passwords when adding ESXi hosts to Active Directory
- SRG-OS-99999-ESXI5-000161 - The system must zero out VMDK files prior to deletion
Miscellaneous
- Metadata updated.
- References updated.