DISA STIG VMWare ESXi Server 5 STIG v1r9

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG VMWare ESXi Server 5 STIG v1r9

Updated: 3/16/2017

Authority: DISA STIG

Plugin: VMware

Revision: 1.5

Estimated Item Count: 135

Audit Items

Description | Categories
ESXI5-VMNET-000001 - All dvPortgroup VLAN IDs must be fully documented
ESXI5-VMNET-000002 - All dvSwitch Private VLAN IDs must be fully documented
ESXI5-VMNET-000003 - All virtual switches must have a clear network label

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000004 - Virtual switch VLANs must be fully documented and have only the required VLANs

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000005 - All vSwitch and VLAN IDs must be fully documented - 'vSwitch labels'

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated
ESXI5-VMNET-000007 - Only authorized administrators must have access to virtual networking components
ESXI5-VMNET-000008 - All physical switch ports must be configured with spanning tree disabled
ESXI5-VMNET-000009 - All port groups must be configured with a clear network label

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000010 - All port groups must be configured to a value other than that of the native VLAN
ESXI5-VMNET-000011 - All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT)

CONFIGURATION MANAGEMENT

ESXI5-VMNET-000012 - All port groups must not be configured to VLAN values reserved by upstream physical switches
ESXI5-VMNET-000013 - The system must ensure that the virtual switch Forged Transmits policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000014 - The system must ensure that the dvPortgroup Forged Transmits policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000015 - The system must ensure the dvPortGroup MAC Address Change policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000016 - The system must ensure the virtual switches MAC Address Change policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000017 - Non-negotiate must be configured for trunk links between physical switches and virtual switches in VST mod
ESXI5-VMNET-000018 - The system must ensure the virtual switch Promiscuous Mode policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000019 - The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI5-VMNET-000020 - The system must ensure there are no unused ports on a distributed virtual port group
ESXI5-VMNET-000021 - vMotion traffic must be isolated
ESXI5-VMNET-000023 - Access to the management network must be strictly controlled
ESXI5-VMNET-000024 - Access to the management network must be strictly controlled through a network jump box
ESXI5-VMNET-000025 - Spanning tree enabled and BPDU guard and Portfast disabled on the upstream port for VMs that route/bridge traffic
ESXI5-VMNET-000026 - The system must disable the autoexpand option for VDS dvPortgroups
ESXI5-VMNET-000036 - IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch
ESXI5-VMNET-000046 - All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups
GEN000100-ESXI5-000062 - The operating system must be a supported release

SYSTEM AND INFORMATION INTEGRITY

GEN000240-ESXI5-000058 - The system clock must be synchronized to an authoritative DoD time source

AUDIT AND ACCOUNTABILITY

GEN000380-ESXI5-000043 - The GID assigned to a user must exist
GEN000585-ESXI5-000080 - The system must enforce the entire password during authentication
GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords (V-39246)
GEN000790-ESXI5-000085 - The system must prevent the use of dictionary words for passwords (V-39418)
GEN000940-ESXI5-000042 - The root account's executable search path must be the vendor default and must contain only absolute paths
GEN000945-ESXI5-000333 - The root accounts library search path must be the system default and must contain only absolute paths
GEN000950-ESXI5-444 - The root accounts list of preloaded libraries must be empty
GEN001375-ESXI5-000086 - For systems using DNS resolution, at least two name servers must be configured

SYSTEM AND COMMUNICATIONS PROTECTION

GEN002120-ESXI5-000045 - The /etc/shells (or equivalent) file must exist
GEN002140-ESXI5-000046 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except shells preventing logins
GEN002260-ESXI5-000047 - The system must be checked for extraneous device files at least weekly
GEN002400-ESXI5-10047 - The system must be checked weekly for unauthorized setuid files and unauthorized changes to authorized setuid files
GEN002420-ESXI5-00878 - Removable media, remote file systems and file systems that do not contain setuid files must be mounted nosuid
GEN002430-ESXI5 - Removable media, remote file systems and file systems that do not contain device files must be mounted nodev
GEN002460-ESXI5-20047 - The system must be checked weekly for unauthorized setgid files and unauthorized changes to authorized setgid files
GEN003510-ESXI5-006660 - Kernel core dumps must be disabled unless needed
GEN005300-ESXI5-000099 - SNMP communities, users, and passphrases must be changed from the default
GEN005440-ESXI5-000078 - The system must not be used as a syslog server (log host) for systems external to the enclave

AUDIT AND ACCOUNTABILITY

GEN005460-ESXI5-000060 - The system must only use remote syslog servers justified and documented using site-defined procedures

AUDIT AND ACCOUNTABILITY

GEN005501-ESXI5-9778 - The SSH client must be configured to only use the SSHv2 protocol
GEN005515-ESXI5-000100 - The SSH daemon must be configured to not allow TCP connection forwarding