DISA STIG VMware vSphere 6.7 vCenter v1r4

Audit Details

Name: DISA STIG VMware vSphere 6.7 vCenter v1r4

Updated: 6/17/2024

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 62

File Details

Filename: DISA_STIG_VMware_vSphere_6.7_vCenter_v1r4.audit

Size: 106 kB

MD5: 4b38ae1042ce425f151dbcbff9c0fa27
SHA256: f39ab69f3021c9e3324f680a945c7099419f28fb7c19858304d47d607dd48a2c

Audit Items

DescriptionCategories
VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000002 - The vCenter Server must not automatically refresh client sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

VCTR-67-000003 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000004 - The vCenter Server must terminate management sessions after 10 minutes of inactivity.

SYSTEM AND COMMUNICATIONS PROTECTION

VCTR-67-000005 - The vCenter Server users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION

VCTR-67-000007 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).

CONFIGURATION MANAGEMENT

VCTR-67-000008 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.

AUDIT AND ACCOUNTABILITY

VCTR-67-000009 - The vCenter Server must implement Active Directory authentication.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000010 - The vCenter Server must limit the use of the built-in SSO administrative account.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000012 - The vCenter Server must disable the distributed virtual switch health check.

CONFIGURATION MANAGEMENT

VCTR-67-000013 - The vCenter Server must set the distributed port group Forged Transmits policy to reject.

CONFIGURATION MANAGEMENT

VCTR-67-000014 - The vCenter Server must set the distributed port group MAC Address Change policy to reject.

CONFIGURATION MANAGEMENT

VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject.

CONFIGURATION MANAGEMENT

VCTR-67-000016 - The vCenter Server must only send NetFlow traffic to authorized collectors.

CONFIGURATION MANAGEMENT

VCTR-67-000018 - The vCenter Server must configure all port groups to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

VCTR-67-000019 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.

CONFIGURATION MANAGEMENT

VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

VCTR-67-000023 - The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.

CONFIGURATION MANAGEMENT

VCTR-67-000024 - The vCenter Server must configure the vpxuser password meets length policy.

CONFIGURATION MANAGEMENT

VCTR-67-000025 - The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.

CONFIGURATION MANAGEMENT

VCTR-67-000026 - The vCenter Server must check the privilege reassignment after restarts.

CONFIGURATION MANAGEMENT

VCTR-67-000029 - The vCenter Server must enable all tasks to be shown to Administrators in the Web Client.

CONFIGURATION MANAGEMENT

VCTR-67-000031 - The vCenter Server must restrict the connectivity between Update Manager and public patch repositories by use of a separate Update Manager Download Server.

CONFIGURATION MANAGEMENT

VCTR-67-000033 - The vCenter Server must use a least-privileges assignment for the vCenter Server database user.

CONFIGURATION MANAGEMENT

VCTR-67-000034 - The vCenter Server must use unique service accounts when applications connect to vCenter.

CONFIGURATION MANAGEMENT

VCTR-67-000035 - vCenter Server plugins must be verified.

CONFIGURATION MANAGEMENT

VCTR-67-000036 - The vCenter Server must produce audit records containing information to establish what type of events occurred.

SYSTEM AND INFORMATION INTEGRITY

VCTR-67-000039 - The vCenter Server passwords must be at least 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000040 - The vCenter Server passwords must contain at least one uppercase character.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000041 - The vCenter Server passwords must contain at least one lowercase character.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000042 - The vCenter Server passwords must contain at least one numeric character.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000043 - The vCenter Server passwords must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

VCTR-67-000045 - The vCenter Server must limit the maximum number of failed login attempts to three.

ACCESS CONTROL

VCTR-67-000046 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.

ACCESS CONTROL

VCTR-67-000047 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.

ACCESS CONTROL

VCTR-67-000051 - The vCenter Server users must have the correct roles assigned.

SYSTEM AND COMMUNICATIONS PROTECTION

VCTR-67-000052 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

CONFIGURATION MANAGEMENT

VCTR-67-000054 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.

CONFIGURATION MANAGEMENT

VCTR-67-000055 - The vCenter Server must configure the vSAN Datastore name to a unique name.

CONFIGURATION MANAGEMENT

VCTR-67-000057 - The vCenter Server must enable TLS 1.2 exclusively.

CONFIGURATION MANAGEMENT

VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.

CONFIGURATION MANAGEMENT

VCTR-67-000059 - The vCenter Server must enable certificate based authentication.

CONFIGURATION MANAGEMENT

VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication.

CONFIGURATION MANAGEMENT

VCTR-67-000061 - The vCenter Server must disable Password and Windows integrated authentication.

CONFIGURATION MANAGEMENT

VCTR-67-000062 - The vCenter Server must enable the login banner for vSphere Client.

CONFIGURATION MANAGEMENT

VCTR-67-000063 - The vCenter Server must restrict access to the cryptographic role.

CONFIGURATION MANAGEMENT

VCTR-67-000064 - The vCenter Server must restrict access to cryptographic permissions.

CONFIGURATION MANAGEMENT

VCTR-67-000065 - The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.

CONFIGURATION MANAGEMENT

VCTR-67-000066 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).

CONFIGURATION MANAGEMENT

VCTR-67-000067 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).

CONFIGURATION MANAGEMENT