DISA STIG VMware vSphere 7.0 ESXi v1r2

Audit Details

Name: DISA STIG VMware vSphere 7.0 ESXi v1r2

Updated: 6/17/2024

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 49

File Details

Filename: DISA_STIG_VMware_vSphere_7.0_ESXi_v1r2.audit

Size: 143 kB

MD5: 2b01932642d198a071edc53f02aabc19
SHA256: 2edf14bbb7a67802ab548e9e37c9f0d58f530262b51e3d5980ce648653ded282

Audit Items

Description / Categories
ESXI-70-000001 - Access to the ESXi host must be limited by enabling lockdown mode.

ACCESS CONTROL

ESXI-70-000002 - The ESXi host must verify the DCUI.Access list.

CONFIGURATION MANAGEMENT

ESXI-70-000003 - The ESXi host must verify the exception users list for lockdown mode.

CONFIGURATION MANAGEMENT

ESXI-70-000004 - Remote logging for ESXi hosts must be configured.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

ESXI-70-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.

ACCESS CONTROL

ESXI-70-000006 - The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.

ACCESS CONTROL

ESXI-70-000007 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).

ACCESS CONTROL

ESXI-70-000008 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).

ACCESS CONTROL

ESXI-70-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

ESXI-70-000031 - The ESXi host must be configured with a sufficiently complex password policy.

IDENTIFICATION AND AUTHENTICATION

ESXI-70-000032 - The ESXi host must prohibit the reuse of passwords within five iterations.

IDENTIFICATION AND AUTHENTICATION

ESXI-70-000034 - The ESXi host must disable the Managed Object Browser (MOB).

CONFIGURATION MANAGEMENT

ESXI-70-000035 - The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).

ACCESS CONTROL, CONFIGURATION MANAGEMENT

ESXI-70-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.

CONFIGURATION MANAGEMENT

ESXI-70-000037 - The ESXi host must use Active Directory for local user authentication.

IDENTIFICATION AND AUTHENTICATION

ESXI-70-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.

IDENTIFICATION AND AUTHENTICATION

ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

IDENTIFICATION AND AUTHENTICATION

ESXI-70-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000042 - The ESXi host must terminate shell services after 10 minutes.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000043 - The ESXi host must log out of the console UI after two minutes.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000045 - The ESXi host must enable a persistent log location for all locally stored logs.

AUDIT AND ACCOUNTABILITY

ESXI-70-000046 - The ESXi host must configure NTP time synchronization.

AUDIT AND ACCOUNTABILITY

ESXI-70-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000053 - Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host.

CONFIGURATION MANAGEMENT

ESXI-70-000054 - The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.

CONFIGURATION MANAGEMENT

ESXI-70-000055 - The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.

CONFIGURATION MANAGEMENT

ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - incoming

CONFIGURATION MANAGEMENT

ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - outgoing

CONFIGURATION MANAGEMENT

ESXI-70-000058 - The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.

CONFIGURATION MANAGEMENT

ESXI-70-000059 - All port groups on standard switches must be configured to reject forged transmits.

CONFIGURATION MANAGEMENT

ESXI-70-000060 - All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes.

CONFIGURATION MANAGEMENT

ESXI-70-000061 - All port groups on standard switches must be configured to reject guest promiscuous mode requests.

CONFIGURATION MANAGEMENT

ESXI-70-000062 - Use of the dvFilter network application programming interfaces (APIs) must be restricted.

CONFIGURATION MANAGEMENT

ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).

CONFIGURATION MANAGEMENT

ESXI-70-000064 - All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required - VGT is required.

CONFIGURATION MANAGEMENT

ESXI-70-000065 - All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.

CONFIGURATION MANAGEMENT

ESXI-70-000072 - The ESXi host must have all security patches and updates installed.

CONFIGURATION MANAGEMENT

ESXI-70-000074 - The ESXi host must exclusively enable Transport Layer Security (TLS) 1.2 for all endpoints.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-70-000079 - The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.

CONFIGURATION MANAGEMENT

ESXI-70-000081 - The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.

CONFIGURATION MANAGEMENT

ESXI-70-000086 - The ESXi host must verify certificates for SSL syslog endpoints.

CONFIGURATION MANAGEMENT

ESXI-70-000087 - The ESXi host must enable volatile key destruction.

CONFIGURATION MANAGEMENT

ESXI-70-000088 - The ESXi host must configure a session timeout for the vSphere API.

CONFIGURATION MANAGEMENT

ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout.

CONFIGURATION MANAGEMENT

ESXI-70-000091 - The ESXi host must be configured with an appropriate maximum password age.

CONFIGURATION MANAGEMENT

ESXI-70-000097 - The ESXi Common Information Model (CIM) service must be disabled.

CONFIGURATION MANAGEMENT