DISA STIG VMware vSphere 7.0 vCenter v1r3

Audit Details

Name: DISA STIG VMware vSphere 7.0 vCenter v1r3

Updated: 6/17/2024

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 57

File Details

Filename: DISA_STIG_VMware_vSphere_7.0_vCenter_v1r3.audit

Size: 114 kB

MD5: 2ed92d77c7826a220c37a97a6954e3be
SHA256: 95bcc765df8646e573d613f9cff61c30d888aeb1c5c11e9727bb9dc9690d2e5c

Audit Items

DescriptionCategories
VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000023 - The vCenter Server must enforce the limit of three consecutive invalid login attempts by a user.

ACCESS CONTROL

VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.

ACCESS CONTROL

VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

VCSA-70-000057 - vCenter Server plugins must be verified.

CONFIGURATION MANAGEMENT

VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

VCSA-70-000060 - The vCenter Server must require multifactor authentication.

AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000074 - The vCenter Server passwords must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000077 - The vCenter Server must enable FIPS-validated cryptography.

IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000095 - The vCenter Server users must have the correct roles assigned.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).

SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.

ACCESS CONTROL

VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.

ACCESS CONTROL

VCSA-70-000148 - The vCenter Server must be configured to send logs to a central log server.

AUDIT AND ACCOUNTABILITY

VCSA-70-000150 - vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

VCSA-70-000158 - The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server.

AUDIT AND ACCOUNTABILITY

VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.

SYSTEM AND COMMUNICATIONS PROTECTION

VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).

CONFIGURATION MANAGEMENT

VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers.

IDENTIFICATION AND AUTHENTICATION

VCSA-70-000266 - The vCenter Server must require an administrator to unlock an account locked due to excessive login failures.

ACCESS CONTROL

VCSA-70-000267 - The vCenter Server must disable the distributed virtual switch health check.

CONFIGURATION MANAGEMENT

VCSA-70-000268 - The vCenter Server must set the distributed port group Forged Transmits policy to 'Reject'.

CONFIGURATION MANAGEMENT

VCSA-70-000269 - The vCenter Server must set the distributed port group Media Access Control (MAC) Address Change policy to 'Reject'.

CONFIGURATION MANAGEMENT

VCSA-70-000270 - The vCenter Server must set the distributed port group Promiscuous Mode policy to 'Reject'.

CONFIGURATION MANAGEMENT

VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.

CONFIGURATION MANAGEMENT

VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).

CONFIGURATION MANAGEMENT

VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.

CONFIGURATION MANAGEMENT

VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

VCSA-70-000275 - The vCenter Server must configure the 'vpxuser' auto-password to be changed every 30 days.

CONFIGURATION MANAGEMENT

VCSA-70-000276 - The vCenter Server must configure the 'vpxuser' password to meet length policy.

CONFIGURATION MANAGEMENT

VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.

CONFIGURATION MANAGEMENT

VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.

CONFIGURATION MANAGEMENT

VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.

CONFIGURATION MANAGEMENT

VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.

AUDIT AND ACCOUNTABILITY

VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.

CONFIGURATION MANAGEMENT

VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.

CONFIGURATION MANAGEMENT

VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.

CONFIGURATION MANAGEMENT

VCSA-70-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions.

CONFIGURATION MANAGEMENT

VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions.

CONFIGURATION MANAGEMENT

VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.

CONFIGURATION MANAGEMENT

VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).

CONFIGURATION MANAGEMENT