DISA STIG VMware vSphere 6.x ESXi v1r4

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG VMware vSphere 6.x ESXi v1r4

Updated: 5/29/2019

Authority: DISA STIG

Plugin: VMware

Revision: 1.4

Estimated Item Count: 109

File Details

Filename: DISA_STIG_VMware_vSphere_ESXi_6_v1r4.audit

Size: 209 kB

MD5: 6b21923187bcc73cbb12ebd45deff3bf
SHA256: a6aefa69a643b4c7dd9cc09a582565cd4f007a4c56413badc95e245accc98ae7

Audit Items

Description | Categories
ESXI-06-000001 - The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode
ESXI-06-000002 - The system must verify the DCUI.Access list.

ACCESS CONTROL

ESXI-06-000003 - The system must verify the exception users list for lockdown mode.
ESXI-06-000004 - Remote logging for ESXi hosts must be configured.

AUDIT AND ACCOUNTABILITY

ESXI-06-000005 - The system must enforce the limit of three consecutive invalid logon attempts by a user.

ACCESS CONTROL

ESXI-06-000006 - The system must enforce the unlock timeout of 15 minutes after a user account is locked out.

ACCESS CONTROL

ESXI-06-000007 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
ESXI-06-000008 - The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ACCESS CONTROL

ESXI-06-000009 - The SSH daemon must be configured with the Department of Defense (DoD) login banner.
ESXI-06-000010 - The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
ESXI-06-000011 - The SSH daemon must be configured to use only the SSHv2 protocol.
ESXI-06-000012 - The SSH daemon must ignore .rhosts files.
ESXI-06-000013 - The SSH daemon must not allow host-based authentication.
ESXI-06-000014 - The SSH daemon must not permit root logins.
ESXI-06-000015 - The SSH daemon must not allow authentication using an empty password.
ESXI-06-000016 - The SSH daemon must not permit user environment settings.
ESXI-06-000017 - The SSH daemon must be configured to only use Message Authentication Codes employing FIPS 140-2 crypto hash algorithms.
ESXI-06-000018 - The SSH daemon must not permit GSSAPI authentication.
ESXI-06-000019 - The SSH daemon must not permit Kerberos authentication.
ESXI-06-000020 - The SSH daemon must perform strict mode checking of home directory configuration files.
ESXI-06-000021 - The SSH daemon must not allow compression or must only allow compression after successful authentication.
ESXI-06-000022 - The SSH daemon must be configured to not allow gateway ports.
ESXI-06-000023 - The SSH daemon must be configured to not allow X11 forwarding.
ESXI-06-000024 - The SSH daemon must not accept environment variables from the client.
ESXI-06-000025 - The SSH daemon must not permit tunnels.
ESXI-06-000026 - The SSH daemon must set a timeout count on idle sessions.
ESXI-06-000027 - The SSH daemon must set a timeout interval on idle sessions.
ESXI-06-000028 - The SSH daemon must limit connections to a single session.
ESXI-06-000029 - The system must remove keys from the SSH authorized_keys file.
ESXI-06-000030 - The system must produce audit records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

ESXI-06-000031 - The VMM must enforce password complexity by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000032 - The system must prohibit the reuse of passwords within five iterations.
ESXI-06-000033 - The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hash algorithm.
ESXI-06-000034 - The system must disable the Managed Object Browser (MOB).

CONFIGURATION MANAGEMENT

ESXI-06-000035 - The VMM must be configured to disable non-essential capabilities by disabling SSH.

CONFIGURATION MANAGEMENT

ESXI-06-000036 - The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.

CONFIGURATION MANAGEMENT

ESXI-06-000037 - The system must use Active Directory for local user authentication.
ESXI-06-000038 - The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
ESXI-06-000039 - Active Directory ESX Admin group membership must not be used.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000040 - The system must use multifactor authentication for local access to privileged accounts.
ESXI-06-000041 - The system must set a timeout to automatically disable idle sessions after a predetermined period.

ACCESS CONTROL

ESXI-06-000042 - The system must terminate shell services after a predetermined period.

ACCESS CONTROL

ESXI-06-000043 - The system must logout of the console UI after a predetermined period.

ACCESS CONTROL

ESXI-06-000044 - The system must enable kernel core dumps.
ESXI-06-000045 - The system must enable a persistent log location for all locally stored logs.

AUDIT AND ACCOUNTABILITY

ESXI-06-000046 - The system must configure NTP time synchronization.

AUDIT AND ACCOUNTABILITY

ESXI-06-000047 - The Image Profile and VIB Acceptance Levels must be verified.
ESXI-06-000048 - The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
ESXI-06-000049 - The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
ESXI-06-000050 - The system must protect the confidentiality and integrity of transmitted information by protecting IP based mgmt traffic.