DISA STIG VMware vSphere 6.x ESXi v1r5

Audit Details

Name: DISA STIG VMware vSphere 6.x ESXi v1r5

Updated: 6/17/2024

Authority: DISA STIG

Plugin: VMware

Revision: 1.13

Estimated Item Count: 80

File Details

Filename: DISA_STIG_VMware_vSphere_ESXi_6_v1r5.audit

Size: 204 kB

MD5: 16477ecdcd9c1d2e4882405ba7a27261
SHA256: 5324210a1fce635c4f58cbbf4d81cfab95e1615e563496b5298a972368c7b10f

Audit Items

DescriptionCategories
ESXI-06-000001 - The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.

ACCESS CONTROL

ESXI-06-000002 - The system must verify the DCUI.Access list.

CONFIGURATION MANAGEMENT

ESXI-06-000003 - The system must verify the exception users list for lockdown mode.

CONFIGURATION MANAGEMENT

ESXI-06-000004 - Remote logging for ESXi hosts must be configured.

ACCESS CONTROL

ESXI-06-000005 - The system must enforce the limit of three consecutive invalid logon attempts by a user.

ACCESS CONTROL

ESXI-06-000006 - The system must enforce the unlock timeout of 15 minutes after a user account is locked out.

ACCESS CONTROL

ESXI-06-000007 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ACCESS CONTROL

ESXI-06-000008 - The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ACCESS CONTROL

ESXI-06-000030 - The system must produce audit records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

ESXI-06-000031 - The VMM must enforce password complexity by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000034 - The system must disable the Managed Object Browser (MOB).

CONFIGURATION MANAGEMENT

ESXI-06-000035 - The VMM must be configured to disable non-essential capabilities by disabling SSH.

CONFIGURATION MANAGEMENT

ESXI-06-000036 - The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.

CONFIGURATION MANAGEMENT

ESXI-06-000037 - The system must use Active Directory for local user authentication.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000038 - The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000039 - Active Directory ESX Admin group membership must not be used.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000040 - The system must use multifactor authentication for local access to privileged accounts.

IDENTIFICATION AND AUTHENTICATION

ESXI-06-000041 - The system must set a timeout to automatically disable idle sessions after a predetermined period.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000042 - The system must terminate shell services after a predetermined period.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000043 - The system must logout of the console UI after a predetermined period.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000045 - The system must enable a persistent log location for all locally stored logs.

AUDIT AND ACCOUNTABILITY

ESXI-06-000046 - The system must configure NTP time synchronization.

AUDIT AND ACCOUNTABILITY

ESXI-06-000048 - The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000049 - The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000050 - The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000051 - The system must protect the confidentiality and integrity of transmitted information.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000052 - The system must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.

SYSTEM AND COMMUNICATIONS PROTECTION

ESXI-06-000053 - SNMP must be configured properly.

CONFIGURATION MANAGEMENT

ESXI-06-000054 - The system must enable bidirectional CHAP authentication for iSCSI traffic.

CONFIGURATION MANAGEMENT

ESXI-06-000055 - The system must disable Inter-VM transparent page sharing.

CONFIGURATION MANAGEMENT

ESXI-06-000057 - The system must configure the firewall to block network traffic by default - Incoming

CONFIGURATION MANAGEMENT

ESXI-06-000057 - The system must configure the firewall to block network traffic by default - Outgoing

CONFIGURATION MANAGEMENT

ESXI-06-000058 - The system must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.

CONFIGURATION MANAGEMENT

ESXI-06-000059 - The virtual switch Forged Transmits policy must be set to reject.

CONFIGURATION MANAGEMENT

ESXI-06-000060 - The virtual switch MAC Address Change policy must be set to reject.

CONFIGURATION MANAGEMENT

ESXI-06-000061 - The virtual switch Promiscuous Mode policy must be set to reject.

CONFIGURATION MANAGEMENT

ESXI-06-000062 - The system must prevent unintended use of the dvFilter network APIs.

CONFIGURATION MANAGEMENT

ESXI-06-000063 - All port groups must be configured to a value other than that of the native VLAN.

CONFIGURATION MANAGEMENT

ESXI-06-000064 - All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.

CONFIGURATION MANAGEMENT

ESXI-06-000065 - All port groups must not be configured to VLAN values reserved by upstream physical switches.

CONFIGURATION MANAGEMENT

ESXI-06-000066 - The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.

CONFIGURATION MANAGEMENT

ESXI-06-000067 - All physical switch ports must be configured with spanning tree disabled.

CONFIGURATION MANAGEMENT

ESXI-06-000068 - Virtual switch VLANs must be fully documented and have only the required VLANs.

CONFIGURATION MANAGEMENT

ESXI-06-000070 - The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.

CONFIGURATION MANAGEMENT

ESXI-06-000071 - The system must verify the integrity of the installation media before installing ESXi.

CONFIGURATION MANAGEMENT

ESXI-06-000072 - The system must have all security patches and updates installed.

CONFIGURATION MANAGEMENT

ESXI-06-000073 - The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

CONFIGURATION MANAGEMENT

ESXI-06-000074 - The system must enable the VSAN Health Check.

CONFIGURATION MANAGEMENT

ESXI-06-000075 - The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.

CONFIGURATION MANAGEMENT

ESXI-06-000076 - The system must configure the VSAN Datastore name to a unique name.

CONFIGURATION MANAGEMENT