DISA STIG VMware vSphere vCenter 6.x v1r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG VMware vSphere vCenter 6.x v1r3

Updated: 9/11/2017

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 50

File Details

Filename: DISA_STIG_VMware_vSphere_vCenter_6_v1r3.audit

Size: 77.3 kB

MD5: 88693cb2801fdf57f8f4199adee7d36a
SHA256: c7461fa7056daad3e33e8676330d80c13e0a8654d8aa9df6c9e2787dcdf3ff7b

Audit Items

Description | Categories
VCWN-06-000001 - The system must prohibit password reuse for a minimum of five generations.
VCWN-06-000002 - The system must not automatically refresh client sessions.
VCWN-06-000003 - The system must enforce a 60-day maximum password lifetime restriction.
VCWN-06-000004 - The system must terminate management sessions after 10 minutes of inactivity.
VCWN-06-000005 - The vCenter Server users must have the correct roles assigned.
VCWN-06-000007 - The system must limit the effects of information-flooding types of Denial of Service (DoS) attacks.
VCWN-06-000008 - The system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events.
VCWN-06-000009 - The system must use Active Directory authentication.
VCWN-06-000010 - The system must limit the use of the built-in SSO administrative account.
VCWN-06-000012 - The system must disable the distributed virtual switch health check.
VCWN-06-000013 - The distributed port group Forged Transmits policy must be set to reject.
VCWN-06-000014 - The system must ensure the distributed port group MAC Address Change policy is set to reject.
VCWN-06-000015 - The system must ensure the distributed port group Promiscuous Mode policy is set to reject.
VCWN-06-000016 - The system must only send NetFlow traffic to authorized collectors.
VCWN-06-000017 - The system must not override port group settings at the port level on distributed switches.
VCWN-06-000018 - All port groups must be configured to a value other than that of the native VLAN.
VCWN-06-000019 - All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
VCWN-06-000020 - All port groups must not be configured to VLAN values reserved by upstream physical switches.
VCWN-06-000021 - The system must enable SSL for Network File Copy (NFC). | SYSTEM AND COMMUNICATIONS PROTECTION

VCWN-06-000022 - The vCenter Server services must be run using a service account instead of a built-in Windows account.
VCWN-06-000023 - The system must ensure the vpxuser auto-password change meets policy. | IDENTIFICATION AND AUTHENTICATION
VCWN-06-000024 - The system must ensure the vpxuser password meets length policy. | IDENTIFICATION AND AUTHENTICATION

VCWN-06-000025 - The system must disable the managed object browser at all times, when not required for troubleshooting or maintenance.
VCWN-06-000026 - Privilege re-assignment must be checked after the vCenter Server restarts.
VCWN-06-000027 - The system must minimize access to the vCenter server.
VCWN-06-000028 - Log files must be cleaned up after failed installations of the vCenter Server.
VCWN-06-000029 - The system must enable all tasks to be shown to Administrators in the Web Client.
VCWN-06-000030 - The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.
VCWN-06-000031 - Connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
VCWN-06-000032 - A least-privileges assignment must be used for the Update Manager database user.
VCWN-06-000033 - A least-privileges assignment must be used for the vCenter Server database user.
VCWN-06-000034 - The system must use unique service accounts when applications connect to vCenter.
VCWN-06-000035 - vSphere Client plugins must be verified.
VCWN-06-000036 - The system must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY

VCWN-06-000039 - Passwords must be at least 15 characters in length.
VCWN-06-000040 - Passwords must contain at least one uppercase character.
VCWN-06-000041 - Passwords must contain at least one lowercase character.
VCWN-06-000042 - Passwords must contain at least one numeric character.
VCWN-06-000043 - Passwords must contain at least one special character.
VCWN-06-000045 - The system must limit the maximum number of failed login attempts to three.
VCWN-06-000046 - The system must set the interval for counting failed login attempts to at least 15 minutes.
VCWN-06-000047 - The system must require an administrator to unlock an account locked due to excessive login failures.
VCWN-06-000048 - The system must alert administrators on permission creation operations.
VCWN-06-000049 - The system must alert administrators on permission deletion operations.
VCWN-06-000050 - The system must alert administrators on permission update operations.
VCWN-06-000051 - The system must protect the confidentiality and integrity of transmitted info by isolating IP-based storage traffic.
VCWN-06-000052 - The system must enable the VSAN Health Check.
VCWN-06-000053 - The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted.
VCWN-06-000054 - The system must configure the VSAN Datastore name to a unique name.
VCWN-06-100005 - The vCenter Server users must have the correct roles assigned.
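The distributed switch items above (VCWN-06-000013, -000014, -000015, -000017, -000018, -000019 and -000020) all reduce to properties that PowerCLI exposes on a port group. The following PowerShell function is an added example, not part of Tenable's audit file or of the DISA STIG, that evaluates one port group against those seven items and reports each finding by STIG ID. The native VLAN (1), the reserved VLAN range (1002-1005) and the port group names are assumptions, and the sample objects at the bottom are constructed so the script runs without a vCenter; the commented pipeline shows how to feed it real `Get-VDPortgroup` output.

```powershell
# Added example: evaluate distributed port group settings against the VCWN-06-0000xx
# dvSwitch items. Not from the Tenable audit file or the STIG; native VLAN and
# reserved range are assumptions, sample objects below are constructed.

function Get-VlanIdsFromSpec {
    # Normalises a DefaultPortConfig.Vlan object (VlanIdSpec, TrunkVlanSpec or
    # PvlanSpec) into a hashtable with the spec type and the VLAN IDs it carries.
    param([Parameter(Mandatory)] $VlanSpec)
    if ($null -ne $VlanSpec.PSObject.Properties['PvlanId']) {
        return @{ Type = 'PrivateVlan'; Ids = @([int]$VlanSpec.PvlanId) }
    }
    $first = @($VlanSpec.VlanId)[0]
    if ($null -ne $first -and $null -ne $first.PSObject.Properties['Start']) {
        # TrunkVlanSpec: VlanId is an array of NumericRange (Start..End).
        # A 0-4094 trunk is how VGT (VLAN 4095 on a standard switch) appears on a VDS.
        $ids = foreach ($r in $VlanSpec.VlanId) { $s = [int]$r.Start; $e = [int]$r.End; $s..$e }
        return @{ Type = 'Trunk'; Ids = @($ids) }
    }
    return @{ Type = 'Vlan'; Ids = @([int]$VlanSpec.VlanId) }
}

function Test-StigVDPortgroup {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] $SecurityPolicy,   # object from Get-VDSecurityPolicy
        [Parameter(Mandatory)] $OverridePolicy,   # object from Get-VDPortgroupOverridePolicy
        [Parameter(Mandatory)] $VlanSpec,         # ExtensionData.Config.DefaultPortConfig.Vlan
        [int]$NativeVlan = 1,                     # assumption: site native VLAN
        [int[]]$ReservedVlans = @(1002..1005),    # assumption: VLANs reserved by upstream switches
        [switch]$VgtRequired                      # set only where VGT is documented as required
    )
    $findings = @()
    if ($SecurityPolicy.ForgedTransmits)  { $findings += 'VCWN-06-000013: Forged Transmits is Accept' }
    if ($SecurityPolicy.MacChanges)       { $findings += 'VCWN-06-000014: MAC Address Changes is Accept' }
    if ($SecurityPolicy.AllowPromiscuous) { $findings += 'VCWN-06-000015: Promiscuous Mode is Accept' }

    # Any per-port override defeats the port group policy, so every flag must be off.
    $overrideProps = 'SecurityOverrideAllowed', 'VlanOverrideAllowed', 'UplinkTeamingOverrideAllowed',
                     'TrafficShapingOverrideAllowed', 'BlockOverrideAllowed'
    $allowed = @($overrideProps | Where-Object { $OverridePolicy.$_ })
    if ($allowed.Count) { $findings += "VCWN-06-000017: port-level override allowed ($($allowed -join ', '))" }

    $vlan = Get-VlanIdsFromSpec -VlanSpec $VlanSpec
    if ($vlan.Type -eq 'Trunk' -and -not $VgtRequired) {
        $findings += 'VCWN-06-000019: trunk/VGT (VLAN 4095 equivalent) without a documented requirement'
    }
    if ($vlan.Ids -contains $NativeVlan) { $findings += "VCWN-06-000018: carries native VLAN $NativeVlan" }
    $reservedHits = @($vlan.Ids | Where-Object { $ReservedVlans -contains $_ } | Select-Object -Unique)
    if ($reservedHits.Count) { $findings += "VCWN-06-000020: carries reserved VLAN(s) $($reservedHits -join ', ')" }

    [pscustomobject]@{ PortGroup = $Name; VlanType = $vlan.Type; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample input (not captured from a vCenter); property names match the
# PowerCLI policy objects and the vSphere API VLAN spec the live pipeline supplies.
$noOverride = [pscustomobject]@{ SecurityOverrideAllowed = $false; VlanOverrideAllowed = $false
    UplinkTeamingOverrideAllowed = $false; TrafficShapingOverrideAllowed = $false; BlockOverrideAllowed = $false }
$samples = @(
    @{ Name = 'dvpg-app-120'      # reject/reject/reject, no overrides, tagged VLAN 120
       SecurityPolicy = [pscustomobject]@{ AllowPromiscuous = $false; ForgedTransmits = $false; MacChanges = $false }
       OverridePolicy = $noOverride
       VlanSpec       = [pscustomobject]@{ VlanId = 120 } },
    @{ Name = 'dvpg-legacy-1'     # accepts promiscuous and forged transmits, security override on, native VLAN
       SecurityPolicy = [pscustomobject]@{ AllowPromiscuous = $true; ForgedTransmits = $true; MacChanges = $false }
       OverridePolicy = [pscustomobject]@{ SecurityOverrideAllowed = $true; VlanOverrideAllowed = $false
           UplinkTeamingOverrideAllowed = $false; TrafficShapingOverrideAllowed = $false; BlockOverrideAllowed = $false }
       VlanSpec       = [pscustomobject]@{ VlanId = 1 } },
    @{ Name = 'dvpg-trunk-all'    # 0-4094 trunk (VGT) with no VgtRequired justification
       SecurityPolicy = [pscustomobject]@{ AllowPromiscuous = $false; ForgedTransmits = $false; MacChanges = $false }
       OverridePolicy = $noOverride
       VlanSpec       = [pscustomobject]@{ VlanId = @([pscustomobject]@{ Start = 0; End = 4094 }) } }
)
foreach ($s in $samples) { Test-StigVDPortgroup @s }

# Against a live vCenter (VMware.PowerCLI, after Connect-VIServer), skipping uplink port groups:
# Get-VDPortgroup | Where-Object { -not $_.IsUplink } | ForEach-Object {
#     Test-StigVDPortgroup -Name $_.Name -SecurityPolicy ($_ | Get-VDSecurityPolicy) `
#         -OverridePolicy ($_ | Get-VDPortgroupOverridePolicy) `
#         -VlanSpec $_.ExtensionData.Config.DefaultPortConfig.Vlan
# }
```

The VLAN handling is the part worth attention: on a distributed switch the STIG's "VLAN 4095" condition does not appear as a VLAN ID but as a trunk spec spanning 0-4094, so the function treats any trunk spec as VGT and requires the `-VgtRequired` switch to suppress the VCWN-06-000019 finding; the native VLAN and reserved range checks are then run over every VLAN the trunk carries, which is what a port-level audit of the upstream switch configuration would also see.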