DISA VMware vSphere 8.0 ESXi STIG v2r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA VMware vSphere 8.0 ESXi STIG v2r1

Updated: 3/31/2025

Authority: DISA STIG

Plugin: VMware

Revision: 1.1

Estimated Item Count: 54

File Details

Filename: DISA_VMware_vSphere_8.0_ESXi_STIG_v2r1.audit

Size: 152 kB

MD5: 574cef226ec2ba20593f2eccdc1c323c
SHA256: 65ef06610ae3dc50512fcb5999c56580337ea88312413de44cfa11cd0fee42d9

Audit Items

Description | Categories
ESXI-80-000005 The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
ESXI-80-000006 The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
ESXI-80-000008 The ESXi host must enable lockdown mode.
ESXI-80-000010 The ESXi host client must be configured with an idle session timeout.
ESXI-80-000015 The ESXi host must produce audit records containing information to establish what type of events occurred.
ESXI-80-000035 The ESXi host must enforce password complexity by configuring a password quality policy.
ESXI-80-000043 The ESXi host must prohibit password reuse for a minimum of five generations.
ESXI-80-000047 The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).
ESXI-80-000049 The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
ESXI-80-000068 The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes.
ESXI-80-000111 The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
ESXI-80-000113 The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
ESXI-80-000114 The ESXi host must offload logs via syslog.
ESXI-80-000124 The ESXi host must synchronize internal information system clocks to an authoritative time source.
ESXI-80-000145 The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
ESXI-80-000160 The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
ESXI-80-000161 The ESXi host must maintain the confidentiality and integrity of information during transmission by exclusively enabling Transport Layer Security (TLS) 1.2.
ESXI-80-000189 The ESXi host DCUI.Access list must be verified.
ESXI-80-000191 The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
ESXI-80-000193 The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
ESXI-80-000194 The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell.
ESXI-80-000195 The ESXi host must automatically stop shell services after 10 minutes.
ESXI-80-000196 The ESXi host must set a timeout to automatically end idle DCUI sessions after 10 minutes.
ESXI-80-000198 The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic.
ESXI-80-000199 The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
ESXI-80-000201 The ESXi host lockdown mode exception users list must be verified.
ESXI-80-000213 The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
ESXI-80-000214 The ESXi host must configure the firewall to block network traffic by default.
ESXI-80-000215 The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
ESXI-80-000216 The ESXi host must configure virtual switch security policies to reject forged transmits.
ESXI-80-000217 The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
ESXI-80-000218 The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.
ESXI-80-000219 The ESXi host must restrict use of the dvFilter network application programming interface (API).
ESXI-80-000220 The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
ESXI-80-000221 The ESXi host must have all security patches and updates installed.
ESXI-80-000222 The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
ESXI-80-000223 The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
ESXI-80-000224 The ESXi host must verify certificates for SSL syslog endpoints.
ESXI-80-000225 The ESXi host must enable volatile key destruction.
ESXI-80-000226 The ESXi host must configure a session timeout for the vSphere API.
ESXI-80-000227 The ESXi host must be configured with an appropriate maximum password age.
ESXI-80-000228 The ESXi Common Information Model (CIM) service must be disabled.
ESXI-80-000231 The ESXi host OpenSLP service must be disabled.
ESXI-80-000232 The ESXi host must enable audit logging.
ESXI-80-000233 The ESXi host must off-load audit records via syslog.
ESXI-80-000234 The ESXi host must enable strict x509 verification for SSL syslog endpoints.
ESXI-80-000235 The ESXi host must forward audit records containing information to establish what type of events occurred.
ESXI-80-000239 The ESXi host must configure the firewall to restrict access to services running on the host.
ESXI-80-000240 The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
ESXI-80-000241 The ESXi host must not use the default Active Directory ESX Admin group.
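The listing above states each requirement but not the host setting an auditor reads to evaluate it. The following is an added example, not code from the STIG or from the Tenable audit file: it parses the per-setting records printed by `esxcli system settings advanced list` and evaluates a subset of the items above against the values the titles specify (three logon failures, a 15-minute unlock and shell timeout, five password generations, a configured syslog host). The mapping from STIG ID to advanced-setting path is this example's assumption, as is the record format and the 0/1 encoding of boolean settings; the sample output is constructed, not captured from a host.

```python
"""Offline check of a subset of the STIG items listed above, ADDED here as an
example; it is not part of the STIG or of the Tenable audit file.

Assumptions (not stated on this page): each STIG ID maps to the ESXi
advanced setting named in RULES; the input is the per-setting record text
printed by `esxcli system settings advanced list`; boolean settings appear
as Int Value 0/1. SAMPLE is constructed for this example, not captured.
"""
import re

# (STIG ID, advanced setting path, rule shown in the report, predicate).
# Integer settings are compared as int, string settings as str. A value of 0
# disables the shell timeout, so that rule needs a range, not an upper bound.
RULES = [
    ("ESXI-80-000005", "/Security/AccountLockFailures", "== 3", lambda v: v == 3),
    ("ESXI-80-000111", "/Security/AccountUnlockTime", "== 900", lambda v: v == 900),
    ("ESXI-80-000043", "/Security/PasswordHistory", ">= 5", lambda v: v >= 5),
    ("ESXI-80-000047", "/Config/HostAgent/plugins/solo/enableMob", "== 0", lambda v: v == 0),
    ("ESXI-80-000068", "/UserVars/ESXiShellInteractiveTimeOut", "1..900", lambda v: 1 <= v <= 900),
    ("ESXI-80-000114", "/Syslog/global/logHost", "non-empty", lambda v: v != ""),
    ("ESXI-80-000213", "/Mem/ShareForceSalting", "== 2", lambda v: v == 2),
    ("ESXI-80-000219", "/Net/DVFilterBindIpAddress", "empty", lambda v: v == ""),
    ("ESXI-80-000222", "/UserVars/SuppressShellWarning", "== 0", lambda v: v == 0),
]

# Constructed esxcli-style output: one record per setting. The first record
# carries the extra fields a real record has; the rest are trimmed. The
# DVFilter setting is deliberately absent so the "missing" path is exercised.
SAMPLE = """\
   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 5
   Default Int Value: 5
   String Value:
   Default String Value:
   Description: Maximum allowed Login failures before locking a user's account.
   Path: /Security/AccountUnlockTime
   Type: integer
   Int Value: 900
   Path: /Security/PasswordHistory
   Type: integer
   Int Value: 5
   Path: /Config/HostAgent/plugins/solo/enableMob
   Type: integer
   Int Value: 0
   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Path: /Syslog/global/logHost
   Type: string
   String Value:
   Path: /Mem/ShareForceSalting
   Type: integer
   Int Value: 2
   Path: /UserVars/SuppressShellWarning
   Type: integer
   Int Value: 1
"""

FIELD = re.compile(r"\s*(Path|Type|Int Value|String Value):\s*(.*?)\s*$")


def parse_advanced_settings(text):
    """Parse records into {path: {field: value}}. The anchored regex keeps only
    Path/Type/Int Value/String Value; 'Default Int Value', 'Description' and
    the other fields never match and are skipped."""
    settings, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Path":
            current = settings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return settings


def setting_value(record):
    """Effective value: str for string settings, int for everything else."""
    if record.get("Type") == "string":
        return record.get("String Value", "")
    return int(record.get("Int Value", "0"))


def evaluate(settings):
    """Return [(stig_id, path, status, actual)], status in pass/fail/missing.
    A setting absent from the input is reported, not silently passed."""
    results = []
    for stig_id, path, _rule, ok in RULES:
        record = settings.get(path)
        if record is None:
            results.append((stig_id, path, "missing", None))
            continue
        actual = setting_value(record)
        results.append((stig_id, path, "pass" if ok(actual) else "fail", actual))
    return results


def findings(settings):
    """Only the items that need attention (fail or missing)."""
    return [r for r in evaluate(settings) if r[2] != "pass"]


if __name__ == "__main__":
    for stig_id, path, status, actual in evaluate(parse_advanced_settings(SAMPLE)):
        print(f"{status:7} {stig_id}  {path} = {actual!r}")
```

Run against real output, pipe `esxcli system settings advanced list` into `parse_advanced_settings`; a "missing" result usually means the path assumed here does not exist on that build, which is exactly the kind of mapping drift the real audit file has to track, and is why the predicate for each item is kept next to the STIG ID it implements.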