
VMware ESXi Server 5.0 Security Technical Implementation Guide


Overview

Date: 2017-01-06
Finding Count: 133 (CAT I (High): 14, CAT II (Med): 87, CAT III (Low): 32)
STIG Description
The VMware ESXi Version 5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-39428 High If the system boots from removable media, it must be stored in a safe or similarly secured container.
V-39429 High The operating system must be a supported release.
V-39415 High The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-39411 High The operating system must use cryptography to protect the confidentiality of remote access sessions.
V-39413 High The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-39412 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-39384 High The system must be configured to only boot from the system boot device.
V-39387 High The system must verify the integrity of the installation media before installing ESXi.
V-39386 High Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
V-39252 High There must be no .rhosts or hosts.equiv files on the system.
V-39407 High The Image Profile and VIB Acceptance Levels must be verified.
V-39277 High The system must not use removable media as the boot loader.
V-39372 High The system must ensure the dvPortGroup MAC Address Change policy is set to reject.
V-39373 High The system must ensure the virtual switch MAC Address Change policy is set to reject.
V-39392 Medium The system must set a timeout for the ESXi Shell to automatically disable itself after a predetermined period.
V-39420 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-39422 Medium Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option.
V-39423 Medium The nosuid option must be enabled on all NFS client mounts.
V-39425 Medium The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
V-39426 Medium The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
V-39414 Medium The SSH client must be configured to only use the SSHv2 protocol.
V-39417 Medium The system must ensure proper SNMP configuration.
V-39416 Medium The system must require that passwords contain at least one special character.
V-39410 Medium The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
V-39301 Medium The system must ensure the vpxuser auto-password change meets policy.
V-39418 Medium The system must prevent the use of dictionary words for passwords.
V-39302 Medium The system must ensure the vpxuser password meets length policy.
V-39385 Medium The system must enable lockdown mode to restrict remote access.
V-39381 Medium Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option.
V-39383 Medium The root account's list of preloaded libraries must be empty.
V-39382 Medium The root account's library search path must be the system default and must contain only absolute paths.
V-39253 Medium The SSH daemon must limit connections to a single session.
V-39389 Medium All accounts must be assigned unique User Identification Numbers (UIDs).
V-39388 Medium All accounts on the system must have unique user or account names.
V-39255 Medium The system must require that passwords contain at least one uppercase alphabetic character.
V-39254 Medium The system must use time sources local to the enclave.
V-39300 Medium The system must ensure the vpxuser auto-password change meets policy.
V-39402 Medium The SSH client must be configured to not use CBC-based ciphers.
V-39403 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-39400 Medium Access to the management network must be strictly controlled through a network gateway.
V-39401 Medium Access to the management network must be strictly controlled through a network jump box.
V-39404 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
V-39405 Medium The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
V-39408 Medium Remote logging for ESXi hosts must be configured.
V-39409 Medium The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
V-39259 Medium The system must require at least four characters be changed between the old and new passwords during a password change.
V-39393 Medium vSphere management traffic must be on a restricted network.
V-39390 Medium The system must disable SSH.
V-39391 Medium The system must not permit root logins using remote access programs, such as SSH.
V-39396 Medium The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-39397 Medium The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
V-39394 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-39395 Medium The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
V-39398 Medium The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
V-39399 Medium The operating system must enforce requirements for remote connections to the information system.
V-39246 Medium The system must prevent the use of dictionary words for passwords.
V-39247 Medium SNMP communities, users, and passphrases must be changed from the default.
V-73127 Medium Wireless network adapters must be disabled.
V-39275 Medium The /etc/shells (or equivalent) file must exist.
V-39276 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
V-39271 Medium The SSH client must be configured to not allow X11 forwarding.
V-39270 Medium The SSH client must not permit tunnels.
V-39273 Medium The root account's executable search path must be the vendor default and must contain only absolute paths.
V-39279 Medium The system must not be used as a syslog server (log host) for systems external to the enclave.
V-39278 Medium The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
V-39256 Medium The system must require passwords contain at least one lowercase alphabetic character.
V-39369 Medium All port groups must not be configured to VLAN values reserved by upstream physical switches.
V-39368 Medium All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT).
V-39367 Medium All port groups must be configured to a value other than that of the native VLAN.
V-39262 Medium The system must require that passwords contain a minimum of 14 characters.
V-39263 Medium The system must enforce the entire password during authentication.
V-39260 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-39261 Medium The system must prohibit the reuse of passwords within five iterations.
V-39266 Medium The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.
V-39267 Medium The SSH daemon must not permit user environment settings.
V-39264 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
V-39265 Medium The SSH daemon must be configured to not allow X11 forwarding.
V-39268 Medium The SSH daemon must not permit tunnels.
V-39269 Medium The SSH client must not send environment variables to the server or must only send those pertaining to locale.
V-39374 Medium The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
V-39375 Medium The system must ensure the virtual switch Promiscuous Mode policy is set to reject.
V-39376 Medium The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.
V-39370 Medium The system must ensure that the virtual switch Forged Transmits policy is set to reject.
V-39371 Medium The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.
V-39297 Medium The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.
V-39296 Medium The system must disable the Managed Object Browser (MOB).
V-39295 Medium The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
V-39294 Medium The system must disable DCUI to prevent local administrative control.
V-39293 Medium Persistent logging for all ESXi hosts must be configured.
V-39292 Medium NTP time synchronization must be configured.
V-39347 Medium Keys from SSH authorized_keys file must be removed.
V-39258 Medium The system must require that passwords contain at least one numeric character.
V-39355 Medium Kernel core dumps must be disabled unless needed.
V-39352 Medium The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
V-39353 Medium The system must zero out VMDK files prior to deletion.
V-39350 Medium The contents of exposed configuration files must be verified.
V-39351 Medium Unauthorized kernel modules must not be loaded on the host.
V-39285 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-39286 Medium The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
V-39287 Medium The DHCP client must be disabled if not used.
V-39430 Medium The system clock must be synchronized to an authoritative DoD time source.
V-39249 Low The SSH client must be configured to not allow TCP forwarding.
V-39424 Low The system must be checked for extraneous device files at least weekly.
V-39427 Low For systems using DNS resolution, at least two name servers must be configured.
V-39304 Low SAN resources must be masked and zoned appropriately.
V-39303 Low The system must ensure uniqueness of CHAP authentication secrets.
V-39380 Low The system must disable the autoexpand option for VDS dvPortgroups.
V-39251 Low The SSH client must be configured to not allow gateway ports.
V-39250 Low The SSH daemon must be configured to not allow gateway ports.
V-39248 Low The SSH daemon must be configured to not allow TCP connection forwarding.
V-39274 Low The GID assigned to a user must exist.
V-39366 Low All port groups must be configured with a clear network label.
V-39365 Low All physical switch ports must be configured with spanning tree disabled.
V-39364 Low Only authorized administrators must have access to virtual networking components.
V-39363 Low All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups.
V-39362 Low All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch.
V-39361 Low All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.
V-39360 Low All vSwitch and VLAN IDs must be fully documented.
V-39378 Low vMotion traffic must be isolated.
V-39379 Low Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic.
V-39377 Low The system must ensure there are no unused ports on a distributed virtual port group.
V-39299 Low The system must enable SSL for NFC.
V-39298 Low The system must enable bidirectional CHAP authentication for iSCSI traffic.
V-39291 Low The system must have IEEE 1394 (Firewire) disabled unless needed.
V-39349 Low Active Directory ESX Admin group membership must be verified unused.
V-39348 Low The system must use Active Directory for local user authentication for accounts other than root and the vpxuser.
V-39346 Low The system must prevent unintended use of dvfilter network APIs.
V-39356 Low All dvPortgroup VLAN IDs must be fully documented.
V-39357 Low All dvSwitch Private VLAN IDs must be fully documented.
V-39358 Low All virtual switches must have a clear network label.
V-39359 Low Virtual switch VLANs must be fully documented and have only the required VLANs.
V-39288 Low The system must have USB disabled unless needed.
V-39289 Low The system must have USB Mass Storage disabled unless needed.