
VMware ESXi v5 Security Technical Implementation Guide


Overview

Date: 2013-01-15
Finding Count: 861 (CAT I (High): 35, CAT II (Med): 694, CAT III (Low): 132)
STIG Description
The VMware ESXi v5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
GEN002220-ESXI5-PNF High All shell files must have mode 0755 or less permissive.
GEN005200-ESXI5-PNF High X displays must not be exported to the world.
GEN001640-ESXI5-PNF High Run control scripts must not execute world-writable programs or scripts.
GEN001100-ESXI5-PNF High Root passwords must never be passed over a network in clear text form.
GEN008640-ESXI5-000055 High The system must not use removable media as the boot loader.
GEN004600-ESXI5-PNF High The SMTP service must be an up-to-date version.
ESXI5-VM-000008 High The system must disable virtual disk erasure.
GEN004220-ESXI5-PNF High Administrative accounts must not run a web browser, except as needed for local service administration.
GEN006380-ESXI5-PNF High The system must not use UDP for NIS/NIS+.
ESXI5-VMNET-000016 High The system must ensure the virtual switches MAC Address Change policy is set to reject.
ESXI5-VMNET-000015 High The system must ensure the dvPortGroup MAC Address Change policy is set to reject.
GEN008680-ESXI5-000056 High If the system boots from removable media, it must be stored in a safe or similarly secured container.
GEN004620-ESXI5-PNF High The Sendmail server must have the debug feature disabled.
GEN003850-ESXI5-PNF High The telnet daemon must not be running.
GEN005140-ESXI5-PNF High Any active TFTP daemon must be authorized and approved in the system accreditation package.
GEN005300-ESXI5-PNF High SNMP communities, users, and passphrases must be changed from the default.
GEN000100-ESXI5-000062 High The operating system must be a supported release.
SRG-OS-99999-ESXI5-000134 High The ESXi host firewall must be configured to restrict access to services running on the host.
GEN005500-ESXI5-9990 High The SSH daemon must be configured to only use the SSHv2 protocol.
GEN005080-ESXI5-PNF High The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
ESXI5-VM-000010 High The system must not use independent, nonpersistent disks.
GEN005000-ESXI5-PNF High Anonymous FTP accounts must not have a functional shell.
ESXI5-VM-000048 High The system must secure virtual machines as it would secure physical machines.
GEN008700-ESXI5-PNF High The system boot loader must require authentication.
ESXI5-VM-000001 High The system must control virtual machine access to host resources.
ESXI5-VM-000007 High The system must disable virtual disk shrinking.
GEN005100-ESXI5-PNF High The TFTP daemon must have mode 0755 or less permissive.
ESXI5-VM-000044 High The system must minimize use of the VM console.
SRG-OS-99999-ESXI5-000140 High The system must not use default self-signed certificates for ESXi communication.
GEN000560-ESXI5-PNF High The system must not have accounts configured with blank or null passwords.
GEN004640-ESXI5-PNF High The SMTP service must not have a uudecode alias active.
GEN003840-ESXI5-PNF High The rexec daemon must not be running.
GEN002040-ESXI5-PNF High There must be no .rhosts, .shosts, hosts.equiv, or shosts.equiv files on the system.
GEN003820-ESXI5-PNF High The rsh daemon must not be running.
GEN004400-ESXI5-PNF High Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
GEN000242-ESXI5-000079 Medium The system must use at least two time sources for clock synchronization.
GEN001720-ESXI5-PNF Medium All global initialization files must have mode 0444 or less permissive.
GEN000640-ESXI5-000068 Medium The system must require that passwords contain at least one special character.
SRG-OS-000101-ESXI5-PNF Medium The operating system must conduct backups of operating system documentation, including security-related documentation, at an organization-defined frequency consistent with recovery time and recovery point objectives.
GEN001470-ESXI5-PNF Medium The /etc/passwd file must not contain password hashes.
GEN004950-ESXI5-PNF Medium The ftpusers file must not have an extended ACL.
GEN005306-ESXI5-PF Medium The SNMP service must require the use of a FIPS 140-2 approved cryptographic hash algorithm as part of its authentication and integrity methods.
GEN008260-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must have mode 0644 or less permissive.
GEN001730-ESXI5-PNF Medium All global initialization files must not have extended ACLs.
SRG-OS-000042-ESXI5-PNF Medium The operating system must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
GEN000480-ESXI5-PNF Medium The delay between login prompts following a failed login attempt must be at least 4 seconds.
SRG-OS-000137-ESXI5-PNF Medium The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SRG-OS-99999-ESXI5-000156 Medium The contents of exposed configuration files must be verified.
SRG-OS-99999-ESXI5-000157 Medium The Image Profile and VIB Acceptance Levels must be verified.
SRG-OS-99999-ESXI5-000152 Medium Keys from SSH authorized_keys file must be removed.
SRG-OS-000250-ESXI5-PNF Medium The operating system must use cryptography to protect the integrity of remote access sessions.
GEN003360-ESXI5-PNF Medium The at daemon must not execute group-writable or world-writable programs.
SRG-OS-99999-ESXI5-000158 Medium Unauthorized kernel modules must not be loaded on the host.
SRG-OS-000123-ESXI5-PNF Medium The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.
GEN005040-ESXI5-PNF Medium All FTP users must have a default umask of 077.
GEN003340-ESXI5-PNF Medium The at.allow file must have mode 0600 or less permissive.
GEN001300-ESXI5-PNF Medium Library files must have mode 0755 or less permissive.
GEN005260-ESXI5-PNF Medium X Window System connections that are not required must be disabled.
GEN003440-ESXI5-PNF Medium At jobs must not set the umask to a value less restrictive than 077.
SRG-OS-000264-ESXI5-PNF Medium The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
GEN000140-ESXI5-000063 Medium A file integrity baseline must be created and maintained.
GEN007740-ESXI5-000118 Medium The IPv6 protocol handler must not be installed unless needed.
GEN005120-ESXI5-PNF Medium The TFTP daemon must be configured to vendor specifications, including a dedicated TFTP user account, a non-login shell, such as /bin/false, and a home directory owned by the TFTP user.
GEN001390-ESXI5-PNF Medium The /etc/passwd file must not have an extended ACL.
GEN002710-ESXI5-PNF Medium All system audit files must not have extended ACLs.
SRG-OS-000038-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred.
SRG-OS-000055-ESXI5-PNF Medium The operating system must use internal system clocks to generate time stamps for audit records.
GEN000585-ESXI5-000080 Medium The system must enforce the entire password during authentication.
GEN004460-ESXI5-PNF Medium The system syslog service must log informational and more severe SMTP service messages.
GEN008180-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must have mode 0644 (0755 for directories) or less permissive.
GEN006140-ESXI5-PNF Medium The /etc/smb.conf file must have mode 0644 or less permissive.
GEN001830-ESXI5-PNF Medium All skeleton files (typically in /etc/skel) must be group-owned by root, bin, sys, system, or other.
GEN005521-ESXI5-000103 Medium The SSH daemon must restrict login ability to specific users and/or groups.
SRG-OS-000228-ESXI5-PNF Medium The operating system for publicly accessible systems must display the system use information when appropriate, before granting further access.
GEN007950-ESXI5-PNF Medium The system must not respond to ICMPv6 echo requests sent to a broadcast address.
SRG-OS-000249-ESXI5-PF Medium The operating system must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
SRG-OS-000206-ESXI5-PNF Medium The operating system must reveal error messages only to authorized personnel.
SRG-OS-000054-ESXI5-PNF Medium The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
GEN006320-ESXI5-PNF Medium The /etc/news/passwd.nntp file (or equivalent) must have mode 0600 or less permissive.
GEN002340-ESXI5-PNF Medium Audio devices must be owned by root.
SRG-OS-000058-ESXI5-PNF Medium The operating system must protect audit information from unauthorized modification.
GEN005531-ESXI5-000108 Medium The SSH daemon must not permit tunnels.
SRG-OS-000115-ESXI5-PNF Medium The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices.
GEN003810-ESXI5-PNF Medium The portmap or rpcbind service must not be running unless needed.
SRG-OS-000233-ESXI5-PF Medium The operating system must notify the user of the number of successful logins/accesses that occur during the organization-defined time period.
GEN003700-ESXI5-000077 Medium Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SRG-OS-000176-ESXI5-PNF Medium The operating system must block both inbound and outbound traffic between instant messaging clients, independently configured by end users and external service providers.
GEN005570-ESXI5-000115 Medium The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
GEN005540-ESXI5-PNF Medium The SSH daemon must be configured for IP filtering.
GEN001374-ESXI5-PNF Medium The /etc/nsswitch.conf file must not have an extended ACL.
GEN002060-ESXI5-PNF Medium All .rhosts, .shosts, .netrc, or hosts.equiv files must be accessible by only root or the owner.
SRG-OS-000036-ESXI5-PNF Medium The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
GEN005190-ESXI5-PNF Medium The .Xauthority files must not have extended ACLs.
SRG-OS-000230-ESXI5-PF Medium The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
GEN005506-ESXI5-000098 Medium The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers.
SRG-OS-000187-ESXI5-PNF Medium The operating system at organization-defined information system components must load and execute the operating environment from hardware-enforced, read-only media.
GEN000800-ESXI5-000053 Medium The system must prohibit the reuse of passwords within five iterations.
GEN003745-ESXI5-PNF Medium The inetd.conf and xinetd.conf files must not have extended ACLs.
SRG-OS-000114-ESXI5-PNF Medium The operating system must uniquely identify and authenticate an organization-defined list of specific and/or types of devices before establishing a connection.
GEN002280-ESXI5-PNF Medium Device files and directories must only be writable by users with a system account or as configured by the vendor.
GEN006640-ESXI5-PNF Medium The system must use and update a DoD-approved virus scan program.
SRG-OS-000171-ESXI5-PNF Medium The operating system must employ NSA-approved cryptography to protect classified information.
GEN005340-ESXI5-PNF Medium Management Information Base (MIB) files must have mode 0640 or less permissive.
SRG-OS-000094-ESXI5-PNF Medium The operating system must employ automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
GEN008100-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by root, bin, sys, or system.
GEN001392-ESXI5-PNF Medium The /etc/group file must be group-owned by root, bin, sys, or system.
SRG-OS-000003-ESXI5-PNF Medium The operating system must automatically disable inactive accounts after an organization-defined time period.
SRG-OS-000168-ESXI5-PF Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SRG-OS-000080-ESXI5-PNF Medium The operating system must enforce approved authorizations for logical access to the system in accordance with applicable policy.
GEN001410-ESXI5-PNF Medium The /etc/shadow file (or equivalent) must be group-owned by root, bin, sys, or system.
GEN003930-ESXI5-PNF Medium The hosts.lpd (or equivalent) file must be group-owned by root, bin, sys, or system.
ESXI5-VM-000009 Medium The system must disable HGFS file transfers.
GEN002720-ESXI5-PNF Medium The audit system must be configured to audit failed attempts to access files and programs.
GEN003940-ESXI5-PNF Medium The hosts.lpd (or equivalent) must have mode 0644 or less permissive.
GEN003835-ESXI5-PNF Medium The rlogind service must not be installed.
SRG-OS-000242-ESXI5-PNF Medium The operating system must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
GEN004900-ESXI5-PNF Medium The ftpusers file must contain account names not allowed to use FTP.
SRG-OS-000151-ESXI5-PNF Medium The operating system must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
GEN000250-ESXI5-PNF Medium The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
GEN003601-ESXI5-PNF Medium TCP backlog queue sizes must be set appropriately.
SRG-OS-000133-ESXI5-PNF Medium The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
GEN001820-ESXI5-PNF Medium All skeleton files and directories (typically in /etc/skel) must be owned by bin.
GEN003245-ESXI5-PNF Medium The at.allow file must not have an extended ACL.
GEN001400-ESXI5-PNF Medium The /etc/shadow (or equivalent) file must be owned by root.
ESXI5-VMNET-000013 Medium The system must ensure that the virtual switch Forged Transmits policy is set to reject.
ESXI5-VMNET-000012 Medium Port groups must not be configured with VLAN values reserved by upstream physical switches.
ESXI5-VMNET-000011 Medium Port groups must not be configured with VLAN 4095 except for Virtual Guest Tagging (VGT).
ESXI5-VMNET-000010 Medium Port groups must be configured with a VLAN other than the native VLAN.
ESXI5-VMNET-000017 Medium The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
ESXI5-VMNET-000014 Medium The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.
ESXI5-VMNET-000019 Medium The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.
ESXI5-VMNET-000018 Medium The system must ensure the virtual switch Promiscuous Mode policy is set to reject.
GEN001160-ESXI5-PNF Medium All files and directories must have a valid owner.
GEN006200-ESXI5-PNF Medium The /etc/smbpasswd file must have mode 0600 or less permissive.
GEN006120-ESXI5-PNF Medium The /etc/smb.conf file must be group-owned by root, bin, or sys.
SRG-OS-000173-ESXI5-PNF Medium The operating system must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.
GEN003040-ESXI5-PNF Medium Crontabs must be owned by root or the crontab creator.
GEN003320-ESXI5-PNF Medium Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist.
SRG-OS-000124-ESXI5-PNF Medium The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
GEN000360-ESXI5-PNF Medium Group Identifiers (GIDs) reserved for system accounts must not be assigned to non-system groups.
GEN007140-ESXI5-PNF Medium The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
SRG-OS-000028-ESXI5-PF Medium The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
GEN006235-ESXI5-PNF Medium Samba must be configured to not allow guest access to shares.
GEN001372-ESXI5-PNF Medium The /etc/nsswitch.conf file must be group-owned by root, bin, sys, or system.
GEN001368-ESXI5-PNF Medium The /etc/hosts file must have mode 0644 or less permissive.
SRG-OS-000030-ESXI5-PF Medium The operating system must provide the capability for users to directly initiate session lock mechanisms.
GEN003619-ESXI5-PNF Medium The system must not be configured for network bridging.
GEN001605-ESXI5-PNF Medium Run control scripts' library search paths must contain only absolute paths.
SRG-OS-000271-ESXI5-PF Medium The operating system must take organization-defined list of least disruptive actions to terminate suspicious events.
GEN001362-ESXI5-PNF Medium The /etc/resolv.conf file must be owned by root.
GEN000402-ESXI5-PNF Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
GEN007850-ESXI5-PNF Medium The DHCP client must not send dynamic DNS updates.
GEN000590-ESXI5-PF Medium The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
GEN003830-ESXI5-PNF Medium The rlogind service must not be running.
GEN003770-ESXI5-PNF Medium The services file must be group-owned by root, bin, sys, or system.
GEN004980-ESXI5-PNF Medium The FTP daemon must be configured for logging or verbose mode.
SRG-OS-99999-ESXI5-000161 Medium The system must zero out VMDK files prior to deletion.
SRG-OS-99999-ESXI5-000160 Medium The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
SRG-OS-000276-ESXI5-PNF Medium The operating system must notify, as required, appropriate individuals when an account is disabled.
GEN000440-ESXI5-PNF Medium Successful and unsuccessful logins and logouts must be logged.
GEN001980-ESXI5-PNF Medium The .rhosts, .shosts, hosts.equiv, shosts.equiv, /etc/passwd, /etc/shadow, and/or /etc/group files must not contain a plus (+) without defining entries for NIS+ netgroups.
SRG-OS-000116-ESXI5-PNF Medium The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices.
GEN003270-ESXI5-PNF Medium The cron.deny file must be group-owned by root, bin, sys, or cron.
GEN003760-ESXI5-PNF Medium The services file must be owned by root or bin.
GEN003480-ESXI5-PNF Medium The at.deny file must be owned by root, bin, or sys.
GEN000790-ESXI5-000085 Medium The system must prevent the use of dictionary words for passwords.
GEN002140-ESXI5-000046 Medium All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SRG-OS-000088-ESXI5-PNF Medium The operating system must employ automated mechanisms to enforce access restrictions.
SRG-OS-000119-ESXI5-PNF Medium The operating system must dynamically manage identifiers, attributes, and associated access authorizations.
SRG-OS-000177-ESXI5-PNF Medium The operating system must associate security attributes with information exchanged between information systems.
SRG-OS-000221-ESXI5-PNF Medium The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
GEN008050-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
GEN004820-ESXI5-PNF Medium Anonymous FTP must not be active on the system unless authorized.
GEN005536-ESXI5-000110 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
GEN002825-ESXI5-PNF Medium The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
SRG-OS-000260-ESXI5-PF Medium The operating system must automatically implement organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
SRG-OS-000232-ESXI5-PNF Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
GEN002820-ESXI5-PNF Medium The audit system must be configured to audit all discretionary access control permission modifications.
GEN003090-ESXI5-PNF Medium Crontab files must not have extended ACLs.
SRG-OS-000082-ESXI5-PF Medium The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
SRG-OS-000251-ESXI5-PNF Medium The operating system must ensure remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
SRG-OS-000076-ESXI5-PF Medium The operating system must enforce maximum password lifetime restrictions.
GEN000950-ESXI5-PF Medium The root account's list of preloaded libraries must be empty.
SRG-OS-000237-ESXI5-PF Medium The operating system must support and maintain the binding of organization-defined security attributes to information in process.
GEN004420-ESXI5-PNF Medium Files executed through a mail aliases file must have mode 0755 or less permissive.
GEN001379-ESXI5-PNF Medium The /etc/passwd file must be group-owned by root, bin, sys, or system.
GEN002360-ESXI5-PNF Medium Audio devices must be group-owned by root, sys, bin, or system.
SRG-OS-000118-ESXI5-PNF Medium The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity.
ESXI5-VM-000053 Medium The system must control access to VMs through the VMsafe CPU/memory "vmsafe.agentPort" API.
ESXI5-VM-000052 Medium The system must control access to VMs through VMsafe CPU/memory APIs.
SRG-OS-000142-ESXI5-PNF Medium The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service attacks.
ESXI5-VM-000054 Medium The system must control access to VMs through the VMsafe CPU/memory "vmsafe.enable" API.
GEN006230-ESXI5-PNF Medium Samba must be configured to use encrypted passwords.
GEN007900-ESXI5-PF Medium The system must use an appropriate reverse-path filter for IPv6 network traffic, if the system uses IPv6.
GEN003120-ESXI5-PNF Medium Cron and crontab directories must be owned by root or bin.
SRG-OS-000004-ESXI5-PNF Medium The operating system must support the requirement to automatically audit on account creation.
GEN005810-ESXI5-PNF Medium All NFS-exported system files and system directories must be group-owned by root, bin, sys, or system.
GEN001140-ESXI5-PNF Medium System files and directories must not have uneven access permissions.
SRG-OS-000066-ESXI5-PF Medium The operating system, for PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
SRG-OS-000188-ESXI5-PNF Medium The operating system at organization-defined information system components must load and execute organization-defined applications from hardware-enforced, read-only media.
GEN008000-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, certificates used to authenticate to the LDAP server must be provided from DoD PKI or a DoD-approved external PKI.
GEN005537-ESXI5-000111 Medium The SSH daemon must use privilege separation.
SRG-OS-000262-ESXI5-PF Medium The operating system must uniquely authenticate destination domains for information transfer.
SRG-OS-000109-ESXI5-PNF Medium The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
GEN001360-ESXI5-PNF Medium The NIS/NIS+/yp command files must have mode 0755 or less permissive.
SRG-OS-000051-ESXI5-PNF Medium The operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
SRG-OS-000048-ESXI5-PNF Medium The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
SRG-OS-000255-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
GEN001800-ESXI5-PNF Medium All skeleton files (typically those in /etc/skel) must have mode 0644 or less permissive.
GEN002520-ESXI5-PNF Medium All public directories must be owned by root or an application account.
SRG-OS-000024-ESXI5-PNF Medium The operating system must retain the notification message or banner on the screen until users take explicit actions to logon for further access.
GEN005420-ESXI5-PNF Medium The /etc/syslog.conf file must be group-owned by root, bin, sys, or system.
GEN003780-ESXI5-PNF Medium The services file must have mode 0444 or less permissive.
GEN005160-ESXI5-PNF Medium Any X Windows host must write .Xauthority files.
GEN006040-ESXI5-PNF Medium The system must not have any peer-to-peer file-sharing application installed.
GEN002200-ESXI5-PNF Medium All shell files must be owned by root or bin.
GEN008200-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate authority file and/or directory (as appropriate) must not have an extended ACL.
SRG-OS-000254-ESXI5-PNF Medium The operating system must initiate session audits at system start-up.
SRG-OS-000265-ESXI5-PNF Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
GEN003430-ESXI5-PNF Medium The "at" directory must be group-owned by root, bin, sys, or cron.
GEN003020-ESXI5-PNF Medium Cron must not execute programs in, or subordinate to, world-writable directories.
GEN008300-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be owned by root.
SRG-OS-000135-ESXI5-PNF Medium The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
GEN005460-ESXI5-000060 Medium The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
GEN005750-ESXI5-PNF Medium The NFS export configuration file must be group-owned by root, bin, sys, or system.
GEN004360-ESXI5-PNF Medium The aliases file must be owned by root.
SRG-OS-000001-ESXI5-PNF Medium The operating system must provide automated support for account management functions.
GEN000750-ESXI5-000084 Medium The system must require at least four characters be changed between the old and new passwords during a password change.
SRG-OS-000227-ESXI5-PNF Medium The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
GEN002420-ESXI5-00878 Medium Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the "nosuid" option.
SRG-OS-000121-ESXI5-PNF Medium The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
GEN004580-ESXI5-PNF Medium The system must not use .forward files.
GEN005523-ESXI5-PNF Medium The SSH private host key files must have mode 0600 or less permissive.
GEN004500-ESXI5-PNF Medium The SMTP service log file must have mode 0644 or less permissive.
SRG-OS-000087-ESXI5-PNF Medium The operating system must enforce logical access restrictions associated with changes to the information system.
GEN001365-ESXI5-PNF Medium The /etc/resolv.conf file must not have an extended ACL.
SRG-OS-000209-ESXI5-PF Medium The operating system must validate the binding of the information producer's identity to the information.
GEN008140-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be owned by root.
SRG-OS-000107-ESXI5-PF Medium The operating system must use multifactor authentication for local access to privileged accounts.
GEN002730-ESXI5-PNF Medium The audit system must alert the SA when the audit storage volume approaches its capacity.
GEN001310-ESXI5-PNF Medium All library files must not have extended ACLs.
SRG-OS-000203-ESXI5-PNF Medium The operating system must check the validity of information inputs.
GEN002460-ESXI5-20047 Medium The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
SRG-OS-000022-ESXI5-PNF Medium The operating system, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization-defined time period or must lock the account until released by an administrator IAW organizational policy.
GEN007540-ESXI5-PNF Medium The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled.
SRG-OS-000247-ESXI5-PNF Medium The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.
SRG-OS-000091-ESXI5-PF Medium The operating system must enforce a two-person rule for changes to organization-defined information system components and system-level information.
GEN005580-ESXI5-PNF Medium A system used for routing must not run other network services or applications.
GEN005590-ESXI5-PNF Medium The system must not be running any routing protocol daemons, unless the system is a router.
GEN001391-ESXI5-PNF Medium The /etc/group file must be owned by root.
SRG-OS-000110-ESXI5-PF Medium The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
GEN002380-ESXI5-PNF Medium The owner, group owner, mode, ACL, and location of files with the suid bit set must be documented using site-defined procedures.
SRG-OS-000274-ESXI5-PNF Medium The operating system must notify, as required, appropriate individuals when accounts are created.
GEN005020-ESXI5-PNF Medium The anonymous FTP account must be configured to use chroot or a similarly isolated environment.
GEN001393-ESXI5-PNF Medium The /etc/group file must have mode 0644 or less permissive.
GEN000280-ESXI5-PNF Medium Direct logins must not be permitted to shared, default, application, or utility accounts.
GEN002480-ESXI5-PNF Medium Public directories must be the only world-writable directories and world-writable files must be located only in public directories.
SRG-OS-000067-ESXI5-PF Medium The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.
SRG-OS-99999-ESXI5-000132 Medium Persistent logging for all ESXi hosts must be configured.
SRG-OS-99999-ESXI5-000133 Medium Remote logging for ESXi hosts must be configured.
SRG-OS-99999-ESXI5-000131 Medium NTP time synchronization must be configured.
SRG-OS-99999-ESXI5-000136 Medium The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
SRG-OS-99999-ESXI5-000137 Medium The system must disable the Managed Object Browser (MOB).
GEN001371-ESXI5-PNF Medium The /etc/nsswitch.conf file must be owned by root.
GEN005180-ESXI5-PNF Medium All .Xauthority files must have mode 0600 or less permissive.
SRG-OS-99999-ESXI5-000138 Medium The system must disable SSH.
SRG-OS-99999-ESXI5-000139 Medium The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.
SRG-OS-000229-ESXI5-PNF Medium The operating system must employ automated mechanisms to centrally manage configuration settings.
SRG-OS-000007-ESXI5-PNF Medium The operating system must enforce one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
GEN002230-ESXI5-PNF Medium All shell files must not have extended ACLs.
GEN003140-ESXI5-PNF Medium Cron and crontab directories must be group-owned by root, sys, bin or cron.
SRG-OS-000231-ESXI5-PNF Medium The operating system must enforce requirements for remote connections to the information system.
GEN007080-ESXI5-PNF Medium The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
GEN000620-ESXI5-000067 Medium The system must require that passwords contain at least one numeric character.
SRG-OS-000085-ESXI5-PNF Medium The operating system must track problems associated with the security attribute binding.
GEN000410-ESXI5-PNF Medium The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
GEN003605-ESXI5-PF Medium The system must not apply reversed source routing to TCP responses.
SRG-OS-000084-ESXI5-PF Medium The operating system must bind security attributes to information to facilitate information flow policy enforcement.
SRG-OS-000263-ESXI5-PF Medium The operating system must track problems associated with the information transfer.
ESXI5-VM-000045 Medium The system must prevent unauthorized removal, connection and modification of devices by setting the "isolation.device.connectable.disable" keyword to true.
SRG-OS-000269-ESXI5-PF Medium The operating system must preserve organization-defined system state information in the event of a system failure.
GEN007860-ESXI5-PF Medium The system must ignore IPv6 ICMP redirect messages.
GEN005550-ESXI5-000114 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
GEN003050-ESXI5-PNF Medium Crontab files must be group-owned by root, cron, or the crontab creator's primary group.
GEN007660-ESXI5-PNF Medium The Bluetooth protocol handler must be disabled or not installed.
GEN000520-ESXI5-PNF Medium The root user must not own the logon session for an application requiring a continuous display.
SRG-OS-000223-ESXI5-PF Medium The operating system, when transferring information between different security domains, must detect unsanctioned information.
SRG-OS-000009-ESXI5-PNF Medium The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
SRG-OS-000053-ESXI5-PNF Medium The operating system audit records must be able to be used by a report generation capability.
GEN005400-ESXI5-PNF Medium The /etc/syslog.conf file must be owned by root.
GEN001550-ESXI5-PNF Medium All files and directories contained in user's home directories must be group-owned by a group of which the home directory's owner is a member.
SRG-OS-000002-ESXI5-PNF Medium The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account.
GEN006480-ESXI5-PF Medium The system must have a host-based intrusion detection tool installed.
GEN001394-ESXI5-PNF Medium The /etc/group file must not have an extended ACL.
GEN006340-ESXI5-PNF Medium Files in /etc/news must be owned by root or news.
SRG-OS-000174-ESXI5-PNF Medium The operating system must protect the integrity and availability of publicly available information and applications.
GEN003470-ESXI5-PNF Medium The at.allow file must be group-owned by root, bin, sys, or cron.
GEN004930-ESXI5-PNF Medium The ftpusers file must be group-owned by root, bin, sys, or system.
SRG-OS-000175-ESXI5-PNF Medium The operating system must prohibit remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
SRG-OS-000041-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
SRG-OS-000202-ESXI5-PNF Medium The operating system must detect unauthorized changes to software and information.
SRG-OS-000010-ESXI5-PF Medium The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
SRG-OS-000052-ESXI5-PNF Medium The operating system must support an audit reduction capability.
GEN001220-ESXI5-PNF Medium All system files, programs, and directories must be owned by a system account.
GEN003190-ESXI5-PNF Medium The cron log files must not have extended ACLs.
ESXI5-VM-000011 Medium The system must disable VM-to-VM communication through VMCI.
ESXI5-VM-000013 Medium The system must disable VM Monitor Control.
GEN000251-ESXI5-PNF Medium The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
SRG-OS-000246-ESXI5-PNF Medium The operating system must only allow authorized users to associate security attributes with information.
GEN003380-ESXI5-PNF Medium The "at" daemon must not execute programs in, or subordinate to, world-writable directories.
SRG-OS-000243-ESXI5-PNF Medium The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
GEN002300-ESXI5-PNF Medium Device files used for backup must only be readable and/or writable by root or the backup user.
SRG-OS-000061-ESXI5-PNF Medium The operating system must protect against an individual falsely denying having performed a particular action.
SRG-OS-000257-ESXI5-PNF Medium The operating system must protect audit tools from unauthorized modification.
SRG-OS-000222-ESXI5-PF Medium The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization-defined information security policy requirements.
GEN005505-ESXI5-000097 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
GEN008780-ESXI5-PNF Medium The system's boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
SRG-OS-000148-ESXI5-PNF Medium The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
GEN003607-ESXI5-PF Medium The system must not accept source-routed IPv4 packets.
GEN001320-ESXI5-PNF Medium NIS/NIS+/yp files must be owned by root, sys, or bin.
SRG-OS-000216-ESXI5-PNF Medium The operating system must use cryptographic mechanisms to protect the integrity of audit information.
GEN003900-ESXI5-PNF Medium The hosts.lpd file (or equivalent) must not contain a "+" character.
SRG-OS-99999-ESXI5-000149 Medium The ESXi system must be properly patched. Vendor-recommended software patches, system security patches, and updates must be installed and up-to-date.
GEN005375-ESXI5-PNF Medium The snmpd.conf file must not have an extended ACL.
GEN004920-ESXI5-PNF Medium The ftpusers file must be owned by root.
GEN001845-ESXI5-PNF Medium Global initialization files' library search paths must contain only absolute paths.
SRG-OS-000239-ESXI5-PNF Medium The operating system must automatically audit account modification.
GEN001660-ESXI5-PNF Medium All system start-up files must be owned by root.
SRG-OS-000035-ESXI5-PNF Medium The operating system must disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
GEN003060-ESXI5-PNF Medium Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.
GEN007020-ESXI5-PNF Medium The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
SRG-OS-000178-ESXI5-PNF Medium The operating system must validate the integrity of security attributes exchanged between systems.
GEN001901-ESXI5-PNF Medium Local initialization files' library search paths must contain only absolute paths.
GEN005504 Medium The SSH daemon must only listen on management network addresses unless authorized for uses other than management.
GEN008620-ESXI5-000054 Medium System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
GEN005512-ESXI5-702 Medium The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
GEN008160-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the TLS certificate authority file and/or directory (as appropriate) must be group-owned by root, bin, sys, or system.
GEN007800-ESXI5-PNF Medium The system must not have Teredo enabled.
GEN005380-ESXI5-PNF Medium If the system is a Network Management System (NMS) server, it must only run the NMS and any software required by the NMS.
GEN002430-ESXI5-PF Medium Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the "nodev" option.
GEN003250-ESXI5-PNF Medium The cron.allow file must be group-owned by root, bin, sys, or cron.
GEN000945-ESXI5-PF Medium The root account's library search path must be the system default and must contain only absolute paths.
GEN000240-ESXI5-000058 Medium The system clock must be synchronized to an authoritative DoD time source.
SRG-OS-000240-ESXI5-PNF Medium The operating system must automatically audit account disabling actions.
SRG-OS-99999-ESXI5-000142 Medium The system must enable lockdown mode to restrict remote access.
GEN003420-ESXI5-PNF Medium The "at" directory must be owned by root, bin, or sys.
GEN002400-ESXI5-10047 Medium The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
SRG-OS-000005-ESXI5-PNF Medium The operating system must dynamically manage user privileges and associated access authorizations.
GEN003600-ESXI5-PF Medium The system must not forward IPv4 source-routed packets.
SRG-OS-000277-ESXI5-PNF Medium The operating system must notify, as required, appropriate individuals for account termination.
SRG-OS-000270-ESXI5-PNF Medium The operating system must employ malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
SRG-OS-99999-ESXI5-000146 Medium The system must ensure the vpxuser password meets length policy.
GEN005522-ESXI5-PNF Medium The SSH public host key files must have mode 0644 or less permissive.
SRG-OS-000108-ESXI5-PNF Medium The operating system must use multifactor authentication for local access to non-privileged accounts.
GEN001700-ESXI5-PNF Medium System start-up files must only execute programs owned by a privileged UID or an application.
SRG-OS-000047-ESXI5-PNF Medium The operating system must take organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
GEN001430-ESXI5-PNF Medium The /etc/shadow file must not have an extended ACL.
SRG-OS-99999-ESXI5-000148-PNF Medium The system must establish a password policy for password complexity.
SRG-OS-000062-ESXI5-PNF Medium The operating system must provide audit record generation capability for the auditable events defined at the organizational level for the organization-defined information system components.
GEN007700-ESXI5-000116 Medium The IPv6 protocol handler must not be bound to the network stack unless needed.
SRG-OS-000032-ESXI5-PNF Medium The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
GEN001610-ESXI5-PF Medium Run control scripts' lists of preloaded libraries must contain only absolute paths.
GEN001870-ESXI5-PNF Medium Local initialization files must be group-owned by the user's primary group or root.
GEN004480-ESXI5-PNF Medium The SMTP service log file must be owned by root.
GEN002980-ESXI5-PNF Medium The cron.allow file must have mode 0600 or less permissive.
GEN007780-ESXI5-PNF Medium The system must not have 6to4 enabled.
SRG-OS-000113-ESXI5-PNF Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
GEN001340-ESXI5-PNF Medium NIS/NIS+/yp files must be group-owned by root, sys, bin, other, or system.
GEN003280-ESXI5-PNF Medium Access to the "at" utility must be controlled via the at.allow and/or at.deny file(s).
GEN001369-ESXI5-PNF Medium The /etc/hosts file must not have an extended ACL.
GEN006290-ESXI5-PNF Medium The /etc/news/hosts.nntp.nolimit file must not have an extended ACL.
GEN005538-ESXI5-000112 Medium The SSH daemon must not allow rhosts RSA authentication.
GEN003540-ESXI5-PNF Medium The system must implement non-executable program stacks.
GEN005307-ESXI5-PF Medium The SNMP service must require the use of a FIPS 140-2 approved encryption algorithm for protecting the privacy of SNMP messages.
SRG-OS-000063-ESXI5-PNF Medium The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.
GEN006160-ESXI5-PNF Medium The /etc/smbpasswd file must be owned by root.
GEN001240-ESXI5-PNF Medium System files, programs, and directories must be group-owned by a system group.
SRG-OS-000273-ESXI5-PNF Medium The operating system must enforce requirements for the connection of mobile devices to operating systems.
GEN003920-ESXI5-PNF Medium The hosts.lpd (or equivalent) file must be owned by root, bin, sys, or lp.
GEN005280-ESXI5-PNF Medium The system must not have the UUCP service active.
GEN003790-ESXI5-PNF Medium The services file must not have an extended ACL.
SRG-OS-000167-ESXI5-PF Medium The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
SRG-OS-000235-ESXI5-PF Medium The operating system must notify the user of organization-defined security-related changes to the user's account that occur during the organization-defined time period.
GEN003960-ESXI5-PNF Medium The traceroute command owner must be root.
GEN004390-ESXI5-PNF Medium The alias file must not have an extended ACL.
GEN005360-ESXI5-PNF Medium The snmpd.conf file must be owned by bin.
SRG-OS-000105-ESXI5-PF Medium The operating system must use multifactor authentication for network access to privileged accounts.
SRG-OS-000238-ESXI5-PF Medium The operating system must support and maintain the binding of organization-defined security attributes to information in transmission.
SRG-OS-000015-ESXI5-PF Medium The operating system must support organization-defined one-way flows using hardware mechanisms.
GEN006225-ESXI5-PNF Medium Samba must be configured to use an authentication mechanism other than share.
GEN001590-ESXI5-PNF Medium All run control scripts must have no extended ACLs.
SRG-OS-000049-ESXI5-PNF Medium The operating system must provide a real-time alert when organization-defined audit failure events occur.
GEN003845-ESXI5-PNF Medium The rexecd service must not be installed.
GEN005220-ESXI5-PNF Medium .Xauthority or X*.hosts (or equivalent) file(s) must be used to restrict access to the X server.
GEN003260-ESXI5-PNF Medium The cron.deny file must be owned by root, bin, or sys.
GEN001270-ESXI5-PNF Medium System log files must not have extended ACLs, except as needed to support authorized software.
GEN006565-ESXI5-PNF Medium The system package management tool must be used to verify system software periodically.
GEN005395-ESXI5-PNF Medium The /etc/syslog.conf file must not have an extended ACL.
GEN000460-ESXI5-PF Medium The system must disable accounts after three consecutive unsuccessful login attempts.
GEN003740-ESXI5-PNF Medium The inetd.conf and xinetd.conf files must have mode 0440 or less permissive.
SRG-OS-000182-ESXI5-PNF Medium The operating system must prevent the download of prohibited mobile code.
SRG-OS-000198-ESXI5-PNF Medium The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
GEN002700-ESXI5-PNF Medium System audit logs must have mode 0640 or less permissive.
SRG-OS-000125-ESXI5-PNF Medium The operating system must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
GEN003580-ESXI5-PF Medium The system must use initial TCP sequence numbers most resistant to sequence number guessing attacks.
SRG-OS-000234-ESXI5-PF Medium The operating system must notify the user of the number of unsuccessful login/access attempts that occur during the organization-defined time period.
GEN007940-ESXI5-PF Medium The system must not accept source-routed IPv6 packets.
SRG-OS-000136-ESXI5-PNF Medium The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
SRG-OS-000189-ESXI5-PNF Medium The operating system must employ organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.
SRG-OS-000253-ESXI5-PNF Medium The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
GEN008060-ESXI5-PNF Medium If the system is using LDAP for authentication or account information the /etc/ldap.conf (or equivalent) file must have mode 0644 or less permissive.
GEN001840-ESXI5-PNF Medium All global initialization files' executable search paths must contain only absolute paths.
SRG-OS-000045-ESXI5-PNF Medium The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded.
GEN000340-ESXI5-PNF Medium UIDs reserved for system accounts must not be assigned to non-system accounts.
ESXI5-VM-000049 Medium The system must use secure protocols for virtual serial port access.
ESXI5-VM-000046 Medium The system must prevent unauthorized removal, connection and modification of devices by setting the "isolation.device.edit.disable" keyword to true.
ESXI5-VM-000047 Medium The system must not send host information to guests.
SRG-OS-000100-ESXI5-PNF Medium The operating system must conduct backups of system-level information contained in the information system per organization-defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
SRG-OS-000040-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish the sources of the events.
ESXI5-VM-000042 Medium The system must limit VM logging record contents.
GEN008240-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must be group-owned by root, bin, sys, or system.
ESXI5-VM-000041 Medium The system must limit VM logging records.
SRG-OS-000008-ESXI5-PNF Medium The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states.
GEN002440-ESXI5-PNF Medium The owner, group-owner, mode, ACL, and location of files with the sgid bit set must be documented using site-defined procedures.
GEN003200-ESXI5-PNF Medium The cron.deny file must have mode 0600 or less permissive.
GEN005800-ESXI5-PNF Medium All NFS-exported system files and system directories must be owned by root.
GEN000000-ESXI5-PNF Medium The system must comply with product-specific security requirements.
SRG-OS-000081-ESXI5-PF Medium The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage.
GEN008080-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be owned by root.
SRG-OS-000261-ESXI5-PF Medium The operating system must uniquely identify destination domains for information transfer.
GEN003612-ESXI5-PF Medium The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
SRG-OS-000207-ESXI5-PF Medium The operating system must support the requirement that organizations, if an information system component failure is detected, activate an organization-defined alarm and/or automatically shut down the operating system.
SRG-OS-000097-ESXI5-PNF Medium The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
GEN005510-ESXI5-700 Medium The SSH client must be configured to only use FIPS 140-2 approved ciphers.
GEN007840-ESXI5-000119 Medium The DHCP client must be disabled if not needed.
GEN000300-ESXI5-000035 Medium All accounts on the system must have unique user or account names.
GEN001373-ESXI5-PNF Medium The /etc/nsswitch.conf file must have mode 0644 or less permissive.
GEN007480-ESXI5-PNF Medium The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
GEN003730-ESXI5-PNF Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be group-owned by root, bin, sys, or system.
GEN002560-ESXI5-PNF Medium The system and user default umask must be 077.
GEN001740-ESXI5-PNF Medium All global initialization files must be owned by bin.
SRG-OS-000037-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish what type of events occurred.
SRG-OS-000272-ESXI5-PF Medium The operating system must respond to security function anomalies in accordance with organization-defined responses and alternative action(s).
SRG-OS-000143-ESXI5-PNF Medium The operating system must limit the use of resources by priority.
GEN003980-ESXI5-PNF Medium The traceroute command must be group-owned by sys, bin, root, or system.
GEN003410-ESXI5-PNF Medium The "at" directory must not have an extended ACL.
SRG-OS-000213-ESXI5-PF Medium The operating system must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
GEN006280-ESXI5-PNF Medium The /etc/news/hosts.nntp.nolimit (or equivalent) must have mode 0600 or less permissive.
GEN006100-ESXI5-PNF Medium The /etc/smb.conf file must be owned by root.
GEN001367-ESXI5-PNF Medium The /etc/hosts file must be group-owned by root, bin, sys, or system.
GEN004430-ESXI5-PNF Medium Files executed through a mail aliases file must not have extended ACLs.
GEN001580-ESXI5-PNF Medium All run control scripts must have mode 0755 or less permissive.
SRG-OS-000185-ESXI5-PF Medium The operating system must protect the confidentiality and integrity of information at rest.
GEN003581-ESXI5-PNF Medium Network interfaces must not be configured to allow user control.
SRG-OS-000201-ESXI5-PF Medium The operating system must provide automated support for the management of distributed security testing.
GEN001760-ESXI5-PNF Medium All global initialization files must be group-owned by root, sys, bin, other, system, or the system default.
SRG-OS-000180-ESXI5-PNF Medium The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code.
GEN001810-ESXI5-PNF Medium Skeleton files must not have extended ACLs.
GEN001880-ESXI5-PNF Medium All local initialization files must have mode 0740 or less permissive.
GEN000940-ESXI5-000042 Medium The root account's executable search path must be the vendor default and must contain only absolute paths.
GEN005350-ESXI5-PNF Medium Management Information Base (MIB) files must not have extended ACLs.
GEN004800-ESXI5-PNF Medium Unencrypted FTP must not be used on the system.
GEN000760-ESXI5-PNF Medium Accounts must be locked upon 35 days of inactivity.
GEN006600-ESXI5-PNF Medium The system's access control program must log each system access attempt.
SRG-OS-000083-ESXI5-PNF Medium The operating system must enforce security policies regarding information on interconnected systems.
GEN008280-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS certificate file must not have an extended ACL.
GEN000540-ESXI5-PNF Medium Users must not be able to change passwords more than once every 24 hours.
GEN000320-ESXI5-000036 Medium All accounts must be assigned unique User Identification Numbers (UIDs).
GEN003604-ESXI5-PF Medium The system must not respond to ICMP timestamp requests sent to a broadcast address.
GEN001890-ESXI5-PNF Medium Local initialization files must not have extended ACLs.
SRG-OS-000099-ESXI5-PNF Medium The operating system must conduct backups of user-level information contained in the operating system per organization-defined frequency to conduct backups consistent with recovery time and recovery point objectives.
SRG-OS-000204-ESXI5-PNF Medium The operating system must identify potentially security-relevant error conditions.
GEN002020-ESXI5-PNF Medium All .rhosts, .shosts, or host.equiv files must only contain trusted host-user pairs.
GEN006560-ESXI5-PF Medium The system vulnerability assessment tool, host-based intrusion detection tool, and file integrity tool must notify the SA and the IAO of a security breach or a suspected security breach.
GEN003608-ESXI5-PNF Medium Proxy ARP must not be enabled on the system.
GEN000740-ESXI5-PNF Medium All non-interactive/automated processing account passwords must be changed at least once per year or be locked.
GEN005840-ESXI5-PNF Medium The NFS server must be configured to restrict file system access to local hosts.
GEN003300-ESXI5-PNF Medium The at.deny file must not be empty if it exists.
GEN004540-ESXI5-PNF Medium The SMTP service HELP command must not be enabled.
SRG-OS-000214-ESXI5-PF Medium The operating system must employ automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
GEN001000-ESXI5-PNF Medium Remote consoles must be disabled or protected from unauthorized access.
SRG-OS-000020-ESXI5-PNF Medium The operating system must audit any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
SRG-OS-000029-ESXI5-PF Medium The operating system must initiate a session lock after the organization-defined time period of inactivity.
GEN001900-ESXI5-PNF Medium All local initialization files' executable search paths must contain only absolute paths.
GEN001480-ESXI5-PNF Medium All users' home directories must have mode 0750 or less permissive.
GEN004940-ESXI5-PNF Medium The ftpusers file must have mode 0640 or less permissive.
GEN004380-ESXI5-PNF Medium The aliases file must have mode 0644 or less permissive.
GEN006400-ESXI5-PNF Medium The Network Information System (NIS) protocol must not be used.
GEN001500-ESXI5-PNF Medium All interactive users' home directories must be owned by their respective users.
GEN002690-ESXI5-PNF Medium System audit logs must be group-owned by root, bin, sys, or system.
GEN004840-ESXI5-PNF Medium If the system is an anonymous FTP server, it must be isolated to the DMZ network.
SRG-OS-000046-ESXI5-PF Medium The operating system must alert designated organizational officials in the event of an audit processing failure.
GEN006000-ESXI5-PNF Medium The system must not have a public Instant Messaging (IM) client installed.
SRG-OS-000012-ESXI5-PF Medium The operating system must prevent encrypted data from bypassing content checking mechanisms.
GEN004410-ESXI5-PNF Medium Files executed through a mail aliases file must be group-owned by root, bin, or sys, and must reside within a directory group-owned by root, bin, or sys.
GEN005511-ESXI5-701 Medium The SSH client must be configured to not use CBC-based ciphers.
GEN003080-ESXI5-PNF Medium Crontab files must have mode 0600 or less permissive, and files in cron script directories must have mode 0700 or less permissive.
GEN005490-ESXI5-PF Medium The SSH daemon must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
SRG-OS-000224-ESXI5-PF Medium The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy.
GEN008720-ESXI5-PNF Medium The system's boot loader configuration file(s) must have mode 0600 or less permissive.
GEN002000-ESXI5-PNF Medium There must be no .netrc files on the system.
GEN004880-ESXI5-PNF Medium The ftpusers file must exist.
SRG-OS-000245-ESXI5-PF Medium The operating system must maintain the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.
GEN008040-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked.
GEN001570-ESXI5-PNF Medium All files and directories contained in user home directories must not have extended ACLs.
GEN004000-ESXI5-PNF Medium The traceroute file must have mode 0700 or less permissive.
GEN001420-ESXI5-PNF Medium The /etc/shadow (or equivalent) file must have mode 0400.
GEN001366-ESXI5-PNF Medium The /etc/hosts file must be owned by root.
GEN001600-ESXI5-PNF Medium Run control scripts' executable search paths must contain only absolute paths.
GEN005390-ESXI5-PNF Medium The /etc/syslog.conf file must have mode 0640 or less permissive.
GEN001361-ESXI5-PNF Medium NIS/NIS+/yp command files must not have extended ACLs.
GEN002740-ESXI5-PNF Medium The audit system must be configured to audit file deletions.
GEN000220-ESXI5-000064 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
GEN006060-ESXI5-PNF Medium The system must not run Samba unless needed.
SRG-OS-000139-ESXI5-PNF Medium The operating system must not share resources used to interface with systems operating at different security levels.
GEN005539-ESXI5-000113 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
GEN007200-ESXI5-PNF Medium The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
SRG-OS-000184-ESXI5-PF Medium The operating system must fail to an organization-defined known state for organization-defined types of failures.
GEN001520-ESXI5-PNF Medium All interactive users' home directories must be group-owned by the home directory owner's primary group.
GEN001170-ESXI5-PNF Medium All files and directories must have a valid group owner.
SRG-OS-000181-ESXI5-PNF Medium The operating system must prevent the execution of prohibited mobile code.
GEN003750-ESXI5-PNF Medium The xinetd.d directory must have mode 0755 or less permissive.
SRG-OS-000059-ESXI5-PNF Medium The operating system must protect audit information from unauthorized deletion.
GEN005440-ESXI5-000078 Medium The system must not be used as a syslog server (log host) for systems external to the enclave.
GEN001120-ESXI5-000051 Medium The system must not permit root logins using remote access programs, such as SSH.
SRG-OS-000226-ESXI5-PNF Medium The operating system must uniquely authenticate source domains for information transfer.
GEN007760-ESXI5-PNF Medium Proxy Neighbor Discovery Protocol (NDP) must not be enabled on the system.
GEN003815-ESXI5-PNF Medium The portmap or rpcbind service must not be installed unless needed.
GEN006210-ESXI5-PNF Medium The /etc/smbpasswd file must not have an extended ACL.
SRG-OS-000241-ESXI5-PNF Medium The operating system must automatically audit account termination.
GEN007260-ESXI5-PNF Medium The AppleTalk protocol must be disabled or not installed.
GEN003755-ESXI5-PNF Medium The xinetd.d directory must not have an extended ACL.
ESXI5-VM-000034 Medium The system must disconnect unauthorized floppy devices.
SRG-OS-000186-ESXI5-PF Medium The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
SRG-OS-000205-ESXI5-PNF Medium The operating system must generate error messages providing information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
GEN000680-ESXI5-PF Medium The system must require passwords to contain no more than three consecutive repeating characters.
GEN008360-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must not have an extended ACL.
SRG-OS-000127-ESXI5-PNF Medium The operating system must audit non-local maintenance and diagnostic sessions.
GEN008120-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must not have an extended ACL.
GEN002960-ESXI5-PNF Medium Access to the cron utility must be controlled using the cron.allow and/or cron.deny file(s).
SRG-OS-000219-ESXI5-PNF Medium The operating system must monitor for atypical usage of operating system accounts.
SRG-OS-000033-ESXI5-PNF Medium The operating system must use cryptography to protect the confidentiality of remote access sessions.
GEN005501-ESXI5-9778 Medium The SSH client must be configured to only use the SSHv2 protocol.
GEN001850-ESXI5-PNF Medium Global initialization files' lists of preloaded libraries must contain only absolute paths.
GEN003490-ESXI5-PNF Medium The at.deny file must be group-owned by root, bin, sys, or cron.
GEN005480-ESXI5-PNF Medium The syslog daemon must not accept remote messages unless it is a syslog server documented using site-defined procedures.
SRG-OS-99999-ESXI5-000145 Medium The system must ensure the vpxuser auto-password change meets policy.
SRG-OS-99999-ESXI5-000144 Medium The system must ensure proper SNMP configuration.
SRG-OS-000006-ESXI5-PF Medium The operating system must enforce dual authorization, based on organizational policies and procedures for organization-defined privileged commands.
SRG-OS-000039-ESXI5-PNF Medium The operating system must produce audit records containing sufficient information to establish where the events occurred.
SRG-OS-000089-ESXI5-PNF Medium The operating system must employ automated mechanisms to support auditing of the enforcement actions.
SRG-OS-000128-ESXI5-PNF Medium The operating system must protect non-local maintenance sessions through the use of a strong authenticator tightly bound to the user.
GEN003000-ESXI5-PNF Medium Cron must not execute group-writable or world-writable programs.
GEN003720-ESXI5-PNF Medium The inetd.conf file, xinetd.conf file, and the xinetd.d directory must be owned by root or bin.
SRG-OS-000278-ESXI5-PNF Medium The operating system must use cryptographic mechanisms to protect the integrity of audit tools.
SRG-OS-000064-ESXI5-PNF Medium The operating system must generate audit records for the selected list of auditable events as defined in DoD list of events.
ESXI5-VM-000012 Medium The system must enable VM logging.
GEN005740-ESXI5-PNF Medium The NFS export configuration file must be owned by root.
SRG-OS-000244-ESXI5-PNF Medium The operating system must only allow authorized entities to change security attributes.
SRG-OS-000098-ESXI5-PNF Medium The operating system must employ automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the operating system.
GEN008320-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must be group-owned by root, bin, sys, or system.
SRG-OS-000014-ESXI5-PF Medium The operating system must enforce information flow control on metadata.
SRG-OS-000122-ESXI5-PF Medium The operating system must implement a configurable capability to automatically disable the operating system if any of the organization-defined lists of security violations are detected.
GEN000960-ESXI5-PNF Medium The root account must not have world-writable directories in its executable search path.
GEN008020-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS connection must require that the server provide a certificate and that this certificate has a valid trust path to a trusted CA.
SRG-OS-000183-ESXI5-PNF Medium The operating system must prevent the automatic execution of mobile code in organization-defined software applications and must require organization-defined actions prior to executing the code.
GEN000020-ESXI5-PNF Medium The system must require authentication upon booting into single-user and maintenance modes.
GEN003865-ESXI5-PNF Medium Network analysis tools must not be installed.
GEN005880-ESXI5-PNF Medium The NFS server must not allow remote root access.
GEN002990-ESXI5-PNF Medium The cron.allow file must not have an extended ACL.
GEN007880-ESXI5-PF Medium The system must not send IPv6 ICMP redirects.
SRG-OS-000225-ESXI5-PNF Medium The operating system must uniquely identify source domains for information transfer.
GEN006300-ESXI5-PNF Medium The /etc/news/nnrp.access (or equivalent) must have mode 0600 or less permissive.
SRG-OS-000268-ESXI5-PNF Medium The operating system must take corrective actions, when unauthorized mobile code is identified.
SRG-OS-000117-ESXI5-PNF Medium The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices.
GEN001680-ESXI5-PNF Medium All system start-up files must be group-owned by root, sys, bin, other, or system.
GEN008340-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.
GEN002120-ESXI5-000045 Medium The /etc/shells (or equivalent) file must exist.
GEN003950-ESXI5-PNF Medium The hosts.lpd (or equivalent) file must not have an extended ACL.
GEN002210-ESXI5-PNF Medium All shell files must be group-owned by root, bin, sys, or system.
GEN003510-ESXI5-006660 Medium Kernel core dumps must be disabled unless needed.
SRG-OS-000141-ESXI5-PNF Medium The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks.
SRG-OS-000102-ESXI5-PNF Medium The operating system must implement transaction recovery for transaction-based systems.
GEN001060-ESXI5-PNF Medium The system must log successful and unsuccessful access to the root account.
GEN009120-ESXI5-PNF Medium The system, if capable, must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
GEN002320-ESXI5-PNF Medium Audio devices must have mode 0660 or less permissive.
GEN003180-ESXI5-PNF Medium The cron log file must have mode 0600 or less permissive.
GEN005820-ESXI5-PNF Medium The NFS anonymous UID and GID must be configured to values that have no permissions.
GEN002760-ESXI5-PNF Medium The audit system must be configured to audit all administrative, privileged, and security actions.
GEN005320-ESXI5-PNF Medium The snmpd.conf file must have mode 0600 or less permissive.
SRG-OS-000111-ESXI5-PF Medium The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed.
GEN000880-ESXI5-PNF Medium The root account must be the only account having a UID of 0.
GEN003609-ESXI5-PF Medium The system must ignore IPv4 ICMP redirect messages.
GEN001380-ESXI5-PNF Medium The /etc/passwd file must have mode 0644 or less permissive.
SRG-OS-000149-ESXI5-PNF Medium The operating system must route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
GEN003252-ESXI5-PNF Medium The at.deny file must have mode 0600 or less permissive.
GEN000252-ESXI5-PNF Medium The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
GEN006080-ESXI5-PNF Medium The Samba Web Administration Tool (SWAT) must be restricted to the local host or require SSL.
SRG-OS-000093-ESXI5-PNF Medium The operating system must employ automated mechanisms to centrally verify configuration settings.
GEN005900-ESXI5-00891 Medium The nosuid option must be enabled on all NFS client mounts.
SRG-OS-000129-ESXI5-PNF Medium The operating system must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
GEN000930-ESXI5-PNF Medium The root account's home directory must not have an extended ACL.
SRG-OS-000060-ESXI5-PNF Medium The operating system must produce audit records on hardware-enforced, write-once media.
ESXI5-VM-000039 Medium The system must limit sharing of console connections.
ESXI5-VM-000038 Medium The system must disconnect unauthorized USB devices.
GEN001020-ESXI5-PNF Medium The root account must not be used for direct logins.
ESXI5-VM-000032 Medium The system must disable unnecessary or superfluous functions inside VMs.
ESXI5-VM-000037 Medium The system must disconnect unauthorized serial devices.
ESXI5-VM-000036 Medium The system must disconnect unauthorized parallel devices.
ESXI5-VM-000035 Medium The system must disconnect unauthorized IDE devices.
GEN008220-ESXI5-PNF Medium For systems using NSS LDAP, the TLS certificate file must be owned by root.
SRG-OS-000086-ESXI5-PF Medium The operating system must provide the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
SRG-OS-000134-ESXI5-PNF Medium The operating system must isolate security functions from non-security functions.
GEN000253-ESXI5-PNF Medium The time synchronization configuration file (such as /etc/ntp.conf) must not have an extended ACL.
GEN007920-ESXI5-PF Medium The system must not forward IPv6 source-routed packets.
GEN004710-ESXI5-PNF Medium Mail relaying must be restricted.
SRG-OS-000065-ESXI5-PNF Medium The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
GEN000241-ESXI5-PNF Medium The system clock must be synchronized continuously, or at least daily.
SRG-OS-000258-ESXI5-PNF Medium The operating system must protect audit tools from unauthorized deletion.
GEN003100-ESXI5-PNF Medium Cron and crontab directories must have mode 0755 or less permissive.
SRG-OS-000079-ESXI5-PNF Medium The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
GEN001378-ESXI5-PNF Medium The /etc/passwd file must be owned by root.
GEN005450-ESXI5-PNF Medium The system must use a remote syslog server (log host).
GEN006180-ESXI5-PNF Medium The /etc/smbpasswd file must be group-owned by root.
GEN006460-ESXI5-PNF Medium Any NIS+ server must be operating at security level 2.
GEN005532-ESXI5-709 Medium The SSH client must not permit tunnels.
SRG-OS-000140-ESXI5-PF Medium The operating system must protect against or must limit the effects of the organization-defined or referenced types of Denial of Service attacks.
SRG-OS-000218-ESXI5-PNF Medium The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
GEN000920-ESXI5-PNF Medium The root account's home directory (other than /) must have mode 0700.
GEN003603-ESXI5-PF Medium The system must not respond to ICMPv4 echoes sent to a broadcast address.
SRG-OS-000106-ESXI5-PF Medium The operating system must use multifactor authentication for network access to non-privileged accounts.
GEN006270-ESXI5-PNF Medium The /etc/news/hosts.nntp file must not have an extended ACL.
SRG-OS-000131-ESXI5-PF Medium The operating system must employ cryptographic mechanisms to protect information in storage.
GEN005560-ESXI5-000061 Medium The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
GEN000290-ESXI5-PNF Medium The system must not have unnecessary accounts.
SRG-OS-000138-ESXI5-PNF Medium The operating system must prevent unauthorized and unintended information transfer via shared system resources.
GEN007320-ESXI5-PNF Medium The DECnet protocol must be disabled or not installed.
GEN008760-ESXI5-PNF Medium The system's boot loader configuration files must be owned by root.
GEN003210-ESXI5-PNF Medium The cron.deny file must not have an extended ACL.
GEN003110-ESXI5-PNF Medium Cron and crontab directories must not have extended ACLs.
GEN004370-ESXI5-PNF Medium The aliases file must be group-owned by root, sys, bin, or system.
GEN000600-ESXI5-000066 Medium The system must require that passwords contain at least one uppercase alphabetic character.
GEN007980-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
GEN001210-ESXI5-PNF Medium All system command files must not have extended ACLs.
SRG-OS-000256-ESXI5-PNF Medium The operating system must protect audit tools from unauthorized access.
GEN003606-ESXI5-PF Medium The system must prevent local applications from generating source-routed packets.
SRG-OS-000196-ESXI5-PF Medium The operating system must provide a near real-time alert when any of the organization-defined list of compromise or potential compromise indicators occurs.
GEN002860-ESXI5-PNF Medium Audit logs must be rotated daily.
GEN003400-ESXI5-PNF Medium The "at" directory must have mode 0755 or less permissive.
GEN005495-ESXI5-PF Medium The SSH client must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode).
GEN002640-ESXI5-PNF Medium Default system accounts must be disabled or removed.
SRG-OS-000017-ESXI5-PNF Medium The operating system must provide the capability for a privileged administrator to enable/disable organization-defined security policy filters.
GEN006360-ESXI5-PNF Medium The files in /etc/news must be group-owned by root or news.
GEN001363-ESXI5-PNF Medium The /etc/resolv.conf file must be group-owned by root, bin, sys, or system.
GEN006420-ESXI5-PNF Medium NIS maps must be protected through hard-to-guess domain names.
GEN003460-ESXI5-PNF Medium The at.allow file must be owned by root, bin, or sys.
SRG-OS-000200-ESXI5-PF Medium The operating system must provide notification of failed automated security tests.
SRG-OS-000220-ESXI5-PNF Medium The operating system must enforce an organization-defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.
SRG-OS-000275-ESXI5-PNF Medium The operating system must notify, as required, appropriate individuals when accounts are modified.
GEN002330-ESXI5-PNF Medium Audio devices must not have extended ACLs.
SRG-OS-000199-ESXI5-PNF Medium The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
SRG-OS-000112-ESXI5-PNF Medium The operating system must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
GEN000580-ESXI5-000065 Medium The system must require that passwords contain a minimum of 14 characters.
GEN005600-ESXI5-PNF Medium IP forwarding for IPv4 must not be enabled, unless the system is a router.
GEN003825-ESXI5-PNF Medium The rshd service must not be installed.
SRG-OS-000156-ESXI5-PF Medium The operating system must fail securely in the event of an operational failure of a boundary protection device.
GEN007970-ESXI5-PNF Medium If the system is using LDAP for authentication or account information, the system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for protecting the LDAP connection.
GEN006240-ESXI5-PNF Medium The system must not run an Internet Network News (INN) server.
GEN001180-ESXI5-PNF Medium All network services daemon files must have mode 0755 or less permissive.
SRG-OS-000074-ESXI5-PNF Medium The operating system must enforce password encryption for transmission.
GEN001902-ESXI5-PNF Medium Local initialization files' lists of preloaded libraries must contain only absolute paths.
GEN006620-ESXI5-PF Medium The system's access control program must be configured to grant or deny system access to specific hosts.
SRG-OS-000146-ESXI5-PNF Medium The operating system must prevent public access into an organization's internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
GEN004010-ESXI5-PNF Medium The traceroute file must not have an extended ACL.
SRG-OS-000236-ESXI5-PNF Medium The operating system must support and maintain the binding of organization-defined security attributes to information in storage.
GEN001364-ESXI5-PNF Medium The /etc/resolv.conf file must have mode 0644 or less permissive.
SRG-OS-000211-ESXI5-PF Medium The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
SRG-OS-000252-ESXI5-PNF Medium The operating system must provide the capability to capture/record and log all content related to a user session.
SRG-OS-000210-ESXI5-PF Medium The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
GEN005305-ESXI5-PF Medium The SNMP service must use only SNMPv3 or its successors.
GEN003660-ESXI5-PNF Medium The system must log authentication informational data.
SRG-OS-000208-ESXI5-PNF Medium The operating system must associate the identity of the information producer with the information.
SRG-OS-000018-ESXI5-PNF Medium The operating system must provide the capability for a privileged administrator to configure the organization-defined security policy filters to support different security policies.
GEN008380-ESXI5-PF Medium A root kit check tool must be run on the system at least weekly.
GEN003255-ESXI5-PNF Medium The at.deny file must not have an extended ACL.
GEN001940-ESXI5-PNF Medium User start-up files must not execute world-writable programs.
GEN003610-ESXI5-PF Medium The system must not send IPv4 ICMP redirects.
GEN000588-ESXI5-PF Medium The system must use a FIPS 140-2 validated cryptographic module (operating in FIPS mode) for generating system password hashes.
GEN000400-ESXI5-000037 Medium The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
GEN007960-ESXI5-PNF Medium The ldd command must be disabled unless it protects against the execution of untrusted files.
GEN002100-ESXI5-PNF Medium The .rhosts file must not be supported in PAM.
GEN006150-ESXI5-PNF Medium The /etc/smb.conf file must not have an extended ACL.
GEN003160-ESXI5-PNF Medium Cron logging must be implemented.
GEN006260-ESXI5-PNF Medium The /etc/news/hosts.nntp (or equivalent) must have mode 0600 or less permissive.
SRG-OS-000019-ESXI5-PNF Medium The operating system must implement separation of duties through assigned information system access authorizations.
GEN003613-ESXI5-PF Medium The system must use a reverse-path filter for IPv4 network traffic when possible.
GEN007820-ESXI5-PNF Medium The system must not have IP tunnels configured.
GEN005720-ESXI5-PNF Medium NFS servers must only accept NFS requests from privileged ports on client systems.
SRG-OS-000031-ESXI5-PF Medium The operating system session lock mechanism, when activated on a device with a display screen, must place a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
GEN000595-ESXI5-000082 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
GEN001200-ESXI5-PNF Medium All system command files must have mode 0755 or less permissive.
GEN002680-ESXI5-PNF Medium System audit logs must be owned by root.
GEN006220-ESXI5-PNF Medium The smb.conf file must use the hosts option to restrict access to Samba.
GEN000500-ESXI5-PNF Medium Graphical desktop environments provided by the system must automatically lock after 15 minutes of inactivity and the system must require users to re-authenticate to unlock the environment.
GEN006330-ESXI5-PNF Medium The /etc/news/passwd.nntp file must not have an extended ACL.
GEN001475-ESXI5-PNF Medium The /etc/group file must not contain any group password hashes.
GEN001860-ESXI5-PNF Medium All local initialization files must be owned by the user or root.
GEN000246-ESXI5-PNF Medium The system time synchronization method must use cryptographic algorithms to verify the authenticity and integrity of the time data.
GEN005365-ESXI5-PNF Medium The snmpd.conf file must be group-owned by root, bin, sys, or system.
SRG-OS-000120-ESXI5-PF Medium The operating system must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
GEN008740-ESXI5-PNF Medium The system's boot loader configuration file(s) must not have extended ACLs.
SRG-OS-000013-ESXI5-PF Medium The operating system must enforce organization-defined limitations on the embedding of data types within other data types.
GEN005610-ESXI5-PNF Medium The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.
SRG-OS-000068-ESXI5-PF Medium The operating system, for PKI-based authentication, must map the authenticated identity to the user account.
GEN003240-ESXI5-PNF Medium The cron.allow file must be owned by root, bin, or sys.
GEN005240-ESXI5-PNF Medium The .Xauthority utility must only permit access to authorized hosts.
GEN002800-ESXI5-PNF Medium The audit system must be configured to audit login, logout, and session initiation.
GEN005507-ESXI5-000099 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
GEN000610-ESXI5-000083 Medium The system must require that passwords contain at least one lowercase alphabetic character.
SRG-OS-99999-ESXI5-000135 Medium The system must disable DCUI to prevent local administrative control.
SRG-OS-000170-ESXI5-PF Medium The operating system must employ FIPS-validated cryptography to protect unclassified information.
GEN006310-ESXI5-PNF Medium The /etc/news/nnrp.access file must not have an extended ACL.
GEN002540-ESXI5-PNF Medium All public directories must be group-owned by root or an application group.
SRG-OS-000172-ESXI5-PF Medium The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals.
GEN004510-ESXI5-PNF Medium The SMTP service log file must not have an extended ACL.
SRG-OS-000169-ESXI5-PNF Medium The operating system must implement required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
GEN003640-ESXI5-PNF Medium The root file system must employ journaling or another mechanism ensuring file system consistency.
GEN001190-ESXI5-PNF Medium All network services daemon files must not have extended ACLs.
SRG-OS-000075-ESXI5-PNF Medium The operating system must enforce minimum password lifetime restrictions.
GEN003501-ESXI5-PNF Low The system must be configured to store any process core dumps in a specific, centralized directory.
GEN003611-ESXI5-PNF Low The system must log martian packets.
GEN008440-ESXI5-PNF Low Automated file system mounting tools must not be enabled unless needed.
SRG-OS-99999-ESXI5-000155 Low Active Directory "ESX Admin" group membership must be verified.
SRG-OS-99999-ESXI5-000150 Low SAN resources must be masked and zoned appropriately.
SRG-OS-99999-ESXI5-000151 Low The system must prevent unintended use of dvfilter network APIs.
SRG-OS-99999-ESXI5-000153 Low The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period.
SRG-OS-99999-ESXI5-000159 Low The system must verify the integrity of the installation media before installing ESXi.
ESXI5-VM-000033 Low The system must disable VIX messages from the VM.
GEN000454-ESXI5-PF Low The system must display the number of unsuccessful login attempts since the last successful login for a user account upon logging in.
GEN001560-ESXI5-PNF Low All files and directories contained in users' home directories must have mode 0750 or less permissive.
GEN005529-ESXI5-708 Low The SSH client must not send environment variables to the server or must only send those pertaining to locale.
GEN000452-ESXI5-PF Low The system must display the date and time of the last successful account login upon login.
GEN008500-ESXI5-000123 Low The system must have IEEE 1394 (Firewire) disabled unless needed.
ESXI5-VM-000002 Low The system must disable tools auto install.
ESXI5-VM-000028 Low The unexposed feature keyword "isolation.tools.unityActive.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000029 Low The unexposed feature keyword "isolation.tools.unity.windowContents.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000020 Low The unexposed feature keyword "isolation.ghi.host.shellAction.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000021 Low The unexposed feature keyword "isolation.tools.dispTopoRequest.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000022 Low The unexposed feature keyword "isolation.tools.trashFolderState.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000023 Low The unexposed feature keyword "isolation.tools.ghi.trayicon.disable" must be initialized to decrease the VM's potential attack vectors.
GEN005517-ESXI5-000101 Low The SSH daemon must be configured to not allow gateway ports.
ESXI5-VM-000025 Low The unexposed feature keyword "isolation.tools.unityInterlockOperation.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000027 Low The unexposed feature keyword "isolation.tools.unity.taskbar.disable" must be initialized to decrease the VM's potential attack vectors.
GEN001460-ESXI5-PNF Low All interactive user home directories defined in the /etc/passwd file must exist.
GEN001280-ESXI5-PNF Low Manual page files must have mode 0644 or less permissive.
GEN002718-ESXI5-PNF Low System audit tool executables must not have extended ACLs.
GEN001080-ESXI5-PNF Low The root shell must be located in the / file system.
SRG-OS-99999-ESXI5-000154 Low The system must use Active Directory for local user authentication.
GEN003621-ESXI5-PF Low The system must use a separate file system for /var.
GEN000850-ESXI5-PNF Low The system must restrict the ability to switch to the root user for members of a defined group.
ESXI5-VM-000050 Low The system must use templates to deploy VMs whenever possible.
GEN001780-ESXI5-PNF Low Global initialization files must contain the mesg -n or mesg n commands.
ESXI5-VMNET-000022 Low vSphere management traffic must be on a restricted network.
ESXI5-VMNET-000023 Low Access to the management network must be strictly controlled.
ESXI5-VMNET-000020 Low The system must ensure there are no unused ports on a distributed virtual port group.
ESXI5-VMNET-000026 Low The system must disable the autoexpand option for VDS dvPortgroups.
ESXI5-VMNET-000024 Low Access to the management network must be strictly controlled.
GEN005518-ESXI5-704 Low The SSH client must be configured to not allow gateway ports.
GEN003602-ESXI5-PF Low The system must not process ICMP timestamp requests.
GEN001290-ESXI5-PNF Low All manual page files must not have extended ACLs.
ESXI5-VMNET-000021 Low vMotion traffic must be isolated.
GEN004660-ESXI5-PNF Low The SMTP service must not have the EXPN feature active.
GEN001540-ESXI5-PNF Low All files and directories contained in interactive users' home directories must be owned by the home directory's owner.
ESXI5-VM-000051 Low The system must control access to VMs through the dvfilter network APIs.
GEN004560-ESXI5-PNF Low The SMTP service's SMTP greeting must not provide version information.
GEN001960-ESXI5-PNF Low User start-up files must not contain the mesg -y or mesg y command.
GEN008480-ESXI5-000122 Low The system must have USB Mass Storage disabled unless needed.
GEN003500-ESXI5-PNF Low Process core dumps must be disabled unless needed.
ESXI5-VM-000043 Low The system must limit informational messages from the VM to the VMX file.
GEN003620-ESXI5-PF Low A separate file system must be used for user home directories (such as /home or equivalent).
GEN005519-ESXI5-000102 Low The SSH daemon must be configured to not allow X11 forwarding.
ESXI5-VM-000015 Low The unexposed feature keyword "isolation.bios.bbs.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000014 Low The unexposed feature keyword "isolation.tools.ghi.autologon.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000017 Low The unexposed feature keyword "isolation.tools.ghi.launchmenu.change" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000016 Low The unexposed feature keyword "isolation.tools.getCreds.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000019 Low The unexposed feature keyword "isolation.tools.ghi.protocolhandler.info.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000018 Low The unexposed feature keyword "isolation.tools.memSchedFakeSampleStats.disable" must be initialized to decrease the VM's potential attack vectors.
GEN002500-ESXI5-PNF Low The sticky bit must be set on all public directories.
GEN005770-ESXI5-PNF Low The NFS exports configuration file must not have an extended ACL.
GEN000900-ESXI5-PF Low The root user's home directory must not be the root directory (/).
GEN005533-ESXI5-000109 Low The SSH daemon must limit connections to a single session.
GEN005526-ESXI5-000105 Low The SSH daemon must not permit Kerberos authentication unless needed.
SRG-OS-99999-ESXI5-000147 Low The system must ensure uniqueness of CHAP authentication secrets.
GEN005525-ESXI5-9994 Low The SSH client must not permit GSSAPI authentication unless needed.
GEN000380-ESXI5-000043 Low The GID assigned to a user must exist.
GEN003502-ESXI5-PNF Low The centralized process core dump data directory must be owned by root.
GEN003624-ESXI5-PF Low The system must use a separate file system for /tmp (or equivalent).
GEN005528-ESXI5-000106 Low The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.
GEN003504-ESXI5-PNF Low The centralized process core dump data directory must have mode 0700 or less permissive.
GEN002751-ESXI5-PNF Low The audit system must be configured to audit account modification.
GEN005520-ESXI5-705 Low The SSH client must be configured to not allow X11 forwarding.
GEN001440-ESXI5-PNF Low All interactive users must be assigned a home directory in the /etc/passwd file.
ESXI5-VMNET-000025 Low Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic.
GEN008800-ESXI5-PNF Low The system package management tool must cryptographically verify the authenticity of software packages during installation.
ESXI5-VM-000026 Low The unexposed feature keyword "isolation.tools.unity.push.update.disable" must be initialized to decrease the VM's potential attack vectors.
GEN005516-ESXI5-703 Low The SSH client must be configured to not allow TCP forwarding.
GEN004440-ESXI5-PNF Low Sendmail logging must not be set to less than nine in the sendmail.cf file.
GEN008420-ESXI5-PNF Low The system must use available memory address randomization techniques.
GEN003800-ESXI5-PNF Low Inetd or xinetd logging/tracing must be enabled.
GEN003623-ESXI5-PNF Low The system must use a separate file system for the system audit data path.
GEN002715-ESXI5-PNF Low System audit tool executables must be owned by root.
GEN002260-ESXI5-000047 Low The system must be checked for extraneous device files at least weekly.
GEN006570-ESXI5-PNF Low The file integrity tool must be configured to verify ACLs.
GEN002716-ESXI5-PNF Low System audit tool executables must be group-owned by root, bin, sys, or system.
GEN008820-ESXI5-PNF Low The system package management tool must not automatically obtain updates.
ESXI5-VM-000003 Low The system must explicitly disable copy operations.
ESXI5-VM-000006 Low The system must explicitly disable paste operations.
ESXI5-VM-000004 Low The system must explicitly disable drag and drop operations.
ESXI5-VM-000005 Low The system must explicitly disable any GUI functionality for copy/paste operations.
GEN002750-ESXI5-PNF Low The audit system must be configured to audit account creation.
GEN003522-ESXI5-PNF Low The kernel core dump data directory must have mode 0700 or less permissive.
GEN003521-ESXI5-PNF Low The kernel core dump data directory must be group-owned by root, bin, sys, or system.
GEN000510-ESXI5-PNF Low The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
GEN002753-ESXI5-PNF Low The audit system must be configured to audit account termination.
ESXI5-VM-000024 Low The unexposed feature keyword "isolation.tools.unity.disable" must be initialized to decrease the VM's potential attack vectors.
SRG-OS-99999-ESXI5-000143 Low The system must enable SSL for NFC.
SRG-OS-99999-ESXI5-000141 Low The system must enable bidirectional CHAP authentication for iSCSI traffic.
GEN003220-ESXI5-PNF Low Cron programs must not set the umask to a value less restrictive than 077.
GEN003520-ESXI5-PNF Low The kernel core dump data directory must be owned by root.
GEN004700-ESXI5-PNF Low The Sendmail service must not have the wizard backdoor active.
ESXI5-VMNET-000008 Low All physical switch ports must be configured with spanning tree disabled.
ESXI5-VMNET-000009 Low All port groups must be configured with a clear network label.
ESXI5-VMNET-000004 Low Virtual switch VLANs must be fully documented and have only the required VLANs.
ESXI5-VMNET-000005 Low All vSwitch and VLAN IDs must be fully documented.
ESXI5-VMNET-000006 Low All IP-based storage traffic must be isolated.
ESXI5-VMNET-000007 Low Only authorized administrators must have access to virtual networking components.
ESXI5-VMNET-000001 Low All dvPortgroup VLAN IDs must be fully documented.
ESXI5-VMNET-000002 Low All dvSwitch Private VLAN IDs must be fully documented.
ESXI5-VMNET-000003 Low All virtual switches must have a clear network label.
GEN002717-ESXI5-PNF Low System audit tool executables must have mode 0750 or less permissive.
GEN002719-ESXI5-PF Low The audit system must alert the SA in the event of an audit processing failure.
GEN002752-ESXI5-PNF Low The audit system must be configured to audit account disabling.
ESXI5-VM-000031 Low The unexposed feature keyword "isolation.tools.guestDnDVersionSet.disable" must be initialized to decrease the VM's potential attack vectors.
ESXI5-VM-000030 Low The unexposed feature keyword "isolation.tools.vmxDnDVersionGet.disable" must be initialized to decrease the VM's potential attack vectors.
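The ESXI5-VM findings above that name an "unexposed feature keyword" (ESXI5-VM-000014 through 000019, 000024, 000026, 000030, 000031) and the copy/paste/drag-and-drop findings (ESXI5-VM-000003 through 000006) all reduce to key = "value" lines in the VM's .vmx file. The wording "must be initialized" is the security-relevant point: an absent keyword is a finding, not a pass, because the default behaviour is the exposed one. The following audit is an added example, not part of the STIG or VMware's tooling. The isolation.* keyword names are taken from the finding titles; the required values (TRUE, or FALSE for setGUIOptions) and the four copy/paste/drag-and-drop key names are taken from the STIG check text and VMware's hardening guide and are an assumption of this example. The sample .vmx content is constructed.

```python
"""Audit a .vmx file for the isolation.* and copy/paste keywords in the
ESXi 5 STIG findings (added example, not STIG or VMware code)."""
import re

# Keyword -> required value. Names of the isolation.* keywords come from the
# finding titles; the TRUE/FALSE values and the copy/paste/dnd/setGUIOptions
# keys are assumed from the STIG check text and VMware hardening guide.
REQUIRED = {
    "isolation.tools.copy.disable": "TRUE",                      # ESXI5-VM-000003
    "isolation.tools.dnd.disable": "TRUE",                       # ESXI5-VM-000004
    "isolation.tools.setGUIOptions.enable": "FALSE",             # ESXI5-VM-000005
    "isolation.tools.paste.disable": "TRUE",                     # ESXI5-VM-000006
    "isolation.tools.ghi.autologon.disable": "TRUE",             # ESXI5-VM-000014
    "isolation.bios.bbs.disable": "TRUE",                        # ESXI5-VM-000015
    "isolation.tools.getCreds.disable": "TRUE",                  # ESXI5-VM-000016
    "isolation.tools.ghi.launchmenu.change": "TRUE",             # ESXI5-VM-000017
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",   # ESXI5-VM-000018
    "isolation.tools.ghi.protocolhandler.info.disable": "TRUE",  # ESXI5-VM-000019
    "isolation.tools.unity.disable": "TRUE",                     # ESXI5-VM-000024
    "isolation.tools.unity.push.update.disable": "TRUE",         # ESXI5-VM-000026
    "isolation.tools.vmxDnDVersionGet.disable": "TRUE",          # ESXI5-VM-000030
    "isolation.tools.guestDnDVersionSet.disable": "TRUE",        # ESXI5-VM-000031
}

# key = "value"  (quotes optional, comment lines start with '#')
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return {key.lower(): value} for every key = "value" line.
    Keys are compared case-insensitively; a repeated key keeps the last value."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text, required=REQUIRED):
    """Return [(keyword, expected, actual)] for each non-compliant keyword.
    actual is None when the keyword is absent, and absent counts as a
    finding: the STIG requires the keyword to be initialized explicitly."""
    settings = parse_vmx(text)
    findings = []
    for key, expected in required.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed sample: one wrong value, two keywords never initialized.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.bios.bbs.disable = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.ghi.protocolhandler.info.disable = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.unity.disable = "TRUE"
isolation.tools.guestDnDVersionSet.disable = "TRUE"
"""

if __name__ == "__main__":
    for key, expected, actual in audit_vmx(SAMPLE_VMX):
        state = "NOT SET" if actual is None else 'is "%s"' % actual
        print("FINDING %s: expected %s, %s" % (key, expected, state))
```

Run it against the output of `cat /vmfs/volumes/<datastore>/<vm>/<vm>.vmx` on the host, or against a copy of the file; the sample run reports the paste keyword (wrong value) and the dnd and vmxDnDVersionGet keywords (never initialized). Edits made to a .vmx file by hand take effect only after the VM is powered off and re-registered, so re-run the audit after the change, not before.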
GEN003650-ESXI5-PNF Low All local file systems must employ journaling or another mechanism ensuring file system consistency.
GEN004680-ESXI5-PNF Low The SMTP service must not have the VRFY feature active.
GEN005530-ESXI5-000107 Low The SSH daemon must not permit user environment settings.
GEN003860-ESXI5-PNF Low The system must not have the finger service active.
GEN003523-ESXI5-PNF Low The kernel core dump data directory must not have an extended ACL.
GEN005515-ESXI5-000100 Low The SSH daemon must be configured to not allow TCP connection forwarding.
GEN002870-ESXI5-PNF Low The system must be configured to send audit records to a remote audit server.
GEN008460-ESXI5-000121 Low The system must have USB disabled unless needed.
GEN001490-ESXI5-PNF Low User home directories must not have extended ACLs.
GEN000244-ESXI5-000163 Low The system must use time sources local to the enclave.
GEN003503-ESXI5-PNF Low The centralized process core dump data directory must be group-owned by root, bin, sys, or system.
GEN006575-ESXI5-PNF Low The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents.
GEN005524-ESXI5-000104 Low The SSH daemon must not permit GSSAPI authentication unless needed.
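The SSH findings above split into daemon checks on sshd_config (GEN005515, GEN005519, GEN005524, GEN005526, GEN005528, GEN005530, GEN005533) and client checks on ssh_config (GEN005518, GEN005520, GEN005525). Two OpenSSH parsing rules decide whether a check passes and are easy to get wrong with a plain grep: keywords are case-insensitive, and for almost every keyword the first occurrence in the file wins, so a hardened line appended after an earlier permissive one changes nothing. The audit below is an added example, not STIG or VMware code. The OpenSSH directive names are real; mapping MaxSessions 1 to GEN005533 and treating an absent directive as a finding for every rule except AcceptEnv (GEN005528 explicitly allows accepting nothing at all) is this example's reading of the check text and is an assumption. Both configuration samples are constructed.

```python
"""Audit the global section of sshd_config and ssh_config against the
ESXi 5 STIG SSH findings (added example, not STIG or VMware code)."""
import re


def parse_ssh_config(text):
    """Return ({keyword: value}, conditional_block_seen) for the global section.

    Keywords are lower-cased. The FIRST occurrence of a keyword wins, as in
    OpenSSH, except AcceptEnv, whose values accumulate. Lines after a Match
    block (sshd_config) or a Host block other than "Host *" (ssh_config) are
    conditional, so parsing stops there and the caller is told to review them."""
    settings = {}
    conditional = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match" or (key == "host" and value != "*"):
            conditional = True
            break
        if key == "acceptenv":
            settings[key] = (settings.get(key, "") + " " + value).strip()
        else:
            settings.setdefault(key, value)
    return settings, conditional


def _is_no(value):
    return value.lower() == "no"


def _locale_only(value):
    # GEN005528: only locale variables (LANG, LC_*) may be accepted.
    return all(n.upper().startswith(("LANG", "LC_")) for n in value.split())


# (finding id, keyword, check, required). required=False: absent is compliant.
SSHD_RULES = [
    ("GEN005519-ESXI5-000102", "x11forwarding", _is_no, True),
    ("GEN005515-ESXI5-000100", "allowtcpforwarding", _is_no, True),
    ("GEN005530-ESXI5-000107", "permituserenvironment", _is_no, True),
    ("GEN005524-ESXI5-000104", "gssapiauthentication", _is_no, True),
    ("GEN005526-ESXI5-000105", "kerberosauthentication", _is_no, True),
    ("GEN005533-ESXI5-000109", "maxsessions", lambda v: v == "1", True),
    ("GEN005528-ESXI5-000106", "acceptenv", _locale_only, False),
]
SSH_CLIENT_RULES = [
    ("GEN005520-ESXI5-705", "forwardx11", _is_no, True),
    ("GEN005518-ESXI5-704", "gatewayports", _is_no, True),
    ("GEN005525-ESXI5-9994", "gssapiauthentication", _is_no, True),
]


def audit_ssh_config(text, rules):
    """Return [(finding id, keyword, actual)] for each rule not satisfied;
    actual is None when a required keyword is missing."""
    settings, conditional = parse_ssh_config(text)
    findings = []
    for fid, key, check, required in rules:
        actual = settings.get(key)
        if actual is None:
            if required:
                findings.append((fid, key, None))
        elif not check(actual):
            findings.append((fid, key, actual))
    if conditional:
        findings.append(("MANUAL", "Match/Host", "conditional block present"))
    return findings


# Constructed samples, not real ESXi files.
SAMPLE_SSHD = """\
Protocol 2
X11Forwarding yes
X11Forwarding no          # ignored by sshd: the first X11Forwarding line wins
AllowTcpForwarding no
PermitUserEnvironment no
GSSAPIAuthentication no
AcceptEnv LANG LC_*
AcceptEnv XMODIFIERS
MaxSessions 1
"""
SAMPLE_SSH = """\
Host *
    ForwardX11 no
    GatewayPorts no
    GSSAPIAuthentication yes
"""

if __name__ == "__main__":
    for name, text, rules in (("sshd_config", SAMPLE_SSHD, SSHD_RULES),
                              ("ssh_config", SAMPLE_SSH, SSH_CLIENT_RULES)):
        for fid, key, actual in audit_ssh_config(text, rules):
            print("%s %s: %s = %r" % (name, fid, key, actual))
```

On the host, feed it the contents of /etc/ssh/sshd_config and /etc/ssh/ssh_config. The sshd sample shows three findings: X11Forwarding is effectively "yes" despite the later "no" line, KerberosAuthentication is never set, and AcceptEnv admits XMODIFIERS on top of the locale variables. The client sample shows one (GSSAPIAuthentication). A Match or non-wildcard Host block is reported rather than evaluated, since settings inside it apply only to matching connections and need to be read by hand.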
GEN005760-ESXI5-PNF Low The NFS export configuration file must have mode 0644 or less permissive.
GEN003505-ESXI5-PNF Low The centralized process core dump data directory must not have an extended ACL.
GEN006571-ESXI5-PNF Low The file integrity tool must be configured to verify extended attributes.
GEN001375-ESXI5-000086 Low For systems using DNS resolution, at least two name servers must be configured.