
VMware vSphere 6.5 ESXi Security Technical Implementation Guide


Overview

Date: 2021-06-23
Finding Count: 72 (CAT I (High): 6, CAT II (Med): 47, CAT III (Low): 19)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-207648 High The ESXi Image Profile and VIB Acceptance Levels must be verified.
V-207669 High The ESXi host must verify the integrity of the installation media before installing ESXi.
V-207659 High The virtual switch MAC Address Change policy must be set to reject on the ESXi host.
V-207670 High The ESXi host must have all security patches and updates installed.
V-207612 High The ESXi host SSH daemon must be configured to use only the SSHv2 protocol.
V-207616 High The ESXi host SSH daemon must not allow authentication using an empty password.
V-207649 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
V-207662 Medium For the ESXi host all port groups must be configured to a value other than that of the native VLAN.
V-207642 Medium The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes.
V-207643 Medium The ESXi host must terminate shell services after 10 minutes.
V-207646 Medium The ESXi host must enable a persistent log location for all locally stored logs.
V-207647 Medium The ESXi host must configure NTP time synchronization.
V-207644 Medium The ESXi host must logout of the console UI after 10 minutes.
V-207667 Medium All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.
V-207660 Medium The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.
V-207661 Medium The ESXi host must prevent unintended use of the dvFilter network APIs.
V-207608 Medium The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-207609 Medium The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-207606 Medium The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
V-207621 Medium The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.
V-207602 Medium The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
V-207626 Medium The ESXi host SSH daemon must not permit tunnels.
V-207607 Medium The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.
V-207605 Medium Remote logging for ESXi hosts must be configured.
V-207624 Medium The ESXi host SSH daemon must be configured to not allow X11 forwarding.
V-207625 Medium The ESXi host SSH daemon must not accept environment variables from the client.
V-207618 Medium The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-207629 Medium The ESXi host SSH daemon must limit connections to a single session.
V-207673 Medium The ESXi host must enable Secure Boot.
V-207658 Medium The virtual switch Forged Transmits policy must be set to reject on the ESXi host.
V-207655 Medium The ESXi host must configure the firewall to restrict access to services running on the host.
V-207656 Medium The ESXi host must configure the firewall to block network traffic by default.
V-207650 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.
V-207652 Medium SNMP must be configured properly on the ESXi host.
V-207611 Medium The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
V-207610 Medium The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-207674 Medium The ESXi host must use DoD-approved certificates.
V-207668 Medium The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.
V-207617 Medium The ESXi host SSH daemon must not permit user environment settings.
V-207632 Medium The ESXi host must enforce password complexity by requiring that at least one upper-case character be used.
V-207630 Medium The ESXi host must remove keys from the SSH authorized_keys file.
V-207637 Medium The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
V-207636 Medium The ESXi host must be configured to disable non-essential capabilities by disabling SSH.
V-207635 Medium The ESXi host must disable the Managed Object Browser (MOB).
V-207634 Medium The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-207664 Medium For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches.
V-207663 Medium For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-207665 Medium For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
V-207613 Medium The ESXi host SSH daemon must ignore .rhosts files.
V-207633 Medium The ESXi host must prohibit the reuse of passwords within five iterations.
V-207639 Medium The ESXi host must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
V-207622 Medium The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.
V-207614 Medium The ESXi host SSH daemon must not allow host-based authentication.
V-207640 Low Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
V-207641 Low The ESXi host must use multifactor authentication for local access to privileged accounts.
V-207645 Low The ESXi host must enable kernel core dumps.
V-207628 Low The ESXi host SSH daemon must set a timeout interval on idle sessions.
V-207620 Low The ESXi host SSH daemon must not permit Kerberos authentication.
V-207666 Low All ESXi host-connected physical switch ports must be configured with spanning tree disabled.
V-207604 Low The ESXi host must verify the exception users list for lockdown mode.
V-207623 Low The ESXi host SSH daemon must be configured to not allow gateway ports.
V-207603 Low The ESXi host must verify the DCUI.Access list.
V-207627 Low The ESXi host SSH daemon must set a timeout count on idle sessions.
V-207638 Low The ESXi host must use Active Directory for local user authentication.
V-207654 Low The ESXi host must disable Inter-VM transparent page sharing.
V-207657 Low The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
V-207651 Low The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.
V-207653 Low The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.
V-207675 Low The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.
V-207615 Low The ESXi host SSH daemon must not permit root logins.
V-207619 Low The ESXi host SSH daemon must not permit GSSAPI authentication.
V-207631 Low The ESXi host must produce audit records containing information to establish what type of events occurred.