UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 8.0 ESXi Security Technical Implementation Guide


Overview

Date Finding Count (73)
2023-10-11 CAT I (High): 5 CAT II (Med): 63 CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-258749 High The ESXi host must maintain the confidentiality and integrity of information during transmission by exclusively enabling Transport Layer Security (TLS) 1.2.
V-258746 High The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.
V-258732 High The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
V-258776 High The ESXi host must have all security patches and updates installed.
V-258772 High The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes.
V-258769 Medium The ESXi host must configure the firewall to block network traffic by default.
V-258753 Medium The ESXi host Secure Shell (SSH) daemon must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
V-258789 Medium The ESXi host must enable strict x509 verification for SSL syslog endpoints.
V-258788 Medium The ESXi host must off-load audit records via syslog.
V-258787 Medium The ESXi host must enable audit logging.
V-258786 Medium The ESXi host OpenSLP service must be disabled.
V-258785 Medium The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
V-258784 Medium The ESXi host must use DOD-approved certificates.
V-258783 Medium The ESXi Common Information Model (CIM) service must be disabled.
V-258782 Medium The ESXi host must be configured with an appropriate maximum password age.
V-258781 Medium The ESXi host must configure a session timeout for the vSphere API.
V-258780 Medium The ESXi host must enable volatile key destruction.
V-258800 Medium The ESXi host must not enable log filtering.
V-258754 Medium The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).
V-258729 Medium The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
V-258728 Medium The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
V-258757 Medium The ESXi host must set a timeout to automatically end idle DCUI sessions after 10 minutes.
V-258761 Medium The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
V-258760 Medium The ESXi host lockdown mode exception users list must be verified.
V-258748 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
V-258764 Medium The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
V-258767 Medium The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c.
V-258743 Medium The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
V-258742 Medium The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
V-258741 Medium The ESXi host must enable Secure Boot.
V-258740 Medium The ESXi host must implement Secure Boot enforcement.
V-258747 Medium The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic.
V-258745 Medium The ESXi host must synchronize internal information system clocks to an authoritative time source.
V-258744 Medium The ESXi host must off-load logs via syslog.
V-258734 Medium The ESXi host must enforce password complexity by configuring a password quality policy.
V-258798 Medium The ESXi host must enforce the exclusive running of executables from approved VIBs.
V-258799 Medium The ESXi host must use sufficient entropy for cryptographic operations.
V-258755 Medium The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell.
V-258794 Medium The ESXi host must configure the firewall to restrict access to services running on the host.
V-258795 Medium The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
V-258796 Medium The ESXi host must not use the default Active Directory ESX Admin group.
V-258797 Medium The ESXi host must configure a persistent log location for all locally stored logs.
V-258790 Medium The ESXi host must forward audit records containing information to establish what type of events occurred.
V-258792 Medium The ESXi host must not be configured to override virtual machine (VM) logger settings.
V-258793 Medium The ESXi host must require TPM-based configuration encryption.
V-258738 Medium The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.
V-258762 Medium The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
V-258733 Medium The ESXi must produce audit records containing information to establish what type of events occurred.
V-258730 Medium The ESXi host must enable lockdown mode.
V-258731 Medium The ESXi host client must be configured with an idle session timeout.
V-258736 Medium The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).
V-258791 Medium The ESXi host must not be configured to override virtual machine (VM) configurations.
V-258735 Medium The ESXi host must prohibit password reuse for a minimum of five generations.
V-258758 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic.
V-258759 Medium The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-258756 Medium The ESXi host must automatically stop shell services after 10 minutes.
V-258778 Medium The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.
V-258779 Medium The ESXi host must verify certificates for SSL syslog endpoints.
V-258751 Medium The ESXi host DCUI.Access list must be verified.
V-258752 Medium The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
V-258775 Medium The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
V-258773 Medium The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.
V-258770 Medium The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
V-258771 Medium The ESXi host must configure virtual switch security policies to reject forged transmits.
V-258750 Medium The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers.
V-258739 Medium The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes.
V-258777 Medium The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.
V-258774 Medium The ESXi host must restrict use of the dvFilter network application programming interface (API).
V-258768 Low The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing.
V-258765 Low The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
V-258766 Low The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
V-258763 Low The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
V-258737 Low The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.