VMware vSphere ESXi 6.0 Security Technical Implementation Guide


Overview

Date: 2019-01-04
Finding Count: 108 (CAT I (High): 8, CAT II (Med): 68, CAT III (Low): 32)
STIG Description
The VMware vSphere ESXi Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-63263 High The Image Profile and VIB Acceptance Levels must be verified.
V-63311 High The system must verify the integrity of the installation media before installing ESXi.
V-63313 High The system must have all security patches and updates installed.
V-63289 High The virtual switch MAC Address Change policy must be set to reject.
V-63901 High The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIB Acceptance Levels.
V-63191 High The SSH daemon must be configured to use only the SSHv2 protocol.
V-63199 High The SSH daemon must not allow authentication using an empty password.
V-63823 High The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIB Acceptance Levels.
V-63147 Medium The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
V-63259 Medium The system must enable a persistent log location for all locally stored logs.
V-63255 Medium The system must log out of the console UI after a predetermined period.
V-63251 Medium The system must set a timeout to automatically disable idle sessions after a predetermined period.
V-63253 Medium The system must terminate shell services after a predetermined period.
V-63867 Medium The VMM must enforce password complexity by requiring that at least one numeric character be used.
V-63485 Medium The VMM must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-63269 Medium The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.
V-63177 Medium Remote logging for ESXi hosts must be configured.
V-63179 Medium The system must enforce the limit of three consecutive invalid logon attempts by a user.
V-63265 Medium The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
V-63267 Medium The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
V-63465 Medium The system must enable lockdown mode to restrict remote access.
V-63299 Medium All port groups must not be configured to VLAN values reserved by upstream physical switches.
V-63779 Medium The VMM must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-63477 Medium The VMM must support the capability to centrally review and analyze audit records from multiple components within the system by configuring remote logging.
V-63291 Medium The virtual switch Promiscuous Mode policy must be set to reject.
V-63773 Medium The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout.
V-63777 Medium The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown.
V-63775 Medium The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout on shell services.
V-63309 Medium The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.
V-63301 Medium The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
V-73129 Medium The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
V-63305 Medium Virtual switch VLANs must be fully documented and have only the required VLANs.
V-63915 Medium The VMM must off-load audit records onto a different system or media than the system being audited by configuring remote logging.
V-63283 Medium The system must configure the firewall to block network traffic by default.
V-63919 Medium The VMM must enforce a minimum 15-character password length.
V-63287 Medium The virtual switch Forged Transmits policy must be set to reject.
V-63275 Medium SNMP must be configured properly.
V-63757 Medium The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.
V-63281 Medium The system must configure the firewall to restrict access to services running on the host.
V-63903 Medium The VMM must protect audit information from unauthorized deletion by configuring remote logging.
V-63905 Medium The VMM must require the change of at least 8 of the total number of characters when passwords are changed.
V-63909 Medium The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy.
V-63293 Medium The system must prevent unintended use of the dvFilter network APIs.
V-63295 Medium All port groups must be configured to a value other than that of the native VLAN.
V-63297 Medium All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
V-63193 Medium The SSH daemon must ignore .rhosts files.
V-63195 Medium The SSH daemon must not allow host-based authentication.
V-63203 Medium The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-63201 Medium The SSH daemon must not permit user environment settings.
V-63209 Medium The SSH daemon must perform strict mode checking of home directory configuration files.
V-63501 Medium The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.
V-63181 Medium The system must enforce the unlock timeout of 15 minutes after a user account is locked out.
V-63183 Medium The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-63185 Medium The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-63187 Medium The SSH daemon must be configured with the Department of Defense (DoD) login banner.
V-63189 Medium The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
V-63833 Medium The VMM must protect audit information from unauthorized modification by configuring remote logging.
V-63211 Medium The SSH daemon must not allow compression or must only allow compression after successful authentication.
V-63215 Medium The SSH daemon must be configured to not allow X11 forwarding.
V-63217 Medium The SSH daemon must not accept environment variables from the client.
V-63219 Medium The SSH daemon must not permit tunnels.
V-63531 Medium The VMM must enforce password complexity by requiring that at least one lower-case character be used.
V-63923 Medium The VMM must enforce password complexity by requiring that at least one special character be used.
V-63921 Medium The VMM must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly by configuring remote logging.
V-63261 Medium The system must configure NTP time synchronization.
V-63885 Medium The VMM must provide the capability to immediately disconnect or disable remote access to the information system by disabling SSH.
V-63225 Medium The SSH daemon must limit connections to a single session.
V-63227 Medium The system must remove keys from the SSH authorized_keys file.
V-63245 Medium The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
V-63241 Medium The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
V-63233 Medium The system must prohibit the reuse of passwords within five iterations.
V-63231 Medium The VMM must enforce password complexity by requiring that at least one upper-case character be used.
V-63237 Medium The system must disable the Managed Object Browser (MOB).
V-63239 Medium The VMM must be configured to disable non-essential capabilities by disabling SSH.
V-63895 Medium The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy.
V-63235 Medium The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
V-63257 Low The system must enable kernel core dumps.
V-63229 Low The system must produce audit records containing information to establish what type of events occurred.
V-63173 Low The system must verify the DCUI.Access list.
V-63175 Low The system must verify the exception users list for lockdown mode.
V-63771 Low The VMM must accept Personal Identity Verification (PIV) credentials.
V-63303 Low All physical switch ports must be configured with spanning tree disabled.
V-63913 Low The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-63769 Low The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.
V-63285 Low The system must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
V-63911 Low The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.
V-63277 Low The system must enable bidirectional CHAP authentication for iSCSI traffic.
V-63273 Low The system must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.
V-63271 Low The system must protect the confidentiality and integrity of transmitted information.
V-63605 Low The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.
V-63279 Low The system must disable Inter-VM transparent page sharing.
V-63907 Low The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication.
V-63197 Low The SSH daemon must not permit root logins.
V-63207 Low The SSH daemon must not permit Kerberos authentication.
V-63205 Low The SSH daemon must not permit GSSAPI authentication.
V-63509 Low The VMM must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-63213 Low The SSH daemon must be configured to not allow gateway ports.
V-73135 Low The system must configure the VSAN Datastore name to a unique name.
V-63221 Low The SSH daemon must set a timeout count on idle sessions.
V-63223 Low The SSH daemon must set a timeout interval on idle sessions.
V-73131 Low The system must enable the VSAN Health Check.
V-63249 Low The system must use multifactor authentication for local access to privileged accounts.
V-63247 Low Active Directory ESX Admin group membership must not be used.
V-73133 Low The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.
V-63243 Low The system must use Active Directory for local user authentication.
V-63899 Low The VMM must electronically verify Personal Identity Verification (PIV) credentials.
V-63897 Low The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.
V-63893 Low The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication.