STIGQter: STIG Summary: VMware ESXi Server 5.0 Security Technical Implementation Guide

Version: 1

Release: 10
Benchmark Date: 27 Jan 2017

Name             Title
SV-51062r1_rule  The system must prevent the use of dictionary words for passwords.
SV-51063r1_rule  SNMP communities, users, and passphrases must be changed from the default.
SV-51064r1_rule  The SSH daemon must be configured to not allow TCP connection forwarding.
SV-51065r3_rule  The SSH client must be configured to not allow TCP forwarding.
SV-51066r2_rule  The SSH daemon must be configured to not allow gateway ports.
SV-51067r2_rule  The SSH client must be configured to not allow gateway ports.
SV-51068r1_rule  There must be no .rhosts or hosts.equiv files on the system.
SV-51069r2_rule  The SSH daemon must limit connections to a single session.
SV-51070r1_rule  The system must use time sources local to the enclave.
SV-51071r1_rule  The system must require that passwords contain at least one uppercase alphabetic character.
SV-51072r1_rule  The system must require that passwords contain at least one lowercase alphabetic character.
SV-51074r1_rule  The system must require that passwords contain at least one numeric character.
SV-51075r1_rule  The system must require at least four characters be changed between the old and new passwords during a password change.
SV-51076r1_rule  The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-51077r2_rule  The system must prohibit the reuse of passwords within five iterations.
SV-51078r1_rule  The system must require that passwords contain a minimum of 14 characters.
SV-51079r1_rule  The system must enforce the entire password during authentication.
SV-51080r1_rule  System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others.
SV-51081r1_rule  The SSH daemon must be configured to not allow X11 forwarding.
SV-51082r2_rule  The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale.
SV-51083r2_rule  The SSH daemon must not permit user environment settings.
SV-51084r2_rule  The SSH daemon must not permit tunnels.
SV-51085r3_rule  The SSH client must not send environment variables to the server or must only send those pertaining to locale.
SV-51086r3_rule  The SSH client must not permit tunnels.
SV-51087r2_rule  The SSH client must be configured to not allow X11 forwarding.
SV-51089r1_rule  The root account's executable search path must be the vendor default and must contain only absolute paths.
SV-51090r1_rule  The GID assigned to a user must exist.
SV-51091r1_rule  The /etc/shells (or equivalent) file must exist.
SV-51092r1_rule  All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
SV-51093r1_rule  The system must not use removable media as the boot loader.
SV-51094r1_rule  The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures.
SV-51095r1_rule  The system must not be used as a syslog server (log host) for systems external to the enclave.
SV-51101r2_rule  The SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-51102r1_rule  The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router.
SV-51103r1_rule  The DHCP client must be disabled if not used.
SV-51104r1_rule  The system must have USB disabled unless needed.
SV-51105r1_rule  The system must have USB Mass Storage disabled unless needed.
SV-51107r1_rule  The system must have IEEE 1394 (Firewire) disabled unless needed.
SV-51108r1_rule  NTP time synchronization must be configured.
SV-51109r2_rule  Persistent logging for all ESXi hosts must be configured.
SV-51110r1_rule  The system must disable DCUI to prevent local administrative control.
SV-51111r1_rule  The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.
SV-51112r1_rule  The system must disable the Managed Object Browser (MOB).
SV-51113r2_rule  The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.
SV-51114r1_rule  The system must enable bidirectional CHAP authentication for iSCSI traffic.
SV-51115r2_rule  The system must enable SSL for NFC.
SV-51116r1_rule  The system must ensure the vpxuser auto-password change meets policy.
SV-51117r1_rule  The system must ensure the vpxuser auto-password change meets policy.
SV-51118r1_rule  The system must ensure the vpxuser password meets length policy.
SV-51119r1_rule  The system must ensure uniqueness of CHAP authentication secrets.
SV-51120r1_rule  SAN resources must be masked and zoned appropriately.
SV-51204r1_rule  The system must prevent unintended use of dvfilter network APIs.
SV-51205r1_rule  Keys from SSH authorized_keys file must be removed.
SV-51206r1_rule  The system must use Active Directory for local user authentication for accounts other than root and the vpxuser.
SV-51207r1_rule  Active Directory ESX Admin group membership must be verified unused.
SV-51208r2_rule  The contents of exposed configuration files must be verified.
SV-51209r2_rule  Unauthorized kernel modules must not be loaded on the host.
SV-51210r2_rule  The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
SV-51211r2_rule  The system must zero out VMDK files prior to deletion.
SV-51213r2_rule  Kernel core dumps must be disabled unless needed.
SV-51214r2_rule  All dvPortgroup VLAN IDs must be fully documented.
SV-51215r1_rule  All dvSwitch Private VLAN IDs must be fully documented.
SV-51216r1_rule  All virtual switches must have a clear network label.
SV-51217r1_rule  Virtual switch VLANs must be fully documented and have only the required VLANs.
SV-51218r1_rule  All vSwitch and VLAN IDs must be fully documented.
SV-51219r1_rule  All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.
SV-51220r1_rule  All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch.
SV-51221r1_rule  All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups.
SV-51222r1_rule  Only authorized administrators must have access to virtual networking components.
SV-51223r1_rule  All physical switch ports must be configured with spanning tree disabled.
SV-51224r1_rule  All port groups must be configured with a clear network label.
SV-51225r1_rule  All port groups must be configured to a value other than that of the native VLAN.
SV-51226r1_rule  All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT).
SV-51227r1_rule  All port groups must not be configured to VLAN values reserved by upstream physical switches.
SV-51228r1_rule  The system must ensure that the virtual switch Forged Transmits policy is set to reject.
SV-51229r2_rule  The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.
SV-51230r2_rule  The system must ensure the dvPortGroup MAC Address Change policy is set to reject.
SV-51231r1_rule  The system must ensure the virtual switch MAC Address Change policy is set to reject.
SV-51232r1_rule  The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
SV-51233r1_rule  The system must ensure the virtual switch Promiscuous Mode policy is set to reject.
SV-51234r2_rule  The system must ensure the dvPortgroup Promiscuous Mode policy is set to reject.
SV-51235r3_rule  The system must ensure there are no unused ports on a distributed virtual port group.
SV-51236r1_rule  vMotion traffic must be isolated.
SV-51237r1_rule  Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic.
SV-51238r3_rule  The system must disable the autoexpand option for VDS dvPortgroups.
SV-51239r1_rule  Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option.
SV-51240r1_rule  The root account's library search path must be the system default and must contain only absolute paths.
SV-51241r2_rule  The root account's list of preloaded libraries must be empty.
SV-51242r1_rule  The system must be configured to only boot from the system boot device.
SV-51243r2_rule  The system must enable lockdown mode to restrict remote access.
SV-51244r2_rule  Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled.
SV-51245r1_rule  The system must verify the integrity of the installation media before installing ESXi.
SV-51246r1_rule  All accounts on the system must have unique user or account names.
SV-51247r1_rule  All accounts must be assigned unique User Identification Numbers (UIDs).
SV-51248r1_rule  The system must disable SSH.
SV-51249r2_rule  The system must not permit root logins using remote access programs, such as SSH.
SV-51250r2_rule  The system must set a timeout for the ESXi Shell to automatically disable itself after a predetermined period.
SV-51251r1_rule  vSphere management traffic must be on a restricted network.
SV-51252r2_rule  The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-51253r1_rule  The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router.
SV-51254r1_rule  The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices.
SV-51255r1_rule  The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
SV-51256r1_rule  The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
SV-51257r1_rule  The operating system must enforce requirements for remote connections to the information system.
SV-51258r1_rule  Access to the management network must be strictly controlled through a network gateway.
SV-51259r1_rule  Access to the management network must be strictly controlled through a network jump box.
SV-51260r2_rule  The SSH client must be configured to not use CBC-based ciphers.
SV-51261r3_rule  The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-51262r2_rule  The SSH client must be configured to only use FIPS 140-2 approved ciphers.
SV-51263r2_rule  The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
SV-51265r1_rule  The Image Profile and VIB Acceptance Levels must be verified.
SV-51266r1_rule  Remote logging for ESXi hosts must be configured.
SV-51267r1_rule  The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited.
SV-51268r1_rule  The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions.
SV-51269r1_rule  The operating system must use cryptography to protect the confidentiality of remote access sessions.
SV-51270r1_rule  The SSH daemon must be configured to only use the SSHv2 protocol.
SV-51271r2_rule  The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
SV-51272r2_rule  The SSH client must be configured to only use the SSHv2 protocol.
SV-51273r2_rule  The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-51274r1_rule  The system must require that passwords contain at least one special character.
SV-51275r1_rule  The system must ensure proper SNMP configuration.
SV-51276r1_rule  The system must prevent the use of dictionary words for passwords.
SV-51278r2_rule  The SSH daemon must perform strict mode checking of home directory configuration files.
SV-51280r1_rule  Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option.
SV-51281r1_rule  The nosuid option must be enabled on all NFS client mounts.
SV-51282r3_rule  The system must be checked for extraneous device files at least weekly.
SV-51283r2_rule  The system must be checked weekly for unauthorized setuid files, as well as unauthorized modification to authorized setuid files.
SV-51284r2_rule  The system must be checked weekly for unauthorized setgid files, as well as unauthorized modification to authorized setgid files.
SV-51285r1_rule  For systems using DNS resolution, at least two name servers must be configured.
SV-51286r1_rule  If the system boots from removable media, it must be stored in a safe or similarly secured container.
SV-51287r1_rule  The operating system must be a supported release.
SV-51288r1_rule  The system clock must be synchronized to an authoritative DoD time source.
SV-87779r1_rule  Wireless network adapters must be disabled.
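Many of the SSH daemon rules above (SV-51064, SV-51066, SV-51069, SV-51081 through SV-51084, SV-51101, SV-51249, SV-51252, SV-51270, SV-51273 and SV-51278) reduce to a single sshd_config directive each. The script below is an added example, not code from the STIG, from STIGQter or from VMware: it reads an OpenSSH sshd_config the way sshd does (first occurrence of a directive wins, keywords are case-insensitive, anything under a Match block is conditional) and reports each rule as PASS or FAIL. The directive names are standard OpenSSH; the expected values are this editor's reading of each rule title, and the permissive and hardened sample configs it audits are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the STIG, STIGQter or VMware. Audits an OpenSSH
# sshd_config against the SSH daemon rules in the table above. Directive names
# are standard OpenSSH; the expected values are this editor's reading of each
# rule title, and both sample configs at the bottom are constructed.
set -f   # no pathname expansion: a value such as LC_* must stay literal
# Effective value of a directive: sshd honours the FIRST occurrence, ignores
# case in the keyword, and treats Match blocks as conditional (scan stops).
sshd_get() {  # sshd_get <config-file> <directive>; prints nothing if unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Succeeds only if every comma- or space-separated token is allow-listed.
tokens_allowed() {  # tokens_allowed "<value>" "<allowed tokens>"
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in *" $tok "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Prints "PASS|FAIL <rule> <directive>=<value>"; returns 1 on a finding. An unset
# directive is a finding: compiled-in defaults vary by build, so state it explicitly.
check() {  # check <config-file> <rule> <directive> <equals|tokens|set|locale> [arg]
    value=$(sshd_get "$1" "$3" | tr 'A-Z' 'a-z')
    ok=1
    case $4 in
        equals) [ -n "$value" ] && [ "$value" = "$5" ] && ok=0 ;;
        tokens) [ -n "$value" ] && tokens_allowed "$value" "$5" && ok=0 ;;
        set)    [ -n "$value" ] && ok=0 ;;
        locale) ok=0   # AcceptEnv may be absent; if present, only LANG and LC_*
                for v in $value; do case $v in lang|lc_*) ;; *) ok=1 ;; esac; done ;;
    esac
    if [ "$ok" -eq 0 ]; then status=PASS; else status=FAIL; fi
    echo "$status $2 $3=${value:-<unset>}"
    return "$ok"
}
# Runs every daemon check; the return value is the number of findings.
audit_sshd() {  # audit_sshd <config-file>
    findings=0
    while read -r rule directive test arg; do
        check "$1" "$rule" "$directive" "$test" "$arg" || findings=$((findings + 1))
    done <<'EOF'
SV-51249 PermitRootLogin equals no
SV-51270 Protocol equals 2
SV-51064 AllowTcpForwarding equals no
SV-51066 GatewayPorts equals no
SV-51081 X11Forwarding equals no
SV-51084 PermitTunnel equals no
SV-51083 PermitUserEnvironment equals no
SV-51069 MaxSessions equals 1
SV-51278 StrictModes equals yes
SV-51101 Compression tokens no delayed
SV-51252 Banner set
SV-51082 AcceptEnv locale
SV-51273 MACs tokens hmac-sha1 hmac-sha2-256 hmac-sha2-512
EOF
    return "$findings"
}
# Constructed sample configs: a permissive daemon and a hardened one.
write_config() {  # write_config <weak|hardened> <file>
    if [ "$1" = weak ]; then cat > "$2" <<'EOF'
Protocol 2,1
PermitRootLogin yes
# sshd keeps the FIRST value, so this later line does not help
PermitRootLogin no
AllowTcpForwarding yes
StrictModes yes
Compression yes
AcceptEnv LANG LC_* TERM
MACs hmac-md5,hmac-sha1
# Settings under Match are conditional and do not satisfy the rules
Match Address 10.0.0.0/8
    AllowTcpForwarding no
EOF
    else cat > "$2" <<'EOF'
Protocol 2
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
MaxSessions 1
StrictModes yes
Compression delayed
Banner /etc/issue
AcceptEnv LANG LC_*
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
EOF
    fi
}
for kind in weak hardened; do
    cfg=$(mktemp) && write_config "$kind" "$cfg"
    echo "== $kind sshd_config =="; audit_sshd "$cfg"; echo "findings: $?"
    rm -f "$cfg"
done
```

On a real host, point `audit_sshd` at the daemon's configuration file instead of the constructed samples. Two behaviours matter when reading the output: a directive that is only set under a `Match` block, or set a second time after an earlier permissive value, is reported as still failing, because sshd applies the first global value; and an absent directive is reported as a finding rather than assumed compliant, since the built-in default is not something a reviewer can verify from the file. The MAC allow-list is this editor's choice for "FIPS 140-2 approved hash algorithms"; adjust it to whatever your site's accepted list is.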