STIGQter: STIG Summary: VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide

Version: 1

Release: 7

Benchmark Date: 28 Jul 2017

Name             Title
SV-51300r2_rule  The system must control virtual machine access to host resources.
SV-51301r1_rule  The system must disable tools auto install.
SV-51302r1_rule  The system must explicitly disable copy operations.
SV-51303r2_rule  The system must explicitly disable drag and drop operations.
SV-51304r1_rule  The system must explicitly disable any GUI functionality for copy/paste operations.
SV-51305r1_rule  The system must explicitly disable paste operations.
SV-51306r1_rule  The system must disable virtual disk shrinking.
SV-51307r1_rule  The system must disable virtual disk erasure.
SV-51308r1_rule  The system must disable HGFS file transfers.
SV-51309r3_rule  The system must not use independent, non-persistent disks.
SV-51310r1_rule  The system must disable VM-to-VM communication through VMCI.
SV-51311r2_rule  The system must disable VM logging, unless required.
SV-51312r1_rule  The system must disable VM Monitor Control during normal operation.
SV-51314r1_rule  The unexposed feature keyword isolation.tools.ghi.autologon.disable must be initialized to decrease the VMs potential attack vectors.
SV-51315r1_rule  The unexposed feature keyword isolation.bios.bbs.disable must be initialized to decrease the VMs potential attack vectors.
SV-51316r1_rule  The unexposed feature keyword isolation.tools.getCreds.disable must be initialized to decrease the VMs potential attack vectors.
SV-51317r1_rule  The unexposed feature keyword isolation.tools.ghi.launchmenu.change must be initialized to decrease the VMs potential attack vectors.
SV-51319r1_rule  The unexposed feature keyword isolation.tools.memSchedFakeSampleStats.disable must be initialized to decrease the VMs potential attack vectors.
SV-51320r1_rule  The unexposed feature keyword isolation.tools.ghi.protocolhandler.info.disable must be initialized to decrease the VMs potential attack vectors.
SV-51321r1_rule  The unexposed feature keyword isolation.ghi.host.shellAction.disable must be initialized to decrease the VMs potential attack vectors.
SV-51335r1_rule  The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be initialized to decrease the VMs potential attack vectors.
SV-51336r1_rule  The unexposed feature keyword isolation.tools.trashFolderState.disable must be initialized to decrease the VMs potential attack vectors.
SV-51337r1_rule  The unexposed feature keyword isolation.tools.ghi.trayicon.disable must be initialized to decrease the VMs potential attack vectors.
SV-51338r1_rule  The unexposed feature keyword isolation.tools.unity.disable must be initialized to decrease the VMs potential attack vectors.
SV-51339r1_rule  The unexposed feature keyword isolation.tools.unityInterlockOperation.disable must be initialized to decrease the VMs potential attack vectors.
SV-51340r1_rule  The unexposed feature keyword isolation.tools.unity.push.update.disable must be initialized to decrease the VMs potential attack vectors.
SV-51341r1_rule  The unexposed feature keyword isolation.tools.unity.taskbar.disable must be initialized to decrease the VMs potential attack vectors.
SV-51342r1_rule  The unexposed feature keyword isolation.tools.unityActive.disable must be initialized to decrease the VMs potential attack vectors.
SV-51343r1_rule  The unexposed feature keyword isolation.tools.unity.windowContents.disable must be initialized to decrease the VMs potential attack vectors.
SV-51344r1_rule  The unexposed feature keyword isolation.tools.vmxDnDVersionGet.disable must be initialized to decrease the VMs potential attack vectors.
SV-51345r1_rule  The unexposed feature keyword isolation.tools.guestDnDVersionSet.disable must be initialized to decrease the VMs potential attack vectors.
SV-51346r1_rule  The system must disable VIX messages from the VM.
SV-51347r3_rule  The system must disconnect unauthorized floppy devices.
SV-51348r3_rule  The system must disconnect unauthorized IDE devices.
SV-51349r2_rule  The system must disconnect unauthorized parallel devices.
SV-51350r2_rule  The system must disconnect unauthorized serial devices.
SV-51351r2_rule  The system must disconnect unauthorized USB devices.
SV-51352r1_rule  The system must limit sharing of console connections.
SV-51353r1_rule  The system must limit VM logging records.
SV-51354r1_rule  The system must limit VM logging record contents.
SV-51355r1_rule  The system must limit informational messages from the VM to the VMX file.
SV-51356r1_rule  The system must minimize use of the VM console.
SV-51357r1_rule  The system must prevent unauthorized removal, connection and modification of devices by setting the isolation.device.connectable.disable keyword to true.
SV-51358r1_rule  The system must prevent unauthorized removal, connection and modification of devices.
SV-51359r1_rule  The system must not send host information to guests.
SV-51361r1_rule  The system must use secure protocols for virtual serial port access.
SV-51362r1_rule  The system must use templates to deploy VMs whenever possible.
SV-51363r1_rule  The system must control access to VMs through the dvfilter network APIs.
SV-51364r1_rule  The system must control access to VMs through VMsafe CPU/memory APIs.
SV-51365r1_rule  The system must control access to VMs through the VMsafe CPU/memory vmsafe.agentPort API.
SV-51366r2_rule  The system must control access to VMs through the VMsafe CPU/memory vmsafe.enable API.