Checked | Name | Title |
---|---|---|
☐ | SV-207602r378532_rule | The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode. |
☐ | SV-207603r388482_rule | The ESXi host must verify the DCUI.Access list. |
☐ | SV-207604r388482_rule | The ESXi host must verify the exception users list for lockdown mode. |
☐ | SV-207605r378607_rule | Remote logging for ESXi hosts must be configured. |
☐ | SV-207606r378517_rule | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. |
☐ | SV-207607r379606_rule | The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out. |
☐ | SV-207608r378520_rule | The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-207609r378520_rule | The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-207610r378520_rule | The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner. |
☐ | SV-207611r378610_rule | The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions. |
☐ | SV-207612r378610_rule | The ESXi host SSH daemon must be configured to use only the SSHv2 protocol. |
☐ | SV-207613r378856_rule | The ESXi host SSH daemon must ignore .rhosts files. |
☐ | SV-207614r388482_rule | The ESXi host SSH daemon must not allow host-based authentication. |
☐ | SV-207615r388482_rule | The ESXi host SSH daemon must not permit root logins. |
☐ | SV-207616r388482_rule | The ESXi host SSH daemon must not allow authentication using an empty password. |
☐ | SV-207617r388482_rule | The ESXi host SSH daemon must not permit user environment settings. |
☐ | SV-207618r388482_rule | The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
☐ | SV-207619r388482_rule | The ESXi host SSH daemon must not permit GSSAPI authentication. |
☐ | SV-207620r388482_rule | The ESXi host SSH daemon must not permit Kerberos authentication. |
☐ | SV-207621r388482_rule | The ESXi host SSH daemon must perform strict mode checking of home directory configuration files. |
☐ | SV-207622r388482_rule | The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication. |
☐ | SV-207623r388482_rule | The ESXi host SSH daemon must be configured to not allow gateway ports. |
☐ | SV-207624r388482_rule | The ESXi host SSH daemon must be configured to not allow X11 forwarding. |
☐ | SV-207625r388482_rule | The ESXi host SSH daemon must not accept environment variables from the client. |
☐ | SV-207626r388482_rule | The ESXi host SSH daemon must not permit tunnels. |
☐ | SV-207627r388482_rule | The ESXi host SSH daemon must set a timeout count on idle sessions. |
☐ | SV-207628r388482_rule | The ESXi host SSH daemon must set a timeout interval on idle sessions. |
☐ | SV-207629r388482_rule | The ESXi host SSH daemon must limit connections to a single session. |
☐ | SV-207630r388482_rule | The ESXi host must remove keys from the SSH authorized_keys file. |
☐ | SV-207631r378616_rule | The ESXi host must produce audit records containing information to establish what type of events occurred. |
☐ | SV-207632r378739_rule | The ESXi host must enforce password complexity by requiring that at least one upper-case character be used. |
☐ | SV-207633r378763_rule | The ESXi host must prohibit the reuse of passwords within five iterations. |
☐ | SV-207634r388482_rule | The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. |
☐ | SV-207635r378841_rule | The ESXi host must disable the Managed Object Browser (MOB). |
☐ | SV-207636r378841_rule | The ESXi host must be configured to disable non-essential capabilities by disabling SSH. |
☐ | SV-207637r378841_rule | The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. |
☐ | SV-207638r378847_rule | The ESXi host must use Active Directory for local user authentication. |
☐ | SV-207639r378847_rule | The ESXi host must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory. |
☐ | SV-207640r378847_rule | Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. |
☐ | SV-207641r378856_rule | The ESXi host must use multifactor authentication for local access to privileged accounts. |
☐ | SV-207642r378994_rule | The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes. |
☐ | SV-207643r378994_rule | The ESXi host must terminate shell services after 10 minutes. |
☐ | SV-207644r378994_rule | The ESXi host must logout of the console UI after 10 minutes. |
☐ | SV-207645r379318_rule | The ESXi host must enable kernel core dumps. |
☐ | SV-207646r379690_rule | The ESXi host must enable a persistent log location for all locally stored logs. |
☐ | SV-207647r379732_rule | The ESXi host must configure NTP time synchronization. |
☐ | SV-207648r379825_rule | The ESXi Image Profile and VIB Acceptance Levels must be verified. |
☐ | SV-207649r380176_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. |
☐ | SV-207650r380176_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic. |
☐ | SV-207651r380176_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible. |
☐ | SV-207652r388482_rule | SNMP must be configured properly on the ESXi host. |
☐ | SV-207653r388482_rule | The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic. |
☐ | SV-207654r388482_rule | The ESXi host must disable Inter-VM transparent page sharing. |
☐ | SV-207655r388482_rule | The ESXi host must configure the firewall to restrict access to services running on the host. |
☐ | SV-207656r388482_rule | The ESXi host must configure the firewall to block network traffic by default. |
☐ | SV-207657r388482_rule | The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. |
☐ | SV-207658r388482_rule | The virtual switch Forged Transmits policy must be set to reject on the ESXi host. |
☐ | SV-207659r388482_rule | The virtual switch MAC Address Change policy must be set to reject on the ESXi host. |
☐ | SV-207660r388482_rule | The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. |
☐ | SV-207661r388482_rule | The ESXi host must prevent unintended use of the dvFilter network APIs. |
☐ | SV-207662r388482_rule | For the ESXi host all port groups must be configured to a value other than that of the native VLAN. |
☐ | SV-207663r388482_rule | For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. |
☐ | SV-207664r388482_rule | For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches. |
☐ | SV-207665r388482_rule | For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode. |
☐ | SV-207666r388482_rule | All ESXi host-connected physical switch ports must be configured with spanning tree disabled. |
☐ | SV-207667r388482_rule | All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs. |
☐ | SV-207668r388482_rule | The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications. |
☐ | SV-207669r388482_rule | The ESXi host must verify the integrity of the installation media before installing ESXi. |
☐ | SV-207670r388482_rule | The ESXi host must have all security patches and updates installed. |
☐ | SV-207673r388482_rule | The ESXi host must enable Secure Boot. |
☐ | SV-207674r617349_rule | The ESXi host must use DoD-approved certificates. |
☐ | SV-207675r378862_rule | The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication. |