STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide

Version: 1

Release: 3

Benchmark Date: 24 Jan 2020

Name                Title
SV-104035r1_rule    The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
SV-104037r1_rule    The ESXi host must verify the DCUI.Access list.
SV-104039r1_rule    The ESXi host must verify the exception users list for lockdown mode.
SV-104041r1_rule    Remote logging for ESXi hosts must be configured.
SV-104043r1_rule    The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
SV-104045r1_rule    The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.
SV-104047r1_rule    The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-104049r1_rule    The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
SV-104051r1_rule    The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner.
SV-104053r1_rule    The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
SV-104055r1_rule    The ESXi host SSH daemon must be configured to use only the SSHv2 protocol.
SV-104057r1_rule    The ESXi host SSH daemon must ignore .rhosts files.
SV-104059r1_rule    The ESXi host SSH daemon must not allow host-based authentication.
SV-104061r1_rule    The ESXi host SSH daemon must not permit root logins.
SV-104063r1_rule    The ESXi host SSH daemon must not allow authentication using an empty password.
SV-104065r1_rule    The ESXi host SSH daemon must not permit user environment settings.
SV-104067r1_rule    The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-104069r1_rule    The ESXi host SSH daemon must not permit GSSAPI authentication.
SV-104071r1_rule    The ESXi host SSH daemon must not permit Kerberos authentication.
SV-104073r1_rule    The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.
SV-104075r1_rule    The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-104077r1_rule    The ESXi host SSH daemon must be configured to not allow gateway ports.
SV-104079r1_rule    The ESXi host SSH daemon must be configured to not allow X11 forwarding.
SV-104081r1_rule    The ESXi host SSH daemon must not accept environment variables from the client.
SV-104083r1_rule    The ESXi host SSH daemon must not permit tunnels.
SV-104085r1_rule    The ESXi host SSH daemon must set a timeout count on idle sessions.
SV-104087r1_rule    The ESXi host SSH daemon must set a timeout interval on idle sessions.
SV-104089r1_rule    The ESXi host SSH daemon must limit connections to a single session.
SV-104091r1_rule    The ESXi host must remove keys from the SSH authorized_keys file.
SV-104093r1_rule    The ESXi host must produce audit records containing information to establish what type of events occurred.
SV-104095r1_rule    The ESXi host must enforce password complexity by requiring that at least one upper-case character be used.
SV-104097r1_rule    The ESXi host must prohibit the reuse of passwords within five iterations.
SV-104099r1_rule    The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
SV-104101r1_rule    The ESXi host must disable the Managed Object Browser (MOB).
SV-104103r1_rule    The ESXi host must be configured to disable non-essential capabilities by disabling SSH.
SV-104105r1_rule    The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
SV-104107r1_rule    The ESXi host must use Active Directory for local user authentication.
SV-104109r2_rule    The ESXi host must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.
SV-104111r1_rule    Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
SV-104113r1_rule    The ESXi host must use multifactor authentication for local access to privileged accounts.
SV-104115r1_rule    The ESXi host must set a timeout to automatically disable idle sessions after 10 minutes.
SV-104117r1_rule    The ESXi host must terminate shell services after 10 minutes.
SV-104119r1_rule    The ESXi host must log out of the console UI after 10 minutes.
SV-104121r1_rule    The ESXi host must enable kernel core dumps.
SV-104123r1_rule    The ESXi host must enable a persistent log location for all locally stored logs.
SV-104125r1_rule    The ESXi host must configure NTP time synchronization.
SV-104127r1_rule    The ESXi Image Profile and VIB Acceptance Levels must be verified.
SV-104129r1_rule    The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
SV-104133r1_rule    The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.
SV-104137r1_rule    The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.
SV-104139r1_rule    SNMP must be configured properly on the ESXi host.
SV-104141r1_rule    The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.
SV-104143r1_rule    The ESXi host must disable Inter-VM transparent page sharing.
SV-104145r1_rule    The ESXi host must configure the firewall to restrict access to services running on the host.
SV-104147r1_rule    The ESXi host must configure the firewall to block network traffic by default.
SV-104149r1_rule    The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.
SV-104151r1_rule    The virtual switch Forged Transmits policy must be set to reject on the ESXi host.
SV-104153r1_rule    The virtual switch MAC Address Change policy must be set to reject on the ESXi host.
SV-104155r1_rule    The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host.
SV-104157r1_rule    The ESXi host must prevent unintended use of the dvFilter network APIs.
SV-104159r1_rule    For the ESXi host all port groups must be configured to a value other than that of the native VLAN.
SV-104161r1_rule    For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
SV-104163r1_rule    For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches.
SV-104165r1_rule    For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.
SV-104167r1_rule    All ESXi host-connected physical switch ports must be configured with spanning tree disabled.
SV-104169r1_rule    All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.
SV-104303r2_rule    The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.
SV-104307r1_rule    The ESXi host must verify the integrity of the installation media before installing ESXi.
SV-104309r1_rule    The ESXi host must have all security patches and updates installed.
SV-104311r1_rule    The ESXi host must enable TLS 1.2 exclusively for the SFCB service.
SV-104313r1_rule    The ESXi host must exclusively enable TLS 1.2 for the ioFilter, vSANVP and reverse proxy services.
SV-104317r1_rule    The ESXi host must enable Secure Boot.
SV-104319r1_rule    The ESXi host must use DoD-approved certificates.
SV-104335r2_rule    The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.
SV-104337r2_rule    The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.
SV-104339r1_rule    The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.
SV-104341r1_rule    The ESXi host must accept Personal Identity Verification (PIV) credentials.
SV-104359r2_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication.
SV-104361r2_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy.
SV-104363r1_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.
SV-104365r1_rule    The ESXi host must electronically verify Personal Identity Verification (PIV) credentials.
SV-104373r2_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication.
SV-104375r2_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy.
SV-104377r1_rule    The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.
SV-104379r1_rule    The ESXi host must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
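The SSH daemon rules above (SV-104051 through SV-104089) each map to a single sshd directive, and the STIG checks read the effective value of every directive on the host with `/usr/lib/vmware/openssh/bin/sshd -T`. The script below is an added example written for this page, not STIGQter's or DISA's code: it compares a saved copy of that output against the expected directive values in one pass and reports every deviation. The expected values are this editor's recollection of the STIG check text, not text from this page (confirm them against the full STIG before relying on the script), the `compression` entry accepts both `no` and `delayed` because the rule title allows compression after authentication, and the sample `sshd -T` output is constructed, not captured from a host.

```shell
#!/bin/sh
# Audit an ESXi host's effective sshd configuration against the SSH daemon
# rules of the vSphere 6.5 ESXi STIG (banner, ciphers, MACs, root login,
# tunnels, idle timeouts, MaxSessions, ...).
# Real input: /usr/lib/vmware/openssh/bin/sshd -T   (one "key value" line per
# directive, keys lower-cased). A constructed sample is embedded below so the
# script runs offline. Expected values are the editor's recollection of the
# STIG check text; confirm them against the full STIG.

# Expected directives, one per line: "<key> <value>".
#   "-"    the directive must be absent or empty (no AcceptEnv at all)
#   "a;b"  any one of the listed values is acceptable
STIG_SSHD_EXPECTED='banner /etc/issue
ciphers aes256-ctr,aes192-ctr,aes128-ctr
protocol 2
ignorerhosts yes
hostbasedauthentication no
permitrootlogin no
permitemptypasswords no
permituserenvironment no
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
gssapiauthentication no
kerberosauthentication no
strictmodes yes
compression no;delayed
gatewayports no
x11forwarding no
acceptenv -
permittunnel no
clientalivecountmax 3
clientaliveinterval 200
maxsessions 1'

# audit_sshd_config <file containing "sshd -T" output>
# Prints "FAIL <key> expected=<x> actual=<y>" for each deviation.
# Returns 0 when fully compliant, 1 otherwise.
audit_sshd_config() {
    printf '%s\n' "$STIG_SSHD_EXPECTED" | awk -v cfg="$1" '
        function fail(k, w, h) { printf "FAIL %s expected=%s actual=%s\n", k, w, h; fails++ }
        BEGIN {
            # Load the effective configuration into a key -> value map.
            while ((getline line < cfg) > 0) {
                if (split(line, f, " ") == 0) continue
                key = tolower(f[1])
                val = substr(line, length(f[1]) + 2)
                sub(/[ \t]+$/, "", val)
                actual[key] = val   # a repeated key (e.g. acceptenv) keeps its last value
            }
            close(cfg)
        }
        {
            key = $1; want = $2
            have = (key in actual) ? actual[key] : "<absent>"
            if (want == "-") {
                if (key in actual && actual[key] != "") fail(key, "<absent>", have)
                next
            }
            ok = 0
            n = split(want, alts, ";")
            for (i = 1; i <= n; i++) if (have == alts[i]) ok = 1
            if (!ok) fail(key, want, have)
        }
        END { if (fails > 0) exit 1 }'
}

# Constructed sample of "sshd -T" output (not captured from a real host):
# root login allowed, MaxSessions 10 and AcceptEnv LANG are deviations;
# Compression "delayed" is accepted by the rule title.
write_sample_config() {
    cat > "$1" <<'EOF'
protocol 2
banner /etc/issue
ciphers aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
ignorerhosts yes
hostbasedauthentication no
permitrootlogin yes
permitemptypasswords no
permituserenvironment no
gssapiauthentication no
kerberosauthentication no
strictmodes yes
compression delayed
gatewayports no
x11forwarding no
acceptenv LANG
permittunnel no
clientalivecountmax 3
clientaliveinterval 200
maxsessions 10
EOF
}

# On the host: /usr/lib/vmware/openssh/bin/sshd -T > /tmp/sshd.txt && audit_sshd_config /tmp/sshd.txt
demo_tmp=$(mktemp /tmp/sshd-audit.XXXXXX)
write_sample_config "$demo_tmp"
if audit_sshd_config "$demo_tmp"; then echo "sshd: compliant"; else echo "sshd: deviations listed above"; fi
rm -f "$demo_tmp"
```

Because the script only needs a text copy of the `sshd -T` output, it can run wherever that output has been collected rather than on the host itself, which matters because the same STIG also requires SSH (SV-104103) and the ESXi Shell (SV-104105) to stay disabled except for diagnostics. The exit status makes it usable as a gate in a larger host-audit loop.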
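The three VLAN rules (SV-104159, SV-104161 and SV-104163) reduce to a numeric test on each port group's VLAN ID: not the native VLAN, not 4095 unless Virtual Guest Tagging is documented as required, and not inside a range the upstream switches reserve. As a second added example (again written for this page, not code from STIGQter or DISA), the script below applies those tests to the CSV output of `esxcli --formatter=csv network vswitch standard portgroup list`. The header column names (`Name`, `VLANID`, `VirtualSwitch`, `ActiveClients`), the native VLAN of 1 and the reserved ranges 1001-1024, 3968-4047 and 4094 are assumptions for the demonstration; the parser locates columns by header name so that a different column order still works, and the sample rows are constructed rather than captured.

```shell
#!/bin/sh
# Audit standard vSwitch port group VLAN IDs against the three VLAN rules of
# the vSphere 6.5 ESXi STIG: no native VLAN, no VLAN 4095 unless Virtual
# Guest Tagging is required, and no IDs reserved by the upstream switches.
# Real input: esxcli --formatter=csv network vswitch standard portgroup list
# (a CSV header row, then one row per port group). The column names are an
# assumption; columns are located by header name, so their order does not
# matter. Port group names containing commas are not handled.

NATIVE_VLAN=1                              # assumption: adjust to your uplinks
# Reserved IDs as "low-high" ranges or single values. These are the editor's
# recollection of the STIG's Cisco Catalyst/Nexus examples; confirm with the
# network team and extend as needed.
RESERVED_VLANS="1001-1024 3968-4047 4094"

# audit_portgroup_vlans <csv-file>
# Prints one line per port group: "<FAIL|REVIEW|PASS> <name> vlan=<id> <reason>".
# REVIEW marks VLAN 4095, acceptable only where VGT is documented as required.
# Returns 1 if any port group FAILed, 0 otherwise.
audit_portgroup_vlans() {
    awk -F, -v native="$NATIVE_VLAN" -v reserved="$RESERVED_VLANS" '
        BEGIN {
            nres = split(reserved, r, " ")
            for (i = 1; i <= nres; i++) {
                nb = split(r[i], b, "-")
                lo[i] = b[1] + 0; hi[i] = (nb > 1) ? b[2] + 0 : b[1] + 0
            }
        }
        NR == 1 {                     # header row -> column positions
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("Name" in col) || !("VLANID" in col)) { print "ERROR: Name/VLANID columns missing"; exit 2 }
            next
        }
        NF < 2 { next }               # skip blank lines
        {
            name = $(col["Name"]); vlan = $(col["VLANID"]) + 0
            verdict = "PASS"; why = "ok"
            if (vlan == native + 0) {
                verdict = "FAIL"; why = "native VLAN"
            } else if (vlan == 4095) {
                verdict = "REVIEW"; why = "VGT (4095) must be documented as required"
            } else {
                for (i = 1; i <= nres; i++)
                    if (vlan >= lo[i] && vlan <= hi[i]) {
                        verdict = "FAIL"
                        why = (lo[i] == hi[i]) ? "reserved VLAN " lo[i] : "reserved range " lo[i] "-" hi[i]
                    }
            }
            if (verdict == "FAIL") fails++
            printf "%s %s vlan=%d %s\n", verdict, name, vlan, why
        }
        END { if (fails > 0) exit 1 }' "$1"
}

# Constructed sample (not captured from a host) in the assumed CSV layout.
write_sample_portgroups() {
    cat > "$1" <<'EOF'
ActiveClients,Name,VLANID,VirtualSwitch,
1,Management Network,10,vSwitch0,
0,VM Network,1,vSwitch0,
0,vMotion,1005,vSwitch1,
0,Trunk-Guest-Tagging,4095,vSwitch1,
0,DMZ,200,vSwitch1,
EOF
}

# On the host: esxcli --formatter=csv network vswitch standard portgroup list > /tmp/pg.csv && audit_portgroup_vlans /tmp/pg.csv
demo_tmp=$(mktemp /tmp/vlan-audit.XXXXXX)
write_sample_portgroups "$demo_tmp"
if audit_portgroup_vlans "$demo_tmp"; then echo "port groups: compliant"; else echo "port groups: findings above"; fi
rm -f "$demo_tmp"
```

The REVIEW verdict is deliberate: VLAN 4095 is not a finding by itself under SV-104161, so the script surfaces it for the documentation check (SV-104169) instead of failing the host outright. Distributed switch port groups are not covered by this esxcli command and need a separate query.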