vRealize Operations Compliance Alerts for the vSphere 6.5 ESXi STIG


As a follow-up to my previous post providing alert content for the VMware vSphere 6.5 Virtual Machine STIG Version 1, Release 1, I have also put together new alert content for the VMware vSphere 6.5 ESXi STIG Version 1, Release 1. See the link at the bottom of the page to download the alert content XML.

The following STIG items cannot be verified by vRealize Operations for one of three reasons: the check is a user-process or procedural review, the configuration value is not currently collected by vRealize Operations, or the check involves non-VMware assets (e.g. physical switch configurations):

ESXI-65-000001 - The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.

ESXI-65-000003 - The ESXi host must verify the exception users list for lockdown mode.

ESXI-65-000007 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ESXI-65-000008 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

ESXI-65-000009 - The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner.

ESXI-65-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.

ESXI-65-000011 - The ESXi host SSH daemon must be configured to use only the SSHv2 protocol.

ESXI-65-000012 - The ESXi host SSH daemon must ignore .rhosts files.

ESXI-65-000013 - The ESXi host SSH daemon must not allow host-based authentication.

ESXI-65-000014 - The ESXi host SSH daemon must not permit root logins.

ESXI-65-000015 - The ESXi host SSH daemon must not allow authentication using an empty password.

ESXI-65-000016 - The ESXi host SSH daemon must not permit user environment settings.

ESXI-65-000017 - The ESXi host SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

ESXI-65-000018 - The ESXi host SSH daemon must not permit GSSAPI authentication.

ESXI-65-000019 - The ESXi host SSH daemon must not permit Kerberos authentication.

ESXI-65-000020 - The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.

ESXI-65-000021 - The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.

ESXI-65-000022 - The ESXi host SSH daemon must be configured to not allow gateway ports.

ESXI-65-000023 - The ESXi host SSH daemon must be configured to not allow X11 forwarding.

ESXI-65-000024 - The ESXi host SSH daemon must not accept environment variables from the client.

ESXI-65-000025 - The ESXi host SSH daemon must not permit tunnels.

ESXI-65-000026 - The ESXi host SSH daemon must set a timeout count on idle sessions.

ESXI-65-000027 - The ESXi host SSH daemon must set a timeout interval on idle sessions.

ESXI-65-000028 - The ESXi host SSH daemon must limit connections to a single session.

ESXI-65-000029 - The ESXi host must remove keys from the SSH authorized_keys file.

ESXI-65-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.

ESXI-65-000033 - The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

ESXI-65-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

ESXI-65-000040 - The ESXi host must use multifactor authentication for local access to privileged accounts.

ESXI-65-000044 - The ESXi host must enable kernel core dumps.

ESXI-65-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.

ESXI-65-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.

ESXI-65-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.

ESXI-65-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information.

ESXI-65-000052 - The ESXi host must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.

ESXI-65-000053 - SNMP must be configured properly on the ESXi host.

ESXI-65-000054 - The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.

ESXI-65-000057 - The ESXi host must configure the firewall to block network traffic by default.

ESXI-65-000063 - For the ESXi host all port groups must be configured to a value other than that of the native VLAN.

ESXI-65-000064 - For the ESXi host all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.

ESXI-65-000065 - For the ESXi host all port groups must not be configured to VLAN values reserved by upstream physical switches.

ESXI-65-000066 - For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.

ESXI-65-000067 - All ESXi host-connected physical switch ports must be configured with spanning tree disabled.

ESXI-65-000068 - All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs.

ESXI-65-000070 - The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.

ESXI-65-000071 - The ESXi host must verify the integrity of the installation media before installing ESXi.

ESXI-65-000072 - The ESXi host must have all security patches and updates installed.

ESXI-65-000073 - The ESXi host must enable TLS 1.2 exclusively for the SFCB service.

ESXI-65-000074 - The ESXi host must exclusively enable TLS 1.2 for the ioFilter, vSANVP and reverse proxy services.

ESXI-65-000075 - The ESXi host must exclusively enable TLS 1.2 for the authd service.

ESXI-65-000076 - The ESXi host must enable Secure Boot.

ESXI-65-000078 - The ESXi host must use DoD-approved certificates.

ESXI-65-100001 - The ESXi host must enable lockdown mode to restrict remote access.

ESXI-65-100007 - The ESXi host must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.

ESXI-65-100010 - The ESXi host SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

ESXI-65-100030 - The ESXi host must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

ESXI-65-100039 - The ESXi host must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.

ESXI-65-100040 - The ESXi host must accept Personal Identity Verification (PIV) credentials.

ESXI-65-200039 - The ESXi host must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.

ESXI-65-200040 - The ESXi host must electronically verify Personal Identity Verification (PIV) credentials.

ESXI-65-300039 - The ESXi host must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.

ESXI-65-300040 - The ESXi host must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
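The SSH daemon items above (ESXI-65-000012 through ESXI-65-000028) fall into the second category: vRealize Operations does not collect the SSH daemon configuration, so those checks have to be run against the host's sshd_config some other way. The script below is an added example, not part of the alert content or of the STIG itself. It parses an sshd_config the way OpenSSH does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional) and maps each failing directive to its STIG ID. The directive names are standard OpenSSH keywords; the expected values and the FIPS 140-2 MAC allow-list are assumptions derived from the item titles and should be confirmed against the STIG check text before use. The sample configuration is constructed for the demonstration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Assumed allow-list of MACs built on FIPS 140-2 approved hash algorithms.
FIPS_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}


def _is(*allowed: str) -> Callable[[Optional[str]], bool]:
    """Predicate: directive is explicitly set to one of the allowed values."""
    allowed_l = {a.lower() for a in allowed}
    return lambda v: v is not None and v.lower() in allowed_l


def _macs_ok(v: Optional[str]) -> bool:
    """MACs is a comma-separated list; every entry must be on the allow-list."""
    return v is not None and all(m.strip().lower() in FIPS_MACS for m in v.split(","))


# STIG ID -> (sshd_config keyword, predicate on the effective value, expectation).
# Expected values are assumptions taken from the item titles above.
CHECKS: Dict[str, Tuple[str, Callable[[Optional[str]], bool], str]] = {
    "ESXI-65-000012": ("IgnoreRhosts", _is("yes"), "yes"),
    "ESXI-65-000013": ("HostbasedAuthentication", _is("no"), "no"),
    "ESXI-65-000014": ("PermitRootLogin", _is("no"), "no"),
    "ESXI-65-000015": ("PermitEmptyPasswords", _is("no"), "no"),
    "ESXI-65-000016": ("PermitUserEnvironment", _is("no"), "no"),
    "ESXI-65-000017": ("MACs", _macs_ok, "only " + ",".join(sorted(FIPS_MACS))),
    "ESXI-65-000018": ("GSSAPIAuthentication", _is("no"), "no"),
    "ESXI-65-000019": ("KerberosAuthentication", _is("no"), "no"),
    "ESXI-65-000020": ("StrictModes", _is("yes"), "yes"),
    "ESXI-65-000021": ("Compression", _is("no", "delayed"), "no or delayed"),
    "ESXI-65-000022": ("GatewayPorts", _is("no"), "no"),
    "ESXI-65-000023": ("X11Forwarding", _is("no"), "no"),
    # AcceptEnv absent or empty means no client variables are accepted (OpenSSH default).
    "ESXI-65-000024": ("AcceptEnv", lambda v: not v, "no patterns"),
    "ESXI-65-000025": ("PermitTunnel", _is("no"), "no"),
    "ESXI-65-000026": ("ClientAliveCountMax", _is("3"), "3"),
    "ESXI-65-000027": ("ClientAliveInterval", _is("200"), "200"),
    "ESXI-65-000028": ("MaxSessions", _is("1"), "1"),
}

# 'Keyword value', 'Keyword=value' and 'Keyword' (no value) are all valid forms.
_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=\s*)?(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (lower-cased keywords).

    Mirrors the OpenSSH rules that matter for a checker: '#' starts a comment,
    the first occurrence of a keyword wins, and directives after a 'Match'
    line only apply conditionally, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return one (stig_id, keyword, observed) finding per failed check."""
    cfg = parse_sshd_config(text)
    findings = []
    for stig_id, (keyword, ok, expected) in CHECKS.items():
        observed = cfg.get(keyword.lower())
        if not ok(observed):
            shown = "not set" if observed is None else observed
            findings.append((stig_id, keyword, f"{shown} (expected {expected})"))
    return findings


# Constructed sample: mostly compliant, with two deliberate deviations.
SAMPLE_SSHD_CONFIG = """\
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin yes                         # deviation: root login allowed
PermitEmptyPasswords no
PermitUserEnvironment no
MACs hmac-sha2-256,hmac-sha2-512,hmac-md5   # deviation: hmac-md5 is not on the allow-list
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
Compression delayed
GatewayPorts no
X11Forwarding no
PermitTunnel no
ClientAliveCountMax 3
ClientAliveInterval 200
MaxSessions=1
PermitRootLogin no                          # ignored: first occurrence wins
Match User backup
    X11Forwarding yes                       # conditional, not evaluated here
"""

if __name__ == "__main__":
    for stig_id, keyword, observed in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{stig_id}: {keyword} = {observed}")
```

Feed the script the contents of a host's sshd_config instead of the sample and it reports the two deviations as ESXI-65-000014 and ESXI-65-000017 findings; a directive that is simply absent is reported as "not set" rather than assumed compliant, which matches how the STIG checks look for an explicit setting.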

vRealize Operations Compliance Alert Content can be downloaded from the Downloads page.
