| V-258728 | | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. | By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is redu... |
| V-258729 | | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI). | Display of a standardized and approved use notification before granting access to the host ensures privacy and security notification verbiage used is ... |
| V-258730 | | The ESXi host must enable lockdown mode. | Enabling Lockdown Mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This is done to ensure t... |
| V-258731 | | The ESXi host client must be configured with an idle session timeout. | The ESXi host client is the UI served up by the host itself, outside of vCenter. It is accessed at https://<ESX FQDN>/ui. ESXi is not usually administ... |
| V-258733 | | The ESXi must produce audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage ... |
| V-258734 | | The ESXi host must enforce password complexity by configuring a password quality policy. | To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated.
The use of complex passwords reduces the ab... |
| V-258735 | | The ESXi host must prohibit password reuse for a minimum of five generations. | If a user or root used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it w... |
| V-258736 | | The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB). | The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed. This interface is... |
| V-258738 | | The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obso... |
| V-258739 | | The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes. | If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely and increase the likelihoo... |
| V-258740 | | The ESXi host must implement Secure Boot enforcement. | Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating s... |
| V-258741 | | The ESXi host must enable Secure Boot. | Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) firmware standard. With UEFI Secure Boot enabled, a host refuses to load any U... |
| V-258742 | | The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out. | By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user password guessing, otherwise k... |
| V-258743 | | The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records. | In order to ensure ESXi has sufficient storage capacity in which to write the audit logs, audit record storage capacity should be configured.
If a c... |
| V-258744 | | The ESXi host must off-load logs via syslog. | Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more ... |
| V-258745 | | The ESXi host must synchronize internal information system clocks to an authoritative time source. | To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including tim... |
| V-258747 | | The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic. | When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. When not authenticating both the iSCSI target and host,... |
| V-258748 | | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. | While encrypted vMotion is available, vMotion traffic should still be sequestered from other traffic to further protect it from attack. This network m... |
| V-258750 | | The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. ESXi must implement cryptographic modul... |
| V-258751 | | The ESXi host DCUI.Access list must be verified. | Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host becomes isolated from vC... |
| V-258752 | | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH). | Display of a standardized and approved use notification before granting access to the host ensures privacy and security notification verbiage used is ... |
| V-258753 | | The ESXi host Secure Shell (SSH) daemon must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the host ensures privacy and security notification verbiage used is ... |
| V-258754 | | The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH). | The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to comman... |
| V-258755 | | The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell. | The ESXi Shell is an interactive command line environment available locally from the Direct Console User Interface (DCUI) or remotely via SSH. Activit... |
| V-258756 | | The ESXi host must automatically stop shell services after 10 minutes. | When the ESXi Shell or Secure Shell (SSH) services are enabled on a host, they will run indefinitely. To avoid having these services left running, set... |
| V-258757 | | The ESXi host must set a timeout to automatically end idle DCUI sessions after 10 minutes. | When the Direct Console User Interface (DCUI) is enabled and logged in, it should be automatically logged out if left logged on to avoid access by una... |
| V-258758 | | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic. | The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface pro... |
| V-258759 | | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | Virtual machines (VMs) might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes vSAN, iSCSI, and NFS... |
| V-258760 | | The ESXi host lockdown mode exception users list must be verified. | While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permis... |
| V-258761 | | The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentic... |
| V-258762 | | The ESXi host Secure Shell (SSH) daemon must not permit user environment settings. | SSH environment options potentially allow users to bypass access restriction in some configurations. Users must not be able to present environment opt... |
| V-258764 | | The ESXi host Secure Shell (SSH) daemon must not permit tunnels. | OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a vir... |
| V-258767 | | The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c. | If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly confi... |
| V-258769 | | The ESXi host must configure the firewall to block network traffic by default. | In addition to service-specific firewall rules, ESXi has a default firewall rule policy to allow or deny incoming and outgoing traffic. Reduce the ris... |
| V-258770 | | The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce the Spanning Tree Protocol ... |
| V-258771 | | The ESXi host must configure virtual switch security policies to reject forged transmits. | If the virtual machine (VM) operating system changes the Media Access Control (MAC) address, the operating system can send frames with an impersonated... |
| V-258773 | | The ESXi host must configure virtual switch security policies to reject promiscuous mode requests. | When promiscuous mode is enabled for a virtual switch, all virtual machines (VMs) connected to the Portgroup have the potential to read all packets ac... |
| V-258774 | | The ESXi host must restrict use of the dvFilter network application programming interface (API). | If the organization is not using products that use the dvFilter network API, the host should not be configured to send network information to a virtua... |
| V-258775 | | The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches. | When a port group is set to VLAN 4095, the vSwitch passes all network frames to the attached virtual machines (VMs) without modifying the VLAN tags. I... |
| V-258777 | | The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. | Warnings that local or remote shell sessions are enabled alert administrators to activity they may not be aware of and need to investigate.... |
| V-258778 | | The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities. | The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance i... |
| V-258779 | | The ESXi host must verify certificates for SSL syslog endpoints. | When sending syslog data to a remote host, ESXi can be configured to use any combination of TCP, UDP, and SSL transports. When using SSL, the server c... |
| V-258780 | | The ESXi host must enable volatile key destruction. | By default, pages allocated for virtual machines (VMs), userspace applications, and kernel threads are zeroed out at allocation time. ESXi will always... |
| V-258781 | | The ESXi host must configure a session timeout for the vSphere API. | The vSphere API (VIM) allows for remote, programmatic administration of the ESXi host. Authenticated API sessions are no different from a risk perspec... |
| V-258782 | | The ESXi host must be configured with an appropriate maximum password age. | The older an ESXi local account password is, the larger the opportunity window is for attackers to guess, crack or reuse a previously cracked password... |
| V-258783 | | The ESXi Common Information Model (CIM) service must be disabled. | The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming int... |
| V-258784 | | The ESXi host must use DOD-approved certificates. | The default self-signed host certificate issued by the VMware Certificate Authority (VMCA) must be replaced with a DOD-approved certificate when the h... |
| V-258785 | | The ESXi host Secure Shell (SSH) daemon must disable port forwarding. | While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on the ESXi hypervi... |
| V-258786 | | The ESXi host OpenSLP service must be disabled. | OpenSLP implements the Service Location Protocol to help CIM clients discover CIM servers over TCP 427. This service is not widely needed and has had ... |
| V-258787 | | The ESXi host must enable audit logging. | ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization... |
| V-258788 | | The ESXi host must off-load audit records via syslog. | ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization... |
| V-258789 | | The ESXi host must enable strict x509 verification for SSL syslog endpoints. | When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verific... |
| V-258790 | | The ESXi host must forward audit records containing information to establish what type of events occurred. | Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage ... |
| V-258791 | | The ESXi host must not be configured to override virtual machine (VM) configurations. | Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host ... |
| V-258792 | | The ESXi host must not be configured to override virtual machine (VM) logger settings. | Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host ... |
| V-258793 | | The ESXi host must require TPM-based configuration encryption. | An ESXi host's configuration consists of configuration files for each service that runs on the host. The configuration files typically reside in the /... |
| V-258794 | | The ESXi host must configure the firewall to restrict access to services running on the host. | Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring t... |
| V-258795 | | The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | If a host is configured to join an Active Directory domain using Host Profiles and/or Auto Deploy, the Active Directory credentials are saved in the p... |
| V-258796 | | The ESXi host must not use the default Active Directory ESX Admin group. | When adding ESXi hosts to Active Directory, all user/group accounts assigned to the Active Directory group "ESX Admins" will have full administrative ... |
| V-258797 | | The ESXi host must configure a persistent log location for all locally stored logs. | ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". W... |
| V-258798 | | The ESXi host must enforce the exclusive running of executables from approved VIBs. | The "execInstalledOnly" advanced ESXi boot option, when set to TRUE, guarantees that the VMkernel executes only those binaries that have been packaged... |
| V-258799 | | The ESXi host must use sufficient entropy for cryptographic operations. | Starting in vSphere 8.0, the ESXi Entropy implementation supports the FIPS 140-3 and EAL4 certifications. Kernel boot options control which entropy so... |
| V-258800 | | The ESXi host must not enable log filtering. | The log filtering capability allows users to modify the logging policy of the syslog service that is running on an ESXi host. Users can create log fil... |
| V-258737 | | The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory. | Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain multiple local user accounts. Using Active Directory for us... |
| V-258763 | | The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports. | SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This functi... |
| V-258765 | | The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions. | Setting a timeout ensures that a user login will be terminated as soon as the "ClientAliveCountMax" is reached.... |
| V-258766 | | The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions. | Automatically logging out idle users guards against compromises via hijacked administrative sessions.... |
| V-258768 | | The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing. | Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try to det... |
| V-258732 | | The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
OpenSSH... |
| V-258746 | | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified. | Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image profile su... |
| V-258749 | | The ESXi host must maintain the confidentiality and integrity of information during transmission by exclusively enabling Transport Layer Security (TLS) 1.2. | TLS 1.0 and 1.1 are deprecated protocols with well-published shortcomings and vulnerabilities. TLS 1.2 should be enabled on all interfaces and SSLv3, ... |
| V-258772 | | The ESXi host must configure virtual switch security policies to reject Media Access Control (MAC) address changes. | If the virtual machine (VM) operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This all... |
| V-258776 | | The ESXi host must have all security patches and updates installed. | Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities.... |
