- DISA_STIG_VMware_vSphere_ESXi_6.7_v1r1.audit from DISA VMware vSphere 6.7 ESXi v1r1 STIG
- ESXI-67-000001 - Access to the ESXi host must be limited by enabling Lockdown Mode.
- ESXI-67-000002 - The ESXi host must verify the DCUI.Access list.
- ESXI-67-000003 - The ESXi host must verify the exception users list for Lockdown Mode.
- ESXI-67-000004 - Remote logging for ESXi hosts must be configured.
- ESXI-67-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
- ESXI-67-000006 - The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out.
- ESXI-67-000007 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the DCUI.
- ESXI-67-000008 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
- ESXI-67-000030 - The ESXi host must produce audit records containing information to establish what type of events occurred.
- ESXI-67-000031 - The ESXi host must enforce password complexity by requiring that at least one uppercase character be used.
- ESXI-67-000032 - The ESXi host must prohibit the reuse of passwords within five iterations.
- ESXI-67-000034 - The ESXi host must disable the Managed Object Browser (MOB).
- ESXI-67-000035 - The ESXi host must be configured to disable nonessential capabilities by disabling SSH.
- ESXI-67-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.
- ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication.
- ESXI-67-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
- ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
- ESXI-67-000040 - The ESXi host must use multifactor authentication for local DCUI access to privileged accounts.
- ESXI-67-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes.
- ESXI-67-000042 - The ESXi host must terminate shell services after 10 minutes.
- ESXI-67-000043 - The ESXi host must log out of the console UI after two minutes.
- ESXI-67-000045 - The ESXi host must enable a persistent log location for all locally stored logs.
- ESXI-67-000046 - The ESXi host must configure NTP time synchronization.
- ESXI-67-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
- ESXI-67-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
- ESXI-67-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
- ESXI-67-000052 - The ESXi host must protect the confidentiality and integrity of transmitted information by using different TCP/IP stacks where possible.
- ESXI-67-000053 - SNMP must be configured properly on the ESXi host.
- ESXI-67-000054 - The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic.
