VMware vSphere 7.0 ESXi Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The ESXi host must use DOD-approved certificates.

    The default self-signed host certificate issued by the VMware Certificate Authority (VMCA) must be replaced with a DOD-approved certificate when the host will be accessed directly, such as during a...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must not suppress warnings that the local or remote shell sessions are enabled.

    Warnings that local or remote shell sessions are enabled alert administrators to activity they may not be aware of and need to investigate.
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities.

    The L1 Terminal Fault (L1TF) CPU vulnerabilities published in 2018 have patches and mitigations available in vSphere. However, there are performance impacts to these mitigations that require carefu...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host Secure Shell (SSH) daemon must disable port forwarding.

    While enabling Transmission Control Protocol (TCP) tunnels is a valuable function of sshd, this feature is not appropriate for use on the ESXi hypervisor.
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must enable audit logging.

    ESXi offers both local and remote audit recordkeeping to meet the requirements of the NIAP Virtualization Protection Profile and Server Virtualization Extended Package. Local records are stored on ...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must enable strict x509 verification for SSL syslog endpoints.

    When sending syslog data to a remote host via SSL, the ESXi host is presented with the endpoint's SSL server certificate. In addition to trust verification, configured elsewhere, this "x509-strict"...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must verify certificates for SSL syslog endpoints.

    When sending syslog data to a remote host, ESXi can be configured to use any combination of TCP, UDP and SSL transports. When using SSL, the server certificate must be validated to ensure that the ...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi host must configure a session timeout for the vSphere API.

    The vSphere API (VIM) allows for remote, programmatic administration of the ESXi host. Authenticated API sessions are no different from a risk perspective than authenticated UI sessions and they ne...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    Group
  • The ESXi Host Client must be configured with a session timeout.

    The ESXi Host Client is the UI served up by the host itself, outside of vCenter. It is accessed by browsing to "https://<ESX FQDN>/ui". ESXi is not usually administered via this interface for long ...
    Rule Medium Severity
  • SRG-OS-000033-VMM-000140

    Group