VMware vSphere 8.0 ESXi Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The ESXi host must enforce the exclusive running of executables from approved VIBs.
The "execInstalledOnly" advanced ESXi boot option, when set to TRUE, guarantees that the VMkernel executes only those binaries that have been packaged as part of a signed VIB. While this option is ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
SRG-OS-000480-VMM-002000
Group -
The ESXi host must not enable log filtering.
The log filtering capability allows users to modify the logging policy of the syslog service that is running on an ESXi host. Users can create log filters to reduce the number of repetitive entries...Rule Medium Severity -
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Once the configured number of attempts is ...Rule Medium Severity -
The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
Display of a standardized and approved use notification before granting access to the host ensures privacy and security notification verbiage used is consistent with applicable federal laws, Execut...Rule Medium Severity -
The ESXi must produce audit records containing information to establish what type of events occurred.
Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Satisfies: SRG-OS-000037-VMM-00015...Rule Medium Severity -
The ESXi host must enforce password complexity by configuring a password quality policy.
To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid...Rule Medium Severity -
The ESXi host must set a timeout to automatically end idle shell sessions after fifteen minutes.
If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely and increase the likelihood of inappropriate host access via session hija...Rule Medium Severity -
The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
In order to ensure ESXi has sufficient storage capacity in which to write the audit logs, audit record storage capacity should be configured. If a central audit record storage facility is availab...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.