I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000027-VMM-000080
Group -
Access to the ESXi host must be limited by enabling lockdown mode.
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCe...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
The ESXi host must verify the DCUI.Access list.
Lockdown mode disables direct host access, requiring that administrators manage hosts from vCenter Server. However, if a host becomes isolated from vCenter, the administrator is locked out and can ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
The ESXi host must verify the exception users list for lockdown mode.
While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permissions when the host enters lockdown mode. The...Rule Medium Severity -
SRG-OS-000032-VMM-000130
Group -
Remote logging for ESXi hosts must be configured.
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It...Rule Medium Severity -
SRG-OS-000021-VMM-000050
Group -
The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
By limiting the number of failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Once the configured number of attempts is ...Rule Medium Severity -
SRG-OS-000329-VMM-001180
Group -
The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.
By enforcing a reasonable unlock timeout after multiple failed logon attempts, the risk of unauthorized access via user password guessing, otherwise known as brute forcing, is reduced. Users must w...Rule Medium Severity -
SRG-OS-000023-VMM-000060
Group -
The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-VMM-000060, SRG-OS-0...Rule Medium Severity -
SRG-OS-000023-VMM-000060
Group -
The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
Failure to display the DOD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.Rule Medium Severity -
SRG-OS-000023-VMM-000060
Group -
The ESXi host SSH daemon must be configured with the DOD logon banner.
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should...Rule Medium Severity -
SRG-OS-000033-VMM-000140
Group -
The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module that is enabled by default. For backward compatibility reasons, this can be disabled so this setting can be audited a...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.