DISA Releases STIGs for VMware vSphere 6.5

Update: On Oct 25, 2019, DISA released the first update to the VMware vSphere 6.5 STIGs

As of today, the Defense Information Systems Agency has made available the first STIGs for VMware vSphere 6.5. These STIGs can be downloaded from DoD Cyber Exchange here: DISA Virtualization STIG Downloads. The VMware vSphere 6.5 STIG ZIP file contains the following:

  • VMware vSphere 6.5 Version 1 Release 1 - Overview PDF
  • VMware vSphere 6.5 Version 1 Release 1 - Release Memo PDF
  • VMware vSphere 6.5 ESXi Security Technical Implementation Guide - Version 1, Release 1
  • VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide - Version 1, Release 1
  • VMware vSphere 6.5 Virtual Machine Security Technical Implementation Guide - Version 1, Release 1
  • vCenter 6.5 Smart Card Authentication Configuration Guide v1.2 PDF

vRealize Operations Compliance Alert content for the VMware vSphere 6.5 Virtual Machine and ESXi STIGs can be found on the following posts:

Changes Between vSphere 6.5 and 6.0 STIGs

After a quick comparison of the vSphere 6.5 versus the vSphere 6.0 STIGs, I’ve found the following changes:

VMware ESXi STIG Changes

New Rules for ESXi

STIG ID: ESXI-65-000073
Severity: CAT II
Rule Title: The ESXi host must enable TLS 1.2 exclusively for the SFCB service.

STIG ID: ESXI-65-000074
Severity: CAT II
Rule Title: The ESXi host must exclusively enable TLS 1.2 for the ioFilter, vSANVP and reverse proxy services.

STIG ID: ESXI-65-000075
Severity: CAT II
Rule Title: The ESXi host must exclusively enable TLS 1.2 for the authd service.

STIG ID: ESXI-65-000076
Severity: CAT II
Rule Title: The ESXi host must enable Secure Boot.

STIG ID: ESXI-65-000078
Severity: CAT II
Rule Title: The ESXi host must use DoD-approved certificates.

Rules Removed for ESXi (compared to 6.0 STIG)

STIG ID: ESXI-06-000073
Severity: CAT II
Rule Title: The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.

STIG ID: ESXI-06-000074
Severity: CAT III
Rule Title: The system must enable the VSAN Health Check.

STIG ID: ESXI-06-000075
Severity: CAT III
Rule Title: The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.

STIG ID: ESXI-06-000076
Severity: CAT III
Rule Title: The system must configure the VSAN Datastore name to a unique name.

Updated Rules for ESXi

Old STIG ID: ESXI-06-000010 & ESXI-06-100010
Rule Title: The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
New STIG ID: ESXI-65-000010 & ESXI-65-100010
Rule Title: The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
Change: The list of acceptable sshd ciphers has been updated from "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc" to "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" (the CBC-mode ciphers are no longer permitted).
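As an added example (not from this post, DISA, or VMware), the following Python checker applies the updated 6.5 cipher list to the text of an sshd_config, distinguishing a host still carrying the 6.0 list (CBC ciphers present), a host with no Ciphers line at all, and a compliant host. The sample configs are constructed; the assumption that any deviation from the three listed ciphers is a finding follows from the rule title and the quoted list above.

```python
import re

# Cipher list named by the vSphere 6.5 ESXi STIG (ESXI-65-000010 / ESXI-65-100010)
STIG_65_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]

# Constructed sample: a host hardened to the older 6.0 list, which still allowed CBC mode
OLD_60_CONFIG = """# sshd_config (constructed sample)
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
"""

# Constructed sample: a host set to the 6.5 list
NEW_65_CONFIG = """# sshd_config (constructed sample)
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""


def parse_ciphers(sshd_config: str):
    """Return the cipher list from the first effective 'Ciphers' line, or None if absent.

    sshd uses the first value it sees for a keyword, matches keywords
    case-insensitively, and ignores commented lines.
    """
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(?i)^ciphers\s+(\S+)", stripped)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return None


def check_sshd_ciphers(sshd_config: str) -> dict:
    """Evaluate sshd_config text against the 6.5 cipher list.

    Any cipher outside the list, any listed cipher that is missing, or the
    absence of a Ciphers line (sshd's compiled-in defaults apply) is a finding.
    """
    configured = parse_ciphers(sshd_config)
    if configured is None:
        return {"compliant": False, "configured": None,
                "not_allowed": [], "missing": list(STIG_65_CIPHERS)}
    not_allowed = [c for c in configured if c not in STIG_65_CIPHERS]
    missing = [c for c in STIG_65_CIPHERS if c not in configured]
    return {"compliant": not not_allowed and not missing, "configured": configured,
            "not_allowed": not_allowed, "missing": missing}
```

On an ESXi host the input would be the contents of /etc/ssh/sshd_config read over SSH; the checker itself has no VMware dependency.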

VMware vCenter for Windows

New Rules for vCenter for Windows

STIG ID: VCWN-65-000057
Severity: CAT II
Rule Title: The vCenter Server for Windows must enable TLS 1.2 exclusively.

STIG ID: VCWN-65-000058
Severity: CAT II
Rule Title: The vCenter Server for Windows reverse proxy must use DoD approved certificates.

STIG ID: VCWN-65-000059
Severity: CAT II
Rule Title: The vCenter Server for Windows must enable certificate based authentication.

STIG ID: VCWN-65-000060
Severity: CAT II
Rule Title: The vCenter Server for Windows must enable revocation checking for certificate based authentication.

STIG ID: VCWN-65-000061
Severity: CAT III
Rule Title: The vCenter Server for Windows must disable Password and Windows integrated authentication.

STIG ID: VCWN-65-000062
Severity: CAT III
Rule Title: The vCenter Server for Windows must enable Login banner for vSphere web client.

STIG ID: VCWN-65-000063
Severity: CAT II
Rule Title: The vCenter Server for Windows must restrict access to cryptographic role.

STIG ID: VCWN-65-000064
Severity: CAT II
Rule Title: The vCenter Server for Windows must restrict access to cryptographic permissions.

STIG ID: VCWN-65-000065
Severity: CAT III
Rule Title: The vCenter Server for Windows must have Mutual CHAP configured for vSAN iSCSI targets.

STIG ID: VCWN-65-000066
Severity: CAT III
Rule Title: The vCenter Server for Windows must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).

STIG ID: VCWN-65-000067
Severity: CAT III
Rule Title: The vCenter Server for Windows must disable the Customer Experience Improvement Program (CEIP).

STIG ID: VCWN-65-000068
Severity: CAT II
Rule Title: The vCenter Server for Windows must use LDAPS when adding an SSO identity source.

STIG ID: VCWN-65-000069
Severity: CAT II
Rule Title: The vCenter Server for Windows must use a limited privilege account when adding an LDAP identity source.

STIG ID: VCWN-65-006000
Severity: CAT II
Rule Title: The vCenter Server for Windows must disable SNMPv1.

Updated Rules for vCenter for Windows

Old STIG ID: VCWN-06-000052
Old Rule Title: The system must enable the VSAN Health Check.
New STIG ID: VCWN-65-000053
New Rule Title: The vCenter Server for Windows must enable the vSAN Health Check.
Change: The severity changed from CAT III in the vCenter 6.0 STIG to CAT II in the vCenter 6.5 STIG

Old STIG ID: VCWN-06-000053
Old Rule Title: The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.
New STIG ID: VCWN-65-000054
New Rule Title: The vCenter Server for Windows must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
Change: The severity changed from CAT III in the vCenter 6.0 STIG to CAT II in the vCenter 6.5 STIG

Old STIG ID: VCWN-06-000054
Old Rule Title: The system must configure the VSAN Datastore name to a unique name.
New STIG ID: VCWN-65-000055
New Rule Title: The vCenter Server for Windows must configure the vSAN Datastore name to a unique name.
Change: The severity changed from CAT III in the vCenter 6.0 STIG to CAT II in the vCenter 6.5 STIG

VMware Virtual Machines

New Rules for Virtual Machines

STIG ID: VMCH-65-000044
Severity: CAT II
Rule Title: The virtual machine guest operating system must be locked when the last console connection is closed.

STIG ID: VMCH-65-000045
Severity: CAT III
Rule Title: 3D features on the virtual machine must be disabled when not required.

STIG ID: VMCH-65-000046
Severity: CAT II
Rule Title: Encryption must be enabled for vMotion on the virtual machine.

STIG ID: VMCH-65-000047
Severity: CAT II
Rule Title: The virtual machine guest operating system must be locked when the last console connection is closed.

STIG ID: VMCH-65-000048
Severity: CAT III
Rule Title: 3D features on the virtual machine must be disabled when not required.

STIG ID: VMCH-65-000049
Severity: CAT II
Rule Title: Encryption must be enabled for vMotion on the virtual machine.

Removed Rules for Virtual Machines (compared to 6.0 STIG)

STIG ID: VMCH-06-000010
Severity: CAT III
Rule Title: The unexposed feature keyword isolation.bios.bbs.disable must be set.

STIG ID: VMCH-06-000011
Severity: CAT III
Rule Title: The unexposed feature keyword isolation.tools.getCreds.disable must be set.

STIG ID: VMCH-06-000016
Severity: CAT III
Rule Title: The unexposed feature keyword isolation.tools.dispTopoRequest.disable must be set.

STIG ID: VMCH-06-000017
Severity: CAT III
Rule Title: The unexposed feature keyword isolation.tools.trashFolderState.disable must be set.

STIG ID: VMCH-06-000027
Severity: CAT III
Rule Title: The system must disable VIX messages from the VM.

STIG ID: VMCH-06-000035
Severity: CAT III
Rule Title: The system must disable tools auto install.

STIG ID: VMCH-06-000038
Severity: CAT II
Rule Title: The system must prevent unauthorized removal, connection and modification of devices.

Updated Rules for Virtual Machines

Old STIG ID: VMCH-06-000005
Old Rule Title: The system must disable virtual disk shrinking.
New STIG ID: VMCH-65-000005
New Rule Title: Virtual disk shrinking must be disabled on the virtual machine.
Change: The severity changed from CAT I in the Virtual Machine 6.0 STIG to CAT II in the Virtual Machine 6.5 STIG

Old STIG ID: VMCH-06-000006
Old Rule Title: The system must disable virtual disk erasure.
New STIG ID: VMCH-65-000006
New Rule Title: Virtual disk erasure must be disabled on the virtual machine.
Change: The severity changed from CAT I in the Virtual Machine 6.0 STIG to CAT II in the Virtual Machine 6.5 STIG

Old STIG ID: VMCH-06-000007
Old Rule Title: The system must not use independent, non-persistent disks.
New STIG ID: VMCH-65-000007
New Rule Title: Independent, non-persistent disks must not be used on the virtual machine.
Change: The severity changed from CAT I in the Virtual Machine 6.0 STIG to CAT II in the Virtual Machine 6.5 STIG
