Aria Operations Compliance Content for the vSphere 7.0 STIG Readiness Guide is Available

Reading time: 10 minutes

Update: DISA released the official VMware vSphere 7.0 STIG on March 15, 2023. Information related to my updated compliance content can be found here.

While the United States (U.S.) Department of Defense (DoD) Defense Information Systems Agency (DISA) has not yet officially released a STIG for VMware vSphere 7.0, VMware has released what it calls the “VMware vSphere 7.0 STIG Readiness Guide”. This guide, while not an official STIG, is based on years of experience assisting the DoD in producing the official DISA STIG releases for previous VMware vSphere product versions. Based on its knowledge of the DoD SRGs and previous STIGs, VMware is confident that following the guidance in the VMware vSphere 7.0 STIG Readiness Guide would allow an environment to pass certification with minimal changes should an official DISA STIG be released.

You should take note of the following quote from the VMware vSphere 7.0 STIG Readiness Guide Overview document:

“This project represents VMware’s effort to document our compliance against the SRG requirements and nothing more. A published STIG is our eventual goal, in most cases, but this content should not be viewed to be “as good as a STIG”. A DISA published STIG includes technical validation, review of requirement fulfillment, accuracy and style, risk acceptance and is digitally signed by the RME and posted on cyber.mil. Except for products that already have published STIGs, there is no explicit or implied DISA approval of the provided content. We also make no guarantee that any STIG(s) will be published from this content in the future.”

Compliance Content Included

The following VMware vSphere 7.0 STIG Readiness Guide components are included in my VMware Aria Operations compliance content downloads:

  • VMware vSphere 7.0 Virtual Machine STIG Readiness Guide - Version 1, Release 4
  • VMware vSphere 7.0 ESXi STIG Readiness Guide - Version 1, Release 4
  • VMware vSphere 7.0 vCenter Application STIG Readiness Guide - Version 1, Release 4

My VMware Aria Operations compliance content is broken into two types of downloads. The first is a single package that includes all of the symptom, alert, and recommendation content together with a custom compliance benchmark definition. The second is a set of separate downloads containing the alert/symptom/recommendation content for each component (virtual machine, ESXi, vCenter application). The content can be downloaded from the Downloads page on this site.

I have attempted to include automated compliance checks for as many of these requirements as possible. Unfortunately, because of limitations in the data collected by Aria Operations, or because the guide requires manual verification for various requirements, only a subset of the compliance checks are included. I have noted the excluded checks in the notes of each VMware Aria Operations alert. Additionally, below is a list of the checks that are not included in my compliance content download:

VMware vSphere 7.0 Virtual Machine STIG Readiness Guide - Version 1, Release 4

  • VMCH-70-000020 - System administrators must use templates to deploy virtual machines whenever possible.
  • VMCH-70-000021 - Use of the virtual machine console must be minimized.
  • VMCH-70-000029 - Encryption must be enabled for Fault Tolerance on the virtual machine.

VMware vSphere 7.0 ESXi STIG Readiness Guide - Version 1, Release 4

  • ESXI-70-000003 - The ESXi host must verify the exception users list for Lockdown Mode.
  • ESXI-70-000007 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the DCUI.
  • ESXI-70-000008 - The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH.
  • ESXI-70-000009 - The ESXi host SSH daemon must be configured with the DoD logon banner.
  • ESXI-70-000010 - The ESXi host SSH daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
  • ESXI-70-000012 - The ESXi host SSH daemon must ignore .rhosts files.
  • ESXI-70-000013 - The ESXi host SSH daemon must not allow host-based authentication.
  • ESXI-70-000015 - The ESXi host SSH daemon must not allow authentication using an empty password.
  • ESXI-70-000016 - The ESXi host SSH daemon must not permit user environment settings.
  • ESXI-70-000020 - The ESXi host SSH daemon must perform strict mode checking of home directory configuration files.
  • ESXI-70-000021 - The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication.
  • ESXI-70-000022 - The ESXi host SSH daemon must be configured to not allow gateway ports.
  • ESXI-70-000023 - The ESXi host SSH daemon must be configured to not allow X11 forwarding.
  • ESXI-70-000025 - The ESXi host SSH daemon must not permit tunnels.
  • ESXI-70-000026 - The ESXi host SSH daemon must set a timeout count on idle sessions.
  • ESXI-70-000027 - The ESXi host SSH daemon must set a timeout interval on idle sessions.
  • ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
  • ESXI-70-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
  • ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
  • ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
  • ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default.
  • ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native VLAN.
  • ESXI-70-000064 - All port groups on standard switches must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.
  • ESXI-70-000065 - All port groups on standard switches must not be configured to VLAN values reserved by upstream physical switches.
  • ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications.
  • ESXI-70-000072 - The ESXi host must have all security patches and updates installed.
  • ESXI-70-000076 - The ESXi host must enable Secure Boot.
  • ESXI-70-000078 - The ESXi host must use DoD-approved certificates.
  • ESXI-70-000082 - The ESXi host SSH daemon must disable port forwarding.
  • ESXI-70-000083 - The ESXi host OpenSLP service must be disabled.
  • ESXI-70-000084 - The ESXi host must enable audit logging.
  • ESXI-70-000085 - The ESXi host must enable strict x509 verification for SSL syslog endpoints.
  • ESXI-70-000086 - The ESXi host must verify certificates for SSL syslog endpoints.
  • ESXI-70-000087 - The ESXi host must enable volatile key destruction.
  • ESXI-70-000088 - The ESXi host must configure a session timeout for the vSphere API.
  • ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout.
  • ESXI-70-000090 - The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
  • ESXI-70-000091 - The ESXi host must be configured with an appropriate maximum password age.
  • ESXI-70-000092 - The ESXi host must not be configured to override virtual machine configurations.
  • ESXI-70-000093 - The ESXi host must not be configured to override virtual machine logger settings.
  • ESXI-70-000094 - The ESXi host must require TPM-based configuration encryption.
  • ESXI-70-000095 - The ESXi host must implement Secure Boot enforcement.
  • ESXI-70-000274 - The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers.
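The SSH daemon items in the list above are among the checks the Aria Operations content cannot automate, so they end up being verified by hand. The following Python script is an added example (not part of this post or of the author's compliance content) that parses a copy of a host's OpenSSH sshd_config and reports those items as findings. The directive names are standard OpenSSH settings; the pairing of each Readiness Guide ID with a directive, the treatment of an absent directive as a finding, and the rule that the idle-session count and interval merely have to be positive are assumptions of this example, because the page gives the requirement titles but not the expected values. The FIPS cipher items (ESXI-70-000010 and ESXI-70-000274) are left out for the same reason. The sample configuration is constructed.

```python
"""Report the SSH-daemon Readiness Guide items above against an sshd_config.

Added example; the ID-to-directive mapping is an assumption, not the guide's.
"""
import re

# Assumed mapping from the Readiness Guide IDs listed on this page to the
# OpenSSH directive each requirement concerns, plus the values accepted here.
SSHD_CHECKS = {
    "ESXI-70-000012": ("IgnoreRhosts", {"yes"}),
    "ESXI-70-000013": ("HostbasedAuthentication", {"no"}),
    "ESXI-70-000015": ("PermitEmptyPasswords", {"no"}),
    "ESXI-70-000016": ("PermitUserEnvironment", {"no"}),
    "ESXI-70-000020": ("StrictModes", {"yes"}),
    "ESXI-70-000021": ("Compression", {"no", "delayed"}),
    "ESXI-70-000022": ("GatewayPorts", {"no"}),
    "ESXI-70-000023": ("X11Forwarding", {"no"}),
    "ESXI-70-000025": ("PermitTunnel", {"no"}),
    "ESXI-70-000082": ("AllowTcpForwarding", {"no"}),
}

# Idle-session items: the page says a count and an interval must be set but
# gives no numbers, so this example only requires a positive value (assumption).
SSHD_POSITIVE = {
    "ESXI-70-000026": "ClientAliveCountMax",
    "ESXI-70-000027": "ClientAliveInterval",
}

# Constructed sample configuration; two items are deliberately non-compliant.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
permituserenvironment = no
StrictModes yes
Compression delayed
GatewayPorts no
X11Forwarding yes
PermitTunnel no
ClientAliveCountMax 3
ClientAliveInterval 200
ClientAliveInterval 0
Match User backup
    AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    OpenSSH honours the first occurrence of a keyword, so duplicates later in
    the file are ignored here too. Parsing stops at the first Match block:
    directives inside it apply only to matching connections and need their
    own review rather than counting as the global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or by '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def evaluate(text):
    """Return {stig_id: (directive, observed_value, passed)}."""
    cfg = parse_sshd_config(text)
    results = {}
    for stig_id, (directive, allowed) in SSHD_CHECKS.items():
        observed = cfg.get(directive.lower())
        # An absent directive means the compiled-in default applies, which
        # differs between OpenSSH versions, so this example treats it as a
        # finding: the setting should be explicit on a hardened host.
        passed = observed is not None and observed.lower() in allowed
        results[stig_id] = (directive, observed, passed)
    for stig_id, directive in SSHD_POSITIVE.items():
        observed = cfg.get(directive.lower())
        passed = observed is not None and observed.isdigit() and int(observed) > 0
        results[stig_id] = (directive, observed, passed)
    return results


def findings(text):
    """Return the sorted list of Readiness Guide IDs that fail."""
    return sorted(sid for sid, (_, _, ok) in evaluate(text).items() if not ok)


if __name__ == "__main__":
    for sid, (directive, observed, ok) in sorted(evaluate(SAMPLE_SSHD_CONFIG).items()):
        status = "pass" if ok else "FINDING"
        print(f"{sid}  {directive:<24} {observed!s:<8} {status}")
```

Against the constructed sample the script reports two findings: ESXI-70-000023, because X11Forwarding is enabled, and ESXI-70-000082, because AllowTcpForwarding is only set inside a Match block and so is not the global setting. The second duplicate ClientAliveInterval line is ignored, matching how OpenSSH itself takes the first occurrence.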

VMware vSphere 7.0 vCenter Application STIG Readiness Guide - Version 1, Release 4

  • VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
  • VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DoD Notice and Consent Banner before logon.
  • VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
  • VCSA-70-000057 - vCenter Server plugins must be verified.
  • VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
  • VCSA-70-000060 - The vCenter Server must require multifactor authentication.
  • VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length.
  • VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.
  • VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character.
  • VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character.
  • VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character.
  • VCSA-70-000074 - The vCenter Server passwords must contain at least one special character.
  • VCSA-70-000077 - The vCenter Server must enable FIPS validated cryptography.
  • VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
  • VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate based authentication.
  • VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
  • VCSA-70-000095 - The vCenter Server users must have the correct roles assigned.
  • VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
  • VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the SA and ISSO, at a minimum, on every SSO account action.
  • VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
  • VCSA-70-000195 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
  • VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
  • VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.
  • VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers.
  • VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.
  • VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native VLAN.
  • VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
  • VCSA-70-000274 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
  • VCSA-70-000275 - The vCenter Server must configure the vpxuser auto-password to be changed every 30 days.
  • VCSA-70-000276 - The vCenter Server must configure the vpxuser password meets length policy.
  • VCSA-70-000277 - The vCenter Server must be isolated from the public Internet but must still allow for patch notification and delivery.
  • VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.
  • VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
  • VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.
  • VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List by use of an external proxy server.
  • VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.
  • VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
  • VCSA-70-000284 - The vCenter Server must restrict access to the cryptographic role.
  • VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions.
  • VCSA-70-000286 - The vCenter Server must have Mutual CHAP configured for vSAN iSCSI targets.
  • VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) re-issued at regular intervals for vSAN encrypted datastore(s).
  • VCSA-70-000288 - The vCenter Server must use LDAPS when adding an LDAP identity source.
  • VCSA-70-000289 - The vCenter Server must use a limited privilege account when adding an LDAP identity source.
  • VCSA-70-000290 - The vCenter Server must limit membership to the SystemConfiguration.BashShellAdministrators SSO group.
  • VCSA-70-000291 - The vCenter Server must limit membership to the TrustedAdmins SSO group.
  • VCSA-70-000293 - vCenter task and event retention must be set to at least 30 days.
  • VCSA-70-000294 - vCenter Native Key Providers must be backed up with a strong password.
