The United States (U.S.) Department of Defense (DoD) Defense Information Systems Agency (DISA) officially released the VMware vSphere 7.0 STIG on March 15, 2023. This STIG closely follows VMware’s vSphere 7.0 STIG Readiness Guide. As with previous STIG releases, I have created custom compliance and alerting content for use within Aria Operations. This content covers almost all findings for the Virtual Machine STIG, a large portion of the ESXi STIG, and a select number of items from the vCenter STIG.
Compliance Content Included
The following VMware vSphere 7.0 STIG components are included in my VMware Aria Operations compliance content downloads:
- VMware vSphere 7.0 Virtual Machine STIG - Version 1, Release 1
- VMware vSphere 7.0 ESXi STIG - Version 1, Release 1
- VMware vSphere 7.0 vCenter STIG - Version 1, Release 1
My VMware Aria Operations compliance content is broken into two types of downloads. The first is a single bundle that includes all of the symptom, alert, and recommendation content together with a custom compliance benchmark definition. The second is a separate alert/symptom/recommendation download for each component (virtual machine, ESXi host, vCenter application), without the benchmark definition. The content can be downloaded from the Downloads page on this site.
I have attempted to include automated compliance checks for as many of these components as possible. Unfortunately, only a subset of the compliance checks is included, either because Aria Operations does not collect the data a check needs or because the STIG requires manual verification of the item. I have noted the excluded checks within the notes for each of the VMware Aria Operations alerts. Additionally, below is a list of those checks that are not included in my compliance content download:
VMware vSphere 7.0 Virtual Machine STIG - Version 1, Release 1
- VMCH-70-000020 - System administrators must use templates to deploy virtual machines (VMs) whenever possible.
- VMCH-70-000021 - Use of the virtual machine (VM) console must be minimized.
- VMCH-70-000029 - Encryption must be enabled for Fault Tolerance on the virtual machine (VM).
VMware vSphere 7.0 ESXi STIG - Version 1, Release 1
- ESXI-70-000003 - The ESXi host must verify the exception users list for lockdown mode.
- ESXI-70-000007 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
- ESXI-70-000008 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
- ESXI-70-000009 - The ESXi host SSH daemon must be configured with the DOD logon banner.
- ESXI-70-000010 - The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
- ESXI-70-000012 - The ESXi host Secure Shell (SSH) daemon must ignore “.rhosts” files.
- ESXI-70-000013 - The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
- ESXI-70-000015 - The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
- ESXI-70-000016 - The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
- ESXI-70-000020 - The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
- ESXI-70-000021 - The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
- ESXI-70-000022 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
- ESXI-70-000023 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
- ESXI-70-000025 - The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
- ESXI-70-000026 - The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
- ESXI-70-000027 - The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
- ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
- ESXI-70-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
- ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
- ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
- ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default.
- ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
- ESXI-70-000064 - All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
- ESXI-70-000065 - All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
- ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
- ESXI-70-000072 - The ESXi host must have all security patches and updates installed.
- ESXI-70-000076 - The ESXi host must enable Secure Boot.
- ESXI-70-000078 - The ESXi host must use DOD-approved certificates.
- ESXI-70-000082 - The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
- ESXI-70-000084 - The ESXi host must enable audit logging.
- ESXI-70-000085 - The ESXi host must enable strict x509 verification for SSL syslog endpoints.
- ESXI-70-000086 - The ESXi host must verify certificates for SSL syslog endpoints.
- ESXI-70-000087 - The ESXi host must enable volatile key destruction.
- ESXI-70-000088 - The ESXi host must configure a session timeout for the vSphere API.
- ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout.
- ESXI-70-000090 - The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
- ESXI-70-000091 - The ESXi host must be configured with an appropriate maximum password age.
- ESXI-70-000092 - The ESXi host must not be configured to override virtual machine (VM) configurations.
- ESXI-70-000093 - The ESXi host must not be configured to override virtual machine (VM) logger settings.
- ESXI-70-000094 - The ESXi host must require TPM-based configuration encryption.
- ESXI-70-000095 - The ESXi host must implement Secure Boot enforcement.
- ESXI-70-000274 - The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers.
VMware vSphere 7.0 vCenter STIG - Version 1, Release 1
- VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
- VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.
- VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
- VCSA-70-000057 - vCenter Server plugins must be verified.
- VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
- VCSA-70-000060 - The vCenter Server must require multifactor authentication.
- VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length.
- VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.
- VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character.
- VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character.
- VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character.
- VCSA-70-000074 - The vCenter Server passwords must contain at least one special character.
- VCSA-70-000077 - The vCenter Server must enable FIPS-validated cryptography.
- VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
- VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.
- VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
- VCSA-70-000095 - The vCenter Server users must have the correct roles assigned.
- VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
- VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
- VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
- VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
- VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
- VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.
- VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers.
- VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.
- VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
- VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
- VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
- VCSA-70-000275 - The vCenter Server must configure the “vpxuser” auto-password to be changed every 30 days.
- VCSA-70-000276 - The vCenter Server must configure the “vpxuser” password to meet length policy.
- VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
- VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.
- VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
- VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.
- VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
- VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.
- VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
- VCSA-70-000284 - The vCenter Server must restrict access to the cryptographic role.
- VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions.
- VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
- VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
- VCSA-70-000288 - The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
- VCSA-70-000289 - The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.
- VCSA-70-000290 - The vCenter Server must limit membership to the “SystemConfiguration.BashShellAdministrators” Single Sign-On (SSO) group.
- VCSA-70-000291 - The vCenter Server must limit membership to the “TrustedAdmins” Single Sign-On (SSO) group.
- VCSA-70-000293 - vCenter task and event retention must be set to at least 30 days.
- VCSA-70-000294 - vCenter Native Key Providers must be backed up with a strong password.