On April 18, 2023, VMware released their “VMware vSphere 8.0 STIG Readiness Guide”. This guide, while not an official STIG, is based on years of experience assisting the DoD in generating the official DISA STIG releases for previous VMware vSphere product versions. Based on its knowledge of the DoD SRGs and previous STIGs, VMware is confident that the guidance provided within the VMware vSphere 8 STIG Readiness Guide would enable an environment to pass certification with minimal changes should an official DISA STIG be released by the DoD.
You should take note of the following quote from VMware vSphere 8.0 STIG Readiness Guide Overview document:
“This project represents VMware’s effort to document our compliance against the SRG requirements and nothing more. A published STIG is our eventual goal, in most cases, but this content should not be viewed to be “as good as a STIG”. A DISA published STIG includes technical validation, review of requirement fulfillment, accuracy and style, risk acceptance and is digitally signed by the RME and posted on cyber.mil. Except for products that already have published STIGs, there is no explicit or implied DISA approval of the provided content. We also make no guarantee that any STIG(s) will be published from this content in the future.”
Compliance Content Included
The following VMware vSphere 8.0 STIG Readiness Guide components are included in my VMware Aria Operations compliance content downloads:
- VMware vSphere 8.0 Virtual Machine STIG Readiness Guide - Version 1, Release 1
- VMware vSphere 8.0 ESXi STIG Readiness Guide - Version 1, Release 1
- VMware vSphere 8.0 vCenter Application STIG Readiness Guide - Version 1, Release 1
My VMware Aria Operations compliance content is broken into two types of downloads. The first is a single download that includes all of the symptom, alert, and recommendation content together with a custom compliance benchmark definition. The second is a set of downloads containing the alert/symptom/recommendation content for each of the individual components (virtual machine, ESXi, vCenter application). The content can be downloaded from the Downloads page on this site.
Additionally, each download contains a DISA STIG Viewer checklist that corresponds to the objects being checked in VMware Aria Operations. The checklist is partially completed to represent all of the checks that are included in the VMware Aria Operations compliance content. This gives you a starting point for your own checklists once VMware Aria Operations confirms compliance for all of the checks included in my compliance content downloads.
I have attempted to include automated compliance checks for as many of the guide's requirements as possible. Unfortunately, due to limitations in the data collected by Aria Operations, or because various requirements can only be verified manually, only a subset of the compliance checks are included. I have noted the excluded checks within the notes for each of the VMware Aria Operations Alerts. Additionally, below is a list of those checks that are not included in my compliance content download:
VMware vSphere 8.0 Virtual Machine STIG Readiness Guide - Version 1, Release 1
- VMCH-80-000204 - Virtual machines (VMs) must enable encryption for Fault Tolerance.
VMware vSphere 8.0 ESXi STIG Readiness Guide - Version 1, Release 1
- ESXI-80-000006 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
- ESXI-80-000010 - The ESXi host client must be configured with an idle session timeout.
- ESXI-80-000014 - The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
- ESXI-80-000052 - The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.
- ESXI-80-000085 - The ESXi host must implement Secure Boot enforcement.
- ESXI-80-000094 - The ESXi host must enable Secure Boot.
- ESXI-80-000113 - The ESXi host must allocate audit record storage capacity to store at least one week's worth of audit records.
- ESXI-80-000160 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
- ESXI-80-000187 - The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers.
- ESXI-80-000191 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
- ESXI-80-000192 - The ESXi host Secure Shell (SSH) daemon must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
- ESXI-80-000198 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating ESXi management traffic.
- ESXI-80-000199 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
- ESXI-80-000201 - The ESXi host lockdown mode exception users list must be verified.
- ESXI-80-000202 - The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
- ESXI-80-000203 - The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
- ESXI-80-000204 - The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
- ESXI-80-000205 - The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
- ESXI-80-000206 - The ESXi host Secure Shell (SSH) daemon must not allow compression.
- ESXI-80-000207 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
- ESXI-80-000208 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
- ESXI-80-000209 - The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
- ESXI-80-000210 - The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
- ESXI-80-000211 - The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
- ESXI-80-000212 - The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c.
- ESXI-80-000214 - The ESXi host must configure the firewall to block network traffic by default.
- ESXI-80-000220 - The ESXi host must restrict the use of Virtual Guest Tagging (VGT) on standard switches.
- ESXI-80-000221 - The ESXi host must have all security patches and updates installed.
- ESXI-80-000224 - The ESXi host must verify certificates for SSL syslog endpoints.
- ESXI-80-000225 - The ESXi host must enable volatile key destruction.
- ESXI-80-000226 - The ESXi host must configure a session timeout for the vSphere API.
- ESXI-80-000227 - The ESXi host must be configured with an appropriate maximum password age.
- ESXI-80-000229 - The ESXi host must use DOD-approved certificates.
- ESXI-80-000230 - The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
- ESXI-80-000232 - The ESXi host must enable audit logging.
- ESXI-80-000233 - The ESXi host must off-load audit records via syslog.
- ESXI-80-000234 - The ESXi host must enable strict x509 verification for SSL syslog endpoints.
- ESXI-80-000235 - The ESXi host must forward audit records containing information to establish what type of events occurred.
- ESXI-80-000236 - The ESXi host must not be configured to override virtual machine (VM) configurations.
- ESXI-80-000237 - The ESXi host must not be configured to override virtual machine (VM) logger settings.
- ESXI-80-000238 - The ESXi host must require TPM-based configuration encryption.
- ESXI-80-000240 - The ESXi host when using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
- ESXI-80-000241 - The ESXi host must not use the default Active Directory ESX Admin group.
- ESXI-80-000243 - The ESXi host must configure a persistent log location for all locally stored logs.
- ESXI-80-000244 - The ESXi host must enforce the exclusive running of executables from approved VIBs.
- ESXI-80-000245 - The ESXi host must use sufficient entropy for cryptographic operations.
- ESXI-80-000246 - The ESXi host must not enable log filtering.
VMware vSphere 8.0 vCenter Application STIG Readiness Guide - Version 1, Release 1
- VCSA-80-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
- VCSA-80-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before logon.
- VCSA-80-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
- VCSA-80-000057 - vCenter Server plugins must be verified.
- VCSA-80-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
- VCSA-80-000060 - The vCenter Server must require multifactor authentication.
- VCSA-80-000069 - The vCenter Server passwords must be at least 15 characters in length.
- VCSA-80-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.
- VCSA-80-000071 - The vCenter Server passwords must contain at least one uppercase character.
- VCSA-80-000072 - The vCenter Server passwords must contain at least one lowercase character.
- VCSA-80-000073 - The vCenter Server passwords must contain at least one numeric character.
- VCSA-80-000074 - The vCenter Server passwords must contain at least one special character.
- VCSA-80-000077 - The vCenter Server must enable FIPS-validated cryptography.
- VCSA-80-000079 - The vCenter Server must enforce a 90-day maximum password lifetime restriction.
- VCSA-80-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.
- VCSA-80-000089 - The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
- VCSA-80-000095 - The vCenter Server user roles must be verified.
- VCSA-80-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
- VCSA-80-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
- VCSA-80-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
- VCSA-80-000150 - The vCenter server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.
- VCSA-80-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
- VCSA-80-000196 - The vCenter Server must enable data at rest encryption for vSAN.
- VCSA-80-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
- VCSA-80-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.
- VCSA-80-000265 - The vCenter server must disable SNMPv1/2 receivers.
- VCSA-80-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.
- VCSA-80-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
- VCSA-80-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
- VCSA-80-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
- VCSA-80-000275 - The vCenter Server must configure the “vpxuser” auto-password to be changed every 30 days.
- VCSA-80-000276 - The vCenter Server must configure the “vpxuser” password to meet length policy.
- VCSA-80-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
- VCSA-80-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.
- VCSA-80-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
- VCSA-80-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
- VCSA-80-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.
- VCSA-80-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
- VCSA-80-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions.
- VCSA-80-000285 - The vCenter Server must restrict access to cryptographic permissions.
- VCSA-80-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
- VCSA-80-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
- VCSA-80-000288 - The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
- VCSA-80-000290 - The vCenter Server must limit membership to the “SystemConfiguration.BashShellAdministrators” Single Sign-On (SSO) group.
- VCSA-80-000291 - The vCenter Server must limit membership to the “TrustedAdmins” Single Sign-On (SSO) group.
- VCSA-80-000293 - The vCenter server must have task and event retention set to at least 30 days.
- VCSA-80-000294 - The vCenter server Native Key Provider must be backed up with a strong password.
- VCSA-80-000295 - The vCenter server must require authentication for published content libraries.
- VCSA-80-000296 - The vCenter server must enable the OVF security policy for content libraries.
- VCSA-80-000298 - The vCenter Server must separate authentication and authorization for administrators.
- VCSA-80-000299 - The vCenter Server must disable CDP/LLDP on distributed switches.
- VCSA-80-000300 - The vCenter Server must remove unauthorized port mirroring sessions on distributed switches.
- VCSA-80-000302 - The vCenter Server must reset port configuration when virtual machines are disconnected.
- VCSA-80-000303 - The vCenter Server must disable Secure Shell (SSH) access.
- VCSA-80-000304 - The vCenter Server must enable data in transit encryption for vSAN.