The United States (U.S.) Department of Defense (DoD) Defense Information Systems Agency (DISA) officially released the first update to the VMware vSphere 7.0 STIG on July 26, 2023. I have updated my custom compliance and alerting content for use within Aria Operations. This content covers almost all findings for the Virtual Machine STIG, a large portion of the ESXi STIG, and a select number of items from the vCenter STIG.
Compliance Content Included
The following VMware vSphere 7.0 STIG components are included in my VMware Aria Operations compliance content downloads:
- VMware vSphere 7.0 Virtual Machine STIG - Version 1, Release 2
- VMware vSphere 7.0 ESXi STIG - Version 1, Release 2
- VMware vSphere 7.0 vCenter STIG - Version 1, Release 2
My VMware Aria Operations compliance content is broken into two types of downloads. The first is a single download that includes all of the symptom, alert, and recommendation content together with a custom compliance benchmark definition. The second is a separate download of the alert/symptom/recommendation content for each component (virtual machine, ESXi host, vCenter application). The content can be downloaded from the Downloads page on this site.
I have attempted to include automated compliance checks for as many of these components as possible. Unfortunately, only a subset of the checks could be automated, either because Aria Operations does not collect the data needed to evaluate them or because the STIG requires that the check be verified manually. I have noted the excluded checks within the notes for each of the VMware Aria Operations alerts. Additionally, below is a list of the checks that are not included in my compliance content download:
VMware vSphere 7.0 Virtual Machine STIG - Version 1, Release 2
- VMCH-70-000020 - System administrators must use templates to deploy virtual machines (VMs) whenever possible.
- VMCH-70-000021 - Use of the virtual machine (VM) console must be minimized.
- VMCH-70-000029 - Encryption must be enabled for Fault Tolerance on the virtual machine (VM).
VMware vSphere 7.0 ESXi STIG - Version 1, Release 2
- ESXI-70-000003 - The ESXi host must verify the exception users list for lockdown mode.
- ESXI-70-000007 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI).
- ESXI-70-000008 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH).
- ESXI-70-000009 - The ESXi host SSH daemon must be configured with the DOD logon banner.
- ESXI-70-000010 - The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
- ESXI-70-000012 - The ESXi host Secure Shell (SSH) daemon must ignore “.rhosts” files.
- ESXI-70-000013 - The ESXi host Secure Shell (SSH) daemon must not allow host-based authentication.
- ESXI-70-000015 - The ESXi host Secure Shell (SSH) daemon must not allow authentication using an empty password.
- ESXI-70-000016 - The ESXi host Secure Shell (SSH) daemon must not permit user environment settings.
- ESXI-70-000020 - The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files.
- ESXI-70-000021 - The ESXi host Secure Shell (SSH) daemon must not allow compression or must only allow compression after successful authentication.
- ESXI-70-000022 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow gateway ports.
- ESXI-70-000023 - The ESXi host Secure Shell (SSH) daemon must be configured to not allow X11 forwarding.
- ESXI-70-000025 - The ESXi host Secure Shell (SSH) daemon must not permit tunnels.
- ESXI-70-000026 - The ESXi host Secure Shell (SSH) daemon must set a timeout count on idle sessions.
- ESXI-70-000027 - The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions.
- ESXI-70-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
- ESXI-70-000048 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.
- ESXI-70-000049 - The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.
- ESXI-70-000050 - The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.
- ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default.
- ESXI-70-000063 - All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN).
- ESXI-70-000064 - All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required.
- ESXI-70-000065 - All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches.
- ESXI-70-000070 - The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
- ESXI-70-000072 - The ESXi host must have all security patches and updates installed.
- ESXI-70-000076 - The ESXi host must enable Secure Boot.
- ESXI-70-000078 - The ESXi host must use DOD-approved certificates.
- ESXI-70-000082 - The ESXi host Secure Shell (SSH) daemon must disable port forwarding.
- ESXI-70-000084 - The ESXi host must enable audit logging.
- ESXI-70-000085 - The ESXi host must enable strict x509 verification for SSL syslog endpoints.
- ESXI-70-000086 - The ESXi host must verify certificates for SSL syslog endpoints.
- ESXI-70-000087 - The ESXi host must enable volatile key destruction.
- ESXI-70-000088 - The ESXi host must configure a session timeout for the vSphere API.
- ESXI-70-000089 - The ESXi Host Client must be configured with a session timeout.
- ESXI-70-000090 - The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
- ESXI-70-000091 - The ESXi host must be configured with an appropriate maximum password age.
- ESXI-70-000092 - The ESXi host must not be configured to override virtual machine (VM) configurations.
- ESXI-70-000093 - The ESXi host must not be configured to override virtual machine (VM) logger settings.
- ESXI-70-000094 - The ESXi host must require TPM-based configuration encryption.
- ESXI-70-000095 - The ESXi host must implement Secure Boot enforcement.
- ESXI-70-000274 - The ESXi host SSH daemon must be configured to only use FIPS 140-2 validated ciphers.
VMware vSphere 7.0 vCenter STIG - Version 1, Release 2
- VCSA-70-000009 - The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
- VCSA-70-000024 - The vCenter Server must display the Standard Mandatory DOD Notice and Consent Banner before login.
- VCSA-70-000034 - The vCenter Server must produce audit records containing information to establish what type of events occurred.
- VCSA-70-000057 - vCenter Server plugins must be verified.
- VCSA-70-000059 - The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
- VCSA-70-000060 - The vCenter Server must require multifactor authentication.
- VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length.
- VCSA-70-000070 - The vCenter Server must prohibit password reuse for a minimum of five generations.
- VCSA-70-000071 - The vCenter Server passwords must contain at least one uppercase character.
- VCSA-70-000072 - The vCenter Server passwords must contain at least one lowercase character.
- VCSA-70-000073 - The vCenter Server passwords must contain at least one numeric character.
- VCSA-70-000074 - The vCenter Server passwords must contain at least one special character.
- VCSA-70-000077 - The vCenter Server must enable FIPS-validated cryptography.
- VCSA-70-000079 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
- VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.
- VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
- VCSA-70-000095 - The vCenter Server users must have the correct roles assigned.
- VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC).
- VCSA-70-000123 - The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.
- VCSA-70-000145 - The vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.
- VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.
- VCSA-70-000248 - The vCenter Server must disable the Customer Experience Improvement Program (CEIP).
- VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.
- VCSA-70-000265 - The vCenter server must disable SNMPv1/2 receivers.
- VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.
- VCSA-70-000272 - The vCenter Server must configure all port groups to a value other than that of the native virtual local area network (VLAN).
- VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.
- VCSA-70-000274 - The vCenter Server must not configure all port groups to virtual local area network (VLAN) values reserved by upstream physical switches.
- VCSA-70-000275 - The vCenter Server must configure the “vpxuser” auto-password to be changed every 30 days.
- VCSA-70-000276 - The vCenter Server must configure the “vpxuser” password to meet length policy.
- VCSA-70-000277 - The vCenter Server must be isolated from the public internet but must still allow for patch notification and delivery.
- VCSA-70-000278 - The vCenter Server must use unique service accounts when applications connect to vCenter.
- VCSA-70-000279 - The vCenter Server must protect the confidentiality and integrity of transmitted information by isolating Internet Protocol (IP)-based storage traffic.
- VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.
- VCSA-70-000281 - The vCenter Server must disable or restrict the connectivity between vSAN Health Check and public Hardware Compatibility List (HCL) by use of an external proxy server.
- VCSA-70-000282 - The vCenter Server must configure the vSAN Datastore name to a unique name.
- VCSA-70-000283 - The vCenter Server must disable Username/Password and Windows Integrated Authentication.
- VCSA-70-000284 - The vCenter Server must restrict access to the default roles with cryptographic permissions.
- VCSA-70-000285 - The vCenter Server must restrict access to cryptographic permissions.
- VCSA-70-000286 - The vCenter Server must have Mutual Challenge Handshake Authentication Protocol (CHAP) configured for vSAN Internet Small Computer System Interface (iSCSI) targets.
- VCSA-70-000287 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s).
- VCSA-70-000288 - The vCenter Server must use secure Lightweight Directory Access Protocol (LDAPS) when adding an LDAP identity source.
- VCSA-70-000289 - The vCenter Server must use a limited privilege account when adding a Lightweight Directory Access Protocol (LDAP) identity source.
- VCSA-70-000290 - The vCenter Server must limit membership to the “SystemConfiguration.BashShellAdministrators” Single Sign-On (SSO) group.
- VCSA-70-000291 - The vCenter Server must limit membership to the “TrustedAdmins” Single Sign-On (SSO) group.
- VCSA-70-000293 - vCenter task and event retention must be set to at least 30 days.
- VCSA-70-000294 - vCenter Native Key Providers must be backed up with a strong password.