Checked | Name | Title |
---|---|---|
☐ | SV-239258r674703_rule | Access to the ESXi host must be limited by enabling Lockdown Mode. |
☐ | SV-239259r674706_rule | The ESXi host must verify the DCUI.Access list. |
☐ | SV-239260r674709_rule | The ESXi host must verify the exception users list for Lockdown Mode. |
☐ | SV-239261r674712_rule | Remote logging for ESXi hosts must be configured. |
☐ | SV-239262r674715_rule | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. |
☐ | SV-239263r674718_rule | The ESXi host must enforce the unlock timeout of 15 minutes after a user account is locked out. |
☐ | SV-239264r674721_rule | The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the DCUI. |
☐ | SV-239265r674724_rule | The ESXi host must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH. |
☐ | SV-239266r674727_rule | The ESXi host SSH daemon must be configured with the DoD logon banner. |
☐ | SV-239267r674730_rule | The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions. |
☐ | SV-239268r674733_rule | The ESXi host SSH daemon must ignore .rhosts files. |
☐ | SV-239269r674736_rule | The ESXi host SSH daemon must not allow host-based authentication. |
☐ | SV-239270r674739_rule | The ESXi host SSH daemon must not permit root logins. |
☐ | SV-239271r674742_rule | The ESXi host SSH daemon must not allow authentication using an empty password. |
☐ | SV-239272r674745_rule | The ESXi host SSH daemon must not permit user environment settings. |
☐ | SV-239273r674748_rule | The ESXi host SSH daemon must not permit GSSAPI authentication. |
☐ | SV-239274r674751_rule | The ESXi host SSH daemon must not permit Kerberos authentication. |
☐ | SV-239275r674754_rule | The ESXi host SSH daemon must perform strict mode checking of home directory configuration files. |
☐ | SV-239276r674757_rule | The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication. |
☐ | SV-239277r674760_rule | The ESXi host SSH daemon must be configured to not allow gateway ports. |
☐ | SV-239278r674763_rule | The ESXi host SSH daemon must be configured to not allow X11 forwarding. |
☐ | SV-239279r674766_rule | The ESXi host SSH daemon must not accept environment variables from the client. |
☐ | SV-239280r674769_rule | The ESXi host SSH daemon must not permit tunnels. |
☐ | SV-239281r674772_rule | The ESXi host SSH daemon must set a timeout count on idle sessions. |
☐ | SV-239282r674775_rule | The ESXi host SSH daemon must set a timeout interval on idle sessions. |
☐ | SV-239283r674778_rule | The ESXi host SSH daemon must limit connections to a single session. |
☐ | SV-239284r674781_rule | The ESXi host must remove keys from the SSH authorized_keys file. |
☐ | SV-239285r674784_rule | The ESXi host must produce audit records containing information to establish what type of events occurred. |
☐ | SV-239286r674787_rule | The ESXi host must enforce password complexity by requiring that at least one uppercase character be used. |
☐ | SV-239287r674790_rule | The ESXi host must prohibit the reuse of passwords within five iterations. |
☐ | SV-239288r674793_rule | The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. |
☐ | SV-239289r674796_rule | The ESXi host must disable the Managed Object Browser (MOB). |
☐ | SV-239290r674799_rule | The ESXi host must be configured to disable nonessential capabilities by disabling SSH. |
☐ | SV-239291r674802_rule | The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. |
☐ | SV-239292r674805_rule | The ESXi host must use Active Directory for local user authentication. |
☐ | SV-239293r674808_rule | ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. |
☐ | SV-239294r674811_rule | Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. |
☐ | SV-239295r674814_rule | The ESXi host must use multifactor authentication for local DCUI access to privileged accounts. |
☐ | SV-239296r674817_rule | The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes. |
☐ | SV-239297r674820_rule | The ESXi host must terminate shell services after 10 minutes. |
☐ | SV-239298r674823_rule | The ESXi host must log out of the console UI after two minutes. |
☐ | SV-239299r674826_rule | The ESXi host must enable kernel core dumps. |
☐ | SV-239300r674829_rule | The ESXi host must enable a persistent log location for all locally stored logs. |
☐ | SV-239301r674832_rule | The ESXi host must configure NTP time synchronization. |
☐ | SV-239302r674835_rule | The ESXi Image Profile and vSphere Installation Bundle (VIB) Acceptance Levels must be verified. |
☐ | SV-239303r674838_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. |
☐ | SV-239304r674841_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. |
☐ | SV-239305r674844_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. |
☐ | SV-239306r674847_rule | The ESXi host must protect the confidentiality and integrity of transmitted information by using different TCP/IP stacks where possible. |
☐ | SV-239307r674850_rule | SNMP must be configured properly on the ESXi host. |
☐ | SV-239308r674853_rule | The ESXi host must enable bidirectional CHAP authentication for iSCSI traffic. |
☐ | SV-239309r674856_rule | The ESXi host must disable Inter-VM transparent page sharing. |
☐ | SV-239310r674859_rule | The ESXi host must configure the firewall to restrict access to services running on the host. |
☐ | SV-239311r674862_rule | The ESXi host must configure the firewall to block network traffic by default. |
☐ | SV-239312r674865_rule | The ESXi host must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. |
☐ | SV-239313r674868_rule | The virtual switch Forged Transmits policy must be set to reject on the ESXi host. |
☐ | SV-239314r674871_rule | The virtual switch MAC Address Change policy must be set to reject on the ESXi host. |
☐ | SV-239315r674874_rule | The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. |
☐ | SV-239316r674877_rule | The ESXi host must prevent unintended use of the dvFilter network APIs. |
☐ | SV-239317r674880_rule | For the ESXi host, all port groups must be configured to a value other than that of the native VLAN. |
☐ | SV-239318r674883_rule | For the ESXi host, all port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. |
☐ | SV-239319r674886_rule | For the ESXi host, all port groups must not be configured to VLAN values reserved by upstream physical switches. |
☐ | SV-239320r674889_rule | For physical switch ports connected to the ESXi host, the non-negotiate option must be configured for trunk links between external physical switches and virtual switches in Virtual Switch Tagging (VST) mode. |
☐ | SV-239321r674892_rule | All ESXi host-connected physical switch ports must be configured with spanning tree disabled. |
☐ | SV-239322r674895_rule | All ESXi host-connected virtual switch VLANs must be fully documented and have only the required VLANs. |
☐ | SV-239323r674898_rule | The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications. |
☐ | SV-239324r674901_rule | The SA must verify the integrity of the installation media before installing ESXi. |
☐ | SV-239325r674904_rule | The ESXi host must have all security patches and updates installed. |
☐ | SV-239326r674907_rule | The ESXi host must exclusively enable TLS 1.2 for all endpoints. |
☐ | SV-239327r674910_rule | The ESXi host must enable Secure Boot. |
☐ | SV-239328r674913_rule | The ESXi host must use DoD-approved certificates. |
☐ | SV-239329r674916_rule | The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. |
☐ | SV-239330r674919_rule | The ESXi host must centrally review and analyze audit records from multiple components within the system by configuring remote logging. |
☐ | SV-239331r674922_rule | The ESXi host SSH daemon must be configured to only use FIPS 140-2 approved ciphers. |
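The SSH daemon rows above (SV-239266 through SV-239283 and SV-239331) all reduce to directives in the host's `/etc/ssh/sshd_config`, so they can be audited offline from a copy of that file. The script below is an added example, not DISA or VMware tooling: it parses `sshd_config` with sshd's own first-match semantics (a hardened line appended below a permissive one does nothing, and lines after a `Match` block are conditional) and reports pass/fail per rule ID. The checklist names the rules but not the settings, so every expected value in `SSH_RULES`, the 1..200 second idle interval, the count of 3, the FIPS cipher list and the `/etc/issue` banner path, is an assumption taken from common hardening practice; confirm each against the published STIG check text. The sample configuration is constructed and contains four deliberate findings.

```python
"""Added example: offline audit of an ESXi sshd_config against the SSH-daemon rows above.

Expected values are ASSUMED (common hardening practice); the checklist names the rules
but not the settings. Confirm each against the published STIG check text before use.
"""
import re

# rule id -> (sshd_config keyword, check kind, expected value)   [assumed values]
SSH_RULES = {
    "SV-239266r674727_rule": ("Banner", "equals", "/etc/issue"),
    "SV-239268r674733_rule": ("IgnoreRhosts", "equals", "yes"),
    "SV-239269r674736_rule": ("HostbasedAuthentication", "equals", "no"),
    "SV-239270r674739_rule": ("PermitRootLogin", "equals", "no"),
    "SV-239271r674742_rule": ("PermitEmptyPasswords", "equals", "no"),
    "SV-239272r674745_rule": ("PermitUserEnvironment", "equals", "no"),
    "SV-239273r674748_rule": ("GSSAPIAuthentication", "equals", "no"),
    "SV-239274r674751_rule": ("KerberosAuthentication", "equals", "no"),
    "SV-239275r674754_rule": ("StrictModes", "equals", "yes"),
    "SV-239276r674757_rule": ("Compression", "one_of", {"no", "delayed"}),
    "SV-239277r674760_rule": ("GatewayPorts", "equals", "no"),
    "SV-239278r674763_rule": ("X11Forwarding", "equals", "no"),
    "SV-239279r674766_rule": ("AcceptEnv", "absent", None),
    "SV-239280r674769_rule": ("PermitTunnel", "equals", "no"),
    "SV-239281r674772_rule": ("ClientAliveCountMax", "range", (1, 3)),
    "SV-239282r674775_rule": ("ClientAliveInterval", "range", (1, 200)),
    "SV-239283r674778_rule": ("MaxSessions", "equals", "1"),
    "SV-239331r674922_rule": ("Ciphers", "subset", {"aes256-ctr", "aes192-ctr", "aes128-ctr"}),
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} using sshd's first-match semantics.

    sshd applies the FIRST occurrence of a directive and ignores later duplicates.
    Directives after a 'Match' line are conditional, so parsing stops there and
    only the global section is used.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in values:
            values[key] = parts[1].strip() if len(parts) > 1 else ""
    return values


def check(kind, expected, observed):
    """Evaluate one directive; observed is None when the directive is absent."""
    if kind == "absent":
        return observed in (None, "")
    if observed is None:
        return False  # STIG-style checks want the value set explicitly; absence is a finding
    val = observed.lower()
    if kind == "equals":
        return val == expected
    if kind == "one_of":
        return val in expected
    if kind == "range":
        lo, hi = expected
        return val.isdigit() and lo <= int(val) <= hi  # "0" disables keepalive: fails
    if kind == "subset":
        if val[:1] in "+-^":
            return False  # '+', '-' or '^' edits the default list, which is not all approved
        ciphers = set(val.split(","))
        return bool(ciphers) and ciphers <= expected
    raise ValueError(kind)


def audit_sshd_config(text):
    """Return {rule id: (passed, keyword, observed)} for the SSH rows of the checklist."""
    values = parse_sshd_config(text)
    results = {}
    for rule_id, (keyword, kind, expected) in SSH_RULES.items():
        observed = values.get(keyword.lower())
        results[rule_id] = (check(kind, expected, observed), keyword, observed)
    return results


def failing_rules(text):
    """Rule ids with findings, in checklist order."""
    return [rid for rid, (ok, _, _) in audit_sshd_config(text).items() if not ok]


# Constructed sample (not a real host's config). Deliberate findings: PermitRootLogin
# (first value wins), AcceptEnv present, ClientAliveInterval 0, a CBC cipher.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Banner /etc/issue
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin yes
# the next line is ignored by sshd because the directive already appeared above
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
Compression delayed
GatewayPorts no
X11Forwarding no
AcceptEnv LANG LC_*
PermitTunnel no
ClientAliveCountMax 3
ClientAliveInterval 0
MaxSessions 1
Ciphers aes256-ctr,aes128-cbc
"""

if __name__ == "__main__":
    for rid, (ok, keyword, observed) in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rid}  {keyword} = {observed!r}")
```

Run it against a copy pulled from the host (for example via `scp` while SSH is temporarily enabled, or from a host profile export) and treat every FAIL as a finding to be confirmed against the STIG check text; the script deliberately does not cover SV-239267 (DoD-approved encryption), whose expected setting depends on the ESXi release and is not stated on this page.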