kriterion 0.0.1

data/standards/stig_vmware_vcenter_server.json

@@ -0,0 +1,179 @@
+{
+  "name": "stig_vmware_vcenter_server",
+  "date": "2013-01-15",
+  "description": "The VMware vCenter Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.  Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
+  "title": "VMware vCenter Server Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "VCENTER-000003",
+      "title": "The Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.",
+      "description": "The VMware Update Manager and vCenter Server are VM installable on an ESXi host. The Update Manager must not be configured to manage the updates on either of those VMs.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000004",
+      "title": "The system must block access to ports not being used by vCenter.",
+      "description": "Militate against general attacks on the Windows system by blocking unneeded ports. A local firewall on the Windows system of vCenter, or a network firewall, can be used to block access to ports not specifically being used by vCenter. \n",
+      "severity": "high"
+    },
+    {
+      "id": "VCENTER-000005",
+      "title": "Privilege re-assignment must be checked after the vCenter Server restarts.",
+      "description": "During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, resulting in a situation that should be rectified by re-establishing a legitimate administrator account.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000006",
+      "title": "The system must disable the datastore browser.",
+      "description": "The datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the site-specific, user permissions on vCenter Server.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000007",
+      "title": "The system must disable the managed object browser.",
+      "description": "The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000008",
+      "title": "The vCenter Server must be installed using a service account instead of a built-in Windows account.",
+      "description": "The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000009",
+      "title": "The connectivity between Update Manager and public patch repositories must be limited.",
+      "description": "In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000012",
+      "title": "The vCenter Server administrative users must have the correct roles assigned.",
+      "description": "Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000013",
+      "title": "Access to SSL certificates must be monitored.",
+      "description": "The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes.  The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000014",
+      "title": "The system's Update Manager must not use default self-signed certificates.",
+      "description": "Self-signed certificates are automatically generated by Update Manager during the installation process, are not signed by a commercial CA, and do not provide strong security. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000015",
+      "title": "Expired certificates must be removed from the vCenter Server.",
+      "description": "If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000016",
+      "title": "Log files must be cleaned up after failed installations of the vCenter Server.",
+      "description": "If the vCenter installation fails, a log file (with a name of the form \"hs_err_pidXXXX\") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000017",
+      "title": "Revoked certificates must be removed from the vCenter Server.",
+      "description": "If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000018",
+      "title": "The vSphere Administrator role must be secured and assigned to specific users.",
+      "description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000019",
+      "title": "Access to SSL certificates must be restricted.",
+      "description": "The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000020",
+      "title": "The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.",
+      "description": "By default, vCenter Server \"Administrator\" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000021",
+      "title": "The use of Linux-based clients must be restricted.",
+      "description": "Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000022",
+      "title": "Network access to the vCenter Server system must be restricted.",
+      "description": "Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.",
+      "severity": "low"
+    },
+    {
+      "id": "VCENTER-000023",
+      "title": "A least-privileges assignment must be used for the vCenter Server database user.",
+      "description": "Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000024",
+      "title": "A least-privileges assignment must be used for the Update Manager database user.",
+      "description": "Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000027",
+      "title": "The system must set a timeout for all thick-client logins without activity.",
+      "description": "An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000028",
+      "title": "The supported operating system, database, and hardware for the vCenter Server must all be maintained.",
+      "description": "The VMware vCenter Server is a Windows-based OS application and must reside on a supported version of Windows.",
+      "severity": "high"
+    },
+    {
+      "id": "VCENTER-000029",
+      "title": "vSphere Client plugins must be verified.",
+      "description": "The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000030",
+      "title": "The system must always verify SSL certificates.",
+      "description": "Without certificate verification, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system. When connecting to vCenter Server using vSphere Client, the client must check if the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further before proceeding.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000031",
+      "title": "The vSphere Administrator role must be secured by assignment to specific user(s).",
+      "description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts.",
+      "severity": "high"
+    },
+    {
+      "id": "VCENTER-000032",
+      "title": "Default self-signed certificates must not be used by the vCenter Server.",
+      "description": "Self-signed certificates, automatically generated by vCenter Server during the installation process, are not signed by a commercial CA, and might not provide strong security. Default self-signed certificates must be replaced with those from a trusted certification authority.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000033",
+      "title": "The connectivity between Update Manager and public patch repositories must be limited.",
+      "description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. This connection must be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
+      "severity": "medium"
+    },
+    {
+      "id": "VCENTER-000034",
+      "title": "The connectivity between Update Manager and public patch repositories must be limited.",
+      "description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. This connection must be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_vmware_vcenter_server_version_5.json

@@ -0,0 +1,149 @@
+{
+  "name": "stig_vmware_vcenter_server_version_5",
+  "date": "2016-02-10",
+  "description": "The VMware vCenter Server Version 5 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "VMware vCenter Server Version 5 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-39544",
+      "title": "The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.",
+      "description": "The VMware Update Manager (vUM) and vCenter Server (vCS) are VM installable on an ESXi hypervisor host. For all ESXi hypervisors and VMs, including those of the vCS and the vUM, software and system security patches must be installed and up-to-date. For the use case where the vUM hypervisor/VM or the vCS hypervisor/VM reboots while undergoing remediation, this will halt that process. Note that for the use case where the vCS hypervisor/VM reboots, the result is a worst case scenario of a temporary, unplanned vCS outage.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39545",
+      "title": "Privilege re-assignment must be checked after the vCenter Server restarts.",
+      "description": "During a restart of vCenter Server, if the user or user group that is assigned Administrator role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server defaults the Administrator role to the local Windows administrators group, to act as a new vCenter Server Administrator. This default administrative assignment must be rectified by re-establishing a legitimate vCenter Server account with an Administrator role.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39546",
+      "title": "The Web datastore browser must be disabled, unless required for normal day-to-day operations.",
+      "description": "The Web datastore browser enables viewing of all the datastores associated with the vSphere deployment, including all folders and files, such as VM files. This functionality is controlled by the organization-specific, user permissions on vCenter Server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-39547",
+      "title": "The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.",
+      "description": "The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and might potentially be used to perform malicious configuration changes or actions.",
+      "severity": "low"
+    },
+    {
+      "id": "V-39548",
+      "title": "The vCenter Server must be installed using a service account instead of a built-in Windows account.",
+      "description": "The Microsoft Windows built-in system account or a user account can be used to run vCenter Server. With a user account, the Windows authentication for SQL Server can be enabled; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\\Username. If using SQL Server for the vCenter database, the SQL Server database must be configured to allow the domain account access to SQL Server. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. A local user, administrative level account with limited permissions and rights must be set up for the vCenter Server system. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-39549",
+      "title": "The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.",
+      "description": "The Update Manager Download Service (UMDS) is an optional module of the Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet. The Update Manager requires access to patch information to function properly. UMDS must be installed on a separate system that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-39550",
+      "title": "The vCenter Server administrative users must have the correct roles assigned.",
+      "description": "Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39551",
+      "title": "Access to SSL certificates must be monitored.",
+      "description": "The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes.  The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39553",
+      "title": "Expired certificates must be removed from the vCenter Server.",
+      "description": "If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39554",
+      "title": "Log files must be cleaned up after failed installations of the vCenter Server.",
+      "description": "If the vCenter installation fails, a log file (with a name of the form \"hs_err_pidXXXX\") is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39555",
+      "title": "Revoked certificates must be removed from the vCenter Server.",
+      "description": "If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39556",
+      "title": "The vCenter Administrator role must be secured and assigned to specific users other than a Windows Administrator.",
+      "description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39557",
+      "title": "Access to SSL certificates must be restricted.",
+      "description": "The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39558",
+      "title": "The system must restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.",
+      "description": "By default, vCenter Server \"Administrator\" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability, or integrity loss. To prevent such loss, a non-guest access role must be created without these privileges. This role is for users who need administrator privileges excluding those allowing file and program interaction within the guests.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39559",
+      "title": "The use of Linux-based clients must be restricted.",
+      "description": "Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if the self-signed certificates are replaced on vCenter and ESXi with legitimate certificates signed by the local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks. ",
+      "severity": "low"
+    },
+    {
+      "id": "V-39560",
+      "title": "Network access to the vCenter Server system must be restricted.",
+      "description": "Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system and minimizes risk.",
+      "severity": "low"
+    },
+    {
+      "id": "V-39561",
+      "title": "A least-privileges assignment must be used for the vCenter Server database user.",
+      "description": "Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39562",
+      "title": "A least-privileges assignment must be used for the Update Manager database user.",
+      "description": "Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39563",
+      "title": "The system must set a timeout for all thick-client logins without activity.",
+      "description": "An inactivity timeout must be set for the vSphere Client (Thick Client). This client-side setting can be changed by users, so this must be set by default and re-audited. Automatic session termination minimizes risk and reduces the potential for unauthorized access to vCenter.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39564",
+      "title": "vSphere Client plugins must be verified.",
+      "description": "The vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user. Malicious extensions might masquerade as useful add-ons while compromising the system by stealing credentials or incorrectly configuring the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39566",
+      "title": "The vCenter Administrator role must be secured by assignment to specific users authorized as vCenter Administrators.",
+      "description": "By default, vCenter Server grants full administrative rights to the local administrator's account, which can be accessed by domain administrators. Separation of duties dictates that full vCenter Administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Administrative rights should be removed from the local Windows administrator account and be assigned to a special-purpose local vCenter Administrator account. This account should be used to create individual user accounts.",
+      "severity": "high"
+    },
+    {
+      "id": "V-39568",
+      "title": "The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.",
+      "description": "In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to prevent access from the outside to the Update Manager Download Server. Any direct channel to the Internet represents a threat.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-39569",
+      "title": "The Update Manager must not directly connect to public patch repositories on the Internet.",
+      "description": "In a typical deployment, the Update Manager connects to public patch repositories on the Internet to download patches. Any channel to the Internet represents a threat. For security reasons and deployment restrictions, the Update Manager must be installed in a secured network that is disconnected from the Internet.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_vmware_vsphere_esxi_6.0.json

@@ -0,0 +1,659 @@
+{
+  "name": "stig_vmware_vsphere_esxi_6.0",
+  "date": "2017-07-11",
+  "description": "The VMware vSphere ESXi Version 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "VMware vSphere ESXi 6.0 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-63147",
+      "title": "The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.",
+      "description": "Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63173",
+      "title": "The system must verify the DCUI.Access list.",
+      "description": "Lockdown mode disables direct host access requiring that admins manage hosts from vCenter Server.  However, if a host becomes isolated from vCenter Server, the admin is locked out and can no longer manage the host. If you are using normal lockdown mode, you can avoid becoming locked out of an ESXi host that is running in lockdown mode, by setting DCUI.Access to a list of highly trusted users who can override lockdown mode and access the DCUI. The DCUI is not running in strict lockdown mode.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63175",
+      "title": "The system must verify the exception users list for lockdown mode.",
+      "description": "In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Usually you may want to add service accounts such as a backup agent to the Exception Users list. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63177",
+      "title": "Remote logging for ESXi hosts must be configured.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63179",
+      "title": "The system must enforce the limit of three consecutive invalid logon attempts by a user.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63181",
+      "title": "The system must enforce the unlock timeout of 15 minutes after a user account is locked out.",
+      "description": "By limiting the number of failed login attempts, the risk of unauthorized access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63183",
+      "title": "The system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.",
+      "description": "Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63185",
+      "title": "The SSH daemon must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.",
+      "description": "Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63187",
+      "title": "The SSH daemon must be configured with the Department of Defense (DoD) login banner.",
+      "description": "The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63189",
+      "title": "The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.",
+      "description": "Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.\n\nNote: This does not imply FIPS 140-2 certification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63191",
+      "title": "The SSH daemon must be configured to use only the SSHv2 protocol.",
+      "description": "SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63193",
+      "title": "The SSH daemon must ignore .rhosts files.",
+      "description": "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63195",
+      "title": "The SSH daemon must not allow host-based authentication.",
+      "description": "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63197",
+      "title": "The SSH daemon must not permit root logins.",
+      "description": "Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63199",
+      "title": "The SSH daemon must not allow authentication using an empty password.",
+      "description": "Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63201",
+      "title": "The SSH daemon must not permit user environment settings.",
+      "description": "SSH environment options potentially allow users to bypass access restriction in some configurations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63203",
+      "title": "The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.",
+      "description": "DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.\n\nNote: This does not imply FIPS 140-2 certification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63205",
+      "title": "The SSH daemon must not permit GSSAPI authentication.",
+      "description": "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63207",
+      "title": "The SSH daemon must not permit Kerberos authentication.",
+      "description": "Kerberos authentication for SSH is often implemented using GSSAPI.  If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation.  Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation.  To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63209",
+      "title": "The SSH daemon must perform strict mode checking of home directory configuration files.",
+      "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63211",
+      "title": "The SSH daemon must not allow compression or must only allow compression after successful authentication.",
+      "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63213",
+      "title": "The SSH daemon must be configured to not allow gateway ports.",
+      "description": "SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63215",
+      "title": "The SSH daemon must be configured to not allow X11 forwarding.",
+      "description": "X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack surface of an SSH connection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63217",
+      "title": "The SSH daemon must not accept environment variables from the client.",
+      "description": "Environment variables can be used to change the behavior of remote sessions and should be limited. Locate environment variables that specify the language, character set, and other features modifying the operation of software to match the user's preferences.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63219",
+      "title": "The SSH daemon must not permit tunnels.",
+      "description": "OpenSSH has the ability to create network tunnels (layer-2 and layer-3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63221",
+      "title": "The SSH daemon must set a timeout count on idle sessions.",
+      "description": "This ensures a user login will be terminated as soon as the \"ClientAliveCountMax\" is reached.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63223",
+      "title": "The SSH daemon must set a timeout interval on idle sessions.",
+      "description": "Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63225",
+      "title": "The SSH daemon must limit connections to a single session.",
+      "description": "The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client could use this feature to establish additional sessions to a system without consent or knowledge of the user.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63227",
+      "title": "The system must remove keys from the SSH authorized_keys file.",
+      "description": "ESXi hosts come with SSH which can be enabled to allow remote access without requiring user authentication.  To enable password free access copy the remote users public key into the \"/etc/ssh/keys-root/authorized_keys\" file on the ESXi host.  The presence of the remote user's public key in the \"authorized_keys\" file identifies the user as trusted, meaning the user is granted access to the host without providing a password.  If using Lockdown Mode and SSH is disabled then login with authorized keys will have the same restrictions as username/password.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63229",
+      "title": "The system must produce audit records containing information to establish what type of events occurred.",
+      "description": "Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63231",
+      "title": "The VMM must enforce password complexity by requiring that at least one upper-case character be used.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63233",
+      "title": "The system must prohibit the reuse of passwords within five iterations.",
+      "description": "If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63235",
+      "title": "The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.",
+      "description": "Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63237",
+      "title": "The system must disable the Managed Object Browser (MOB).",
+      "description": "The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method obtain information about a host being targeted for unauthorized access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63239",
+      "title": "The VMM must be configured to disable non-essential capabilities by disabling SSH.",
+      "description": "The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details, not always generally accessible, using the vSphere Client. The ESXi shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled as is the default.  As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63241",
+      "title": "The system must disable ESXi Shell unless needed for diagnostics or troubleshooting.",
+      "description": "The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63243",
+      "title": "The system must use Active Directory for local user authentication.",
+      "description": "Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access.  Note: If the AD group \"ESX Admins\" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63245",
+      "title": "The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory.",
+      "description": "If you configure your host to join an Active Directory domain using Host Profiles the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network use the vSphere Authentication Proxy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63247",
+      "title": "Active Directory ESX Admin group membership must not be used.",
+      "description": "When adding ESXi hosts to Active Directory, if the group \"ESX Admins\" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the \"ESX Admins\" group.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63249",
+      "title": "The system must use multifactor authentication for local access to privileged accounts.",
+      "description": "To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63251",
+      "title": "The system must set a timeout to automatically disable idle sessions after a predetermined period.",
+      "description": "If a user forgets to log out of their SSH session, the idle connection will remains open indefinitely, increasing the potential for someone to gain privileged access to the host.  The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63253",
+      "title": "The system must terminate shell services after a predetermined period.",
+      "description": "When the ESXi Shell or SSH services are enabled on a host they will run indefinitely.  To avoid having these services left running set the ESXiShellTimeOut.  The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63255",
+      "title": "The system must logout of the console UI after a predetermined period.",
+      "description": "When the Direct console user interface (DCUI) is enabled and logged in it should be automatically logged out if left logged in to avoid unauthorized privilege gains.  The DcuiTimeOut defines a window of time after which the DCUI will be logged out.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63257",
+      "title": "The system must enable kernel core dumps.",
+      "description": "In the event of a system failure, the system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63259",
+      "title": "The system must enable a persistent log location for all locally stored logs.",
+      "description": "ESXi can be configured to store log files on an in-memory file system.  This occurs when the host's \"/scratch\" directory is linked to \"/tmp/scratch\". When this is done only a single day's worth of logs are stored at any time. In addition log files will be reinitialized upon each reboot.  This presents a security risk as user activity logged on the host is only stored temporarily and will not persistent across reboots.  This can also complicate auditing and make it harder to monitor events and diagnose issues.  ESXi host logging should always be configured to a persistent datastore.\n\nNote: Scratch space is configured automatically during installation or first boot of an ESXi host, and does not usually need to be manually configured. ESXi Installable creates a 4 GB Fat16 partition on the target device during installation if there is sufficient space, and if the device is considered Local.  If ESXi is installed on an SD card or USB device a persistent log location may not be configured upon install as normal.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63261",
+      "title": "The system must configure NTP time synchronization.",
+      "description": "To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63263",
+      "title": "The Image Profile and VIB Acceptance Levels must be verified.",
+      "description": "Verify the ESXi Image Profile to only allow signed VIBs.  An unsigned VIB represents untested code installed on an ESXi host.  The ESXi Image profile supports four acceptance levels: \n\n(1) VMwareCertified - VIBs created, tested and signed by VMware\n(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware, \n(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner \n(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner.  \n\nCommunity Supported VIBs are not supported and do not have a digital signature.  To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63265",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic.",
+      "description": "The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a MiTM attack in which the contents are modified during migration. \nvMotion traffic must be sequestered from production traffic on an isolated network. This network must be non-routable to other systems preventing outside access to the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63267",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic.",
+      "description": "The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63269",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by protecting IP based management traffic.",
+      "description": "Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63271",
+      "title": "The system must protect the confidentiality and integrity of transmitted information.",
+      "description": "There are now six types of management VMkernels that can be created for different types of traffic.  In order to protect these types of management traffic admins must logically separate these onto different networks and dedicate VMkernel ports to each.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63273",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by utilizing different TCP/IP stacks where possible.",
+      "description": "There are three different TCP/IP stacks by default available on ESXi now which are Default, Provisioning, and vMotion.  To better protect and isolate sensitive network traffic within ESXi admins must configure each of these stacks.  Additional custom TCP/IP stacks can be created if desired.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63275",
+      "title": "SNMP must be configured properly.",
+      "description": "If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63277",
+      "title": "The system must enable bidirectional CHAP authentication for iSCSI traffic.",
+      "description": "When enabled, vSphere performs bidirectional authentication of both the iSCSI target and host. There is a potential for a MiTM attack, when not authenticating both the iSCSI target and host, in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication mitigates this risk.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63279",
+      "title": "The system must disable Inter-VM transparent page sharing.",
+      "description": "Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment.\n\nEven though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default (TPS will still be utilized within individual VMs).",
+      "severity": "low"
+    },
+    {
+      "id": "V-63281",
+      "title": "The system must configure the firewall to restrict access to services running on the host.",
+      "description": "Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63283",
+      "title": "The system must configure the firewall to block network traffic by default.",
+      "description": "In addition to service specific firewall rules ESXi has a default firewall rule policy to allow or deny incoming and outgoing traffic.  Reduce the risk of attack by making sure this is set to deny incoming and outgoing traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63285",
+      "title": "The system must enable BPDU filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled.",
+      "description": "BPDU Guard and Portfast are commonly enabled on the physical switch to which the ESXi host is directly connected to reduce the STP convergence delay. If a BPDU packet is sent from a virtual machine on the ESXi host to the physical switch so configured, a cascading lockout of all the uplink interfaces from the ESXi host can occur. To prevent this type of lockout, BPDU Filter can be enabled on the ESXi host to drop any BPDU packets being sent to the physical switch. The caveat is that certain SSL VPN which uses Windows bridging capability can legitimately generate BPDU packets. The administrator should verify that there are no legitimate BPDU packets generated by virtual machines on the ESXi host prior to enabling BPDU Filter.  If BPDU Filter is enabled in this situation, enabling Reject Forged Transmits on the virtual switch port group adds protection against Spanning Tree loops.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63287",
+      "title": "The virtual switch Forged Transmits policy must be set to reject.",
+      "description": "If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. \n\nThis means the virtual switch does not compare the source and effective MAC addresses. \n \nTo protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63289",
+      "title": "The virtual switch MAC Address Change policy must be set to reject.",
+      "description": "If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63291",
+      "title": "The virtual switch Promiscuous Mode policy must be set to reject.",
+      "description": "When promiscuous mode is enabled for a virtual switch all virtual machines connected to the Portgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that Portgroup. Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63293",
+      "title": "The system must prevent unintended use of the dvFilter network APIs.",
+      "description": "If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled an attacker might attempt to connect a VM to it thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly. If you are not using such a product make sure the setting is blank.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63295",
+      "title": "All port groups must be configured to a value other than that of the native VLAN.",
+      "description": "ESXi does not use the concept of native VLAN. Frames with VLAN specified in the port group will have a tag, but frames with VLAN not specified in the port group are not tagged and therefore will end up as belonging to native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered as the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a \"1\"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a \"1\" instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63297",
+      "title": "All port groups must not be configured to VLAN 4095 unless Virtual Guest Tagging (VGT) is required.",
+      "description": "When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial-of-service or allow a guest VM to interact with traffic on an unauthorized VLAN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63299",
+      "title": "All port groups must not be configured to VLAN values reserved by upstream physical switches.",
+      "description": "Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001–1024 and 4094, while Nexus switches typically reserve 3968–4047 and 4094. Check with the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on the network.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63301",
+      "title": "The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode.",
+      "description": "In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi Server because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between non-negotiate and on options is that on mode still sends out DTP frames, whereas the non-negotiate option does not.  The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63303",
+      "title": "All physical switch ports must be configured with spanning tree disabled.",
+      "description": "Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports must have portfast configured if spanning tree is enabled to avoid loops within the physical switch network. If these are not set, potential performance and connectivity issues might arise.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63305",
+      "title": "Virtual switch VLANs must be fully documented and have only the required VLANs.",
+      "description": "When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63309",
+      "title": "The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.",
+      "description": "The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server.  Place this user in the Exception Users list.  When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63311",
+      "title": "The system must verify the integrity of the installation media before installing ESXi.",
+      "description": "Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63313",
+      "title": "The system must have all security patches and updates installed.",
+      "description": "Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63465",
+      "title": "The system must enable lockdown mode to restrict remote access.",
+      "description": "Enabling lockdown mode disables direct access to an ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63477",
+      "title": "The VMM must support the capability to centrally review and analyze audit records from multiple components within the system by configuring remote logging.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63485",
+      "title": "The VMM must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.",
+      "description": "Failure to display the DoD logon banner prior to a log in attempt will negate legal proceedings resulting from unauthorized access to system resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63501",
+      "title": "The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.",
+      "description": "Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.\n\nNote: That this does not imply FIPS 140-2 certification.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63509",
+      "title": "The VMM must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.",
+      "description": "Without establishing what types of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63531",
+      "title": "The VMM must enforce password complexity by requiring that at least one lower-case character be used.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63605",
+      "title": "The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using Active Directory for local user authentication.",
+      "description": "Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access.  Note: If the AD group \"ESX Admins\" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63757",
+      "title": "The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by using the vSphere Authentication Proxy.",
+      "description": "If you configure your host to join an Active Directory domain using Host Profiles the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network use the vSphere Authentication Proxy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63769",
+      "title": "The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator by restricting use of Active Directory ESX Admin group membership.",
+      "description": "When adding ESXi hosts to Active Directory, if the group \"ESX Admins\" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the \"ESX Admins\" group.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63771",
+      "title": "The VMM must accept Personal Identity Verification (PIV) credentials.",
+      "description": "To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63773",
+      "title": "The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout.",
+      "description": "If a user forgets to log out of their SSH session, the idle connection will remains open indefinitely, increasing the potential for someone to gain privileged access to the host.  The ESXiShellInteractiveTimeOut allows you to automatically terminate idle shell sessions.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63775",
+      "title": "The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown by setting an idle timeout on shell services.",
+      "description": "When the ESXi Shell or SSH services are enabled on a host they will run indefinitely.  To avoid having these services left running set the ESXiShellTimeOut.  The ESXiShellTimeOut defines a window of time after which the ESXi Shell and SSH services will automatically be terminated.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63777",
+      "title": "The VMM must automatically terminate a user session after inactivity timeouts have expired or at shutdown.",
+      "description": "When the Direct console user interface (DCUI) is enabled and logged in it should be automatically logged out if left logged in to avoid unauthorized privilege gains.  The DcuiTimeOut defines a window of time after which the DCUI will be logged out.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63779",
+      "title": "The VMM must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.",
+      "description": "To assure the accuracy of the system clock, it must be synchronized with an authoritative time source within DoD. Many system functions, including time-based login and activity restrictions, automated reports, system logs, and audit records depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63823",
+      "title": "The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs by verifying Image Profile and VIP Acceptance Levels.",
+      "description": "Verify the ESXi Image Profile to only allow signed VIBs.  An unsigned VIB represents untested code installed on an ESXi host.  The ESXi Image profile supports four acceptance levels: \n\n(1) VMwareCertified - VIBs created, tested and signed by VMware\n(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware, \n(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner \n(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner.  \n\nCommunity Supported VIBs are not supported and do not have a digital signature.  To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63833",
+      "title": "The VMM must protect audit information from unauthorized modification by configuring remote logging.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63867",
+      "title": "The VMM must enforce password complexity by requiring that at least one numeric character be used.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63885",
+      "title": "The VMM must provide the capability to immediately disconnect or disable remote access to the information system by disabling SSH.",
+      "description": "The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details, not always generally accessible, using the vSphere Client. The ESXi shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled as is the default.  As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client at all other times.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63893",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication.",
+      "description": "Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access.  Note: If the AD group \"ESX Admins\" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63895",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy.",
+      "description": "If you configure your host to join an Active Directory domain using Host Profiles the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network use the vSphere Authentication Proxy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63897",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.",
+      "description": "When adding ESXi hosts to Active Directory, if the group \"ESX Admins\" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the \"ESX Admins\" group.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63899",
+      "title": "The VMM must electronically verify Personal Identity Verification (PIV) credentials.",
+      "description": "To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63901",
+      "title": "The VMM must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all VMM components by verifying Image Profile and VIP Acceptance Levels.",
+      "description": "Verify the ESXi Image Profile to only allow signed VIBs.  An unsigned VIB represents untested code installed on an ESXi host.  The ESXi Image profile supports four acceptance levels: \n\n(1) VMwareCertified - VIBs created, tested and signed by VMware\n(2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware, \n(3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner \n(4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner.  \n\nCommunity Supported VIBs are not supported and do not have a digital signature.  To protect the security and integrity of your ESXi hosts do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.",
+      "severity": "high"
+    },
+    {
+      "id": "V-63903",
+      "title": "The VMM must protect audit information from unauthorized deletion by configuring remote logging.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63905",
+      "title": "The VMM must require the change of at least 8 of the total number of characters when passwords are changed.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63907",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication.",
+      "description": "Join ESXi hosts to an Active Directory (AD) domain to eliminate the need to create and maintain multiple local user accounts. Using AD for user authentication simplifies the ESXi host configuration, ensures password complexity and reuse policies are enforced and reduces the risk of security breaches and unauthorized access.  Note: If the AD group \"ESX Admins\" (default) exists then all users and groups that are assigned as members to this group will have full administrative access to all ESXi hosts the domain.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63909",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy.",
+      "description": "If you configure your host to join an Active Directory domain using Host Profiles the Active Directory credentials are saved in the host profile and are transmitted over the network. To avoid having to save Active Directory credentials in the Host Profile and to avoid transmitting Active Directory credentials over the network use the vSphere Authentication Proxy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63911",
+      "title": "The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership.",
+      "description": "When adding ESXi hosts to Active Directory, if the group \"ESX Admins\" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership to the \"ESX Admins\" group.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63913",
+      "title": "The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.",
+      "description": "To assure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.",
+      "severity": "low"
+    },
+    {
+      "id": "V-63915",
+      "title": "The VMM must off-load audit records onto a different system or media than the system being audited by configuring remote logging.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63919",
+      "title": "The VMM must enforce a minimum 15-character password length.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63921",
+      "title": "The VMM must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly by configuring remote logging.",
+      "description": "Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-63923",
+      "title": "The VMM must enforce password complexity by requiring that at least one special character be used.",
+      "description": "To enforce the use of complex passwords, minimum numbers of characters of different classes are mandated. The use of complex passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques. Complexity requirements increase the password search space by requiring users to construct passwords from a larger character set than they may otherwise use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-73129",
+      "title": "The system must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic.",
+      "description": "Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes VSAN, iSCSI, and NFS. This configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted. It can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network must be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from other VMkernels and Virtual Machines will limit unauthorized users from viewing the traffic.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-73131",
+      "title": "The system must enable the VSAN Health Check.",
+      "description": "VSAN Health Check is enabled by default in vSphere 6.0 update 1 and later, it has to be manually installed and enabled on vSphere 6.0.0 prior to usage. The VSAN Health check is used for additional alerting capabilities, performance stress testing prior to production usage, and verifying that the underlying hardware officially is supported by being in compliance with the VSAN Hardware Compatibility Guide",
+      "severity": "low"
+    },
+    {
+      "id": "V-73133",
+      "title": "The connectivity between VSAN Health Check and public Hardware Compatibility List must be disabled or restricted by use of an external proxy server.",
+      "description": "The VSAN Health Check is able to download the hardware compatibility list from VMware in order to check compliance against the underlying VSAN Cluster hosts. To ensure the vCenter server is not directly downloading content from the internet this functionality must be disabled or if this feature is necessary an external proxy server must be configured.",
+      "severity": "low"
+    },
+    {
+      "id": "V-73135",
+      "title": "The system must configure the VSAN Datastore name to a unique name.",
+      "description": "VSAN Datastore name by default is \"vsanDatastore\". If more than one VSAN cluster is present in vCenter both datastores will have the same name by default potentially leading to confusion and manually misplaced workloads.",
+      "severity": "low"
+    }
+  ]
+}