ESXI-67-000025 – The ESXi host SSH daemon must not permit tunnels. Details: OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function...
ESXI-67-000026 – The ESXi host SSH daemon must set a timeout count on idle sessions. Details: Setting a timeout ensures that a user login will be terminated as soon as the ‘ClientAliveCountMax’ is reached. Solution: ...
ESXI-67-000027 – The ESXi host SSH daemon must set a timeout interval on idle sessions. Details: Automatically logging out idle users guards against compromises via hijacked administrative sessions. Solution: From an SSH session connected to...
ESXI-67-000028 – The ESXi host SSH daemon must limit connections to a single session. Details: The SSH protocol has the ability to provide multiple sessions over a single connection without reauthentication. A compromised client...
ESXI-67-000029 – The ESXi host must remove keys from the SSH authorized_keys file. Details: ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable...
ESXI-67-000033 – The password hashes stored on the ESXi host must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. Details: Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The...
ESXI-67-000020 – The ESXi host SSH daemon must perform strict mode checking of home directory configuration files. Details: If other users have access to modify user-specific SSH configuration files, they may be able to log on to...
ESXI-67-000021 – The ESXi host SSH daemon must not allow compression or must only allow compression after successful authentication. Details: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in...
ESXI-67-000022 – The ESXi host SSH daemon must be configured to not allow gateway ports. Details: SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can...
ESXI-67-000023 – The ESXi host SSH daemon must be configured to not allow X11 forwarding. Details: X11 forwarding over SSH allows for the secure remote execution of X11-based applications. This feature can increase the attack...