
Nutanix Acropolis STIG Compliance Checklist

Hard 19 items · 2 hours
testuser Published 1 month ago

This checklist helps system owners and administrators harden and assess Nutanix Acropolis (AOS/AHV/CVM/Prism) according to the DISA STIG. It’s aimed at DoD and federal teams, and any IT team responsible for secure Nutanix HCI deployments.

Source: https://ncp.nist.gov/checklist/1325

  1. Download the Nutanix Acropolis STIG from DISA — Obtain the latest STIG package (XCCDF) from the DoD Cyber Exchange or public site.
  2. Test STIG settings in a representative lab environment — Validate functionality before applying to production to avoid service disruption.
  3. Inventory Nutanix components and record installed versions — Create a baseline list of clusters, nodes, CVMs, AOS, AHV, Prism, and Files versions.
  4. List AOS versions for each cluster — Record AOS release/build per cluster for patch planning.
  5. List AHV versions on each host — Note AHV/hypervisor builds to identify required updates.
  6. List CVM and Prism versions and IPs — Capture CVM and Prism Element/Central versions and management endpoints.
  7. Patch AOS, AHV, CVM, and Prism to approved versions — Apply vendor-approved patches and security updates during maintenance windows.
  8. Review and implement DISA STIG configuration settings — Map STIG controls to platform settings and implement required controls.
  9. Change default accounts and enforce strong passwords — Disable or rename defaults; enforce password complexity and rotation.
  10. Enable role-based access control (RBAC) and least privilege — Create roles for admins, operators, and auditors with minimal privileges.
  11. Enforce TLS with valid certificates for Prism and CVM interfaces — Replace self-signed certs with CA-signed certs and disable weak ciphers.
  12. Restrict management access via IP allowlists and network segmentation — Limit Prism/CVM access to management network and trusted IP ranges.
  13. Disable or remove unused services and ports on AHV/CVM — Close unnecessary ports and stop unused services to reduce attack surface.
  14. Configure syslog and forward logs to a centralized SIEM — Send system, audit, and security logs to an approved central collector.
  15. Enable auditing and retain logs per DoD retention policy — Ensure audit trails are enabled and retention meets policy requirements.
  16. Ensure NTP is configured and synchronized across the cluster — Point to approved NTP servers to maintain time consistency for logs and auth.
  17. Back up configuration and create a cluster recovery plan — Export and store Prism and CVM configs; document restore procedures.
  18. Scan for known CVEs and apply remediation or mitigations — Use vendor advisories and vulnerability scanners; prioritize critical fixes.
  19. Document deviations, risks, and obtain AO-approved waivers — Record justification and approvals for any non-applicable or risky settings.