TickYouOff

VMware vSphere 8.0 STIG Implementation

Hard · 18 items · 1 day
testuser Published 1 month ago

This checklist guides IT and security teams through obtaining, applying, and validating the DISA VMware vSphere 8.0 STIG across vCenter, ESXi hosts, virtual machines and appliance services. It’s intended for system administrators and compliance engineers managing vSphere 8.0 environments aiming for DoD-aligned hardening.

Source: https://ncp.nist.gov/checklist/1075

  1. Download the VMware vSphere 8.0 STIG from Cyber.mil — Get the latest XCCDF/STIG bundle from https://cyber.mil/ (or https://public.cyber.mil/ if no CAC).
  2. Review STIG scope and component list — Identify which STIGs apply: vCenter, ESXi, Virtual Machine, and appliance services.
  3. Inventory all vSphere assets and versions — List vCenter instances, ESXi hosts, appliances, and critical VMs with software versions.
  4. Verify vSphere Update level or plan upgrade to Update 2 — Ensure systems run vSphere 8.0 Update 2 or schedule an upgrade before applying STIGs.
  5. Backup vCenter, ESXi configurations, and critical VMs — Take full backups and export configs before making STIG changes.
  6. Apply vCenter STIG configuration settings — Implement recommended hardening, authentication, and logging per vCenter STIG.
  7. Harden ESXi hosts according to ESXi STIG — Enable lockdown mode, stop and disable the ESXi Shell and SSH services (enable them only for a bounded maintenance window), and set the shell timeout, account-lockout, and audit-record settings the STIG lists.
  8. Harden virtual machines per the VM STIG — Remove unneeded virtual devices (floppy, serial, parallel, unused CD/DVD and USB), set the VM advanced (VMX) isolation settings the STIG lists, and apply the separate STIG for the guest operating system inside the VM.
  9. Secure vCenter Appliance services — Apply STIG controls to vCenter appliance components and services.
  10. Harden Photon OS on the vCenter Appliance — Apply OS-level hardening, patching, and secure defaults for Photon OS 4.0.
  11. Secure PostgreSQL on the vCenter Appliance — Enforce DB authentication, remove default accounts, and enable encryption where required.
  12. Verify and restrict appliance service accounts and permissions — Ensure least privilege for EAM, Envoy, Lookup, Perfcharts, UI, STS, and VAMI services.
  13. Enable centralized logging and auditing for vCenter and ESXi — Forward logs to SIEM, enable audit trails, and configure retention per policy.
  14. Run an automated STIG compliance scan (SCAP/XCCDF) — Where DISA publishes a SCAP benchmark for a component, run it with a SCAP-validated scanner to produce XCCDF results; for components without a benchmark, check each rule manually or with scripted checks and record the result for every rule in a STIG Viewer checklist.
  15. Review scan results and remediate findings — Triage open findings by severity (CAT I first), apply fixes, and rerun the scan until no open findings remain; a finding that cannot be closed needs a documented, approved risk acceptance rather than being left open silently.
  16. Document all configuration changes and maintain a change log — Record who made changes, approvals, and rollback steps for audits.
  17. Subscribe for STIG updates and schedule periodic audits — Monitor Cyber.mil for updates and plan regular compliance reviews.
  18. Submit comments or change requests to DISA if needed — Send proposed revisions to [email protected] per the STIG change process.
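Steps 7 and 13 come down to a set of ESXi advanced settings that must hold a specific value on every host. The following is an added example, not part of this checklist and not DISA or VMware tooling: a drift audit that compares a host's current advanced settings against an expected-value table and reports pass, fail, or missing per setting. The setting names are real ESXi advanced settings; the expected values are assumed from the ESXi STIG content and must be verified against the rule text in the bundle you downloaded before this is used as a gate. The `fetch_settings_pyvmomi` helper shows how the same dict would be collected from a live host with pyVmomi and is not exercised offline; the sample host state below is constructed.

```python
"""Drift audit of ESXi advanced settings against STIG-style expected values.

Added example (not DISA/VMware tooling). EXPECTED values are assumed from the
ESXi STIG; verify each one against the downloaded STIG rule text.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Union

Expected = Union[bool, int, str, Callable[[Any], bool]]


def _remote_syslog_set(value: Any) -> bool:
    # The STIG requires a remote log host; transport (tcp/ssl/udp) is a site decision.
    return isinstance(value, str) and value.strip() != ""


# Assumed expected-value table (illustrative; confirm each value in the STIG bundle).
EXPECTED: Dict[str, Expected] = {
    "Syslog.global.logHost": _remote_syslog_set,               # forward logs off-box
    "Config.HostAgent.plugins.solo.enableMob": False,          # Managed Object Browser off
    "UserVars.SuppressShellWarning": 0,                        # keep the shell-enabled warning
    "UserVars.ESXiShellTimeOut": lambda v: 0 < int(v) <= 600,  # 0 disables the idle timeout
    "Security.AccountLockFailures": 3,
    "Security.AccountUnlockTime": 900,
    "Mem.ShareForceSalting": 2,                                # no inter-VM page sharing
    "Net.BlockGuestBPDU": 1,                                   # drop guest BPDU frames
    "DCUI.Access": "root",
    "Net.DVFilterBindIpAddress": "",                           # no dvfilter API listener
}


@dataclass
class Finding:
    setting: str
    status: str        # "pass", "fail" or "missing"
    expected: str
    actual: Any


def _matches(expected: Expected, actual: Any) -> bool:
    """Compare loosely: hosts return ints, bools or strings depending on the client."""
    if callable(expected):
        try:
            return bool(expected(actual))
        except (TypeError, ValueError):
            return False
    if isinstance(expected, bool):   # check before int: bool is a subclass of int
        accepted = {"true", "1"} if expected else {"false", "0"}
        return str(actual).strip().lower() in accepted
    if isinstance(expected, int):
        try:
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return str(actual).strip() == expected


def _describe(expected: Expected) -> str:
    return "predicate " + getattr(expected, "__name__", "?") if callable(expected) else repr(expected)


def audit(current: Dict[str, Any]) -> List[Finding]:
    """One Finding per EXPECTED entry; a setting absent from `current` is 'missing'."""
    findings: List[Finding] = []
    for name, expected in EXPECTED.items():
        if name not in current:
            findings.append(Finding(name, "missing", _describe(expected), None))
        elif _matches(expected, current[name]):
            findings.append(Finding(name, "pass", _describe(expected), current[name]))
        else:
            findings.append(Finding(name, "fail", _describe(expected), current[name]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.status for f in findings))


def fetch_settings_pyvmomi(host) -> Dict[str, Any]:
    """Collect the same dict from a live vim.HostSystem (assumed pyVmomi usage; not run offline).

    OptionManager.QueryOptions() with no name returns every advanced option.
    """
    return {opt.key: opt.value for opt in host.configManager.advancedOption.QueryOptions()}


# Constructed sample of a partially hardened host (not captured from a real system).
SAMPLE_HOST_SETTINGS: Dict[str, Any] = {
    "Syslog.global.logHost": "",                       # no remote syslog -> fail
    "Config.HostAgent.plugins.solo.enableMob": True,   # MOB still enabled -> fail
    "UserVars.SuppressShellWarning": 0,
    "UserVars.ESXiShellTimeOut": 0,                    # never times out -> fail
    "Security.AccountLockFailures": 3,
    "Security.AccountUnlockTime": 900,
    "Mem.ShareForceSalting": 2,
    "Net.BlockGuestBPDU": 1,
    "DCUI.Access": "root",
    # Net.DVFilterBindIpAddress deliberately absent -> reported as "missing"
}

if __name__ == "__main__":
    results = audit(SAMPLE_HOST_SETTINGS)
    for f in results:
        print(f"{f.status:8} {f.setting:45} expected={f.expected} actual={f.actual!r}")
    print(summarize(results))
```

A "missing" result is worth keeping distinct from "fail": on a real host it usually means the setting name is wrong for that ESXi build, not that the host is misconfigured, and silently treating it as a pass would hide a gap in the audit itself.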
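Steps 14 and 15 produce XCCDF results that have to be triaged by severity before remediation. The following is an added example, not part of this checklist and not DISA tooling: it parses the `rule-result` elements of an XCCDF 1.2 `TestResult`, separates open findings (result `fail`) from results a scanner could not decide (`error`, `unknown`, `notchecked`), orders them by severity using the DISA CAT mapping, and returns an exit code suitable for a rerun-until-clean loop. The XCCDF 1.2 namespace and result vocabulary are from the NIST specification; the embedded results document is constructed and its rule identifiers are placeholders, not real STIG rule IDs.

```python
"""Triage an XCCDF 1.2 TestResult: open findings by severity, gate on CAT I.

Added example (not DISA tooling). SAMPLE_RESULTS is constructed; rule ids are placeholders.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import List

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# DISA maps XCCDF severity to CAT levels; rank drives the sort (0 = most urgent).
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
CAT_LABEL = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# XCCDF result values that are open findings vs. ones the scanner could not decide.
OPEN = {"fail"}
UNRESOLVED = {"error", "unknown", "notchecked"}

# Constructed sample results document (placeholder rule ids, not real STIG identifiers).
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample" start-time="2024-01-01T00:00:00">
    <target>esxi01.example.internal</target>
    <rule-result idref="xccdf_example_rule_lockdown" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_ssh" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_syslog" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner" severity="low"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_na" severity="high"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_err" severity="medium"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""


@dataclass
class RuleResult:
    idref: str
    severity: str
    result: str

    @property
    def cat(self) -> str:
        return CAT_LABEL.get(self.severity, "uncategorised")


def parse_results(xml_text: str) -> List[RuleResult]:
    """Collect every rule-result under the document root (works for a bare TestResult too)."""
    root = ET.fromstring(xml_text)
    rows: List[RuleResult] = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        text = (res.text or "").strip().lower() if res is not None else ""
        rows.append(RuleResult(
            idref=rr.get("idref", ""),
            severity=rr.get("severity", "unknown").lower(),  # severity attr is optional
            result=text or "unknown",
        ))
    return rows


def open_findings(rows: List[RuleResult]) -> List[RuleResult]:
    """Failed rules, most severe first (stable sort keeps scanner order within a CAT)."""
    return sorted((r for r in rows if r.result in OPEN),
                  key=lambda r: SEVERITY_RANK.get(r.severity, 4))


def needs_review(rows: List[RuleResult]) -> List[RuleResult]:
    return [r for r in rows if r.result in UNRESOLVED]


def exit_code(rows: List[RuleResult]) -> int:
    """2 if any CAT I rule failed, 1 if anything else is open or unresolved, else 0."""
    opened = open_findings(rows)
    if any(r.severity == "high" for r in opened):
        return 2
    if opened or needs_review(rows):
        return 1
    return 0


def report(rows: List[RuleResult]) -> str:
    lines = [f"results: {dict(Counter(r.result for r in rows))}"]
    lines += [f"OPEN    {r.cat:8} {r.idref}" for r in open_findings(rows)]
    lines += [f"REVIEW  {r.cat:8} {r.result:10} {r.idref}" for r in needs_review(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_results(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESULTS)
    print(report(rows))
    sys.exit(exit_code(rows))
```

`notapplicable` and `notselected` are deliberately neither open nor unresolved: the STIG allows them, but a reviewer should still confirm that a CAT I rule marked not applicable really is, since that is the easiest way for a finding to disappear from the report.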