STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.

DISA Rule

SV-207668r388482_rule

Vulnerability Number

V-207668

Group Title

SRG-OS-000480-VMM-002000

Rule Version

ESXI-65-000070

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Create a role for the CIM account.

From the Host Client, go to manage, then Security & Users. Select Roles then click Add Role. Provide a name for the new role then select Host >> Cim >> Ciminteraction and click Add.

Add a CIM user account.

From the Host Client, go to manage, then Security & Users. Select Users then click Add User. Provide a name, description, and password for the new user then click Add.

Assign the CIM account permissions to the host with the new role.

From the Host Client, select the ESXi host, right click and go to "Permissions". Click Add User and select the CIM account from the drop down list and select the new CIM role from the drop down list and click Add User.

Check Contents

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.

From the Host Client, select the ESXi host, right click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions.

If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding.

If write access is not required and the access level is not "read-only", this is a finding.

Vulnerability Number

V-207668

Documentable

False

Rule Version

ESXI-65-000070

Severity Override Guidance

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.

From the Host Client, select the ESXi host, right click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions.

If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding.

If write access is not required and the access level is not "read-only", this is a finding.

Check Content Reference

M

Target Key

2925

Comments