STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021

The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.

DISA Rule

SV-243091r719516_rule

Vulnerability Number

V-243091

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the datastore browser is enabled and required for object maintenance, no fix is immediately required.

Disable the managed object browser by editing the /etc/vmware-vpx/vpxd.cfg file.

Edit the file and locate the <vpxd> ... </vpxd> element.

Add or update the following element in the vpxd section:
<enableDebugBrowse>false</enableDebugBrowse>

Note: This element is not present by default, and its name and value are case sensitive.

Restart the vCenter Service to ensure the configuration file change(s) are in effect by running the following command on the vCenter appliance:

service-control --restart vmware-vpxd

Check Contents

Check the operational status of the MOB by performing one or both of the following:

Browse to the MOB page on the vCenter server:

https://<vcenter fqdn or IP>/mob

If a "503 Service Unavailable" error is returned, the MOB is disabled.

If a prompt for authentication appears, it is enabled.

or

Run the following command from the vCenter appliance:

grep -i "enableDebugBrowse" /etc/vmware-vpx/vpxd.cfg

If the MOB is enabled, ask the SA whether it is being used for object maintenance; if it is, this is not a finding.

If the "enableDebugBrowse" element is enabled (set to true) or absent, and object maintenance is not being performed, this is a finding.
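The following is an added example, not part of the STIG text or of any VMware tooling: a shell function that applies the file-based check above to a copy of vpxd.cfg and then applies the check's decision rule. It scans the whole file as the STIG's grep does, but matches the element name with exact case (as the fix note requires), so a wrongly cased element is reported as absent; the sample configuration it runs on is constructed.

```shell
#!/bin/sh
# Added example (not STIG or VMware code): classify the MOB setting in a
# vpxd.cfg and apply the check's decision rule.

# mob_status FILE -> prints "disabled", "enabled", "absent" or "unreadable"
mob_status() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 0; }
    # Value of the last exact-case <enableDebugBrowse>...</enableDebugBrowse>,
    # surrounding whitespace stripped. A differently cased element does not match.
    val=$(sed -n 's/.*<enableDebugBrowse>\([^<]*\)<\/enableDebugBrowse>.*/\1/p' "$cfg" \
          | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        "")    echo "absent" ;;
        false) echo "disabled" ;;
        *)     echo "enabled" ;;   # "true" or any other value: MOB is not disabled
    esac
}

# mob_finding FILE MAINTENANCE(yes|no) -> "finding", "not a finding" or "undetermined"
# Per the check: an enabled or absent element is a finding unless the SA confirms
# the MOB is in use for object maintenance.
mob_finding() {
    case "$(mob_status "$1")" in
        disabled)   echo "not a finding" ;;
        unreadable) echo "undetermined" ;;
        *) if [ "$2" = "yes" ]; then echo "not a finding"; else echo "finding"; fi ;;
    esac
}

# Demo on a constructed sample, not a real vpxd.cfg.
demo_cfg=$(mktemp)
printf '<config>\n  <vpxd>\n    <enableDebugBrowse>true</enableDebugBrowse>\n  </vpxd>\n</config>\n' > "$demo_cfg"
echo "status: $(mob_status "$demo_cfg"); maintenance=no -> $(mob_finding "$demo_cfg" no)"
rm -f "$demo_cfg"
```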

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5399

Comments