| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-94349 | ESXI-65-000070 | SV-104303r1_rule | | Medium |
| Description |
|---|
| The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant the read-only role to this user on the ESXi server. Place this user in the Exception Users list. When and where write access is required, create or enable a limited-privilege service account and grant it only the minimum required privileges. |
| STIG | Date |
|---|---|
| VMware vSphere 6.5 ESXi Security Technical Implementation Guide | 2019-10-01 |
| Check Text (C-93535r1_chk) |
|---|
| From the vSphere Web Client, select the ESXi host and go to "Permissions". Select the CIM account user, then click "Edit settings" to verify read-only access. If write access is not required and the access level is not "read-only", this is a finding. |
| Fix Text (F-100465r1_fix) |
|---|
| From the vSphere Web Client, select the ESXi host and go to "Permissions". Click the green plus sign and click "Add" to add a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. Select "Users" and right-click in the user screen. Select "Add", then add a new user. If write access is required, grant only the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges. |