
The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.


Overview

Finding ID: V-94349
Version: ESXI-65-000070
Rule ID: SV-104303r1_rule
IA Controls: (not specified)
Severity: Medium
Description
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.
STIG: VMware vSphere 6.5 ESXi Security Technical Implementation Guide
Date: 2019-10-01

Details

Check Text ( C-93535r1_chk )
From the vSphere Web Client, select the ESXi host, and go to "Permissions". Select the CIM account user, then click Edit settings to verify read-only access.

If write access is not required and the access level is not "read-only", this is a finding.
Fix Text (F-100465r1_fix)
From the vSphere Web Client, select the ESXi host, go to "Permissions". Click the green plus sign and click Add to add a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. Select Users and right-click in the user screen. Select "Add", then Add a new user. If write access is required, only grant the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges.
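The check and fix above are written for the vSphere Web Client; the same audit and remediation can be scripted with PowerCLI, which is how it is usually done across many hosts. The script below is an added example, not part of the STIG and not VMware's own code. It assumes the VMware.PowerCLI module is installed, that Connect-VIServer has already been run against vCenter or the host, and that the CIM service account is named "svc-cim" (a placeholder). The privilege IDs "Host.Config.SystemManagement" and "Host.Cim.CimInteraction" are assumed to correspond to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges named in the fix text.

```powershell
# Added example (not from the STIG or VMware): audit and remediate the CIM
# service account's permissions on ESXi hosts with PowerCLI.
# Assumes: Connect-VIServer already done; account name below is a placeholder.
$cimAccount = 'svc-cim'

# --- Check: the CIM account must hold only the built-in ReadOnly role on each host.
function Test-CimAccountReadOnly {
    param([string]$Account)
    foreach ($vmhost in Get-VMHost) {
        # Principal may be a bare local name or DOMAIN\name; match on the suffix.
        $perms = Get-VIPermission -Entity $vmhost |
                 Where-Object { $_.Principal -like "*$Account" }
        if (-not $perms) {
            Write-Output "INFO: $($vmhost.Name): no permission entry for $Account"
            continue
        }
        foreach ($perm in $perms) {
            if ($perm.Role -eq 'ReadOnly') {
                Write-Output "OK: $($vmhost.Name): $($perm.Principal) is ReadOnly"
            } else {
                # Anything other than ReadOnly when write access is not required is a finding.
                Write-Output "FINDING: $($vmhost.Name): $($perm.Principal) holds role '$($perm.Role)'"
            }
        }

        # Lockdown-mode exception users (Description says the CIM account belongs there).
        $ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $exceptions = $ham.QueryLockdownExceptions()
        if ($exceptions -notcontains $Account) {
            Write-Output "NOTE: $($vmhost.Name): $Account is not in the Exception Users list"
        }
    }
}

# --- Fix: grant the account read-only access on every host.
function Set-CimAccountReadOnly {
    param([string]$Account)
    foreach ($vmhost in Get-VMHost) {
        New-VIPermission -Entity $vmhost -Principal $Account -Role 'ReadOnly' -Propagate:$false | Out-Null
    }
}

# --- Fix (only where write access is genuinely required): a custom role limited to
# the two privileges the STIG allows, instead of Admin or the root group.
function Set-CimAccountLimitedWrite {
    param([string]$Account, [string]$RoleName = 'CIM-Limited')
    if (-not (Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue)) {
        # Privilege IDs assumed to map to the privilege names in the fix text.
        $privs = Get-VIPrivilege -Id 'Host.Config.SystemManagement', 'Host.Cim.CimInteraction'
        New-VIRole -Name $RoleName -Privilege $privs | Out-Null
    }
    foreach ($vmhost in Get-VMHost) {
        New-VIPermission -Entity $vmhost -Principal $Account -Role $RoleName -Propagate:$false | Out-Null
    }
}

# Usage: run the check first; apply one of the two fixes depending on whether the
# monitoring tool needs write access.
Test-CimAccountReadOnly -Account $cimAccount
# Set-CimAccountReadOnly      -Account $cimAccount
# Set-CimAccountLimitedWrite  -Account $cimAccount
```

New-VIPermission replaces any existing entry for the same principal on that entity, so running the read-only fix against a host where the account currently holds Admin downgrades it in place; keep -Propagate:$false so the grant stays scoped to the host object itself.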