Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239323 | ESXI-67-000070 | SV-239323r674898_rule | Medium |
Description |
---|
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege service account and grant only the minimum required privileges. |
STIG | Date |
---|---|
VMware vSphere 6.7 ESXi Security Technical Implementation Guide | 2022-01-05 |
Check Text ( C-42556r674896_chk ) |
---|
From the Host Client, select the ESXi host, right-click and go to "Permissions". Verify the CIM account user role is limited to read only and CIM permissions. If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding. If write access is not required and the access level is not "read-only", this is a finding. |
Fix Text (F-42515r674897_fix) |
---|
Create a role for the CIM account: From the Host Client, go to Manage >> Security & Users. Select "Roles" and click "Add Role". Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add". Add a CIM user account: From the Host Client, go to Manage >> Security & Users. Select "Users" and click "Add User". Provide a name, description, and password for the new user and click "Add". Assign the CIM account permissions to the host with the new role. From the Host Client, select the ESXi host, right-click, and go to "Permissions". Click "Add User", select the CIM account from the drop-down list, select the new CIM role from the drop-down list, and click "Add User". |