
The ESXi host must disable Simple Network Management Protocol (SNMP) v1 and v2c.


Overview

Finding ID: V-258767
Version: ESXI-80-000212
Rule ID: SV-258767r933362_rule
IA Controls: (none listed)
Severity: Medium
Description
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can use this information to plan an attack.
STIG: VMware vSphere 8.0 ESXi Security Technical Implementation Guide
Date: 2023-10-11

Details

Check Text (C-62507r933360_chk)
From an ESXi shell, run the following command:

# esxcli system snmp get

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHostSnmp | Select *

If SNMP is not in use and is enabled, this is a finding.

If SNMP is enabled and is not using v3 targets with authentication, this is a finding.

Note: SNMP v3 targets can only be viewed and configured via the "esxcli" command.
Fix Text (F-62416r933361_fix)
To disable SNMP from an ESXi shell, run the following command:

# esxcli system snmp set -e no

or

From a PowerCLI command prompt while connected to the ESXi Host:

Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false
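
One way to automate the check text above from the ESXi shell, as an added example that is not part of the STIG. It assumes the indented "Key: value" layout and the key names Enable, Authentication, Communities, Targets and V3targets in the output of "esxcli system snmp get"; the function names and sample values are constructed, and the v1/v2c test goes beyond the check text, following the rule title.

```shell
#!/bin/sh
# Added example, not part of the STIG. Assumed output layout: indented
# "Key: value" lines with keys Enable, Authentication, Communities,
# Targets and V3targets.

# field NAME: value of one key from the captured output in $SNMP_OUT.
field() {
    printf '%s\n' "$SNMP_OUT" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# snmp_stig_check IN_USE: IN_USE is "yes" when the site monitors this host
# over SNMP. Reads the command output on stdin, prints one line per reason,
# returns 0 when compliant and 1 when there is a finding.
snmp_stig_check() {
    SNMP_OUT=$(cat)
    rc=0
    if [ "$(field Enable)" != "true" ]; then
        echo "OK: SNMP is disabled"
        return 0
    fi
    if [ "$1" != "yes" ]; then
        echo "FINDING: SNMP is enabled but not in use"; rc=1
    fi
    if [ -z "$(field V3targets)" ]; then
        echo "FINDING: SNMP is enabled with no v3 targets"; rc=1
    fi
    auth=$(field Authentication)
    if [ -z "$auth" ] || [ "$auth" = "none" ]; then
        echo "FINDING: no SNMP v3 authentication protocol is set"; rc=1
    fi
    # Beyond the check text, following the rule title: community strings
    # and v1/v2c trap targets mean v1/v2c is still configured.
    if [ -n "$(field Communities)" ] || [ -n "$(field Targets)" ]; then
        echo "FINDING: v1/v2c communities or targets are configured"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: SNMP uses v3 targets with authentication"; fi
    return "$rc"
}

# Constructed sample output (not captured from a real host).
sample_weak() {
    printf '   %s\n' 'Authentication: ' 'Communities: public' 'Enable: true' \
        'Port: 161' 'Targets: 192.0.2.10@162 public' 'V3targets: '
}

sample_weak | snmp_stig_check yes || true
```

On a host, pipe the real output into the function: "esxcli system snmp get | snmp_stig_check yes" (or "no" when SNMP is not used at the site).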