The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256427 | ESXI-70-000070 | SV-256427r959010_rule | CCI-000366 | medium |
| Description | ||||
| The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming interfaces (APIs). In environments that implement CIM hardware monitoring, create a limited-privilege, read-only service account for CIM and place this user in the Exception Users list. When CIM write access is required, create a new role with only the "Host.CIM.Interaction" permission and apply that role to the CIM service account. | ||||
| STIG | Date | |||
| VMware vSphere 7.0 ESXi Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R4 · disa_xccdf · related
Details
Check Text (C-256427r959010_chk)
If CIM monitoring is not implemented, this is not applicable.
From the Host Client, select the ESXi host, right-click, and go to "Permissions".
Verify the CIM service account is assigned the "Read-only" role or a custom role as described in the discussion.
If there is no dedicated CIM service account, this is a finding.
If the CIM service account has more permissions than necessary as noted in the discussion, this is a finding.
Fix Text (F-60045r886061_fix)
If write access is required, create a new role for the CIM service account:
From the Host Client, go to Manage >> Security & Users.
Select "Roles" and click "Add role".
Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add".
Add a CIM service account:
From the Host Client, go to Manage >> Security & Users.
Select "Users" and click "Add user".
Provide a name, description, and password for the new user and click "Add".
Assign the CIM service account permissions to the host with the new role:
From the Host Client, select the ESXi host, right-click, and go to "Permissions".
Click "Add User", select the CIM service account from the drop-down list, and select either "Read-only" or the role just created. Click "Add User".