The ESXi host lockdown mode exception users list must be verified.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258760 | ESXI-80-000201 | SV-258760r933341_rule | CCI-000366 | medium |
| Description | ||||
| While a host is in lockdown mode (strict or normal), only users on the "Exception Users" list are allowed access. These users do not lose their permissions when the host enters lockdown mode. The organization may want to add service accounts such as a backup agent to the Exception Users list. Verify the list of users exempted from losing permissions is legitimate and as needed per the environment. Adding unnecessary users to the exception list defeats the purpose of lockdown mode. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2023-10-11 | |||
Details
Check Text (C-258760r933341_chk)
For environments that do not use vCenter server to manage ESXi, this is not applicable.
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Security Profile.
Under "Lockdown Mode", review the Exception Users list.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following script:
$vmhost = Get-VMHost | Get-View
$lockdown = Get-View $vmhost.ConfigManager.HostAccessManager
$lockdown.QueryLockdownExceptions()
If the Exception Users list contains accounts that do not require special permissions, this is a finding.
Note: The Exception Users list is empty by default and should remain that way except under site-specific circumstances.
Fix Text (F-62409r933340_fix)
From the vSphere Client, go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Security Profile.
Under "Lockdown Mode", click "Edit" and remove unnecessary users from the Exception Users list.