5.3 Ensure the ESXi shell is disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. The ESXi shell should only be enabled on a host when running diagnostics or troubleshooting.

Rationale:

Activities performed from the ESXi shell bypass vCenter RBAC and audit controls, so the ESXi shell should only be enabled when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI.

Solution

To disable the ESXi shell, perform the following:

From the vSphere web client, select the host.

Select 'Configure' -> 'System' -> 'Security Profile'.

Scroll down to 'Services'.

Click 'Edit...'.

Select 'ESXi Shell'.

Click 'Stop'.

Change the Startup Policy to 'Start and Stop Manually'.

Click 'OK'.

Alternatively, use the following PowerCLI command:

# Set the ESXi shell startup policy to Off (start and stop manually) for all hosts.
# This changes the startup policy only; an instance that is already running must still be stopped.
Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM' } | Set-VMHostService -Policy Off
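The same control can be audited across every host before changing anything, and remediated in the same pass when wanted. The PowerCLI script below is an added example, not from the CIS benchmark; it assumes PowerCLI is loaded, an active Connect-VIServer session to vCenter exists, and the -Remediate switch name is a hypothetical choice for this example.

```powershell
# Added audit/remediation example for control 5.3; not part of the CIS page.
# Assumes PowerCLI is loaded and a Connect-VIServer session to vCenter exists.
# The ESXi Shell service key is 'TSM' (the SSH service is 'TSM-SSH', not covered here).
param(
    [switch]$Remediate   # hypothetical switch: stop the shell and set its startup policy to Off
)

$report = foreach ($vmhost in Get-VMHost) {
    $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM' }
    if (-not $svc) {
        Write-Warning "$($vmhost.Name): ESXi Shell service (TSM) not found"
        continue
    }

    # Compliant only if the shell is not running AND will not start automatically.
    $compliant = (-not $svc.Running) -and ($svc.Policy -eq 'off')

    if (-not $compliant -and $Remediate) {
        if ($svc.Running) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
        Set-VMHostService -HostService $svc -Policy Off | Out-Null
        # Re-read the service state so the report reflects the outcome of remediation.
        $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM' }
        $compliant = (-not $svc.Running) -and ($svc.Policy -eq 'off')
    }

    [PSCustomObject]@{
        Host      = $vmhost.Name
        Running   = $svc.Running
        Policy    = $svc.Policy
        Compliant = $compliant
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job flag drift without parsing the table.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without the switch to produce a read-only compliance report; add -Remediate to stop the shell and set its policy on the non-compliant hosts it finds.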

See Also

https://workbench.cisecurity.org/files/3511