ESXI-65-000070 - The ESXi host must not provide root/administrator level access to CIM-based hardware monitoring tools or other third-party applications.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create a role for the CIM account.

From the Host Client, go to manage, then Security & Users. Select Roles then click Add Role. Provide a name for the new role then select Host >> Cim >> Ciminteraction and click Add.

Add a CIM user account.

From the Host Client, go to manage, then Security & Users. Select Users then click Add User. Provide a name, description, and password for the new user then click Add.

Assign the CIM account permissions to the host with the new role.

From the Host Client, select the ESXi host, right click and go to 'Permissions'. Click Add User and select the CIM account from the drop down list and select the new CIM role from the drop down list and click Add User.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-207668r388482_rule, STIG-ID|ESXI-65-000070, STIG-Legacy|SV-104303, STIG-Legacy|V-94349, Vuln-ID|V-207668

Plugin: VMware

Control ID: 65da13fbde1c1d69876039f63181fd880c049ff1a3c2adabb82e071892ae852e