5.5 Ensure CIM access is limited

Information

The Common Information Model (CIM) system provides an interface that enables
hardware-level management from remote applications using a set of standard APIs.
Provide only the minimum access necessary to applications. Do not provision CIM-based
hardware monitoring tools and other third-party applications to run as root or as another
administrator account. Instead, create a dedicated service account specific to each CIM
application with the minimal access and privileges needed for that application.

*Rationale*

If CIM-based hardware monitoring tools or other third-party applications are granted
unneeded administrator level access, they could potentially be used to compromise the
security of the host.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To limit CIM access, perform the following:

1. Create a limited-privileged service account for CIM and other third-party applications.
2. This account should access the system via vCenter.
3. Give the account the "CIM Interaction" privilege only. This will enable the account to
obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host.
If an account must connect to the host directly, this account must be granted the full "Administrator" role on the host.
This is not recommended unless required by the monitoring software being used.

Alternately, run the following PowerCLI command:

# Create a new host user account -Host Local connection required- New-VMHostAccount -ID ServiceUser -Password <password> -UserAccount

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: VMware

Control ID: 9adf309ca49e3965c0150aff820fb7b9f61ecceba2102074e3f5fabf76b1720d