5.4 Ensure CIM access is limited

Information

The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. Provide only the minimum access necessary to applications. Do not provision CIM-based hardware monitoring tools and other third-party applications to run as root or as another administrator account. Instead, create a dedicated service account specific to each CIM application with the minimal access and privileges needed for that application.

Rationale:

If CIM-based hardware monitoring tools or other third-party applications are granted unneeded administrator level access, they could potentially be used to compromise the security of the host.

Impact:

CIM-based hardware monitoring tools or other third-party applications that utilize CIM may not function as expected.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To limit CIM access, perform the following:

Create a limited-privileged service account for CIM and other third-party applications.

This account should access the system via vCenter.

Give the account the CIM Interaction privilege only. This will enable the account to obtain a CIM ticket, which can then be used to perform both read and write CIM operations on the target host. If an account must connect to the host directly, this account must be granted the full 'Administrator' role on the host. This is not recommended unless required by the monitoring software being used.

Alternatively, run the following PowerCLI command:

# Create a new host-local user account (a direct connection to the ESXi host is required)
New-VMHostAccount -Id ServiceUser -Password <password> -UserAccount
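The steps above carried through as one PowerCLI script, added here as an example and not part of the benchmark or of Tenable's text: create the host-local service account, grant it a role holding only the CIM Interaction privilege through vCenter, and list which principals still hold the Administrator role on the host (the check Nessus does not perform). The host name, vCenter name, role name 'CIM-Only', the host-local account 'ServiceUser' and the vCenter principal 'EXAMPLE\cim-svc' are placeholders to replace; the privilege ID 'Host.Cim.CimInteraction' is the one shown in the vSphere client as Host > CIM > CIM interaction, and the script looks it up with Get-VIPrivilege so a missing or renamed ID fails loudly instead of silently creating an empty role.

```powershell
# Added example, not from the CIS benchmark or the Tenable page. Assumes VMware PowerCLI
# is installed and that the caller holds administrator credentials for both the ESXi
# host and vCenter. All names below are placeholders.
$EsxHost          = 'esxi01.example.com'      # placeholder
$VCenter          = 'vcenter.example.com'     # placeholder
$RoleName         = 'CIM-Only'                # placeholder role name
$HostLocalUser    = 'ServiceUser'             # host-local account, as on the page
$VCenterPrincipal = 'EXAMPLE\cim-svc'         # placeholder vCenter/SSO principal

# Step 1: create the host-local service account. New-VMHostAccount only works on a
# direct connection to the host, which is why this connects to the host, not vCenter.
function New-CimServiceAccount {
    param([string]$Server, [string]$Id, [securestring]$Password)
    $h = Connect-VIServer -Server $Server
    try {
        # New-VMHostAccount takes a plain-text password; convert just before use.
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        New-VMHostAccount -Id $Id -Password $plain -UserAccount -Server $h `
            -Description 'CIM monitoring service account (least privilege)'
    } finally {
        Disconnect-VIServer -Server $h -Confirm:$false
    }
}

# Step 2: through vCenter, build a role that carries only the CIM Interaction privilege
# and bind it to the principal on the single host object, without propagation.
function Grant-CimOnlyAccess {
    param([string]$VCenter, [string]$EsxHost, [string]$Principal, [string]$Role)
    $vc = Connect-VIServer -Server $VCenter
    try {
        # Fails if the privilege ID is unknown on this vSphere version, rather than
        # creating a role with no privileges.
        $priv = Get-VIPrivilege -Id 'Host.Cim.CimInteraction' -Server $vc -ErrorAction Stop
        $roleObj = Get-VIRole -Name $Role -Server $vc -ErrorAction SilentlyContinue
        if (-not $roleObj) {
            $roleObj = New-VIRole -Name $Role -Privilege $priv -Server $vc
        }
        $target = Get-VMHost -Name $EsxHost -Server $vc
        New-VIPermission -Entity $target -Principal $Principal -Role $roleObj -Propagate:$false
    } finally {
        Disconnect-VIServer -Server $vc -Confirm:$false
    }
}

# Step 3: audit. Any monitoring or third-party account listed here holds the full
# Administrator role ('Admin' in PowerCLI) on the host and should be moved to the
# CIM-only role unless its vendor requires direct host access.
function Get-AdminPermissionsOnHost {
    param([string]$Server, [string]$EsxHost)
    $c = Connect-VIServer -Server $Server
    try {
        $target = Get-VMHost -Name $EsxHost -Server $c
        Get-VIPermission -Entity $target -Server $c |
            Where-Object { $_.Role -eq 'Admin' } |
            Select-Object Principal, Role, Propagate, IsGroup
    } finally {
        Disconnect-VIServer -Server $c -Confirm:$false
    }
}

# Usage (prompts for the service account password instead of embedding it):
$pw = Read-Host -Prompt "Password for $HostLocalUser" -AsSecureString
New-CimServiceAccount -Server $EsxHost -Id $HostLocalUser -Password $pw
Grant-CimOnlyAccess -VCenter $VCenter -EsxHost $EsxHost -Principal $VCenterPrincipal -Role $RoleName
Get-AdminPermissionsOnHost -Server $VCenter -EsxHost $EsxHost | Format-Table -AutoSize
```

The permission is created on the host object with -Propagate:$false so the CIM account cannot reach child objects, and the audit runs against vCenter so it reports the same permission set the benchmark expects the account to use; run Get-AdminPermissionsOnHost again after the change to confirm the monitoring account no longer appears.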

See Also

https://workbench.cisecurity.org/benchmarks/12725