ESXI-67-000070 - The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege service account and grant only the minimum required privileges.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create a role for the CIM account:

From the Host Client, go to Manage >> Security & Users.

Select 'Roles' and click 'Add Role'.

Provide a name for the new role and select Host >> Cim >> Ciminteraction and click 'Add'.

Add a CIM user account:

From the Host Client, go to Manage >> Security & Users.

Select 'Users' and click 'Add User'.

Provide a name, description, and password for the new user and click 'Add'.

Assign the CIM account permissions to the host with the new role.

From the Host Client, select the ESXi host, right-click, and go to 'Permissions'.

Click 'Add User', select the CIM account from the drop-down list, select the new CIM role from the drop-down list, and click 'Add User'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-239323r674898_rule, STIG-ID|ESXI-67-000070, Vuln-ID|V-239323

Plugin: VMware

Control ID: cc55f99c49b2aec090ef4554a8bb6c6d539ff854df07b000481e4007c10c2093