VCSA-70-000253 - The vCenter server must enforce SNMPv3 security features where SNMP is required.

Information

SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication.

SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection.

SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

At the command prompt on the vCenter Server Appliance, run the following commands:

# appliancesh
# snmp.set --authentication SHA1
# snmp.set --privacy AES128

To change the security level of a user, run the following command:

# snmp.set --users <username>/<auth_password> <priv_password>/priv

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1), CAT|II, CCI|CCI-001967, Rule-ID|SV-256344r885643_rule, STIG-ID|VCSA-70-000253, Vuln-ID|V-256344

Plugin: VMware

Control ID: 7c2835ba6c8ec8d7cd85350ea23d8f9d3b835d62d6f724411d285a9e477bae53