
The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.


Overview

Finding ID: V-39297
Version: SRG-OS-99999-ESXI5-000139
Rule ID: SV-51113r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2013-09-12

Details

Check Text (C-46561r1_chk)
If write access is required, this check is not applicable.

From the vSphere client, select the ESXi host and go to "Permissions". Select the CIM account user, right-click it, and select "Properties" to verify that the assigned role is read-only.

If write access is not required and the access level is not "read-only", this is a finding.
Fix Text (F-44276r1_fix)
From the vSphere client, select the ESXi host and go to "Local Users and Groups". Select "Users", right-click in the user list, select "Add", and add a new user. Create a limited-privilege, read-only service account for CIM and place the CIM account into the "root" group. If write access is required, grant only the minimum required privileges: CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIMInteraction" privileges.
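The Check Text and Fix Text above describe a manual vSphere client procedure. As an added example (not part of the STIG and not VMware code), the script below encodes the same decision logic so it can be run across many hosts: a CIM account passes when its effective privileges are exactly the Read-only baseline, is a finding when it holds anything more while write access is not required, and is scored N/A when write access is required, with any privilege beyond the two the Fix Text names reported for review. The permission records are constructed sample data shaped like what the vSphere API's AuthorizationManager exposes (RetrieveAllPermissions for principal/role bindings, roleList for each role's privilege IDs); the account names such as cimuser are assumed for illustration. The privilege IDs Host.Config.SystemManagement and Host.Cim.CimInteraction are the API names of the two privileges the STIG text refers to.

```python
"""Evaluate ESXi host permissions against V-39297 (CIM service account).

Added example; not part of the STIG and not VMware code. SAMPLE_PERMISSIONS
is constructed data shaped like what the vSphere API's AuthorizationManager
exposes (principal, role name, role privilege IDs). Account names such as
'cimuser' are assumed for illustration.
"""

# Privileges every vSphere role carries, including the built-in Read-only
# role; they confer no write capability.
BASELINE = {"System.Anonymous", "System.View", "System.Read"}

# API identifiers of the two privileges the Fix Text names as the maximum a
# CIM account may hold when write access is required.
ALLOWED_WRITE = {"Host.Config.SystemManagement", "Host.Cim.CimInteraction"}

# Constructed sample: the host's Admin, a compliant read-only CIM account,
# a CIM account holding exactly the Fix Text minimum, and a CIM account
# that was wrongly given the Admin role.
SAMPLE_PERMISSIONS = [
    {"principal": "root", "role": "Admin",
     "privileges": sorted(BASELINE | ALLOWED_WRITE | {"Host.Config.Settings"})},
    {"principal": "cimuser", "role": "ReadOnly",
     "privileges": sorted(BASELINE)},
    {"principal": "cimwriter", "role": "CIM Service",
     "privileges": sorted(BASELINE | ALLOWED_WRITE)},
    {"principal": "cimadmin", "role": "Admin",
     "privileges": sorted(BASELINE | ALLOWED_WRITE | {"Host.Config.Settings"})},
]


def evaluate(permissions, cim_account, write_required=False):
    """Return (status, reason) for one CIM account.

    status is 'pass', 'finding', 'n/a' (write access required and privileges
    within the Fix Text minimum) or 'review' (write access required but the
    role grants more than the Fix Text minimum; the Check Text marks this
    case N/A, so it is reported rather than scored as a finding).
    """
    entries = [p for p in permissions if p["principal"] == cim_account]
    if not entries:
        return "finding", f"no permission entry for {cim_account!r}"

    # A principal may hold several permissions (direct and via groups);
    # the effective privilege set is their union.
    granted = set()
    for p in entries:
        granted |= set(p["privileges"])
    extra = granted - BASELINE

    if write_required:
        excess = extra - ALLOWED_WRITE
        if excess:
            return ("review", "write access required; role exceeds Fix Text "
                    "minimum: " + ", ".join(sorted(excess)))
        return "n/a", "write access required; privileges within Fix Text minimum"

    if extra:
        return ("finding", "access level is not read-only; extra privileges: "
                + ", ".join(sorted(extra)))
    return "pass", "read-only access confirmed"


if __name__ == "__main__":
    cases = [("cimuser", False), ("cimwriter", False),
             ("cimwriter", True), ("cimadmin", True)]
    for account, write in cases:
        status, reason = evaluate(SAMPLE_PERMISSIONS, account, write)
        print(f"{account:10} write_required={write!s:5} -> {status}: {reason}")
```

The union over all entries matters in practice: a CIM account that is individually read-only but belongs to a group bound to a privileged role is still not read-only, and a check that looks only at the user's own entry would miss it.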