SNMP communities, users, and passphrases must be changed from the default.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39247 | GEN005300-ESXI5-000099 | SV-51063r1_rule | Medium |
| Description |
|---|
| Whether active or inactive, default communities, users, and passwords must be changed to maintain security. A service running with default authenticators allows acquisition of data about the system and the network to potentially compromise the integrity of the system or network(s). |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2017-01-06 |
Details
| Check Text ( C-46511r1_chk ) |
|---|
| Disable lock down mode. Enable the ESXi Shell. Login as root and check the snmp configuration file for default(s): # egrep -i "community|communities" /etc/vmware/snmp.xml If any community name or password is set to a default value such as public, private or password, this is a finding. Re-enable lock down mode. |
| Fix Text (F-44226r4_fix) |
|---|
| From the Power/v CLI, run the (below example) command: > # vicfg-snmp.pl --server In the above example, -E enables the VMware SNMP agent, and -c sets communities to the provided name. |