The system must disable the Managed Object Browser (MOB).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39296 | SRG-OS-99999-ESXI5-000137 | SV-51112r1_rule | Medium |
| Description |
|---|
| The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method obtain information about a host being targeted for unauthorized access. |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2017-01-06 |
Details
| Check Text ( C-46560r3_chk ) |
|---|
| Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and determine if the MOB is enabled. # vim-cmd proxysvc/service_list | grep proxy-mob If the command return lists "proxy-mob", this is a finding. Re-enable Lockdown Mode on the host. |
| Fix Text (F-44275r1_fix) |
|---|
| Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and disable the MOB. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect". Re-enable Lockdown Mode on the host. |