The system must set a timeout for the ESXi Shell to automatically disable itself after a predetermined period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39392 | SRG-OS-000126-ESXI5 | SV-51250r2_rule | Medium |
| Description |
|---|
| The ESXiShellTimeout setting is the number of seconds that can elapse before a logon occurs after the ESXi Shell is enabled. After the timeout period, if a logon has not occurred, the shell is disabled. Leaving the shell enabled unnecessarily increases the potential for someone to gain privileged access to the host |
| STIG | Date |
|---|---|
| VMware ESXi Server 5.0 Security Technical Implementation Guide | 2017-01-06 |
Details
| Check Text ( C-46666r2_chk ) |
|---|
| From the vSphere client select the host and click "Configuration >> Advanced Settings". Select "UserVars.ESXiShellTimeOut" parameter and verify it is set to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout. If the "UserVars.ESXiShellTimeOut" parameter is set to a value less than 1 or greater than 900, this is a finding. |
| Fix Text (F-44405r2_fix) |
|---|
| From the vSphere client select the host and click "Configuration >> Advanced Settings". Select UserVars.ESXiShellTimeOut parameter and configure it to a value not to exceed 900 seconds (15 minutes). A value of 0 disables the ESXi Shell timeout. |