
The system must ensure proper SNMP configuration.


Overview

Finding ID: V-39417
Version: SRG-OS-99999-ESXI5-000144
Rule ID: SV-51275r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack. SNMP must be configured on each ESXi host using Power/v CLI. vSphere PowerCLI is a command line tool used to automate vSphere management. PowerCLI is distributed as a Windows PowerShell snap-in, and includes 300+ PowerShell cmdlets and use documentation.
STIG: VMware ESXi Server 5.0 Security Technical Implementation Guide
Date: 2017-01-06

Details

Check Text ( C-46691r2_chk )
From the Power/v CLI, run:
"vicfg-snmp.pl --server -s" to determine if SNMP is being used. An alternative command option instead of the "-s" is "--show".

If SNMP is not being used and "enabled" = 1, this is a finding. If the read-only community name is set to "public", this is a finding. If the read-write community name is set to "private", this is a finding.
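The check above can be run over saved "--show" output from each host. The following is an added example, not part of the STIG or of VMware's tooling: the output layout it parses and the names parse_show and stig_findings are assumptions, the sample output is constructed, and because that layout lists communities without a read-only/read-write split, either default name is flagged wherever it appears in the community list.

```python
import re

# Constructed sample of `vicfg-snmp.pl --show` output. The layout is an
# assumption for this example; adjust the parser to what your vCLI prints.
SAMPLE_SHOW = """\
Current SNMP agent settings:
Enabled  : 1
UDP port : 161

Communities :
public

Notification targets :
192.0.2.10@162/public
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # names the check text rejects


def parse_show(text):
    """Map each lowercased 'Key :' label to its list of values."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes a multi-line section
            continue
        m = re.match(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
        if m:
            current = m.group(1).lower()
            settings[current] = [v for v in re.split(r"[,\s]+", m.group(2)) if v]
        elif current:
            settings[current] += [v for v in re.split(r"[,\s]+", line) if v]
    return settings


def stig_findings(show_output, snmp_in_use):
    """Return the V-39417 findings for one host's --show output."""
    cfg = parse_show(show_output)
    if not cfg.get("enabled"):
        # Refuse to report "no findings" for output we could not parse.
        raise ValueError("no 'Enabled' value found in --show output")
    findings = []
    if cfg["enabled"][0] == "1" and not snmp_in_use:
        findings.append("SNMP is enabled but not in use")
    for name in sorted(DEFAULT_COMMUNITIES & set(cfg.get("communities", []))):
        findings.append(f'default community name "{name}" is set')
    return findings
```

Pass snmp_in_use from your own inventory of monitored hosts; the tool output alone cannot say whether SNMP is meant to be in use.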
Fix Text (F-44430r2_fix)
If SNMP is not being used, configure "enabled" = 0. From the Power/v CLI, execute "vicfg-snmp.pl --server -D".

If SNMP is being used, ensure the community name is configured:
From the vSphere CLI, type "vicfg-snmp.pl --server hostname --username --password -c ".

To enable SNMP from the vSphere CLI, type:
# vicfg-snmp.pl --server --username --password --enable