The system must disable the Managed Object Browser (MOB).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-OS-99999-ESXI5-000137	SRG-OS-99999-ESXI5-000137	SRG-OS-99999-ESXI5-000137_rule		Medium

Description
The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method obtain information about a host being targeted for unauthorized access.

STIG	Date
VMware ESXi v5 Security Technical Implementation Guide	2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000137_chk )
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and determine if the MOB is enabled. # vim-cmd proxysvc/service_list \| grep proxy-mob If the command return lists "proxy-mob", this is a finding. Re-enable Lockdown Mode on the host.

Check Text ( C-SRG-OS-99999-ESXI5-000137_chk )

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively.
Start the ESXi Shell service, where/as required.

As root, log in to the ESXi Shell and determine if the MOB is enabled.
# vim-cmd proxysvc/service_list | grep proxy-mob

If the command return lists "proxy-mob", this is a finding.

Re-enable Lockdown Mode on the host.

Fix Text (F-SRG-OS-99999-ESXI5-000137_fix)
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and disable the MOB. # vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect". Re-enable Lockdown Mode on the host.

Fix Text (F-SRG-OS-99999-ESXI5-000137_fix)

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively.
Start the ESXi Shell service, where/as required.

As root, log in to the ESXi Shell and disable the MOB.
# vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect".

Re-enable Lockdown Mode on the host.