
The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.


Overview

Finding ID: SRG-OS-99999-ESXI5-000139
Version: SRG-OS-99999-ESXI5-000139
Rule ID: SRG-OS-99999-ESXI5-000139_rule
IA Controls:
Severity: Medium
Description
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. When and where write access is required, create or enable a limited-privilege service account and grant it only the minimum required privileges. CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIMInteraction" privileges.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-SRG-OS-99999-ESXI5-000139_chk)
From the vSphere client, select the ESXi host and go to "Permissions". Select the CIM account user, then right-click and select "Properties" to verify that its access is read-only.

If write access is required, this check is not applicable.

If write access is not required and the access level is not "read-only", this is a finding.
Fix Text (F-SRG-OS-99999-ESXI5-000139_fix)
From the vSphere client, select the ESXi host and go to "Local Users and Groups". Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. Select "Users", right-click in the user screen, select "Add", then add a new user. If write access is required, grant only the minimum required privileges. CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIMInteraction" privileges.