Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-OS-99999-ESXI5-000139 | SRG-OS-99999-ESXI5-000139 | SRG-OS-99999-ESXI5-000139_rule | Medium |
| Description |
|---|
| The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the "root" group. When/where write access is required, create/enable a limited-privilege, service account and grant only the minimum required privileges. CIM accounts should be limited to the "Host >> Config >> System Management" and "Host >> CIM >> CIMInteraction" privileges. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-SRG-OS-99999-ESXI5-000139_chk ) |
|---|
| From the vSphere client, select the ESXi host, and go to "Permissions". Select the CIM account user, then right-click and select properties to verify read-only access. If write access is required, this check is not applicable. If write access is not required and the access level is not "read-only", this is a finding. |
| Fix Text (F-SRG-OS-99999-ESXI5-000139_fix) |
|---|
| From the vSphere client, select the ESXi host; go to "Local Users and Groups". Create a limited-privileged, read-only service account for CIM. Place the CIM account into the "root" group. Select Users and right-click in the user screen. Select "Add", then Add a new user. If write access is required only grant the minimum required privileges. CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIMInteraction" privileges. |