
The system must ensure uniqueness of CHAP authentication secrets.


Overview

Finding ID: SRG-OS-99999-ESXI5-000147
Version: SRG-OS-99999-ESXI5-000147
Rule ID: SRG-OS-99999-ESXI5-000147_rule
IA Controls: (none listed)
Severity: Low
Description
The mutual authentication secret for each host must be different, and the secret for each client authenticating to the server must be different as well. This ensures that if a single host is compromised, an attacker cannot create another arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host can allow an attacker to authenticate to the storage device.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000147_chk )


From the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host). Determine whether a different authentication secret is configured for each ESXi host.

If a different authentication secret is not configured for each ESXi host, this is a finding.

If iSCSI is not used, this is not a finding.
Fix Text (F-SRG-OS-99999-ESXI5-000147_fix)


From the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host). Configure the authentication secret.
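
The check above is a host-by-host comparison. The following added example (not part of the STIG or of any VMware tooling) shows one way to run that comparison over many hosts. It assumes the configured secrets are available from the administrator's own provisioning records; the host names, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records: (host, CHAP direction, secret). All values are
# made up; "chap" = target authenticates host, "mutual" = host authenticates target.
SAMPLE_INVENTORY = [
    ("esx01.example", "chap", "Kq7-constructed-secret-A"),
    ("esx01.example", "mutual", "Zt2-constructed-secret-B"),
    ("esx02.example", "chap", "Pw9-constructed-secret-C"),
    ("esx02.example", "mutual", "Lm4-constructed-secret-D"),
    ("esx03.example", "chap", "Kq7-constructed-secret-A"),  # reused from esx01
    ("esx03.example", "mutual", "Hv5-constructed-secret-E"),
]


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed digest so grouping and reports never carry the cleartext secret."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def find_shared_secrets(inventory, key=None):
    """Return groups of (host, direction) entries where one secret spans several hosts."""
    key = key or secrets.token_bytes(32)  # throwaway key, valid for one run
    groups = defaultdict(set)
    for host, direction, secret in inventory:
        groups[fingerprint(secret, key)].add((host, direction))
    return sorted(
        sorted(members)
        for members in groups.values()
        if len({host for host, _ in members}) > 1  # same secret on 2+ hosts
    )


def is_finding(inventory) -> bool:
    """True when any secret is configured on more than one host."""
    return bool(find_shared_secrets(inventory))


if __name__ == "__main__":
    for group in find_shared_secrets(SAMPLE_INVENTORY):
        print("shared secret:", ", ".join(f"{h} ({d})" for h, d in group))
```

Each group it reports is a set of hosts that would have to be reconfigured with distinct secrets using the fix procedure above.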