
The NSX-T Manager must disable SSH.


Overview

Finding ID: V-251796
Version: TNDM-3X-000099
Rule ID: SV-251796r810391_rule
IA Controls: (none listed)
Severity: Low
Description
The NSX-T shell provides temporary access to commands essential for server maintenance. Intended primarily for break-fix scenarios, the NSX-T shell is well suited for checking and modifying configuration details that are not always accessible through the web interface. The NSX-T shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the managers must be disabled, as is the default. As with the NSX-T shell, SSH is intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and enabled only for diagnostics or troubleshooting. At all other times, remote access to the managers must be limited to the web interface and API.
STIG: VMware NSX-T Manager NDM Security Technical Implementation Guide
Date: 2022-09-01

Details

Check Text (C-55256r810389_chk)
From an NSX-T Manager shell, run the following command(s):

> get service ssh

Expected results:
Service name: ssh
Service state: stopped
Start on boot: False

If the output does not match the expected results, this is a finding.
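
The check above can be automated against captured `get service ssh` output. This is an added example, not part of the STIG or VMware tooling; the function names, the case-insensitive comparison and the sample outputs are assumptions made for illustration.

```python
# Expected values taken from the STIG check text for `get service ssh`.
# Assumption: keys and values are compared case-insensitively.
EXPECTED = {
    "service name": "ssh",
    "service state": "stopped",
    "start on boot": "false",
}

def parse_service_output(text):
    """Parse 'Key: value' lines from captured CLI output into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, an echoed '> get service ssh' line, and non key/value lines.
        if not line or line.startswith(">") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip().lower()
    return fields

def ssh_findings(text):
    """Return a list of deviations; an empty list means not a finding."""
    fields = parse_service_output(text)
    findings = []
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got is None:
            findings.append(f"{key}: missing from output")
        elif got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    return findings

# Constructed sample outputs (not captured from a real appliance).
COMPLIANT = "Service name: ssh\nService state: stopped\nStart on boot: False\n"
# SSH is stopped now but would return after a reboot: still a finding.
STOPPED_BUT_PERSISTENT = (
    "> get service ssh\n"
    "Service name: ssh\nService state: stopped\nStart on boot: True\n"
)

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT),
                          ("stopped, start-on-boot set", STOPPED_BUT_PERSISTENT)):
        result = ssh_findings(sample)
        print(label, "->", result if result else "not a finding")
```

An empty or truncated capture is reported as missing fields rather than passing silently.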
Fix Text (F-55210r810390_fix)
From an NSX-T Manager shell, run the following command(s):

> stop service ssh
> clear service ssh start-on-boot