SNMP must be configured properly on the ESXi host.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239307	ESXI-67-000053	SV-239307r674850_rule		Medium

Description
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.

STIG	Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide	2022-01-05

Details

Check Text ( C-42540r674848_chk )
From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostSnmp \| Select * or From an console or ssh session, run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read-only communities is set to "public", this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.

Check Text ( C-42540r674848_chk )

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHostSnmp | Select *

or

From an console or ssh session, run the follow command:

esxcli system snmp get

If SNMP is not in use and is enabled, this is a finding.

If SNMP is enabled and read-only communities is set to "public", this is a finding.

If SNMP is enabled and is not using v3 targets, this is a finding.

Note: SNMP v3 targets can only be viewed and configured from the esxcli command.

Fix Text (F-42499r674849_fix)
To disable SNMP, run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp \| Set-VMHostSnmp -Enabled $false or From a console or ssh session, run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets, use the "esxcli system snmp set" command set.