UCF STIG Viewer Logo

The ESXi host must not provide root/administrator-level access to CIM-based hardware monitoring tools or other third-party applications.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239323 ESXI-67-000070 SV-239323r674898_rule Medium
Description
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. When/where write access is required, create/enable a limited-privilege service account and grant only the minimum required privileges.
STIG Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide 2022-01-05

Details

Check Text ( C-42556r674896_chk )
From the Host Client, select the ESXi host, right-click and go to "Permissions".

Verify the CIM account user role is limited to read only and CIM permissions.

If there is no dedicated CIM account and the root is used for CIM monitoring, this is a finding.

If write access is not required and the access level is not "read-only", this is a finding.
Fix Text (F-42515r674897_fix)
Create a role for the CIM account:

From the Host Client, go to Manage >> Security & Users.

Select "Roles" and click "Add Role".

Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add".

Add a CIM user account:

From the Host Client, go to Manage >> Security & Users.

Select "Users" and click "Add User".

Provide a name, description, and password for the new user and click "Add".

Assign the CIM account permissions to the host with the new role.

From the Host Client, select the ESXi host, right-click, and go to "Permissions".

Click "Add User", select the CIM account from the drop-down list, select the new CIM role from the drop-down list, and click "Add User".