Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256427 | ESXI-70-000070 | SV-256427r886062_rule | Medium |
Description |
---|
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming interfaces (APIs). In environments that implement CIM hardware monitoring, create a limited-privilege, read-only service account for CIM and place this user in the Exception Users list. When CIM write access is required, create a new role with only the "Host.CIM.Interaction" permission and apply that role to the CIM service account. |
STIG | Date |
---|---|
VMware vSphere 7.0 ESXi Security Technical Implementation Guide | 2023-02-21 |
Check Text ( C-60102r886060_chk ) |
---|
If CIM monitoring is not implemented, this is not applicable. From the Host Client, select the ESXi host, right-click, and go to "Permissions". Verify the CIM service account is assigned the "Read-only" role or a custom role as described in the discussion. If there is no dedicated CIM service account, this is a finding. If the CIM service account has more permissions than necessary as noted in the discussion, this is a finding. |
Fix Text (F-60045r886061_fix) |
---|
If write access is required, create a new role for the CIM service account: From the Host Client, go to Manage >> Security & Users. Select "Roles" and click "Add role". Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add". Add a CIM service account: From the Host Client, go to Manage >> Security & Users. Select "Users" and click "Add user". Provide a name, description, and password for the new user and click "Add". Assign the CIM service account permissions to the host with the new role: From the Host Client, select the ESXi host, right-click, and go to "Permissions". Click "Add User", select the CIM service account from the drop-down list, and select either "Read-only" or the role just created. Click "Add User". |