Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256414 | ESXI-70-000053 | SV-256414r886023_rule | Medium |
Description |
---|
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can use this information to plan an attack. |
STIG | Date |
---|---|
VMware vSphere 7.0 ESXi Security Technical Implementation Guide | 2023-06-21 |
Check Text ( C-60089r886021_chk ) |
---|
From an ESXi shell, run the following command: # esxcli system snmp get or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHostSnmp | Select * If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and read-only communities are set to "public", this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured via the "esxcli" command. |
Fix Text (F-60032r886022_fix) |
---|
To disable SNMP from an ESXi shell, run the following command: # esxcli system snmp set -e no or From a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false To configure SNMP for v3 targets, use the "esxcli system snmp set" command set locally on the host or remotely via PowerCLI. |