The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.


Overview

Finding ID: V-256427
Version: ESXI-70-000070
Rule ID: SV-256427r886062_rule
IA Controls:
Severity: Medium
Description
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming interfaces (APIs). In environments that implement CIM hardware monitoring, create a limited-privilege, read-only service account for CIM and place this user in the Exception Users list. When CIM write access is required, create a new role with only the "Host.CIM.Interaction" permission and apply that role to the CIM service account.
STIG: VMware vSphere 7.0 ESXi Security Technical Implementation Guide
Date: 2023-06-21

Details

Check Text (C-60102r886060_chk)
If CIM monitoring is not implemented, this is not applicable.

From the Host Client, select the ESXi host, right-click, and go to "Permissions".

Verify the CIM service account is assigned the "Read-only" role or a custom role as described in the discussion.

If there is no dedicated CIM service account, this is a finding.

If the CIM service account has more permissions than necessary as noted in the discussion, this is a finding.
Fix Text (F-60045r886061_fix)
If write access is required, create a new role for the CIM service account:

From the Host Client, go to Manage >> Security & Users.

Select "Roles" and click "Add role".

Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add".

Add a CIM service account:

From the Host Client, go to Manage >> Security & Users.

Select "Users" and click "Add user".

Provide a name, description, and password for the new user and click "Add".

Assign the CIM service account permissions to the host with the new role:

From the Host Client, select the ESXi host, right-click, and go to "Permissions".

Click "Add User", select the CIM service account from the drop-down list, and select either "Read-only" or the role just created. Click "Add User".
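The check and fix above as a PowerCLI script, added here as an example and not part of the STIG text or VMware's own tooling. It assumes an active Connect-VIServer session to the ESXi host, an existing local CIM service account (placeholder name "svc-cim"), and that the privilege shown in the Host Client as Host >> Cim >> Ciminteraction carries the ID "Host.Cim.CimInteraction".

```powershell
# Added PowerCLI audit/fix example for ESXI-70-000070; not part of the STIG text.
# Assumptions: Connect-VIServer already run against the ESXi host; the local CIM
# service account already exists; privilege ID "Host.Cim.CimInteraction" is the
# one the Host Client shows as Host >> Cim >> Ciminteraction.
param(
    [string]$HostName   = "esxi01.example.local",   # placeholder host name
    [string]$CimAccount = "svc-cim",                # placeholder CIM service account
    [string]$RoleName   = "CIM-Interaction-Only",   # custom role created when write access is needed
    [switch]$Remediate                              # without this switch the script only reports
)
Import-Module VMware.PowerCLI -ErrorAction Stop

$vmhost  = Get-VMHost -Name $HostName -ErrorAction Stop
$cimPriv = "Host.Cim.CimInteraction"

# Check: permissions granted to the CIM service account on the host object.
$perms = Get-VIPermission -Entity $vmhost | Where-Object { $_.Principal -like "*$CimAccount" }

if (-not $perms) {
    Write-Output "FINDING: no dedicated CIM service account permission for '$CimAccount' on $HostName"
}
foreach ($perm in $perms) {
    $role = Get-VIRole -Name $perm.Role
    # Every role implicitly carries the System.* privileges; they are not "extra" access.
    $extra = $role.PrivilegeList | Where-Object { $_ -notlike "System.*" -and $_ -ne $cimPriv }
    if ($role.Name -eq "ReadOnly" -or -not $extra) {
        Write-Output "OK: '$CimAccount' holds role '$($role.Name)' on $HostName"
    } else {
        Write-Output "FINDING: role '$($role.Name)' grants more than CIM interaction: $($extra -join ', ')"
    }
}

# Fix (write access required): a custom role holding only the CIM interaction
# privilege, assigned to the service account in place of any existing permission.
if ($Remediate) {
    if (-not (Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $cimPriv) | Out-Null
    }
    $perms | Remove-VIPermission -Confirm:$false
    New-VIPermission -Entity $vmhost -Principal $CimAccount -Role $RoleName -Propagate:$true | Out-Null
    Write-Output "Assigned role '$RoleName' to '$CimAccount' on $HostName"
}
```

Run without -Remediate first to see the finding state; if only monitoring is needed, assign the built-in "ReadOnly" role instead of creating the custom one.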