UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter server must enforce SNMPv3 security features where SNMP is required.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256344 VCSA-70-000253 SV-256344r885643_rule Medium
Description
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.
STIG Date
VMware vSphere 7.0 vCenter Security Technical Implementation Guide 2023-03-01

Details

Check Text ( C-60019r885641_chk )
At the command prompt on the vCenter Server Appliance, run the following commands:

# appliancesh
# snmp.get

Note: The "appliancesh" command is not needed if the default shell has not been changed for root.

If "Enable" is set to "False", this is not a finding.

If "Enable" is set to "True" and "Authentication" is not set to "SHA1", this is a finding.

If "Enable" is set to "True" and "Privacy" is not set to "AES128", this is a finding.

If any "Users" are configured with a "Sec_level" that does not equal "priv", this is a finding.
Fix Text (F-59962r885642_fix)
At the command prompt on the vCenter Server Appliance, run the following commands:

# appliancesh
# snmp.set --authentication SHA1
# snmp.set --privacy AES128

To change the security level of a user, run the following command:

# snmp.set --users / /priv