Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The ESXi host must deny shell access for the dcui account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-265976 | ESXI-80-000249 | SV-265976r1003584_rule | Medium |
| Description |
|---|
| The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2024-07-11 |
Details
| Check Text ( C-69899r1003582_chk ) |
|---|
| From an ESXi shell, run the following command: # esxcli system account list or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} If shell access is not disabled for the dcui account, this is a finding. |
| Fix Text (F-69802r1003583_fix) |
|---|
| From an ESXi shell, run the following command: # esxcli system account set -i dcui -s false or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.account.set.CreateArgs() $arguments.id = "dcui" $arguments.shellaccess = "false" $esxcli.system.account.set.invoke($arguments) |