The ESXi host must deny shell access for the dcui account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-265976 | ESXI-80-000249 | SV-265976r1003584_rule | Medium |
| Description |
|---|
| The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 ESXi Security Technical Implementation Guide | 2024-07-11 |
Details
| Check Text ( C-69899r1003582_chk ) |
|---|
| From an ESXi shell, run the following command: # esxcli system account list or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.account.list.Invoke() | Where-Object {$_.UserID -eq 'dcui'} If shell access is not disabled for the dcui account, this is a finding. |
| Fix Text (F-69802r1003583_fix) |
|---|
| From an ESXi shell, run the following command: # esxcli system account set -i dcui -s false or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.account.set.CreateArgs() $arguments.id = "dcui" $arguments.shellaccess = "false" $esxcli.system.account.set.invoke($arguments) |