The vCenter server must enforce SNMPv3 security features where SNMP is required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258931	VCSA-80-000253	SV-258931r961878_rule		Medium

Description
SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.

Description

SNMPv3 supports commercial-grade security, including authentication, authorization, access control, and privacy. Previous versions of the protocol contained well-known security weaknesses that were easily exploited. SNMPv3 can be configured for identification and cryptographically based authentication. SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM provides access control to determine whether a specific type of access (read or write) to the management information is allowed. Implement both VACM and USM for full protection. SNMPv3 must be disabled by default and enabled only if used. SNMP v3 provides security feature enhancements to SNMP, including encryption and message authentication.

STIG	Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide	2024-07-11

Details

Check Text ( C-62671r934449_chk )
At the command prompt on the vCenter Server Appliance, run the following commands: # appliancesh # snmp.get Note: The "appliancesh" command is not needed if the default shell has not been changed for root. If "Enable" is set to "False", this is not a finding. If "Enable" is set to "True" and "Authentication" is not set to "SHA1", this is a finding. If "Enable" is set to "True" and "Privacy" is not set to "AES128", this is a finding. If any "Users" are configured with a "Sec_level" that does not equal "priv", this is a finding.

Check Text ( C-62671r934449_chk )

At the command prompt on the vCenter Server Appliance, run the following commands:

# appliancesh
# snmp.get

Note: The "appliancesh" command is not needed if the default shell has not been changed for root.

If "Enable" is set to "False", this is not a finding.

If "Enable" is set to "True" and "Authentication" is not set to "SHA1", this is a finding.

If "Enable" is set to "True" and "Privacy" is not set to "AES128", this is a finding.

If any "Users" are configured with a "Sec_level" that does not equal "priv", this is a finding.

Fix Text (F-62580r934450_fix)
At the command prompt on the vCenter Server Appliance, run the following commands: # appliancesh # snmp.set --authentication SHA1 # snmp.set --privacy AES128 To change the security level of a user, run the following command: # snmp.set --users / /priv