SNMP must be configured properly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63275	ESXI-06-000053	SV-77765r1_rule		Medium

Description
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.

STIG	Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide	2019-01-04

Details

Check Text ( C-64009r1_chk )
From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHostSnmp \| Select * or From a console or ssh session run the follow command: esxcli system snmp get If SNMP is not in use and is enabled, this is a finding. If SNMP is enabled and "read only communities" is set to public, this is a finding. If SNMP is enabled and is not using v3 targets, this is a finding. Note: SNMP v3 targets can only be viewed and configured from the esxcli command.

Check Text ( C-64009r1_chk )

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHostSnmp | Select *

or

From a console or ssh session run the follow command:

esxcli system snmp get

If SNMP is not in use and is enabled, this is a finding.

If SNMP is enabled and "read only communities" is set to public, this is a finding.

If SNMP is enabled and is not using v3 targets, this is a finding.

Note: SNMP v3 targets can only be viewed and configured from the esxcli command.

Fix Text (F-69193r1_fix)
To disable SNMP run the following command from a PowerCLI command prompt while connected to the ESXi Host: Get-VMHostSnmp \| Set-VMHostSnmp -Enabled $false or From a console or ssh session run the follow command: esxcli system snmp set -e no To configure SNMP for v3 targets use the "esxcli system snmp set" command set.