Check: ESXI-67-000036
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000036
(in versions v1 r3 through v1 r1)
Title
The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. (Cat II impact)
Discussion
The ESXi Shell is an interactive command line environment available locally from the DCUI or remotely via SSH. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi shell should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere client.
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "ESXi Shell" service, and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"}

If the ESXi Shell service is running, this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select the "ESXi Shell" service and click the "Stop" button to stop the service. Use "Edit Startup policy" to select "Start and stop manually" and click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Set-VMHostService -Policy Off

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "ESXi Shell"} | Stop-VMHostService
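The check and fix above, as an added PowerCLI example that is not part of the STIG text: it audits every host in an existing Connect-VIServer session for this rule, reports the service state and startup policy per host, and optionally applies the two fix steps. The function name and its parameters are assumptions; the cmdlets and the "ESXi Shell" label are the ones the STIG itself uses.

```powershell
# Added example for ESXI-67-000036; assumes a PowerCLI session already opened
# with Connect-VIServer. Test-EsxiShellDisabled is a hypothetical helper name.
function Test-EsxiShellDisabled {
    [CmdletBinding()]
    param(
        # Limit the audit to named hosts; default is every host in the session.
        [string[]]$VMHostName,
        # When set, apply the STIG fix (policy Off, then stop) to each finding.
        [switch]$Remediate
    )

    $hosts = if ($VMHostName) { Get-VMHost -Name $VMHostName } else { Get-VMHost }

    foreach ($vmhost in $hosts) {
        $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Label -eq 'ESXi Shell' }
        if (-not $svc) {
            Write-Warning "$($vmhost.Name): no service labelled 'ESXi Shell' found"
            continue
        }

        # The STIG finding criterion is the running state; the startup policy is
        # reported alongside it because the fix text also sets it to manual ("off").
        $finding = [bool]$svc.Running

        if ($finding -and $Remediate) {
            # Same two steps as the fix text, applied to this host only.
            $svc | Set-VMHostService -Policy Off -Confirm:$false | Out-Null
            $svc | Stop-VMHostService -Confirm:$false | Out-Null
            # Re-read the service so the report reflects the post-fix state.
            $svc = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Label -eq 'ESXi Shell' }
            $finding = [bool]$svc.Running
        }

        [pscustomobject]@{
            VMHost         = $vmhost.Name
            Running        = $svc.Running
            Policy         = $svc.Policy
            PolicyIsManual = ($svc.Policy -eq 'off')
            Status         = if ($finding) { 'Finding' } else { 'Compliant' }
        }
    }
}

# Usage (constructed): audit all hosts, then remediate the ones that fail.
# Test-EsxiShellDisabled | Format-Table -AutoSize
# Test-EsxiShellDisabled -Remediate | Format-Table -AutoSize
```

Hosts where PolicyIsManual is False are not findings under this rule's check text, but they will restart the shell on the next boot, so the report surfaces them for follow-up.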
Additional Identifiers
Rule ID: SV-239291r674802_rule
Vulnerability ID: V-239291
Group Title: SRG-OS-000095-VMM-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 | The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 | Least Functionality |