Check: ESXI-67-000034
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000034
(in versions v1 r3 through v1 r1)
Title
The ESXi host must disable the Managed Object Browser (MOB). (Cat II impact)
Discussion
The MOB provides a way to explore the object model used by the VMkernel to manage the host and enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method to obtain information about a host being targeted for unauthorized access.
Check Content
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Select the "Config.HostAgent.plugins.solo.enableMob" value and verify it is set to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob If the "Config.HostAgent.plugins.solo.enableMob" setting is not set to "false", this is a finding.
Fix Text
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings. Click "Edit" and select the "Config.HostAgent.plugins.solo.enableMob" value and configure it to "false". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false
Additional Identifiers
Rule ID: SV-239289r674796_rule
Vulnerability ID: V-239289
Group Title: SRG-OS-000095-VMM-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |