Check: ESXI-67-000035
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000035
(in versions v1 r3 through v1 r1)
Title
The ESXi host must be configured to disable nonessential capabilities by disabling SSH. (Cat II impact)
Discussion
The ESXi Shell is an interactive command line interface (CLI) available at the ESXi server console. The ESXi shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the ESXi shell is well suited for checking and modifying configuration details, not always generally accessible, using the vSphere Client. The ESXi shell is accessible remotely using SSH by users with the Administrator role. Under normal operating conditions, SSH access to the host must be disabled as is the default. As with the ESXi shell, SSH is also intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. Remote access to the host must therefore be limited to the vSphere Client or Host Client at all other times. Satisfies: SRG-OS-000095-VMM-000480, SRG-OS-000297-VMM-001040, SRG-OS-000298-VMM-001050
Check Content
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "Edit", view the "SSH" service, and verify it is stopped. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} If the ESXi SSH service is running, this is a finding.
Fix Text
From the vSphere Client, select the ESXi host and go to Configure >> System >> Services. Under "Services", select "SSH" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK". or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService
Additional Identifiers
Rule ID: SV-239290r854588_rule
Vulnerability ID: V-239290
Group Title: SRG-OS-000095-VMM-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
CCI-002314 |
The information system controls remote access methods. |
CCI-002322 |
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period. |