Check: ESXI-67-000053
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000053
(in versions v1 r1 through v1 r3)
Title
SNMP must be configured properly on the ESXi host. (Cat II impact)
Discussion
If SNMP is not being used, it must remain disabled. If it is being used, the proper trap destination must be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.
Check Content
From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHostSnmp | Select *

or, from a console or SSH session, run the following command:

esxcli system snmp get

If SNMP is not in use and is enabled, this is a finding.

If SNMP is enabled and the read-only community is set to "public", this is a finding.

If SNMP is enabled and is not using v3 targets, this is a finding.

Note: SNMP v3 targets can only be viewed and configured with the esxcli command; Get-VMHostSnmp does not show them.
Fix Text
To disable SNMP, run the following command from a PowerCLI command prompt while connected to the ESXi host:

Get-VMHostSnmp | Set-VMHostSnmp -Enabled $false

or, from a console or SSH session, run the following command:

esxcli system snmp set -e no

To configure SNMP for v3 targets, use the "esxcli system snmp set" command set.
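The three finding conditions above can be evaluated mechanically from the output of "esxcli system snmp get", which is useful when auditing many hosts from captured output. The following POSIX shell script is an added example, not part of the STIG or any VMware tooling. It assumes the esxcli output uses the "Enable:", "Communities:" and "V3targets:" field labels (an assumption about the esxcli print format); the sample outputs embedded in it are constructed, not captured from a real host, and the v3 target value is a placeholder.

```shell
#!/bin/sh
# Evaluate ESXI-67-000053 against captured "esxcli system snmp get" output.
# Added example; field labels (Enable, Communities, V3targets) are assumed to
# match what esxcli prints. Nothing here talks to a host; feed it the output.

# Print the value of field $2 in esxcli output $1 (empty string if unset).
snmp_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Print one finding per line for the STIG conditions; print nothing if compliant.
#   $1 = captured esxcli output
#   $2 = "yes" if SNMP monitoring is actually in use at this site, else "no"
snmp_findings() {
    out=$1
    in_use=$2
    enabled=$(snmp_field "$out" Enable)
    communities=$(snmp_field "$out" Communities)
    v3targets=$(snmp_field "$out" V3targets)

    # SNMP disabled: the remaining conditions do not apply.
    [ "$enabled" = "true" ] || return 0

    # Condition 1: enabled but not in use.
    [ "$in_use" = "yes" ] || echo "SNMP is enabled but not in use"

    # Condition 2: a read-only community named "public" (communities are
    # listed separated by commas and/or spaces, so split on both).
    if printf '%s\n' "$communities" | tr ', ' '\n\n' | grep -qx public; then
        echo "read-only community is set to \"public\""
    fi

    # Condition 3: enabled without any v3 targets.
    [ -n "$v3targets" ] || echo "SNMP is enabled without v3 targets"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_DISABLED=$(cat <<'EOF'
   Communities:
   Enable: false
   Port: 161
   Targets:
   V3targets:
EOF
)

SAMPLE_WEAK=$(cat <<'EOF'
   Communities: public
   Enable: true
   Port: 161
   Targets: 192.0.2.10@162/public
   V3targets:
EOF
)

SAMPLE_GOOD=$(cat <<'EOF'
   Communities:
   Enable: true
   Port: 161
   Targets:
   V3targets: 192.0.2.10@162/trapuser/priv/trap
EOF
)

# Stand-alone run: report findings for each constructed sample.
for name in SAMPLE_DISABLED SAMPLE_WEAK SAMPLE_GOOD; do
    eval "sample=\$$name"
    echo "== $name"
    result=$(snmp_findings "$sample" "no")
    [ -n "$result" ] && echo "$result" || echo "no findings"
done
```

On a real host the same functions apply to live output: capture it with `out=$(esxcli system snmp get)` and call `snmp_findings "$out" yes` (or `no` if SNMP is not meant to be in use). The script reports conditions, it does not change the host; the fix remains the "esxcli system snmp set" commands given above.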
Additional Identifiers
Rule ID: SV-239307r674850_rule
Vulnerability ID: V-239307
Group Title: SRG-OS-000480-VMM-002000
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings