Check: ESXI-67-000012
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000012
(in versions v1 r3 through v1 r1)
Title
The ESXi host SSH daemon must ignore .rhosts files. (Cat II impact)
Discussion
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via ".rhosts" files.
Check Content
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command:

# grep -i "^IgnoreRhosts" /etc/ssh/sshd_config

If there is no output or the output is not exactly "IgnoreRhosts yes", this is a finding.
Fix Text
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":

IgnoreRhosts yes
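The check and fix above, as an added POSIX shell example (not part of the STIG or any VMware tooling): it runs the same grep the check specifies against a config file passed as an argument and applies the fix, using constructed sample files rather than a live host's /etc/ssh/sshd_config.

```shell
# Added example (not from the STIG or VMware): audit and remediate the
# IgnoreRhosts directive in an sshd_config file passed as $1, using the
# same grep the check above runs. Sample files below are constructed.

# Audit: 0 (compliant) only when the grep output is exactly "IgnoreRhosts yes".
# Duplicate, commented-out, lowercase or "no" directives all yield a finding.
check_ignore_rhosts() {
    out=$(grep -i "^IgnoreRhosts" "$1" 2>/dev/null)
    [ "$out" = "IgnoreRhosts yes" ]
}

# Fix Text: drop any existing IgnoreRhosts directive, then add the correct one
# so exactly one "IgnoreRhosts yes" line remains.
fix_ignore_rhosts() {
    tmp="$1.tmp"
    grep -vi "^IgnoreRhosts" "$1" > "$tmp" || true   # grep -v exits 1 if nothing kept
    echo "IgnoreRhosts yes" >> "$tmp"
    mv "$tmp" "$1"
}

# Report the audit result as a word, for scripting or assertions.
audit_result() {
    if check_ignore_rhosts "$1"; then echo compliant; else echo finding; fi
}

# Constructed sample configs (a real host's file is /etc/ssh/sshd_config).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#IgnoreRhosts yes' > "$demo_dir/commented"        # finding
printf '%s\n' 'Port 22' 'IgnoreRhosts no'   > "$demo_dir/disabled"         # finding
printf '%s\n' 'IgnoreRhosts yes' 'IgnoreRhosts no' > "$demo_dir/duplicate" # finding
printf '%s\n' 'Port 22' 'IgnoreRhosts yes'  > "$demo_dir/compliant"        # compliant

for f in commented disabled duplicate compliant; do
    echo "$f: $(audit_result "$demo_dir/$f")"
done
fix_ignore_rhosts "$demo_dir/disabled"
echo "disabled after fix: $(audit_result "$demo_dir/disabled")"
```

Because the check compares the whole grep output to one exact string, a lowercase keyword or two IgnoreRhosts lines count as a finding even though sshd itself would accept them; the fix function therefore removes every existing directive before appending the correct one.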
Additional Identifiers
Rule ID: SV-239268r674733_rule
Vulnerability ID: V-239268
Group Title: SRG-OS-000107-VMM-000530
Expert Comments
CCIs
Number | Definition
---|---
CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts.
Controls
Number | Title
---|---
IA-2 (3) | Local Access To Privileged Accounts