Check: ESX0360
VMware ESX 3 Server: ESX0360 (in version v1 r2)
Title
ESX Server service console administrators are not documented (Cat II impact)
Discussion
User access to the service console should be restricted. The service console has privileged access to the ESX Server and only authorized users should be provided logon access. Personnel that manage the ESX Server will have individual usernames for accessing the ESX Server, creating an audit trail of activities. Virtual machine users will not have ESX Server logins, since there is no inherent need.
Check Content
Request the ESX Server service console user documentation from the IAO/SA. Compare this documentation to the users on the ESX Server by performing the following at the service console:

    # less /etc/passwd

If a discrepancy exists between the ESX Server and the documentation, this is a finding.
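One way to make this comparison repeatable, as an added example that is not part of the STIG text: the function name, the one-name-per-line format of the documented list, and the sample accounts are assumptions constructed for illustration.

```shell
# audit_console_users PASSWD_FILE DOCUMENTED_FILE   (hypothetical helper)
# Prints "UNDOCUMENTED <user>" for each account in PASSWD_FILE that is absent
# from the documented list, and "MISSING <user>" for each documented name with
# no account. Returns 0 when both lists match, 1 on any discrepancy (a finding).
audit_console_users() {
    _passwd=$1
    _documented=$2
    _tmp=$(mktemp -d) || return 2

    # Field 1 of every passwd entry is the login name; skip blanks and comments.
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 }' "$_passwd" \
        | LC_ALL=C sort -u > "$_tmp/actual"

    # Assumed documentation format: one login name per line, '#' starts a comment.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$_documented" \
        | LC_ALL=C sort -u > "$_tmp/documented"

    # Accounts on the server that the documentation does not list.
    LC_ALL=C comm -23 "$_tmp/actual" "$_tmp/documented" | sed 's/^/UNDOCUMENTED /'
    # Documented names that have no account on the server.
    LC_ALL=C comm -13 "$_tmp/actual" "$_tmp/documented" | sed 's/^/MISSING /'

    if cmp -s "$_tmp/actual" "$_tmp/documented"; then _rc=0; else _rc=1; fi
    rm -rf "$_tmp"
    return $_rc
}

# Demonstration on constructed sample data (not taken from a real server).
demo_audit() {
    _d=$(mktemp -d) || return 2
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'esxadmin1:x:500:500::/home/esxadmin1:/bin/bash' \
        'vmuser7:x:501:501::/home/vmuser7:/bin/bash' > "$_d/passwd"
    printf '%s\n' '# approved service console users' \
        'root' 'esxadmin1' 'esxadmin2' > "$_d/documented"
    audit_console_users "$_d/passwd" "$_d/documented"
    _demo_rc=$?
    rm -rf "$_d"
    return $_demo_rc
}

demo_audit || echo "Discrepancy between accounts and documentation: finding"
```

On a live service console the first argument would be `/etc/passwd` and the second the user list obtained from the IAO/SA.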
Fix Text
Document all ESX Server service console users for the ESX Server.
Additional Identifiers
Rule ID: SV-16767r1_rule
Vulnerability ID: V-15828
Group Title: ESX service console users are not documented.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |