Check: ESXI-65-000003
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000003
(in versions v2 r4 through v1 r1)
Title
The ESXi host must verify the exception users list for lockdown mode. (Cat III impact)
Discussion
In vSphere you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. Usually you may want to add service accounts such as a backup agent to the Exception Users list. Verify that the list of users who are exempted from losing permissions is legitimate and as needed per your environment. Users who do not require special permissions should not be exempted from lockdown mode.
Check Content
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode review the exception users list. or From a PowerCLI command prompt while connected to the ESXi host run the following script: $vmhost = Get-VMHost | Get-View $lockdown = Get-View $vmhost.ConfigManager.HostAccessManager $lockdown.QueryLockdownExceptions() If the Exception users list contains accounts that do not require special permissions, this is a finding. Note - This list is not intended for system administrator accounts but for special circumstances such as a service account. For environments that do not use vCenter server to manage ESXi, this is not applicable.
Fix Text
From the vSphere Web Client select the ESXi Host and go to Configure >> System >> Security Profile. Under lockdown mode click Edit and remove unnecessary users to the exceptions list.
Additional Identifiers
Rule ID: SV-207604r388482_rule
Vulnerability ID: V-207604
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |