The ESXi host must deny shell access for the dcui account.

An XCCDF Rule

Description

<VulnDiscussion>The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-265976r1003584_rule
Severity: Medium
References: CCI-000366
Updated: 3 months ago

From an ESXi shell, run the following command:

# esxcli system account set -i dcui -s false

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.account.set.CreateArgs()
$arguments.id = "dcui"
$arguments.shellaccess = "false"
$esxcli.system.account.set.invoke($arguments)

The ESXi host must deny shell access for the dcui account.

Description

Remediation - Manual Procedure