The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.

An XCCDF Rule

Description

The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard application programming interfaces (APIs). In environments that implement CIM hardware monitoring, create a limited-privilege, read-only service account for CIM and place this user in the Exception Users list. When CIM write access is required, create a new role with only the "Host.CIM.Interaction" permission and apply that role to the CIM service account.

ID: SV-256427r959010_rule
Version: ESXI-70-000070
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

If write access is required, create a new role for the CIM service account:

From the Host Client, go to Manage >> Security & Users.

Select "Roles" and click "Add role".
Provide a name for the new role and select Host >> Cim >> Ciminteraction and click "Add".

Add a CIM service account:

From the Host Client, go to Manage >> Security & Users.

Select "Users" and click "Add user".

Provide a name, description, and password for the new user and click "Add".

Assign the CIM service account permissions to the host with the new role:

From the Host Client, select the ESXi host, right-click, and go to "Permissions".

Click "Add User", select the CIM service account from the drop-down list, and select either "Read-only" or the role just created. Click "Add User".

The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications.

Description

Remediation Templates

A Manual Procedure