The ESXi host must deny shell access for the dcui account.

An XCCDF Rule

Description

The dcui user is used for process isolation for the DCUI itself. The account has shell access which can be deactivated to reduce attack surface.

ID: SV-265976r1003584_rule
Version: ESXI-80-000249
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

From an ESXi shell, run the following command:

# esxcli system account set -i dcui -s false

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.account.set.CreateArgs()
$arguments.id = "dcui"
$arguments.shellaccess = "false"
$esxcli.system.account.set.invoke($arguments)