CIS VMware ESXi 5.1 V1.0.1 L1

Ensure uniqueness of CHAP authentication secrets

Details

CHAP (Challenge-Handshake Authentication Protocol) requires both the client and the host to know the secret (password) to establish a connection. When setting up CHAP, ensure each host connects with a unique secret.

*Rationale*

The mutual authentication secret for each host should be different; if possible, the secret should be different for each client authenticating to the server as well. This ensures that if a single host is compromised, an attacker cannot create another arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host can allow an attacker to authenticate to the storage device.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba # Use desired parameters here
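
One way to fill in the parameters of the command above so that every host's iSCSI adapter receives its own secret. This is an added example, not part of the benchmark text. The secret length, the alphabet, the use of the adapter's IQN as the CHAP name and the `Required` CHAP level are assumptions to adjust for your storage array.

```powershell
# Added example. Assumes an active Connect-VIServer session.
$SecretLength = 16   # assumption: set to a length your storage array accepts
$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'.ToCharArray()

function New-ChapSecret {
    param([int]$Length)
    # Draw characters from the OS CSPRNG; rejection sampling avoids modulo bias.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Alphabet.Length)
    $chars = New-Object char[] $Length
    try {
        $i = 0
        while ($i -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $chars[$i] = $Alphabet[$buf[0] % $Alphabet.Length]
                $i++
            }
        }
    } finally { $rng.Dispose() }
    -join $chars
}

# Build the plan first: one secret per host iSCSI adapter, never issued twice.
$issued = New-Object 'System.Collections.Generic.HashSet[string]'
$plan = foreach ($vmhost in Get-VMHost) {
    foreach ($hba in Get-VMHostHba -VMHost $vmhost -Type IScsi) {
        do { $secret = New-ChapSecret -Length $SecretLength } until ($issued.Add($secret))
        [pscustomobject]@{ Host = $vmhost.Name; Hba = $hba; ChapName = $hba.IScsiName; Secret = $secret }
    }
}

# Apply. ChapType Required is an assumption; choose the level your array supports.
foreach ($item in $plan) {
    Set-VMHostHba -IScsiHba $item.Hba -ChapType Required `
        -ChapName $item.ChapName -ChapPassword $item.Secret | Out-Null
}

# Confirm the adapter settings that can be read back (the secret itself cannot).
Get-VMHost | Get-VMHostHba -Type IScsi |
    Select-Object VMHost, Device, @{N = 'ChapType'; E = { $_.AuthenticationProperties.ChapType }}
```

`$plan` holds the per-host secrets needed to configure the matching entries on the storage target; keep it out of transcripts and logs and clear it once the target side is set.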

Default Value: The prescribed state is not the default state.

Supportive Information

The following resource is also helpful.

This control applies to the following type of system: VMware.

Source

Updated on July 16, 2022