Details
When the ESXi Shell or SSH services are enabled on a host, they will run indefinitely. To avoid leaving these services running, set the ‘ESXiShellTimeOut’ advanced setting. The ‘ESXiShellTimeOut’ value defines a window of time after which the ESXi Shell and SSH services will be stopped automatically.
Satisfies: SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010
Solution
From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.
Click ‘Edit’, select the ‘UserVars.ESXiShellTimeOut’ value, and configure it to ‘600’.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600
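The following audit-then-remediate sketch is an added example, not part of the original control text or of VMware's or DISA's tooling. It treats exactly 600 as compliant, as the Solution states; the function names, the HostName/Value record shape and the sample host names are assumptions made for illustration.

```powershell
# Added example: check UserVars.ESXiShellTimeOut against the value required above.
$RequiredTimeout = 600   # value from the Solution text

function Test-ShellTimeout {
    # Pure check: takes records with HostName and Value (hypothetical shape)
    # and returns one result object per host.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Setting,
        [int] $Required = $RequiredTimeout
    )
    process {
        $value = [int]$Setting.Value
        [pscustomobject]@{
            HostName  = $Setting.HostName
            Value     = $value
            Compliant = ($value -eq $Required)
        }
    }
}

function Get-ShellTimeoutSetting {
    # Live collection: requires VMware PowerCLI and an existing Connect-VIServer session.
    Get-VMHost | ForEach-Object {
        $s = Get-AdvancedSetting -Entity $_ -Name UserVars.ESXiShellTimeOut
        [pscustomobject]@{ HostName = $_.Name; Value = $s.Value }
    }
}

function Set-ShellTimeoutCompliant {
    # Remediates one host using the same command as the Solution, scoped by name.
    param([Parameter(Mandatory)] [string] $HostName)
    Get-VMHost -Name $HostName |
        Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut |
        Set-AdvancedSetting -Value $RequiredTimeout -Confirm:$false
}

# Constructed sample records so the check can be exercised without a vCenter/ESXi connection.
$sample = @(
    [pscustomobject]@{ HostName = 'esx01.example.test'; Value = 600 }
    [pscustomobject]@{ HostName = 'esx02.example.test'; Value = 0 }
    [pscustomobject]@{ HostName = 'esx03.example.test'; Value = 3600 }
)
$sample | Test-ShellTimeout | Format-Table -AutoSize

# Live use, once connected:
#   Get-ShellTimeoutSetting | Test-ShellTimeout |
#       Where-Object { -not $_.Compliant } |
#       ForEach-Object { Set-ShellTimeoutCompliant -HostName $_.HostName }
```

Running the check before and after remediation gives a per-host record of which hosts were out of compliance, which the one-line command alone does not provide.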
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, System and Communications Protection. This control applies to the following type of system: VMware.
References
- 800-53|AC-12
- 800-53|SC-10
- CAT|II
- CCI|CCI-001133
- CCI|CCI-002361
- Rule-ID|SV-239297r674820_rule
- STIG-ID|ESXI-67-000042
- STIG-Legacy|SV-104117
- STIG-Legacy|V-94031
- Vuln-ID|V-239297