Details
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. Create a limited-privilege, read-only service account for CIM. Grant this role to the user on the ESXi server. Place this user in the Exception Users list. Where write access is required, create or enable a separate limited-privilege service account and grant it only the minimum required privileges.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere client, select the ESXi host and go to ‘Local Users and Groups’. Create a limited-privilege, read-only service account for CIM. Place the CIM account into the ‘root’ group. Select Users and right-click in the user screen. Select ‘Add’, then add a new user. If write access is required, grant only the minimum required privileges. CIM accounts should be limited to the ‘Host >> Config >> System Management’ and ‘Host >> CIM >> CIMInteraction’ privileges.
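The same account setup and privilege check, scripted with VMware PowerCLI, as an added example that is not part of the Tenable audit or the STIG text. It assumes PowerCLI is installed, that you connect directly to the ESXi host as root, and that the account name `svc-cim`, the role name `CIM-ReadOnly` and the function `Test-CimAccountPrivileges` are placeholders of this example. It covers the account, the custom role limited to the two allowed privileges, the permission on the host object and the lockdown-mode Exception Users list; the ‘root’ group step from the Solution text is not scripted here.

```powershell
# Added example (not from the Tenable/STIG page): create the read-only CIM service
# account with VMware PowerCLI against one ESXi host, then verify its privileges.
# Assumptions: PowerCLI is installed; you connect directly to the host as root;
# "svc-cim" and "CIM-ReadOnly" are placeholder names.
param(
    [Parameter(Mandatory)] [string] $EsxiHost,
    [string] $CimUser  = 'svc-cim',
    [string] $RoleName = 'CIM-ReadOnly'
)

# Only the two privileges the STIG allows for a CIM account.
$CimPrivilegeIds = @('Host.Config.SystemManagement', 'Host.Cim.CimInteraction')

# Prompt for credentials rather than embedding them in the script.
$rootCred    = Get-Credential -Message "root credentials for $EsxiHost"
$cimPassword = Read-Host -Prompt "Password for $CimUser" -AsSecureString
$cimPlain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                   [Runtime.InteropServices.Marshal]::SecureStringToBSTR($cimPassword))

Connect-VIServer -Server $EsxiHost -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost

# 1. Custom role carrying only the CIM privileges (reused if it already exists).
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = Get-VIPrivilege -Id $CimPrivilegeIds
    $role  = New-VIRole -Name $RoleName -Privilege $privs
}

# 2. Local service account on the host.
if (-not (Get-VMHostAccount -Id $CimUser -ErrorAction SilentlyContinue)) {
    New-VMHostAccount -Id $CimUser -Password $cimPlain `
        -Description 'CIM service account (read-only)' -UserAccount | Out-Null
}

# 3. Bind the account to the custom role on the host object.
New-VIPermission -Entity $vmhost -Principal $CimUser -Role $role -Propagate:$true | Out-Null

# 4. Add the account to the lockdown-mode Exception Users list via the vSphere API.
$ham        = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
$exceptions = @($ham.QueryLockdownExceptions())
if ($exceptions -notcontains $CimUser) {
    $ham.UpdateLockdownExceptions($exceptions + $CimUser)
}

# Verification (placeholder function): $true only when every role assigned to the
# account grants nothing beyond the allowed privileges. vSphere adds the System.*
# privileges (System.Anonymous, System.View, System.Read) to every role, so those
# are ignored rather than reported as excess.
function Test-CimAccountPrivileges {
    param([string] $User, [string[]] $Allowed)
    $perms = @(Get-VIPermission -Principal $User)
    if ($perms.Count -eq 0) { Write-Warning "$User has no permission on the host"; return $false }
    foreach ($p in $perms) {
        $granted = (Get-VIRole -Name $p.Role).PrivilegeList
        $extra   = $granted | Where-Object { $_ -notin $Allowed -and $_ -notlike 'System.*' }
        if ($extra) {
            Write-Warning "$User has excess privileges via role '$($p.Role)': $($extra -join ', ')"
            return $false
        }
    }
    return $true
}

Test-CimAccountPrivileges -User $CimUser -Allowed $CimPrivilegeIds
Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Run the verification function on its own against any existing CIM account to get the answer the benchmark asks for: it returns `$false` and names the offending role whenever the account has been granted anything beyond ‘Host >> Config >> System Management’ and ‘Host >> CIM >> CIMInteraction’ (for example a role assignment of Administrator).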
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Group-ID|V-63309
- Rule-ID|SV-77799r1_rule
- STIG-ID|ESXI-06-000070
- Vuln-ID|V-63309