From VMware ESXi Server 5.0 Security Technical Implementation Guide
Part of SRG-OS-99999-ESXI5
Associated with: CCI-000366
The mutual authentication secret for each host must be different, and the secret for each client authenticating to the server must be different as well. This ensures that if a single host is compromised, an attacker cannot create another arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host can allow an attacker to authenticate to the storage device.
From the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host). Determine if a different authentication secret is configured for each ESXi host. If a different authentication secret is not configured for each ESXi host, this is a finding. If iSCSI is not used, this is not a finding.
From the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host). Configure the authentication secret.
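The per-host comparison in the check above can be done offline against a record of the configured secrets. The following is an added example, not part of the STIG: the inventory format, host names, secrets and the field names `chap_secret` and `mutual_secret` are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample inventory (hypothetical host names and secrets), e.g. an
# export from the password vault that holds each host's iSCSI CHAP settings.
INVENTORY = [
    {"host": "esxi-01", "chap_secret": "Vt7#qLm2Zp9xRw4k", "mutual_secret": "a8Kd!2mNcQ0zLp5T"},
    {"host": "esxi-02", "chap_secret": "Hn3$yUb8Sd1fGe6j", "mutual_secret": "W4rX@9vBtE7uYi3o"},
    {"host": "esxi-03", "chap_secret": "Vt7#qLm2Zp9xRw4k", "mutual_secret": "P0oI&6uYtR5eWq2s"},
    {"host": "esxi-04", "chap_secret": "", "mutual_secret": ""},  # iSCSI not used
]

# Hypothetical field names: host-to-target secret and mutual (target-to-host) secret.
FIELDS = ("chap_secret", "mutual_secret")


def find_shared_secrets(inventory):
    """Return {field: [sorted host groups]} for secrets used by more than one host.

    Secrets are compared through a keyed digest with a per-run random key, so
    neither the secret nor a reusable hash of it ends up in the report.
    """
    run_key = secrets.token_bytes(32)
    findings = {}
    for field in FIELDS:
        groups = defaultdict(list)
        for entry in inventory:
            value = entry.get(field) or ""
            if not value:  # host does not use iSCSI CHAP: not a finding
                continue
            tag = hmac.new(run_key, value.encode("utf-8"), hashlib.sha256).digest()
            groups[tag].append(entry["host"])
        shared = sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)
        if shared:
            findings[field] = shared
    return findings


if __name__ == "__main__":
    result = find_shared_secrets(INVENTORY)
    for field, groups in result.items():
        for hosts in groups:
            print(f"FINDING: {field} shared by {', '.join(hosts)}")
    if not result:
        print("No shared CHAP secrets found")
```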