The system must enable lockdown mode to restrict remote access.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of SRG-OS-000092

Associated with: CCI-000371

SV-51243r2_rule The system must enable lockdown mode to restrict remote access.

Vulnerability discussion

Enabling Lockdown Mode prevents all API-based access by accounts to the ESXi host, which disables all remote access to the ESXi machine. Some operations, such as backup and troubleshooting, require direct access to the host. In those cases Lockdown Mode can be disabled temporarily on the specific hosts that need it and re-enabled once the task is completed. Lockdown Mode restricts access to the ESXi console to the root user only, requiring that non-root users access the host through the vSphere Client/vCenter, where RBAC and logging can be used to restrict and log activity. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.

Note: Lockdown Mode does not apply to root users who log in using authorized keys. When an authorized key file is used for root user authentication, root users are not prevented from accessing the host over SSH even when the host is in Lockdown Mode. Use of an authorized key file for root must therefore be disallowed.

Check content

For ESXi hosts that are not managed by a vCenter Server, this check is not applicable.

From the vSphere Client, select the host, then select "Configuration >> Security Profile" and verify that Lockdown Mode is enabled. Alternatively, issue the following command via the CLI:

# vim-cmd vimsvc/auth/lockdown_is_enabled

If the command does not return true (Lockdown Mode is not enabled), this is a finding.
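The check above, as an added audit helper that is not part of the STIG or of VMware's tooling: it applies the not-applicable rule for hosts outside vCenter, interprets the vim-cmd output, and also flags a root authorized_keys file, since the discussion notes that such a file bypasses Lockdown Mode. Whether the host is vCenter-managed is passed in by the operator, and the root authorized_keys path is an assumption about ESXi 5.x, not something the rule specifies.

```shell
#!/bin/sh
# Added audit helper for SV-51243r2_rule (not part of the STIG itself).
# Mirrors the Check content: NOT_APPLICABLE when the host is not managed by
# vCenter; FINDING when vim-cmd does not report Lockdown Mode as enabled.
# The root authorized-keys path below is an assumption about ESXi 5.x.

ROOT_AUTH_KEYS="${ROOT_AUTH_KEYS:-/etc/ssh/keys-root/authorized_keys}"  # assumed path

# assess_lockdown MANAGED_BY_VCENTER(yes|no) VIMCMD_OUTPUT ROOT_KEYS_PRESENT(yes|no)
# Prints one line: NOT_APPLICABLE, PASS or FINDING plus a reason.
# Returns 0 for NOT_APPLICABLE/PASS and 1 for a finding.
assess_lockdown() {
    managed="$1"; output="$2"; root_keys="$3"
    if [ "$managed" != "yes" ]; then
        echo "NOT_APPLICABLE: host is not managed by a vCenter Server"
        return 0
    fi
    # vim-cmd prints "true" when Lockdown Mode is enabled; normalise whitespace/case
    state=$(printf '%s' "$output" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    if [ "$state" != "true" ]; then
        echo "FINDING: lockdown mode is not enabled (vim-cmd reported '${state:-<empty>}')"
        return 1
    fi
    # Lockdown Mode does not stop root SSH logins that use an authorized key
    # file, so a root authorized_keys file undermines the control.
    if [ "$root_keys" = "yes" ]; then
        echo "FINDING: lockdown enabled but a root authorized_keys file is present"
        return 1
    fi
    echo "PASS: lockdown mode enabled and no root authorized_keys file"
    return 0
}

# Live check on an ESXi host. Call as: run_live_check yes   (or: no)
# The argument states whether the host is managed by a vCenter Server.
run_live_check() {
    out=$(vim-cmd vimsvc/auth/lockdown_is_enabled 2>/dev/null)
    if [ -s "$ROOT_AUTH_KEYS" ]; then keys=yes; else keys=no; fi
    assess_lockdown "$1" "$out" "$keys"
}
```

Run `run_live_check yes` on a vCenter-managed host; the exit status (0 or 1) can drive a larger compliance script while the printed line records the reason.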

Fix text

To enable Lockdown Mode on an ESXi host managed by a vCenter Server, log in directly to the ESXi host as root. Open the DCUI on the host. Press F2 for Initial Setup. Toggle the Configure Lockdown Mode setting and configure Lockdown Mode.
