STIGQter STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The ESXi host must be configured to disable nonessential capabilities by disabling SSH.

DISA Rule

SV-239290r674799_rule

Vulnerability Number

V-239290

Group Title

SRG-OS-000095-VMM-000480

Rule Version

ESXI-67-000035

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, select the ESXi host and go to Configure >> System >> Services.

Under "Services", select "SSH" service and click the "Stop" button to stop the service. Use Edit Startup policy to "Start and stop manually" and click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"} | Stop-VMHostService

Check Contents

From the vSphere Client, select the ESXi host and go to Configure >> System >> Services.

Under "Services", select "Edit", view the "SSH" service, and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}

If the ESXi SSH service is running, this is a finding.

Vulnerability Number

V-239290

Documentable

False

Rule Version

ESXI-67-000035

Severity Override Guidance

From the vSphere Client, select the ESXi host and go to Configure >> System >> Services.

Under "Services", select "Edit", view the "SSH" service, and verify it is stopped.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostService | Where {$_.Label -eq "SSH"}

If the ESXi SSH service is running, this is a finding.

Check Content Reference

M

Target Key

5326

Comments