Privileges for Scanning ESXi Hosts
Click here to view navigation pane

Privileges for Scanning ESXi Hosts

To successfully authenticate and audit each ESXi host, we'll need a service credential with at least Read-Only access to the ESXi host.

For scanning some controls, the account must also have privileges to read SNMP, Software, VIBs, Users and Kernel modules. Tip - The system defined Read-Only role cannot be changed so you'll need to make a clone in order to add privileges.

See below for the controls that require additional privileges. If you're not interested in scanning all controls, then the additional privileges are not needed.

How to create a role with additional privileges

1) Edit the role assigned to the scanner account.

2) Add privileges to the role (see table below)

3) Click OK to save your changes.

4) Verify that the scanner account has the proper role assigned, and add it to your authentication record. Add to the VMware ESXi record when using ESXi credentials or the vCenter record when using vCenter credentials.

Are your ESXi hosts joined to an Active Directory domain? If yes, then a Domain-level credential can be used. If not, then an individual credential on each target machine will be required.

Scanning ESXi hosts using ESXi credentials

Version

Privilege Needed

Affected Controls

ESXi 7.0, 6.5, 6.0, 5.5, 5.0

Global.Settings

How to set: Expand Global and select "Settings"

1129, 6094, 6097

9394, 9393 (not applicable to ESXi version 7.0)

ESXi 7.0, 6.5, 6.0, 5.5, 5.0

Host.Config.Change settings

 

How to set: Expand Host > Configuration and select "Change settings"

9012

ESXi 7.0, 6.5, 6.0

Authorization.ModifyPermissions

 

How to set: Expand Permissions and select "Modify permission"

8972

 

Scanning ESXi hosts using vCenter credentials

Version

Privilege Needed

Affected Controls

All Versions

Global.Settings

 

How to set: Expand Global and select "Settings"

9394, 9393

All Versions

Host.Config.Change settings

 

How to set: Expand Host > Configuration and select "Change settings"

9012

 

Control Details

Control ID (CID)

Control Statement

1129

Status of the 'Simple Network Management Protocol (SNMP)' services (Linux/Unix/ESXi)

6094

Status of the 'SNMP Trap' settings for the ESXi host

6097

Status of the 'readCommunities' SNMP community string on the ESXi host

9394

Status of the Acceptance Level of each VIB on the ESXi host

9393

Status of the vSphere Installation Bundle (VIB) versions installed on the host

9012

Status of the kernel modules loaded in memory

8972

Status of the users with shell access on the host