Privileges for Scanning ESXi Hosts
We support scanning ESXi hosts using either direct ESXi credentials or indirect vCenter credentials. Refer to the following sections for the minimum privileges required for each authentication method:
- Assessing ESXi Hosts Using ESXi Credentials: When scanning ESXi hosts directly with ESXi credentials, authentication is performed against the ESXi host itself, and all access control decisions are made by that specific ESXi host. This method requires the scan user to have the appropriate permissions locally on each ESXi host.
- Assessing ESXi Hosts Indirectly Using vCenter Credentials: When scanning ESXi hosts using vCenter credentials, the scanner authenticates to vCenter, not to the ESXi host directly. vCenter is then used to identify the target ESXi host and perform the compliance assessment on that host. The required privileges for the scan user are therefore vCenter-level permissions, not ESXi-level permissions.
- Scanning Disconnected ESXi Hosts via vCenter: If you need to scan ESXi hosts that are disconnected or unreachable, select the Disconnected ESXi option to perform the scan without sending any data directly to the ESXi host. By default, this option is not enabled.
Minimum privileges required for scanning ESXi hosts using ESXi credentials
To successfully authenticate and audit each ESXi host, a vCenter credential with read-only access to the ESXi host is required. However, some special controls, such as CID 9393, 9394, and 9012, need extra privileges. These extra privileges are required to read VIBs and kernel modules.
To create a minimum privilege user for ESXi scan, refer to the Steps to Create Minimum Privilege User for ESXi Scan section.
To create the scan user account that can cover all ESXi CIDs in the PA library:
- Create a role based on the Read-only role, and add the following privileges to it:
  - Expand Global and select Settings. (Affects CIDs 1129, 6094, 6097, 9393, 9394, 17320)
  - Expand Host > Configuration and select Change settings. (Affects CID 9012)
  - Expand Permissions and select Modify permission. (Affects CID 8972)
  - Expand Certificates and select Manage Certificates. (Affects CID 22343)
  - Expand Host > Config and select Image. (Affects CID 23394)
- Add the scan user account with the following role privileges:
| Version | Privilege Needed | Navigation |
| --- | --- | --- |
| ESXi 9.x | Global.Settings; Host.Config.Change settings; Host.Config.Image configuration; Certificates.Manage Certificates; Authorization.ModifyPermissions | Global > Settings; Host > Config > Settings; Host > Config > Image; Certificates > Manage Certificates; Authorization > ModifyPermissions |
| ESXi 8.0 | Global.Settings; Host.Config.Change settings; Host.Config.Image configuration; Certificates.Manage Certificates; Authorization.ModifyPermissions | Global > Settings; Host > Config > Settings; Host > Config > Image; Certificates > Manage Certificates; Authorization > ModifyPermissions |
| ESXi 7.0 | Global.Settings; Host.Config.Change settings; Host.Config.Image configuration; Certificates.Manage Certificates; Authorization.ModifyPermissions | Global > Settings; Host > Configuration > Change Settings; Host > Configuration > Image Configuration; Certificates > Manage Certificates; Permissions > Modify Permission |
| ESXi 6.5 | Global.Settings; Host.Config.Change settings; Certificates.Manage Certificates; Authorization.ModifyPermissions | Global > Settings; Host > Configuration > Change Settings; Certificates > Manage Certificates; Permissions > Modify Permission |
| ESXi 6.0 | Global.Settings; Host.Config.Change settings; Certificates.Manage Certificates; Authorization.ModifyPermissions | Global > Settings; Host > Configuration > Change Settings; Certificates > Manage Certificates; Permissions > Modify Permission |
| ESXi 5.5 | Global.Settings; Host.Config.Change settings | Global > Settings; Host > Configuration > Change Settings |
| ESXi 5.0 | Global.Settings; Host.Config.Change settings | Global > Settings; Host > Configuration > Change Settings |
| All versions | Global.Settings; Host.Config.Change settings; Authorization.ModifyPermissions | Global > Settings; Host > Configuration > Change Settings; Permissions > Modify Permission |
Specific privileges required for scanning user accounts are as follows:
| CID | STMT | Permission (9.0) | Permission (8.0) | Permission (7.0) | Permission (6.5) | Permission (6.0) | Permission (5.x) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1129 | Status of Simple Network Management Protocol (SNMP) services (Linux/Unix/ESXi) | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 6094 | Status of SNMP Trap settings for the ESXi host | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 6097 | Status of readCommunities SNMP community string on the ESXi host | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 9394 | Status of Acceptance Level of each VIB on the ESXi host | Not Applicable | Not Applicable | Not Applicable | Global > Settings | Global > Settings | Global > Settings |
| 9393 | Status of vSphere Installation Bundle (VIB) versions installed on the host | Not Applicable | Not Applicable | Not Applicable | Global > Settings | Global > Settings | Global > Settings |
| 9012 | Status of kernel modules loaded in memory | Host > Config > Settings | Host > Config > Settings | Host > Configuration > Change Settings | Host > Configuration > Change Settings | Host > Configuration > Change Settings | Host > Config > Change Settings |
| 8972 | Status of users with shell access on the host | Authorization > ModifyPermissions | Authorization > ModifyPermissions | Permissions > Modify permission | Permissions > Modify permission | Permissions > Modify permission | Read-only |
| 17320 | List of Lockdown Exception Users | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 22343 | Status of certificate present on the ESXi host | Certificates > Manage Certificates | Certificates > Manage Certificates | Certificates > Manage Certificates | Certificates > Manage Certificates | Certificates > Manage Certificates | Not Applicable |
| 23394 | Status of software package versions and Acceptance Level of each package on the host | Host > Config > Image | Host > Config > Image | Host > Config > Image | Not Applicable | Not Applicable | Not Applicable |
Testing specific privileges using commands:
| CID | STMT | Example |
| --- | --- | --- |
| 1129 | Status of Simple Network Management Protocol (SNMP) services (Linux/Unix/ESXi) | `esxcfg-snmp --server <esxi ip> --username <scan user> --password <scan user password> --show` |
| 6094 | Status of SNMP Trap settings for the ESXi host | `esxcfg-snmp --server <esxi ip> --username <scan user> --password <scan user password> --show` |
| 6097 | Status of readCommunities SNMP community string on the ESXi host | `esxcfg-snmp --server <esxi ip> --username <scan user> --password <scan user password> --show` |
| 9394 | Status of Acceptance Level of each VIB on the ESXi host | `esxcli -s <esxi ip> -u <scan user> -p <scan user password> software vib list` |
| 9393 | Status of vSphere Installation Bundle (VIB) versions installed on the host | `esxcli -s <esxi ip> -u <scan user> -p <scan user password> software vib list` |
| 9012 | Status of kernel modules loaded in memory | `esxcfg-module --server <esxi ip> --username <scan user> --password <scan user password> --list` |
| 8972 | Status of users with shell access on the host | `esxcfg-user --server <esxi ip> --username <scan user> --password <scan user password> -e user -o list` |
Minimum privileges required for scanning ESXi hosts using vCenter credentials
To successfully authenticate and audit each ESXi host, a vCenter credential with read-only access to the ESXi host is required. However, some special controls, such as CID 9393, 9394, and 9012, need extra privileges. These extra privileges are required to read VIBs and kernel modules.
To create a minimum privilege user for ESXi scan, refer to the Steps to Create Minimum Privilege User for ESXi Scan (from vCenter) section.
To create the scan user account that can cover all ESXi CIDs in the PA library:
- Create a role with read-only access and assign the Global.Settings and Host.Config.Change settings privileges to the role:
  - Expand Global and select Settings. (Affects CIDs 9393, 9349, 17320)
  - Expand Certificates and select Manage Certificates. (Affects CID 22343)
  - Expand Host > Configuration and select Change settings. (Affects CID 9012)
  - Expand Host > Config and select Image. (Affects CID 23394)
- Add the scan user account with this role privilege.
| CID | STMT | Extra Privileges |
| --- | --- | --- |
| 9394 | Status of the Acceptance Level of each VIB on the ESXi host | Global.Settings (Global > Settings) |
| 9393 | Status of the vSphere Installation Bundle (VIB) versions installed on the host | Global.Settings (Global > Settings) |
| 9012 | Status of the kernel modules loaded in memory | Host.Config.Change settings (Host > Configuration > Change settings) |
| 17320 | List of the Lockdown Exception Users | Global.Settings (Global > Settings) |
| 23394 | Status of the software package versions and Acceptance Level of each package on the host | Certificates.Manage Certificates (Certificates > Manage Certificates) |
For CID 8972, the status of users with shell access on the host is not supported by the indirect scan via vCenter.