Privileges for Scanning ESXi Hosts

Support is added for scanning ESXi hosts using either ESXi credentials (a direct scan) or vCenter credentials (an indirect scan). In an indirect scan, the authenticator sends a request to the ESXi host and then scans it using the vCenter credentials: it authenticates with vCenter, identifies the specific ESXi host, and performs a compliance scan against that particular host. The privileges required by the user performing an indirect scan therefore differ from those required for a direct scan of the ESXi host.

Minimum privileges required for scanning ESXi hosts using ESXi credentials

To successfully authenticate and audit each ESXi host, a vCenter credential with read-only access to the ESXi host is required. However, some special controls, such as CID 9393, 9394, and 9012, need extra privileges, which are required to read VIBs and kernel modules.

To create a scan user account that can cover all ESXi CIDs in the PC library:

  1. Create a role with read-only access and assign the Global.Settings and Host.Config.Change settings privileges to the role.
    1. Expand Global and select Settings. (Affects CIDs 1129, 6094, 6097, 9393, 9394, and 17320)
    2. Expand Host > Configuration and select Change settings. (Affects CID 9012)
    3. Expand Permissions and select Modify permission. (Affects CID 8972 on ESXi 6.x)
    4. Expand Certificates and select Manage Certificates. (Affects CID 23394)
    5. Expand Host > Config and select Image. (Affects CID 23394 on ESXi 7.x and ESXi 8.x)
  2. Add the scan user account with the following role privileges for the ESXi version being scanned:

| ESXi version | Privilege | Location in the vSphere Client |
|---|---|---|
| ESXi 7.0 | Global.Settings | Global > Settings |
| ESXi 7.0 | Host.Config.Change settings | Host > Configuration > Change Settings |
| ESXi 7.0 | Host.Config.Image configuration | Host > Configuration > Image Configuration |
| ESXi 7.0 | Certificates.Manage Certificates | Certificates > Manage Certificates |
| ESXi 7.0 | Authorization.ModifyPermissions | Permissions > Modify Permission |
| ESXi 6.5 | Global.Settings | Global > Settings |
| ESXi 6.5 | Host.Config.Change settings | Host > Configuration > Change Settings |
| ESXi 6.5 | Certificates.Manage Certificates | Certificates > Manage Certificates |
| ESXi 6.5 | Authorization.ModifyPermissions | Permissions > Modify Permission |
| ESXi 6.0 | Global.Settings | Global > Settings |
| ESXi 6.0 | Host.Config.Change settings | Host > Configuration > Change Settings |
| ESXi 6.0 | Certificates.Manage Certificates | Certificates > Manage Certificates |
| ESXi 6.0 | Authorization.ModifyPermissions | Permissions > Modify Permission |
| ESXi 5.5 | Global.Settings | Global > Settings |
| ESXi 5.5 | Host.Config.Change settings | Host > Configuration > Change Settings |
| ESXi 5.0 | Global.Settings | Global > Settings |
| ESXi 5.0 | Host.Config.Change settings | Host > Configuration > Change Settings |
| All versions | Global.Settings | Global > Settings |
| All versions | Host.Config.Change settings | Host > Configuration > Change Settings |
| All versions | Authorization.ModifyPermissions | Permissions > Modify Permission |


The specific privilege each control requires of the scan user account, by ESXi version, is as follows:

| CID | Control | DPID | Permission (8.0) | Permission (7.0) | Permission (6.5) | Permission (6.0) | Permission (5.x) |
|---|---|---|---|---|---|---|---|
| 1129 | Status of Simple Network Management Protocol (SNMP) services (Linux/Unix/ESXi) | 805040 | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 6094 | Status of SNMP Trap settings for the ESXi host | 805039 | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 6097 | Status of readCommunities SNMP community string on the ESXi host | 805046 | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 9394 | Status of Acceptance Level of each VIB on the ESXi host | 808077 | Not Applicable | Not Applicable | Global > Settings | Global > Settings | Global > Settings |
| 9393 | Status of vSphere Installation Bundle (VIB) versions installed on the host | 808078 | Not Applicable | Not Applicable | Global > Settings | Global > Settings | Global > Settings |
| 9012 | Status of kernel modules loaded in memory | 807342 | Host > Config > Settings | Host > Configuration > Change Settings | Host > Configuration > Change Settings | Host > Configuration > Change Settings | Host > Config > Change Settings |
| 8972 | Status of users with shell access on the host | 807339 | Authorization > ModifyPermissions | Permissions > Modify permission | Permissions > Modify permission | Permissions > Modify permission | Read-only |
| 17320 | List of Lockdown Exception Users | 817444 | Global > Settings | Global > Settings | Global > Settings | Global > Settings | Global > Settings |
| 22343 | Status of certificate present on the ESXi host | 822943 | Certificates > Manage Certificates | Certificates > Manage Certificates | Certificates > Manage Certificates | Certificates > Manage Certificates | Not Applicable |
| 23394 | Status of software package versions and Acceptance Level of each package on the host | 823956 | Host > Config > Image | Host > Config > Image | Not Applicable | Not Applicable | Not Applicable |


Testing specific privileges using commands (sample host address and scan account credentials shown):

| CID | Control | DPID | Example command |
|---|---|---|---|
| 1129 | Status of Simple Network Management Protocol (SNMP) services (Linux/Unix/ESXi) | 805040 | esxcfg-snmp --server 10.10.35.107 --username ahu --password 12345abc --show |
| 6094 | Status of SNMP Trap settings for the ESXi host | 805039 | esxcfg-snmp --server 10.10.35.107 --username ahu --password 12345abc --show |
| 6097 | Status of readCommunities SNMP community string on the ESXi host | 805046 | esxcfg-snmp --server 10.10.35.107 --username ahu --password 12345abc --show |
| 9394 | Status of Acceptance Level of each VIB on the ESXi host | 808077 | esxcli -s 10.10.35.107 -u ahu -p 12345abc software vib list |
| 9393 | Status of vSphere Installation Bundle (VIB) versions installed on the host | 808078 | esxcli -s 10.10.35.107 -u ahu -p 12345abc software vib list |
| 9012 | Status of kernel modules loaded in memory | 807342 | esxcfg-module --server 10.10.35.107 --username ahu --password 12345abc --list |
| 8972 | Status of users with shell access on the host | 807339 | esxcfg-user --server 10.10.35.107 --username ahu --password 12345abc -e user -o list |
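The following script is an added example, not part of this page or of VMware's tooling: it runs the test commands above as the scan account and reports which CID groups the account cannot cover, naming the privilege from the tables above that needs to be granted when a command fails. It assumes the vCLI esxcfg-* tools and esxcli are installed on the machine running it, and that the hypothetical environment variables ESXI_HOST, SCAN_USER and SCAN_PASS hold the host address and the scan account credentials.

```shell
#!/bin/sh
# Added example (not Qualys or VMware code): verify that the scan account
# holds the privileges the ESXi controls need, using the page's test commands.
# Assumes esxcfg-* / esxcli are installed and ESXI_HOST, SCAN_USER, SCAN_PASS
# are set (hypothetical variable names chosen for this example).

# check_cid "CIDs" "description" "privilege to grant on failure" command...
# Returns 0 when the command succeeds, 1 otherwise.
check_cid() {
    cids=$1; desc=$2; needed=$3; shift 3
    if out=$("$@" 2>&1); then
        printf 'CID %-16s OK      %s\n' "$cids" "$desc"
        return 0
    fi
    # Print only the first line of the error so a permission denial is visible.
    printf 'CID %-16s FAILED  %s (grant: %s): %s\n' "$cids" "$desc" "$needed" \
        "$(printf '%s\n' "$out" | head -n 1)"
    return 1
}

# run_all_checks: one command per CID group from the table above (CIDs that
# share a command are tested once); returns the number of failed checks so
# the value can be used directly as an exit status.
run_all_checks() {
    h=${ESXI_HOST:?set ESXI_HOST}; u=${SCAN_USER:?set SCAN_USER}; p=${SCAN_PASS:?set SCAN_PASS}
    failed=0
    check_cid "1129 6094 6097" "SNMP service, trap and community settings" "Global > Settings" \
        esxcfg-snmp --server "$h" --username "$u" --password "$p" --show || failed=$((failed + 1))
    check_cid "9393 9394" "VIB versions and acceptance levels" "Global > Settings" \
        esxcli -s "$h" -u "$u" -p "$p" software vib list || failed=$((failed + 1))
    check_cid "9012" "kernel modules loaded in memory" "Host > Configuration > Change Settings" \
        esxcfg-module --server "$h" --username "$u" --password "$p" --list || failed=$((failed + 1))
    check_cid "8972" "users with shell access" "Permissions > Modify Permission" \
        esxcfg-user --server "$h" --username "$u" --password "$p" -e user -o list || failed=$((failed + 1))
    echo "$failed check(s) failed"
    return "$failed"
}

# Run the checks only when invoked as: sh check_esxi_privs.sh run
if [ "${1:-}" = run ]; then run_all_checks; fi
```

A non-zero exit status from run_all_checks means at least one control would be evaluated with insufficient privileges; the FAILED lines name the privilege to add to the role.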

Minimum privileges required for scanning ESXi hosts using vCenter credentials

To successfully authenticate and audit each ESXi host, a vCenter credential with read-only access to the ESXi host is required. However, some special controls, such as CID 9393, 9394, and 9012, need extra privileges, which are required to read VIBs and kernel modules.

To create a scan user account that can cover all ESXi CIDs in the PC library:

  1. Create a role with read-only access and assign the Global.Settings and Host.Config.Change settings privileges to the role.
    1. Expand Global and select Settings. (Affects CIDs 9393, 9349, and 17320)
    2. Expand Certificates and select Manage Certificates. (Affects CID 23394)
    3. Expand Host > Configuration and select Change settings. (Affects CID 9012)
  2. Add the scan user account with this role. The extra privileges, by control, are:

| CID | Control | DPID | Extra privilege (location in the vSphere Client) |
|---|---|---|---|
| 9394 | Status of the Acceptance Level of each VIB on the ESXi host | 808077 | Global.Settings (Global > Settings) |
| 9393 | Status of the vSphere Installation Bundle (VIB) versions installed on the host | 808078 | Global.Settings (Global > Settings) |
| 9012 | Status of the kernel modules loaded in memory | 807342 | Host.Config.Change settings (Host > Configuration > Change settings) |
| 17320 | List of the Lockdown Exception Users | 817444 | Global.Settings (Global > Settings) |
| 23394 | Status of the software package versions and Acceptance Level of each package on the host | 822943 | Certificates.Manage Certificates (Certificates > Manage Certificates) |


Note: CID 8972, Status of the users with shell access on the host (DPID 807339, ML-11758), is not supported by the VMware indirect scan.