Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS-CAT Pro Assessor

Product VersionAll

v4.0.24+

Date



Problem

Info

Even after reviewing this Knowledge Base article on assessing an ESXi Benchmark , CIS-CAT Pro Assessor v4 cannot connect to your ESXi host.

Solution

Review the ‘assessor-cli.log’ which was produced after following these steps for CIS-CAT Pro Assessor v4: Diagnostic / debug information to troubleshoot CIS-CAT PRO Assessor v4 issues or these for CIS-CAT Pro Assessor v3: Diagnostic / debug information to troubleshoot CIS-CAT PRO Assessor v3 issues /wiki/spaces/STPS/pages/728727902

Search for errors such as these VIServer errors:

Code Block
14/10/2020 16:28:40.466 INFO org.cisecurity.powershell.impl.LocalPowershell - Response: Connect-VIServer : 
10/14/2020 4:28:39 PM Connect-VIServer Error: Invalid server certificate.

or these again regarding VI errors

Code Block
+ CategoryInfo          : ObjectNotFound: (:) [Connect-VIServer], ViServerConnectionException
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_NameResolutionFailure,VMware.VimAutomation.Vi 
   Core.Cmdlets.Commands.ConnectVIServer

or these, server certificate is not configured properly errors

Code Block
20/10/2020 19:43:10.507 INFO org.cisecurity.powershell.impl.LocalPowershell - Response:
Connect-VIServer : 
2020-10-20 19:43:09	Connect-VIServer An error occurred while making the HTTP request to 
https://192.168.101.46/sdk. This could be due to the fact that the server certificate is not configured properly with 
HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the 
server.	

Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a permanent exception for this server.Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority '192.168.234.33'.

Remediation: The certificate must be ignored for the assessment to execute. In Powershell, execute the following command:

Code Block
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

Note

Setting this option to “Ignore” should be reviewed against organizational policies.


Copyright © 2020

Center for Internet Security®