Overview

This guide will walk through conducting an ESXi version 6.7, 7.0, or 8.0 Benchmark assessment using the CIS-CAT Pro Assessor v4 GUI (Windows only). Assessor utilizes components of VMware PowerCLI to validate settings and gather information during the scan.

For more information on this process, please refer to the Configuration Guide:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#vmware-esxi-assessment

Requirements

• An ESXi 6.7, 7.0, or 8.0 host reachable on port 443 along with administrative or root credentials.

• PowerShell installed on the Windows system running Assessor
  (included by default in Windows 7 SP1 / Windows Server 2008 R2 and later):
  Installing PowerShell on Windows - PowerShell

• The PowerShell VMware.VimAutomation.Core module contained in VMware PowerCLI.

  • Open an administrative PowerShell prompt and enter:
    Install-Module -Name VMware.PowerCLI

  • Verify the installation succeeded with:
    Get-Module VMware.* -listAvailable
    Included in the output list should be the required VMware.VimAutomation.Core module:

    Open

    

Implementation Steps

1	Verify PowerCLI is installed before running CIS-CAT Pro Assessor v4 (see above).
2	Launch Assessor-GUI.exe as Administrator (right-click -> “Run as administrator”). Open
3	Select the “Advanced” → “Add Remote or Local Target System” option:
4	In the following screen, enter the required prompts. Fill in the “Target System Name” (cannot start with a number, contain spaces or special characters). This entry does not need to match the ESXi hostname and is used for reporting only. Set the “Target System Type” to “Local” This choice may be counterintuitive (as the target ESXi host is not local), but is required as the assessment itself is carried out via PowerShell from the local host. Under “Benchmarks”, choose the applicable Benchmark (either ESXi 6.7, 7.0, or 8.0) as well as your desired Profile level (L1 or L2), then select “Add”.
5	You will be prompted for a connection string to your ESXi host. Enter your ESXi username (such as root), followed by / and the password, and finally the connection IP or hostname after the @ character. Example: root/mysecurepassword@192.168.41.60 Select “OK“ followed by “Save” in the bottom right to proceed to the next screen.
6	Review your settings and choose “Next” (no connection test is necessary for this assessment).
7	Under “Report Output Options”, select your desired reporting formats (HTML is recommended) and choose “Next” to launch the ESXi assessment.

CLI & Troubleshooting Steps

For details on running an ESXi assessment via CLI instead, please refer to this KB article:
How to use CIS-CAT Pro Assessor v4 to assess VMWare ESXi

If the final report returns “Unknown” results for each Recommendation, or you encounter Certificate or other connectivity errors, please refer to the following troubleshooting articles:

Getting Unknown Results on ESXi Assessment

ESXi Certificate issues

Cannot connect to ESXi Target for Assessment

Copyright © 2024 Center for Internet Security® Privacy Policy