Remote Assessments against ESXi hosts in Lockdown Mode
Product Name: CIS-CAT Pro Assessor v4
Product Version: v4.x.x+
Date: Aug 7, 2024
Problem
An ESXi host is placed into Lockdown Mode as per the following L1/L2 Benchmark Recommendations:
Once applied, the CIS-CAT Pro Assessor tool can no longer perform a remote assessment against the target.
Solution
Add the root user (or other applicable ESXi scan user account) to the Exception Users list as outlined in the following Recommendation:
If using a non-root account, the user must also be explicitly added to the DCUI.Access list:
This exempts the scan user from Lockdown Mode restrictions, allowing an assessment to be conducted. For additional guidance on ESXi assessments using CIS-CAT Pro Assessor, please refer to the following Quick Start Guide:
Quick Start Guide: ESXi Assessment using GUI (Windows)
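One way to apply and verify both changes from VMware PowerCLI, as an added example that is not part of the original article or CIS-CAT documentation. It assumes an existing `Connect-VIServer` session; the host name and the `svc-ciscat` account are placeholders.

```powershell
# Added example. Assumes VMware PowerCLI and an active Connect-VIServer session.
$HostName = 'esxi01.example.internal'   # placeholder host name
$ScanUser = 'svc-ciscat'                # hypothetical scan account; set to 'root' if scanning as root

$vmhost    = Get-VMHost -Name $HostName
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# Record the current state before changing anything.
Write-Output "Lockdown mode on ${HostName}: $($accessMgr.LockdownMode)"
$exceptions = @($accessMgr.QueryLockdownExceptions() | Where-Object { $_ })
Write-Output "Exception Users before: $($exceptions -join ', ')"

# Step 1: add the scan user to the Exception Users list.
# UpdateLockdownExceptions replaces the whole list, so pass existing entries too.
if ($exceptions -notcontains $ScanUser) {
    $accessMgr.UpdateLockdownExceptions([string[]]($exceptions + $ScanUser))
}

# Step 2: a non-root scan user must also be listed in DCUI.Access.
if ($ScanUser -ne 'root') {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'
    $dcui = @($setting.Value -split ',' |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ })
    if ($dcui -notcontains $ScanUser) {
        $newValue = ($dcui + $ScanUser) -join ','
        Set-AdvancedSetting -AdvancedSetting $setting -Value $newValue -Confirm:$false |
            Out-Null
    }
}

# Verify: both lists should now contain the scan user and nothing unexpected.
# Exception users keep their privileges while the host is locked down,
# so review the full list rather than only checking for the new entry.
$after = @($accessMgr.QueryLockdownExceptions() | Where-Object { $_ })
Write-Output "Exception Users after:  $($after -join ', ')"
Write-Output "DCUI.Access:            $((Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value)"
```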
Keywords: ESXi Lockdown Mode root exception Assessor scan