
V-265353

CAT II (Medium)

The NSX Manager must disable SSH.

Rule ID

SV-265353r994282_rule

STIG

VMware NSX 4.x Manager NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

The NSX shell provides temporary access to commands essential for server maintenance. Intended primarily for break-fix scenarios, the NSX shell is well suited for checking and modifying configuration details that are not always accessible through the web interface. The NSX shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the managers must be disabled, as is the default. Like the NSX shell, SSH is intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and enabled only for diagnostics or troubleshooting. At all other times, remote access to the managers must be limited to the web interface and API.

Check Content

From an NSX Manager shell, run the following command:

> get service ssh

Expected results:
Service name: ssh
Service state: stopped
Start on boot: False

If the SSH server is not stopped or starts on boot, this is a finding.
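
The check above can be evaluated automatically once the command output has been captured. The following Python is an added example, not part of the STIG or of any VMware tooling; the function names are hypothetical, the sample outputs are constructed, and how the output is collected from the manager is left out.

```python
import re

# Values the check text lists under "Expected results" (compared case-insensitively).
EXPECTED = {"service state": "stopped", "start on boot": "false"}

def parse_service_output(text):
    """Parse 'Key: value' lines from `get service ssh` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields

def evaluate_ssh_check(text):
    """Return (is_finding, reasons) for V-265353.

    Design choice of this example: it fails closed, so output that is
    missing a field or describes another service is reported as a finding.
    """
    fields = parse_service_output(text)
    reasons = []
    if fields.get("service name") != "ssh":
        reasons.append("output is not for the ssh service")
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got is None:
            reasons.append(f"missing field: {key}")
        elif got != want:
            reasons.append(f"{key} is {got!r}, expected {want!r}")
    return (bool(reasons), reasons)

# Constructed sample outputs (not captured from a real appliance).
COMPLIANT = "Service name: ssh\nService state: stopped\nStart on boot: False\n"
RUNNING = "Service name: ssh\nService state: running\nStart on boot: True\n"
BOOT_ONLY = "Service name: ssh\nService state: stopped\nStart on boot: True\n"

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("running", RUNNING), ("boot-only", BOOT_ONLY)]
    for name, sample in samples:
        finding, why = evaluate_ssh_check(sample)
        print(name, "FINDING" if finding else "not a finding", why)
```

The `BOOT_ONLY` sample covers the case that is easy to miss: SSH is currently stopped but still set to start on boot, which the check text counts as a finding.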

Fix Text

From an NSX Manager shell, run the following command(s):

> stop service ssh
> clear service ssh start-on-boot