The NSX Manager must disable SSH.

Severity: medium
Group ID: V-265353
Group Title: SRG-APP-000516-NDM-000317
Version: NMGR-4X-000097
Rule ID: SV-265353r994282_rule
Date: 2024-12-13
STIG Version: 1
Description
The NSX shell provides temporary access to commands essential for server maintenance. Intended primarily for use in break-fix scenarios, the NSX shell is well suited for checking and modifying configuration details that are not always accessible through the web interface. The NSX shell is accessible remotely using SSH. Under normal operating conditions, SSH access to the managers must be disabled, as is the default. As with the NSX shell, SSH is intended only for temporary use during break-fix scenarios. SSH must therefore be disabled under normal operating conditions and must only be enabled for diagnostics or troubleshooting. At all other times, remote access to the managers must be limited to the web interface and API.
ℹ️ Check
From an NSX Manager shell, run the following command:

> get service ssh

Expected results:

Service name: ssh
Service state: stopped
Start on boot: False

If the SSH server is not stopped or starts on boot, this is a finding.
✔️ Fix
From an NSX Manager shell, run the following command(s):

> stop service ssh
> clear service ssh start-on-boot
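For auditing several managers, the Check's pass/fail logic can be applied to saved `get service ssh` output. The following is an added example, not part of the STIG or VMware tooling; the function names and sample outputs are constructed, and it assumes the output was captured to text by some other means. Missing fields are treated as a finding so truncated captures do not pass silently.

```python
"""Evaluate captured `get service ssh` output against the Check in this rule."""

# Expected values from the Check section, compared case-insensitively.
EXPECTED = {
    "service name": "ssh",
    "service state": "stopped",
    "start on boot": "false",
}

def parse_service_output(text):
    """Parse 'Key: value' lines; tolerate prompts, padding and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def evaluate_ssh(text):
    """Return (is_finding, reasons). A missing field counts as a finding."""
    fields = parse_service_output(text)
    reasons = []
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got is None:
            reasons.append(f"'{key}' missing from output; cannot confirm compliance")
        elif got.lower() != want:
            reasons.append(f"{key} is '{got}', expected '{want}'")
    return bool(reasons), reasons

# Constructed sample captures (not taken from a real appliance).
COMPLIANT = "> get service ssh\nService name:   ssh\nService state:  stopped\nStart on boot:  False\n"
RUNNING = "Service name:   ssh\nService state:  running\nStart on boot:  True\n"
BOOT_ONLY = "Service name: ssh\nService state: stopped\nStart on boot: True\n"
TRUNCATED = "Service name: ssh\n"

if __name__ == "__main__":
    samples = {"compliant": COMPLIANT, "running": RUNNING,
               "boot-only": BOOT_ONLY, "truncated": TRUNCATED}
    for name, capture in samples.items():
        finding, reasons = evaluate_ssh(capture)
        print(f"{name}: {'FINDING' if finding else 'not a finding'}")
        for reason in reasons:
            print(f"  - {reason}")
```

The "boot-only" sample is the case most often missed: the service is stopped now but will return after a reboot, which the Check still counts as a finding.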