The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. To ensure that the CIM interface is secure, provide only the minimum access necessary to these remote applications. If you provision a remote application with a root or Administrator account, and if the application is compromised, the virtual environment can be compromised.
CIM is an open standard that defines a framework for agent-less, standards-based monitoring of hardware resources for ESXi hosts. This framework consists of a CIM object manager, often called a CIM broker, and a set of CIM providers.
CIM providers support management access to device drivers and underlying hardware. Hardware vendors, including server manufacturers and hardware device vendors, can write providers that monitor and manage their devices. VMware writes providers that monitor server hardware, ESXi storage infrastructure, and virtualization-specific resources. These providers run inside the ESXi host and are lightweight and focused on specific management tasks. The CIM broker takes information from all CIM providers and presents it to the outside world using standard APIs. The most common API is WS-MAN.
Do not provide root credentials to remote applications that access the CIM interface. Instead, create a service account for these applications. Grant read-only access to CIM information to any local account defined on the ESXi system, and any role defined in vCenter Server.
- Create a service account for CIM applications.
- Grant the service account read-only access to ESXi hosts that collect CIM information.
- (Optional) If the application requires write access, create a role with only two privileges.
- For each ESXi host that you are monitoring, create a permission that pairs the custom role with the service account.