Privileges for Scanning ESXi Hosts

To successfully authenticate and audit each ESXi host, we'll need a service credential with at least Read-Only access to the ESXi host.

For scanning some controls, the account must also have privileges to read SNMP, Software, VIBs, Users and Kernel modules. Tip - The system defined Read-Only role cannot be changed so you'll need to make a clone in order to add privileges.

See below for the controls that require additional privileges. If you're not interested in scanning all controls, then the additional privileges are not needed.

How to create a role with additional privileges

1) Edit the role assigned to the scanner account.

2) Add privileges to the role (see table below)

3) Click OK to save your changes.

4) Verify that the scanner account has the proper role assigned, and add it to your authentication record. Add to the VMware ESXi record when using ESXi credentials or the vCenter record when using vCenter credentials.

Are your ESXi hosts joined to an Active Directory domain? If yes, then a Domain-level credential can be used. If not, then an individual credential on each target machine will be required.

Scanning ESXi hosts using ESXi credentials


Scanning ESXi hosts using vCenter credentials


Control Details