Title

SCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege. (Cat I impact)

Discussion

The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account must only have the level of privileges required to perform the defined SCOM actions. An account with full administrative (SUDO) privileges could be used to breach security boundaries and compromise the endpoint.

Check Content

If the Microsoft SCOM environment is not used to monitor Linux/UNIX endpoints, this check is Not Applicable. Review the account permission settings on the SCOM Management server. Log on to a subset of Linux or UNIX servers being monitored by SCOM and look at the Sudoers file. Verify that the SCOM account does not have Sudo all permissions. Alternatively, the following command can be run from the machine "sudo -l -U <Run As account Name>". If any Run As account used for Linux\UNIX endpoint management has the SUDO ALL permissions, this is a finding.

Fix Text

Configure the permissions on the Run As accounts used on Linux/UNIX endpoints to remove the SUDO ALL permissions. This will be dependent on the specific versions and flavor of the Linux/UNIX operating systems in question. Microsoft's least privilege recommendations for supported versions can be found at the following location: https://social.technet.microsoft.com/wiki/contents/articles/7375.scom-configuring-sudo-elevation-for-UNIX-and-linux-monitoring.aspx.

Additional Identifiers

Rule ID: SV-237425r643921_rule

Vulnerability ID: V-237425

Group Title: SRG-APP-000033-NDM-000212

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.