Check: SCOM-CM-000002
Microsoft SCOM STIG: SCOM-CM-000002 (in version v1 r1)
Title
SCOM unsealed management packs must be backed up regularly. (Cat III impact)
Discussion
SCOM's configuration information is stored within unsealed management packs. Even without SQL backups, SCOM can be recovered quickly from a catastrophic failure if the unsealed management packs have been backed up.

Satisfies: SRG-APP-000516-NDM-000340, SRG-APP-000516-NDM-000341
Check Content
There is more than one way to configure this, and it will be at an administrator's discretion.

Open Task Scheduler and check for the presence of a scheduled task to back up unsealed management packs. If present, review the script to determine where backups are being stored. Verify that the unsealed management packs are being saved to the location specified in the task and that the location is being backed up regularly.

Alternatively, several free management packs do exist to automate this process within SCOM, or an administrator could automate this with their own custom management pack or using an orchestration tool such as System Center Orchestrator. This is not a finding if an administrator can show that one of these is installed/configured and that unsealed management packs are being written to the configured location.

If unsealed management packs are not being exported to disk and backed up, this is a finding.
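One way to support the check above is to compare the unsealed management packs in the management group with the export files on disk. This PowerShell script is an added example, not part of the STIG or the referenced management pack. It assumes the `OperationsManager` module is available on the machine, that exports are named `<management pack name>.xml`, and that `$BackupPath` and `$MaxAgeDays` (both hypothetical defaults) are set to the site's own values.

```powershell
# Added example, not part of the STIG. Parameter defaults are assumptions.
param(
    [string]$BackupPath = 'D:\SCOMBackup\UnsealedMPs',  # hypothetical export location
    [int]$MaxAgeDays = 7                                 # hypothetical backup frequency
)

Import-Module OperationsManager -ErrorAction Stop

if (-not (Test-Path -LiteralPath $BackupPath -PathType Container)) {
    throw "Backup location '$BackupPath' does not exist."
}

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Unsealed packs hold the site's own configuration, so these are the ones to verify.
$unsealed = Get-SCOMManagementPack | Where-Object { -not $_.Sealed }

$report = foreach ($mp in $unsealed) {
    # Search recursively so dated subfolders are covered; keep the newest copy.
    $newest = Get-ChildItem -LiteralPath $BackupPath -Recurse -File -Filter "$($mp.Name).xml" |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

    $status = if (-not $newest) {
        'Missing'
    } elseif ($newest.LastWriteTime -lt $cutoff) {
        'Stale'
    } else {
        'Current'
    }

    [pscustomobject]@{
        ManagementPack = $mp.Name
        Status         = $status
        LastExport     = if ($newest) { $newest.LastWriteTime } else { $null }
        File           = if ($newest) { $newest.FullName } else { $null }
    }
}

$report | Sort-Object Status, ManagementPack | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or monitoring job flag the gap.
$failed = @($report | Where-Object { $_.Status -ne 'Current' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) unsealed management pack(s) lack a current export."
    exit 1
}
```

The script only confirms that exports reach disk; whether that location is itself backed up regularly still has to be verified in the backup tooling.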
Fix Text
The quickest solution available is to download the management pack referenced in this article and configure it accordingly: https://kevinholman.com/2017/07/07/scom-2012-and-2016-unsealed-mp-backup/ Ultimately, this is an organizational decision as to how the administrator would like to proceed.
Additional Identifiers
Rule ID: SV-237433r643945_rule
Vulnerability ID: V-237433
Group Title: SRG-APP-000516-NDM-000340
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
CCI-000537 | The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. |
CCI-000539 | The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives. |