Check: VCENTER-000012
VMware vCenter Server Version 5 STIG:
VCENTER-000012
(in versions v2 r1 through v1 r7)
Title
The vCenter Server administrative users must have the correct roles assigned. (Cat II impact)
Discussion
Administrative users must only be assigned privileges they require. Least Privilege requires that these privileges must only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss.
Check Content
Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users: Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. Go to "Home>> Administration>> Roles" and verify that a role exists for each of the administrator privilege sets the organization requires and allows. Right click on each Role name and select "Edit". Verify under "All Privileges>> Virtual Machines" that only site-specific, required checkboxes are selected. If the organization does not require roles for administrator privilege sets, this is a finding. If a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.
Fix Text
Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users. As a vCenter Server administrator, log into the vCenter Server with the vSphere Client. Go to "Home>> Administration>> Roles" and create a role for each of the administrator privilege sets the organization requires and allows. Right click on each role name and select "Edit". Verify under "All Privileges>> Virtual Machines" that only site-specific, required checkboxes are selected.
Additional Identifiers
Rule ID: SV-250732r799886_rule
Vulnerability ID: V-250732
Group Title: SRG-APP-000133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
Controls
Number | Title |
---|---|
CM-5 (6) |
Limit Library Privileges |