Check: VCTR-67-000064
VMware vSphere 6.7 vCenter STIG:
VCTR-67-000064
(in versions v1 r4 through v1 r1)
Title
The vCenter Server must restrict access to cryptographic permissions. (Cat II impact)
Discussion
These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.
Check Content
From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the "Privileges" button in the right pane. Verify that only the Administrator and any site-specific cryptographic group(s) have the following permissions:

- Cryptographic Operations privileges
- Global.Diagnostics
- Host.Inventory.Add host to cluster
- Host.Inventory.Add standalone host
- Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

```powershell
$roles = Get-VIRole
ForEach($role in $roles){
    $privileges = $role.PrivilegeList
    If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
        Write-Host "$role has Cryptographic privileges"
    }
}
```

If any role other than Administrator and any site-specific group(s) have any of these permissions, this is a finding.
Fix Text
From the vSphere Client, go to Administration >> Access Control >> Roles. Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than Administrator and any site-specific cryptographic group(s):

- Cryptographic Operations privileges
- Global.Diagnostics
- Host.Inventory.Add host to cluster
- Host.Inventory.Add standalone host
- Host.Local operations.Manage user groups
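The following PowerCLI script is an added example, not part of the STIG's check or fix text. It covers both the check (report which roles hold the restricted privileges) and the fix (remove them with `Set-VIRole`, previewed with `-WhatIf`). It differs from the check's one-liner in three ways: it skips Administrator and an allowlist of site-specific cryptographic roles instead of printing every role, it matches privilege IDs with anchored regular expressions rather than the `"Crypto*"` pattern (which as a regex means "Crypt" followed by any number of "o"), and it emits objects that can be exported as assessment evidence. The role name `SITE-CryptoAdmins` is a placeholder, and the privilege IDs listed are assumed to be the PowerCLI/vSphere IDs corresponding to the display names in the check; confirm them against `Get-VIPrivilege` output in your environment. An active `Connect-VIServer` session is assumed.

```powershell
# Added example (not STIG text): audit vCenter roles for VCTR-67-000064 and
# optionally remediate. Assumes an active Connect-VIServer session.
param(
    # Placeholder names: replace 'SITE-CryptoAdmins' with the site's own
    # cryptographic administrator role(s). Administrator is always exempt.
    [string[]]$ApprovedRoles = @('Administrator', 'SITE-CryptoAdmins'),
    # Without -Remediate the script only reports; with it, Set-VIRole runs
    # under -WhatIf so the change is previewed before it is applied.
    [switch]$Remediate
)

# Privilege IDs assumed to match the display names in the check.
# Anchored regexes avoid accidental matches on unrelated privileges.
$RestrictedPrivilegeIds = @(
    '^Cryptographer\.',                     # all "Cryptographic Operations" privileges
    '^Global\.Diagnostics$',                # Global.Diagnostics
    '^Host\.Inventory\.AddHostToCluster$',  # Host.Inventory.Add host to cluster
    '^Host\.Inventory\.AddStandaloneHost$', # Host.Inventory.Add standalone host
    '^Host\.Local\.ManageUserGroups$'       # Host.Local operations.Manage user groups
)

$findings = foreach ($role in Get-VIRole) {
    # Approved roles are allowed to hold these privileges; skip them.
    if ($ApprovedRoles -contains $role.Name) { continue }

    # Get-VIPrivilege returns privilege objects with an Id and a display Name.
    # Capture $_.Id before the inner pipeline overwrites $_.
    $hits = Get-VIPrivilege -Role $role | Where-Object {
        $id = $_.Id
        $RestrictedPrivilegeIds | Where-Object { $id -match $_ }
    }

    if ($hits) {
        # One object per offending role; export with Export-Csv as evidence.
        [pscustomobject]@{
            Role       = $role.Name
            Privileges = ($hits.Id -join ', ')
            Finding    = $true
        }
        if ($Remediate) {
            # Remove only the restricted privileges, leaving the rest of the
            # role intact. Drop -WhatIf once the preview has been reviewed.
            Set-VIRole -Role $role -RemovePrivilege $hits -WhatIf
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No finding: only approved roles hold the restricted privileges.'
}
```

Run it read-only first (`.\Audit-CryptoRoles.ps1`) and compare the reported roles with the site's documented cryptographic administrator group(s); any role on the list that is not documented is the finding this check describes. Only then rerun with `-Remediate`, review the `-WhatIf` output, and remove the switch from the `Set-VIRole` call to apply the change.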
Additional Identifiers
Rule ID: SV-243119r879887_rule
Vulnerability ID: V-243119
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings