Check: ESX0760
VMware ESX 3 Policy: ESX0760 (in version v1 r2)
Title
Users assigned to VirtualCenter groups are not documented. (Cat III impact)
Discussion
Ensuring privileged group membership is controlled requires updates to group documentation and periodic reviews to determine that unauthorized users are not members. If an unauthorized user is able to gain membership to the Database Administrator group, Virtual Machine Administrator group, or the Resource Administrator group, etc., that user would be able to display, add, or change permissions to objects that could impact the confidentiality, integrity, or availability of an entire virtualization structure.
Check Content
Request a copy of the VirtualCenter group documentation listing the users in the following groups: Database Administrators, Virtual Machine Administrators, Resource Pool Administrators, ESX Administrators, Virtual Machine Power Users, and All Custom Roles. If documentation cannot be produced, this is a finding. Compare the documentation to the actual users assigned in the groups. If there are discrepancies, this is a finding.
Fix Text
Document all the users assigned to all VirtualCenter groups.
Additional Identifiers
Rule ID: SV-16816r1_rule
Vulnerability ID: V-15875
Group Title: VirtualCenter groups are not documented
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |