Check: ESX0800
VMware ESX 3 Policy: ESX0800 (in version v1 r2)
Title
There is no VirtualCenter baseline configuration document for users, groups, permissions, and roles. (Cat II impact)
Discussion
When users or groups are paired with permissions on an object, a role is defined for those users and groups. VirtualCenter defines two default types of roles, called System roles and Sample roles. System roles are permanent, and the permissions associated with these roles cannot be changed. Sample roles are provided for convenience as guidelines and suggestions; these roles may be modified or removed. Situations may arise in VirtualCenter where a user is a member of multiple groups with different permissions, or where user permissions are explicitly defined while the user is also a member of different groups. These situations can create confusion, and permissions that were thought to be limited might actually be elevated. Furthermore, all changes take effect immediately, without requiring users to log off and log back in. Therefore, all users, groups, permissions, and roles will be documented and approved to ensure proper permissions are granted only to authorized users.
Check Content
Request a copy of the baseline configuration document for all VirtualCenter users, groups, permissions, and roles. If the document is incomplete or does not exist, this is a finding.
Fix Text
Create a baseline configuration document for all VirtualCenter users, groups, permissions, and roles.
Additional Identifiers
Rule ID: SV-16820r1_rule
Vulnerability ID: V-15879
Group Title: No VirtualCenter baseline configuration document
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |