VCENTER-000023 - A least-privileges assignment must be used for the vCenter Server database user.

Information

Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server as noted below.

Grant the following permissions to the vCenter user in the vCenter database:
GRANT ALTER ON SCHEMA :: <schema> to <user>;
GRANT REFERENCES ON SCHEMA :: <schema> to <user>;
GRANT INSERT ON SCHEMA :: <schema> to <user>;
GRANT CREATE TABLE to <user>;
GRANT CREATE VIEW to <user>;
GRANT CREATE Procedure to <user>;

Grant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.
GRANT SELECT on msdb.dbo.syscategories to <user>;
GRANT SELECT on msdb.dbo.sysjobsteps to <user>;
GRANT SELECT ON msdb.dbo.sysjobs to <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_update_job TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_category TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO <user>;
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO <user>;

For Oracle, either assign the DBA role or grant the following permissions to the user.
grant connect to <user>
grant resource to <user>
grant create view to <user>
grant create materialized view to <user>
grant execute on dbms_job to <user>
grant execute on dbms_lock to <user>
grant unlimited tablespace to <user>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_vCenter_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39561, Rule-ID|SV-250742r799916_rule, STIG-ID|VCENTER-000023, STIG-Legacy|SV-51419, STIG-Legacy|V-39561, Vuln-ID|V-250742

Plugin: VMware

Control ID: d018fc04de6b5f9f9a21cf9dc8c5f6333a2e91b4649623c2ee00211f07e0f3ac