VCENTER-000024 - A least-privileges assignment must be used for the Update Manager database user.

Information

Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For Oracle DB normal runtime operation, set the following permissions.
Create session
create any table
drop any table

For SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for the Update Manager database.

Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_vCenter_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39562, Rule-ID|SV-250743r799919_rule, STIG-ID|VCENTER-000024, STIG-Legacy|SV-51420, STIG-Legacy|V-39562, Vuln-ID|V-250743

Plugin: VMware

Control ID: 50ac512e6ec64de422ffd496757ca75f41682ff56dd582ea50de088645481f15