VCTR-67-000033 - The vCenter Server must use a least-privileges assignment for the vCenter Server database user.

Information

Least privileges mitigate attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure correct permissions and roles for SQL:

Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database:

Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, VIEW, and CREATE PROCEDURES

Grant these privileges to a vCenter database user role:

SELECT, INSERT, DELETE, UPDATE, and EXECUTE

EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.

SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.

Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user.

For more information, refer to the following website: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-66638880-75B5-446E-BD8C-0230FECF60E0.html

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243095r879887_rule, STIG-ID|VCTR-67-000033, Vuln-ID|V-243095

Plugin: VMware

Control ID: f16dc8f6b468e6d1dac4d3dbbc85b4e3a6ac7375f3aaf4e6a3a94e15cc921b1c