STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021: STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:SV-243095r719528_rule
V-243095
SRG-APP-000516
VCTR-67-000033
CAT II
10
Configure correct permissions and roles for SQL:
Grant these privileges to a vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, VIEW, and CREATE PROCEDURES
Grant these privileges to a vCenter database user role:
SELECT, INSERT, DELETE, UPDATE, and EXECUTE
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.
Grant the permissions VIEW SERVER STATE and VIEW ANY DEFINITIONS to the vCenter database user.
For more information, refer to the following website: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-66638880-75B5-446E-BD8C-0230FECF60E0.html
Note: For vCenter Server Appliance, this is not applicable.
Verify that only the following permissions are allowed on the vCenter database for the following roles and users.
vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions: ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE
vCenter database user role:
Schema permissions: SELECT, INSERT, DELETE, UPDATE, and EXECUTE
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.
vCenter database user:
VIEW SERVER STATE and VIEW ANY DEFINITIONS.
Equivalent permissions must be set for non-MSSQL databases.
If the above database permissions are not set correctly, this is a finding.
If the database user role is not assigned to the database account after installation, this is a finding.
If the embedded Postgres database is used, this finding is not applicable.
For more information, refer to the following website: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-66638880-75B5-446E-BD8C-0230FECF60E0.html
V-243095
False
VCTR-67-000033
Note: For vCenter Server Appliance, this is not applicable.
Verify that only the following permissions are allowed on the vCenter database for the following roles and users.
vCenter database administrator role used only for initial setup and periodic maintenance of the database:
Schema permissions: ALTER, REFERENCES, and INSERT.
Permissions CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE
vCenter database user role:
Schema permissions: SELECT, INSERT, DELETE, UPDATE, and EXECUTE
EXECUTE permissions on sp_add_job, sp_delete_job, sp_add_jobstep, sp_update_job, sp_add_jobserver, sp_add_jobschedule, and sp_add_category stored procedures.
SELECT permission on syscategories, sysjobsteps, sysjobs_view, and sysjobs tables.
vCenter database user:
VIEW SERVER STATE and VIEW ANY DEFINITIONS.
Equivalent permissions must be set for non-MSSQL databases.
If the above database permissions are not set correctly, this is a finding.
If the database user role is not assigned to the database account after installation, this is a finding.
If the embedded Postgres database is used, this finding is not applicable.
For more information, refer to the following website: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-66638880-75B5-446E-BD8C-0230FECF60E0.html
M
5399