UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege.


Overview

Finding ID Version Rule ID IA Controls Severity
V-237425 SCOM-AC-000003 SV-237425r643921_rule High
Description
The Microsoft SCOM privileged Run As accounts are used to execute work flow tasks on target endpoints. A SCOM Run As account must only have the level of privileges required to perform the defined SCOM actions. An account with full administrative (SUDO) privileges could be used to breach security boundaries and compromise the endpoint.
STIG Date
Microsoft SCOM Security Technical Implementation Guide 2021-03-15

Details

Check Text ( C-40644r643919_chk )
If the Microsoft SCOM environment is not used to monitor Linux/UNIX endpoints, this check is Not Applicable.

Review the account permission settings on the SCOM Management server.

Log on to a subset of Linux or UNIX servers being monitored by SCOM and look at the Sudoers file. Verify that the SCOM account does not have Sudo all permissions. Alternatively, the following command can be run from the machine "sudo -l -U ".

If any Run As account used for Linux\UNIX endpoint management has the SUDO ALL permissions, this is a finding.
Fix Text (F-40607r643920_fix)
Configure the permissions on the Run As accounts used on Linux/UNIX endpoints to remove the SUDO ALL permissions. This will be dependent on the specific versions and flavor of the Linux/UNIX operating systems in question.

Microsoft's least privilege recommendations for supported versions can be found at the following location: https://social.technet.microsoft.com/wiki/contents/articles/7375.scom-configuring-sudo-elevation-for-UNIX-and-linux-monitoring.aspx.