Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216883 | VCWN-65-000064 | SV-216883r612237_rule | Medium |
Description |
---|
These permissions must be reserved for cryptographic administrators where VM encryption and/or vSAN encryption is in use. Catastrophic data loss can result from a poorly administered cryptography. |
STIG | Date |
---|---|
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2021-06-23 |
Check Text ( C-18114r366363_chk ) |
---|
From the vSphere Web Client go to Administration >> Access Control >> Roles Highlight each role and click the pencil button if it is enabled. Verify that only the "Administrator" and any site-specific cryptographic group(s) have the following permissions: Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups or From a PowerCLI command prompt while connected to the vCenter server run the following command: $roles = Get-VIRole ForEach($role in $roles){ $privileges = $role.PrivilegeList If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){ Write-Host "$role has Cryptographic privileges" } } If any role other than "Administrator" or any site-specific group(s) have any of these permissions, this is a finding. |
Fix Text (F-18112r366364_fix) |
---|
From the vSphere Web Client go to Administration >> Access Control >> Roles Highlight each role and click the pencil button if it is enabled. Remove the following permissions from any group other than Administrator and any site-specific cryptographic group(s): Cryptographic Operations privileges Global.Diagnostics Host.Inventory.Add host to cluster Host.Inventory.Add standalone host Host.Local operations.Manage user groups |