A least-privileges assignment must be used for the Update Manager database user.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39562 | VCENTER-000024 | SV-51420r1_rule | Medium |
| Description |
|---|
| Least-privileges mitigates attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation. |
| STIG | Date |
|---|---|
| VMware vCenter Server Version 5 Security Technical Implementation Guide | 2013-12-18 |
Details
| Check Text ( C-46787r1_chk ) |
|---|
| Verify only the following permissions are allowed to the VUM DB user after installation. For Oracle DB normal operation, only the following permissions are required. Create session create any table drop any table For SQL Server DB normal operation, the dba_owner role or sysadmin role can be removed from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding. |
| Fix Text (F-44575r1_fix) |
|---|
| For Oracle DB normal runtime operation, set the following permissions. Create session create any table drop any table For SQL Server DB normal runtime operation remove/delete the dba_owner role or sysadmin role from the MSDB database. The dba_owner role or sysadmin role is still required for normal operation by the Update Manager database. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations. |