UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256337 VCSA-70-000123 SV-256337r885622_rule Medium
Description
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain much be alerted on in vCenter at a minimum and ideally on a Security Information and Event Management (SIEM) system as well. To ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the "com.vmware.sso.PrincipalManagement" event ID and configure the alert mechanisms appropriately. Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320
STIG Date
VMware vSphere 7.0 vCenter Security Technical Implementation Guide 2023-12-21

Details

Check Text ( C-60012r885620_chk )
From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Alarm Definitions.

Verify an alarm has been created to alert upon all SSO account actions.

The alarm name may vary, but it is suggested to name it "SSO account actions - com.vmware.sso.PrincipalManagement".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "com.vmware.sso.PrincipalManagement"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}

If an alarm is not created to alert on SSO account actions, this is a finding.
Fix Text (F-59955r885621_fix)
From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Alarm Definitions.

Click "Add".

Provide the alarm name of "SSO account actions - com.vmware.sso.PrincipalManagement" and an optional description.

From the "Target type" drop-down menu, select "vCenter Server".

Click "Next".

Paste "com.vmware.sso.PrincipalManagement" (without quotes) in the line after "IF" and press "Enter".

Next to "Trigger the alarm and", select "Show as Warning".

Configure the desired notification actions that will inform the SA and ISSO of the event.

Click "Next". Click "Next" again. Click "Create".