Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256337 | VCSA-70-000123 | SV-256337r885622_rule | Medium |
Description |
---|
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain much be alerted on in vCenter at a minimum and ideally on a Security Information and Event Management (SIEM) system as well. To ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the "com.vmware.sso.PrincipalManagement" event ID and configure the alert mechanisms appropriately. Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320 |
STIG | Date |
---|---|
VMware vSphere 7.0 vCenter Security Technical Implementation Guide | 2023-12-21 |
Check Text ( C-60012r885620_chk ) |
---|
From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Security >> Alarm Definitions. Verify an alarm has been created to alert upon all SSO account actions. The alarm name may vary, but it is suggested to name it "SSO account actions - com.vmware.sso.PrincipalManagement". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "com.vmware.sso.PrincipalManagement"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}} If an alarm is not created to alert on SSO account actions, this is a finding. |
Fix Text (F-59955r885621_fix) |
---|
From the vSphere Client, go to Host and Clusters. Select a vCenter Server >> Configure >> Security >> Alarm Definitions. Click "Add". Provide the alarm name of "SSO account actions - com.vmware.sso.PrincipalManagement" and an optional description. From the "Target type" drop-down menu, select "vCenter Server". Click "Next". Paste "com.vmware.sso.PrincipalManagement" (without quotes) in the line after "IF" and press "Enter". Next to "Trigger the alarm and", select "Show as Warning". Configure the desired notification actions that will inform the SA and ISSO of the event. Click "Next". Click "Next" again. Click "Create". |