UCF STIG Viewer Logo

The vCenter Server must restrict access to cryptographic permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258952 VCSA-80-000285 SV-258952r1003608_rule Medium
Description
These permissions must be reserved for cryptographic administrators where virtual machine encryption and/or vSAN encryption is in use. Catastrophic data loss can result from poorly administered cryptography.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62692r1003607_chk )
By default, there are five roles that contain cryptographic related permissions: Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, VMOperator Controller Manager, and vSphere Kubernetes Manager.

From the vSphere Client, go to Administration >> Access Control >> Roles.

Highlight each role and click the "Privileges" button in the right pane.

Verify that only the Administrator, No Trusted Infrastructure Administrator, vCLSAdmin, and vSphere Kubernetes Manager and any site-specific cryptographic roles have the following permissions:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$roles = Get-VIRole
ForEach($role in $roles){
$privileges = $role.PrivilegeList
If($privileges -match "Crypto*" -or $privileges -match "Global.Diagnostics" -or $privileges -match "Host.Inventory.Add*" -or $privileges -match "Host.Local operations.Manage user groups"){
Write-Host "$role has Cryptographic privileges"
}
}

If any role other than the five default roles contain the permissions listed above and is not authorized to perform cryptographic related operations, this is a finding.
Fix Text (F-62601r934513_fix)
From the vSphere Client, go to Administration >> Access Control >> Roles.

Highlight the target custom role and click "Edit".

Remove the following permissions from any custom role that is not authorized to perform cryptographic related operations:

Cryptographic Operations privileges
Global.Diagnostics
Host.Inventory.Add host to cluster
Host.Inventory.Add standalone host
Host.Local operations.Manage user groups