The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258956	VCSA-80-000290	SV-258956r961863_rule		Medium

Description
vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named "sso-user" as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process. To force accountability and nonrepudiation, the SSO group "SystemConfiguration.BashShellAdministrators" must be severely restricted.

Description

vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named "sso-user" as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process. To force accountability and nonrepudiation, the SSO group "SystemConfiguration.BashShellAdministrators" must be severely restricted.

STIG	Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide	2024-07-11

Details

Check Text ( C-62696r934524_chk )
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the "SystemConfiguration.BashShellAdministrators" group appears. Click "SystemConfiguration.BashShellAdministrators". Review the members of the group and ensure that only authorized accounts are present. Note: By default the Administrator and a unique service account similar to "vmware-applmgmtservice-714684a4-342f-4eff-a232-cdc21def00c2" will be in the group and should not be removed. If there are any accounts present as members of SystemConfiguration.BashShellAdministrators that are not authorized, this is a finding.

Check Text ( C-62696r934524_chk )

From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.

Click the next page arrow until the "SystemConfiguration.BashShellAdministrators" group appears.

Click "SystemConfiguration.BashShellAdministrators".

Review the members of the group and ensure that only authorized accounts are present.

Note: By default the Administrator and a unique service account similar to "vmware-applmgmtservice-714684a4-342f-4eff-a232-cdc21def00c2" will be in the group and should not be removed.

If there are any accounts present as members of SystemConfiguration.BashShellAdministrators that are not authorized, this is a finding.

Fix Text (F-62605r934525_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups. Click the next page arrow until the "SystemConfiguration.BashShellAdministrators" group appears. Click "SystemConfiguration.BashShellAdministrators". Click the three vertical dots next to the name of each unauthorized account. Select "Remove Member".