Information
vCenter SSO integrates with PAM in the underlying Photon operating system so members of the 'SystemConfiguration.BashShellAdministrators' SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named 'sso-user' as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process.
To force accountability and nonrepudiation, the SSO group 'SystemConfiguration.BashShellAdministrators' must be severely restricted.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.
Click the next page arrow until the 'SystemConfiguration.BashShellAdministrators' group appears.
Click 'SystemConfiguration.BashShellAdministrators'.
Click the three vertical dots next to the name of each unauthorized account.
Select 'Remove Member'.
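A way to audit the group's membership against an approved list before removing members, as an added example that is not part of the STIG text or of any VMware tooling. It assumes the membership listing comes from `dir-cli group list --name SystemConfiguration.BashShellAdministrators` run on the appliance, that each member appears on a line starting with `Member:` (an assumed format; adjust the sed pattern to what your appliance actually prints), and that `ALLOWED_MEMBERS` holds the accounts your organization has approved. The embedded listing is constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: check SystemConfiguration.BashShellAdministrators membership
# against an allowlist and report anyone who should be removed.
#
# Live membership on the VCSA can be captured with (assumption: run from the
# appliance shell; prompts for the SSO administrator password):
#   /usr/lib/vmware-vmafd/bin/dir-cli group list \
#       --name SystemConfiguration.BashShellAdministrators > members.txt
# The functions below work on that text, so they run equally on a saved copy.

# Accounts approved to hold bash-shell access (assumption; edit for your site).
ALLOWED_MEMBERS="Administrator"

# Constructed sample listing; "Member: <name>" line format is assumed.
SAMPLE_LISTING='Listing members for group SystemConfiguration.BashShellAdministrators
Member: Administrator
Member: jdoe
Member: svc-backup'

# extract_members: print one member name per line from a listing on stdin.
extract_members() {
    sed -n 's/^Member:[[:space:]]*//p'
}

# unauthorized_members LISTING: print members absent from ALLOWED_MEMBERS.
unauthorized_members() {
    printf '%s\n' "$1" | extract_members | while IFS= read -r member; do
        allowed=0
        for ok in $ALLOWED_MEMBERS; do
            if [ "$member" = "$ok" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$member"
        fi
    done
}

# audit_group LISTING: return 0 when only approved members are present,
# 1 (with the offending names printed) otherwise.
audit_group() {
    extra=$(unauthorized_members "$1")
    if [ -n "$extra" ]; then
        printf 'FAIL: unauthorized members of SystemConfiguration.BashShellAdministrators:\n%s\n' "$extra"
        return 1
    fi
    echo "PASS: SystemConfiguration.BashShellAdministrators contains only approved members"
    return 0
}

# Run against the constructed sample; a real check would pass "$(cat members.txt)".
if audit_group "$SAMPLE_LISTING"; then
    echo "No action needed."
else
    echo "Remove the listed members: vSphere Client > Administration > Single Sign On > Users and Groups > Groups."
fi
```

The check is deliberately allowlist-based rather than denylist-based: the STIG requires the group to be severely restricted, so any member not explicitly approved is a finding, not only members known to be unauthorized.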