The vCenter Server must limit membership to the "SystemConfiguration.BashShellAdministrators" Single Sign-On (SSO) group.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258956 | VCSA-80-000290 | SV-258956r934526_rule | CCI-000366 | medium |
| Description | ||||
| vCenter SSO integrates with PAM in the underlying Photon operating system so members of the "SystemConfiguration.BashShellAdministrators" SSO group can log on to the operating system without needing a separate account. However, even though unique SSO users log on, they are transparently using a group account named "sso-user" as far as Photon auditing is concerned. While the audit trail can still be traced back to the individual SSO user, it is a more involved process. To force accountability and nonrepudiation, the SSO group "SystemConfiguration.BashShellAdministrators" must be severely restricted. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Security Technical Implementation Guide | 2023-10-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-258956r934526_chk)
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.
Click the next page arrow until the "SystemConfiguration.BashShellAdministrators" group appears.
Click "SystemConfiguration.BashShellAdministrators".
Review the members of the group and ensure that only authorized accounts are present.
Note: By default the Administrator and a unique service account similar to "vmware-applmgmtservice-714684a4-342f-4eff-a232-cdc21def00c2" will be in the group and should not be removed.
If there are any accounts present as members of SystemConfiguration.BashShellAdministrators that are not authorized, this is a finding.
Fix Text (F-62605r934525_fix)
From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Groups.
Click the next page arrow until the "SystemConfiguration.BashShellAdministrators" group appears.
Click "SystemConfiguration.BashShellAdministrators".
Click the three vertical dots next to the name of each unauthorized account.
Select "Remove Member".