STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

The vCenter Server for Windows must use a least-privileges assignment for the Update Manager database user.

DISA Rule

SV-216854r612237_rule

Vulnerability Number

V-216854

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000032

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For Oracle DB normal runtime operation, set the following permissions.
grant connect to vumAdmin;
grant resource to vumAdmin;
grant create any job to vumAdmin;
grant create view to vumAdmin;
grant create any sequence to vumAdmin;
grant create any table to vumAdmin;
grant lock any table to vumAdmin;
grant create procedure to vumAdmin;
grant create type to vumAdmin;
grant execute on dbms_lock to vumAdmin;
-- To ensure space limitation is not an issue
grant unlimited tablespace to vumAdmin;

For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database.

The db_owner role on the MSDB database is required for installation and upgrade only.

Note: While these settings are current, always check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.

Check Contents

Verify only the following permissions are allowed to the VUM database user.

For Oracle DB normal operation, only the following permissions are required.
grant connect to vumAdmin;
grant resource to vumAdmin;
grant create any job to vumAdmin;
grant create view to vumAdmin;
grant create any sequence to vumAdmin;
grant create any table to vumAdmin;
grant lock any table to vumAdmin;
grant create procedure to vumAdmin;
grant create type to vumAdmin;
grant execute on dbms_lock to vumAdmin;
-- To ensure space limitation is not an issue
grant unlimited tablespace to vumAdmin;

For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database.

The db_owner role on the MSDB database is required for installation and upgrade only.

If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.
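
One way to run the Oracle part of this check, as an added example that is not part of the STIG text: the query compares the grants held by the VUM database user against the list above and reports the differences. It assumes the account is stored under the name VUMADMIN, that DBMS_LOCK is owned by SYS, and that the reviewer can read the DBA_* dictionary views.

```sql
-- Added example, not STIG text. Assumes the account is stored as VUMADMIN
-- and the reviewer can query the DBA_* dictionary views.
-- Only direct grants are compared; privileges inherited through the
-- CONNECT and RESOURCE roles are not expanded.
WITH allowed AS (
  SELECT 'ROLE' AS kind, 'CONNECT' AS name    FROM dual UNION ALL
  SELECT 'ROLE',   'RESOURCE'                 FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE ANY JOB'           FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE VIEW'              FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE ANY SEQUENCE'      FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE ANY TABLE'         FROM dual UNION ALL
  SELECT 'SYSTEM', 'LOCK ANY TABLE'           FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE PROCEDURE'         FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE TYPE'              FROM dual UNION ALL
  SELECT 'SYSTEM', 'UNLIMITED TABLESPACE'     FROM dual UNION ALL
  SELECT 'OBJECT', 'EXECUTE ON SYS.DBMS_LOCK' FROM dual
),
actual AS (
  SELECT 'ROLE' AS kind, granted_role AS name
    FROM dba_role_privs WHERE grantee = 'VUMADMIN'
  UNION ALL
  SELECT 'SYSTEM', privilege
    FROM dba_sys_privs WHERE grantee = 'VUMADMIN'
  UNION ALL
  SELECT 'OBJECT', privilege || ' ON ' || owner || '.' || table_name
    FROM dba_tab_privs WHERE grantee = 'VUMADMIN'
)
-- EXTRA: held by the account but not in the allowed list (a finding).
SELECT a.kind, a.name, 'EXTRA' AS status
  FROM actual a
 WHERE NOT EXISTS (SELECT 1 FROM allowed l
                    WHERE l.kind = a.kind AND l.name = a.name)
UNION ALL
-- MISSING: in the allowed list but not granted directly to the account.
SELECT l.kind, l.name, 'MISSING'
  FROM allowed l
 WHERE NOT EXISTS (SELECT 1 FROM actual a
                    WHERE a.kind = l.kind AND a.name = l.name)
 ORDER BY 3, 1, 2;
```

An empty result means the direct grants match the list exactly; any EXTRA row is a grant beyond what this check allows.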

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4030

Comments