STIGQter: STIG Summary: VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

The vCenter Server for Windows must alert administrators on permission deletion operations.

DISA Rule

SV-216868r612237_rule

Vulnerability Number

V-216868

Group Title

SRG-APP-000275

Rule Version

VCWN-65-000049

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Web Client, select the vCenter server at the top of the hierarchy and go to >> Alarms >> Definitions. Right-click in the empty space and select "New Alarm". On the "General" tab, provide an alarm name and description, select "vCenter Server" for alarm type and "Monitor for specific events occurring on this object", and check "Enable this alarm". On the "Triggers" tab, click "Add" for a trigger, enter "vim.event.PermissionRemovedEvent" in the event column, and click "OK".

Check Contents

From the vSphere Web Client go to Host and Clusters >> Select a vCenter Server >> Monitor >> Issues >> Alarm Definitions.

Verify there is an alarm created to alert on permission deletions.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "vim.event.PermissionRemovedEvent"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}

If an alarm is not created to alert on permission deletion events, this is a finding.
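
The PowerCLI check above, wrapped as an added example (not part of the STIG text) that returns a finding status instead of a bare list. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function name, the status labels and the treatment of a disabled alarm as open are choices made for this example.

```powershell
# Added example: evaluates the VCWN-65-000049 check and returns a status object.
# Assumes an existing PowerCLI session (Connect-VIServer already run).
function Test-PermissionRemovedAlarm {
    [CmdletBinding()]
    param(
        # Event type taken from the fix text of this rule.
        [string]$EventTypeId = 'vim.event.PermissionRemovedEvent'
    )

    # Find every alarm definition with a trigger on the event type.
    $matching = @(Get-AlarmDefinition | Where-Object {
        $top = $_.ExtensionData.Info.Expression
        # Triggers normally sit inside an Or/And expression (the path the
        # STIG command reads); fall back to the top-level expression if not.
        $leaves = if ($top.Expression) { $top.Expression } else { $top }
        @($leaves.EventTypeId) -contains $EventTypeId
    })

    if ($matching.Count -eq 0) {
        return [pscustomobject]@{
            Status = 'Open'
            Reason = "No alarm definition triggers on $EventTypeId."
            Alarms = @()
        }
    }

    # Assumption of this example: the fix text says to check "Enable this
    # alarm", so an alarm that exists but is disabled is reported as open.
    $enabled = @($matching | Where-Object { $_.Enabled })
    if ($enabled.Count -eq 0) {
        return [pscustomobject]@{
            Status = 'Open'
            Reason = 'Matching alarm(s) exist but none are enabled.'
            Alarms = $matching.Name
        }
    }

    [pscustomobject]@{
        Status = 'NotAFinding'
        Reason = "Enabled alarm present for $EventTypeId."
        Alarms = $enabled.Name
    }
}

Test-PermissionRemovedAlarm | Format-List
```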

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4030

Comments