1. Home
  2. Security Hardening
  3. DISA STIG VMware ESXi VCenter 5 STIG V2R1
  4. VCENTER-000023 – A least-privileges assignment must be used for the vCenter Server database user.
Searching...

VCENTER-000023 – A least-privileges assignment must be used for the vCenter Server database user.

Details

Least-privileges mitigates attacks if the vCenter database account is compromised. vCenter requires very specific privileges on the database. Privileges normally required only for installation and upgrade must be removed for/during normal operation. These privileges may be reinstated if/when any future upgrade must be performed.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set the runtime privileges needed for the current vCenter state, on either Oracle or Microsoft SQL Server as noted below.

Grant the following permissions to the vCenter user in the vCenter database:
GRANT ALTER ON SCHEMA :: to ;
GRANT REFERENCES ON SCHEMA :: to ;
GRANT INSERT ON SCHEMA :: to ;
GRANT CREATE TABLE to ;
GRANT CREATE VIEW to ;
GRANT CREATE Procedure to ;

Grant the following permissions to the user in the MSDB database. Note that the msdb database is used by SQL Server Agent for scheduling alerts and jobs.
GRANT SELECT on msdb.dbo.syscategories to ;
GRANT SELECT on msdb.dbo.sysjobsteps to ;
GRANT SELECT ON msdb.dbo.sysjobs to ;
GRANT EXECUTE ON msdb.dbo.sp_add_job TO ;
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO ;
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO ;
GRANT EXECUTE ON msdb.dbo.sp_update_job TO ;
GRANT EXECUTE ON msdb.dbo.sp_add_category TO ;
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO ;
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO ;

For Oracle, either assign the DBA role or grant the following permissions to the user.
grant connect to
grant resource to
grant create view to
grant create materialized view to
grant execute on dbms_job to
grant execute on dbms_lock to
grant unlimited tablespace to

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.

References

Source

Updated on July 16, 2022
Was this article helpful?
Yes No

Related Articles