Details
Least-privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
For Oracle DB normal runtime operation, set the following permissions.
grant connect to vumAdmin
grant resource to vumAdmin
grant create any job to vumAdmin
grant create view to vumAdmin
grant create any sequence to vumAdmin
grant create any table to vumAdmin
grant lock any table to vumAdmin
grant create procedure to vumAdmin
grant create type to vumAdmin
grant execute on dbms_lock to vumAdmin
grant unlimited tablespace to vumAdmin
# To ensure space limitation is not an issue
For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database.
The db_owner role on the MSDB database is required for installation and upgrade only.
Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-216854r612237_rule
- STIG-ID|VCWN-65-000032
- STIG-Legacy|SV-104603
- STIG-Legacy|V-94773
- Vuln-ID|V-216854