1 Reply Latest reply on Jan 26, 2012 2:17 PM by gammann

    How to verify VSH07

    geekinabox Enthusiast

      Looking to add some verification of VSH07 to my environment.  Basically it involves looking for a message in a log file on vCenter.

      Problem is: they do not specify which file to monitor (they just provide a link to a list of 'all log files'), nor do they give an example of what the message should look like.

      To monitor I need to know where to go and what to look for.  Can anyone provide any help here?

      Thanks.

      Here are additional details from the 4.1 Hardening Guide:

      During a restart of vCenter Server, if the user or user group that is assigned Administrator Role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, this results in a situation that should be rectified by re-establishing a legitimate administrator account.

      Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a

      Any time that vCenter Server restarts, the log file should be scanned to ensure that no privileges were re-assigned.

        • 1. Re: How to verify VSH07
          gammann Lurker

          Not sure if you found this yet, as the post is a couple of months old.  I just did some testing and here is what I found.

          When the vCenter server boots (or I assume a restart of the services), if it can't find the user or group that is assigned to the Administrator role, it will delete that user/group and grant the local Administrators group for the Windows server the Administrators role.

          I found an entry in the vpxd-nnn.log:

          [YYYY-MM-DD HH:MM:SS.XXX 01312 info 'Libs'] [ADS] Failed to lookup account DOMAIN\Account (err: 1332, [16,256])
          [YYYY-MM-DD HH:MM:SS.XXX 01312 error 'App'] Removing invalid permission 19: user DOMAIN\Account not found
          [YYYY-MM-DD HH:MM:SS.XXX 01312 warning 'App'] Removing permission for entity "group-X", group "DOMAIN\Account", role -1.  Reason: User or group not found.

          I found some other log entries that also looked like they identified the issue, but it was in the log both when my domain group didn't exist, and when it did:

          [YYYY-MM-DD HH:MM:SS.XXX 01312 info 'App'] [GetLdapAdmin] No admin user set.  Checking if 'Administrators' is part of LDAP admin list
          [YYYY-MM-DD HH:MM:SS.XXX 01312 info 'App'] [VpxdLdap] Successfully retrieved LDAP admin principal.

          There was also an entry in the Windows Application Log raising the event that my group was removed:

          Log Name: Application
          Source: VMWare VirtualCenter Server
          Date: M/DD/YYYY H:MM:SS PM
          Event ID: 1000
          Task Category: None
          Level: Warning
          Keywords: Classic
          User: N/A
          Computer: [vCenter Server]
          Description:  Removing permission for entity "group-X", group "DOMAIN\Account", role -1.  Reason: User or group not found.
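An added example, not from either post in this thread, of the log check the Hardening Guide asks for: it scans vpxd.log lines for the "Removing permission for entity ..." warning gammann quoted and pulls out the entity, principal and role. The sample log, the CORP\vc-admins group, the entity id and the function names are my own constructions; the GetLdapAdmin lines are included only to show they are not matched.

```python
import re

# Regex for the vpxd.log warning quoted in the reply above; the message text is
# taken verbatim from that line, the capture-group names are my own.
REMOVAL_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+) \d+ (?P<level>\w+) '(?P<comp>[^']+)'\] "
    r"Removing permission for entity \"(?P<entity>[^\"]+)\", "
    r"(?P<kind>user|group) \"(?P<principal>[^\"]+)\", role (?P<role>-?\d+)\.\s*"
    r"Reason: (?P<reason>.+?)\.?$"
)


def find_removed_permissions(lines):
    """Return one dict per line on which vpxd reports dropping a permission.

    The 'GetLdapAdmin' / 'VpxdLdap' lines are deliberately not matched: the
    reply above notes they appear whether or not the principal resolved.
    """
    hits = []
    for line in lines:
        m = REMOVAL_RE.match(line.rstrip("\r\n"))
        if m:
            hits.append(m.groupdict())
    return hits


def scan_vpxd_log(path):
    """Scan a real vpxd log file (e.g. after a vCenter service restart)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_removed_permissions(fh)


# Constructed sample modelled on the entries quoted in the reply; timestamps,
# process id, entity id and the CORP\vc-admins group are made up.
SAMPLE_LOG = r"""[2012-01-20 08:15:01.123 01312 info 'Libs'] [ADS] Failed to lookup account CORP\vc-admins (err: 1332, [16,256])
[2012-01-20 08:15:01.125 01312 error 'App'] Removing invalid permission 19: user CORP\vc-admins not found
[2012-01-20 08:15:01.127 01312 warning 'App'] Removing permission for entity "group-d1", group "CORP\vc-admins", role -1.  Reason: User or group not found.
[2012-01-20 08:15:02.000 01312 info 'App'] [GetLdapAdmin] No admin user set.  Checking if 'Administrators' is part of LDAP admin list
[2012-01-20 08:15:02.010 01312 info 'App'] [VpxdLdap] Successfully retrieved LDAP admin principal.
"""

if __name__ == "__main__":
    for hit in find_removed_permissions(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']}: {hit['kind']} {hit['principal']} lost role "
              f"{hit['role']} on {hit['entity']} ({hit['reason']})")
```

Any hit after a restart means the root-folder Administrator permission was dropped and the local Windows Administrators group now holds the role, which is the condition VSH07 says to rectify.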