
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-256337

CAT II (Medium)

The vCenter Server must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, on every Single Sign-On (SSO) account action.

Rule ID

SV-256337r885622_rule

STIG

VMware vSphere 7.0 vCenter Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002132

Discussion

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. They may also try to hijack an existing account by changing a password or enabling a previously disabled account. Therefore, all actions performed on accounts in the SSO domain must be alerted on in vCenter at a minimum and ideally on a Security Information and Event Management (SIEM) system as well. To ensure the appropriate personnel are alerted about SSO account actions, create a new vCenter alarm for the "com.vmware.sso.PrincipalManagement" event ID and configure the alert mechanisms appropriately.

Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320

Check Content

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Alarm Definitions.

Verify an alarm has been created to alert upon all SSO account actions.

The alarm name may vary, but it is suggested to name it "SSO account actions - com.vmware.sso.PrincipalManagement".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-AlarmDefinition | Where {$_.ExtensionData.Info.Expression.Expression.EventTypeId -eq "com.vmware.sso.PrincipalManagement"} | Select Name,Enabled,@{N="EventTypeId";E={$_.ExtensionData.Info.Expression.Expression.EventTypeId}}

If an alarm is not created to alert on SSO account actions, this is a finding.

Fix Text

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Security >> Alarm Definitions.

Click "Add".

Provide the alarm name of "SSO account actions - com.vmware.sso.PrincipalManagement" and an optional description.

From the "Target type" drop-down menu, select "vCenter Server".

Click "Next".

Paste "com.vmware.sso.PrincipalManagement" (without quotes) in the line after "IF" and press "Enter".

Next to "Trigger the alarm and", select "Show as Warning".

Configure the desired notification actions that will inform the SA and ISSO of the event.

Click "Next". Click "Next" again. Click "Create".
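The following PowerCLI script is an added example and is not part of the STIG or of STIGhub. It automates both the Check Content (the Get-AlarmDefinition query above) and the Fix Text (creating the alarm through the vSphere API instead of the vSphere Client). It assumes an existing Connect-VIServer session with rights to create alarms on the vCenter root folder; the recipient addresses and the EventType value "EventEx" are assumptions, and the alarm name follows the STIG's suggested name.

```powershell
# Added example (not from the STIG or STIGhub): check for, and if missing create,
# the vCenter alarm required by V-256337 using PowerCLI.
# Assumes Connect-VIServer has already been run. Recipients are placeholders.

$eventTypeId = "com.vmware.sso.PrincipalManagement"
$alarmName   = "SSO account actions - $eventTypeId"     # name suggested by the STIG
$notifyList  = "sa@example.invalid,isso@example.invalid" # PLACEHOLDER: SA and ISSO addresses

# --- Check: same query as the STIG Check Content, wrapped in a function ---
function Get-SsoAccountAlarm {
    Get-AlarmDefinition |
        Where-Object { $_.ExtensionData.Info.Expression.Expression.EventTypeId -eq $eventTypeId } |
        Select-Object Name, Enabled,
            @{N = "EventTypeId"; E = { $_.ExtensionData.Info.Expression.Expression.EventTypeId }}
}

$existing = Get-SsoAccountAlarm
if ($existing) {
    $existing | Format-Table -AutoSize
    # An alarm that exists but is disabled still leaves SSO actions unalerted.
    $disabled = $existing | Where-Object { -not $_.Enabled }
    if ($disabled) { Write-Warning "Alarm exists but is disabled: $($disabled.Name -join ', ')" }
    return
}
Write-Warning "No alarm for $eventTypeId found (this is a finding). Creating one."

# --- Fix: API equivalent of the vSphere Client steps ---
$alarmMgr = Get-View AlarmManager
# The root "Datacenters" folder corresponds to the "vCenter Server" target type.
$target   = Get-Folder -Name Datacenters | Get-View

$event = New-Object VMware.Vim.EventAlarmExpression
$event.EventType   = "EventEx"      # assumption: extended-event class used for com.vmware.* IDs
$event.EventTypeId = $eventTypeId   # the "IF" line in the vSphere Client
$event.ObjectType  = $null          # not limited to one inventory object type
$event.Status      = "yellow"       # "Show as Warning"

# Wrap in OrAlarmExpression so the STIG check's .Expression.Expression path resolves,
# exactly as an alarm created in the vSphere Client is stored.
$spec = New-Object VMware.Vim.AlarmSpec
$spec.Name        = $alarmName
$spec.Description = "Alert SA and ISSO on every SSO account action (V-256337)"
$spec.Enabled     = $true
$spec.Expression  = New-Object VMware.Vim.OrAlarmExpression
$spec.Expression.Expression = @($event)

$spec.Setting = New-Object VMware.Vim.AlarmSetting
$spec.Setting.ReportingFrequency = 0   # do not throttle repeat notifications
$spec.Setting.ToleranceRange     = 0

# Notification action informing the SA and ISSO; {targetName} and {eventDescription}
# are vCenter alarm substitution variables expanded in the message.
$email = New-Object VMware.Vim.SendEmailAction
$email.ToList  = $notifyList
$email.Subject = "[vCenter] SSO account action on {targetName}"
$email.Body    = "{eventDescription}"

$trigger = New-Object VMware.Vim.AlarmTriggeringAction
$trigger.Action = $email
$transition = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
$transition.StartState = "green"
$transition.FinalState = "yellow"      # fire on the green -> warning transition
$transition.Repeats    = $false
$trigger.TransitionSpecs = @($transition)

$spec.Action = New-Object VMware.Vim.GroupAlarmAction
$spec.Action.Action = @($trigger)

$null = $alarmMgr.CreateAlarm($target.MoRef, $spec)

# Re-run the check to confirm the alarm is now present and enabled.
Get-SsoAccountAlarm | Format-Table -AutoSize
```

Two points worth verifying after running it: the email action only delivers if the vCenter mail (SMTP) settings are configured, so confirm a test message arrives at the SA and ISSO addresses; and, as the Discussion recommends, forward the same event to the SIEM (for example via vCenter's syslog forwarding) rather than relying on the vCenter alarm alone.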