SCOM Run As accounts used to manage Linux/UNIX endpoints must be configured for least privilege.

An XCCDF Rule

Description

<VulnDiscussion>The Microsoft SCOM privileged Run As accounts are used to execute workflow tasks on target endpoints. A SCOM Run As account must have only the level of privilege required to perform the defined SCOM actions. An account with full administrative privileges (for example, an unrestricted sudo ALL grant) could be used to breach security boundaries and compromise the endpoint.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-237425r643921_rule
Severity
High

Remediation - Manual Procedure

Configure sudo for the Run As accounts used on Linux/UNIX endpoints so that they are not granted the unrestricted ALL command specification; grant only the specific commands that SCOM's monitoring and agent-maintenance tasks require, on the hosts where they are required. The exact sudoers syntax and command paths depend on the version and flavor of the Linux/UNIX operating system in question.

Microsoft's least privilege recommendations for supported versions can be found at the following location: https://social.technet.microsoft.com/wiki/contents/articles/7375.scom-configuring-sudo-elevation-for-UNIX-and-linux-monitoring.aspx.
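The following is an added example, not part of the STIG text or of Microsoft's guidance: a POSIX shell check that scans sudoers policy text for the unrestricted ALL grant this rule flags, shown against a constructed weak policy and a constructed least-privilege policy side by side. The account name scomuser and the agent command paths are assumptions for illustration; confirm the commands your SCOM version actually needs against the Microsoft article linked above.

```shell
#!/bin/sh
# Added example (not from the STIG or from Microsoft): audit sudoers text for
# an unrestricted "ALL" command grant to the SCOM Run As account.
# Assumptions: the Run As account is named "scomuser"; the sudoers snippets
# below are constructed for this example and the agent paths are illustrative.

# Print every sudoers line that gives ACCOUNT a command specification of ALL,
# i.e. the "sudo ALL" grant this rule requires removing. The policy text is
# taken from the second argument so the check runs offline; User_Alias,
# Cmnd_Alias and %group entries are not expanded by this simple parser.
scom_sudo_all_lines() {
    account="$1"
    printf '%s\n' "$2" | awk -v user="$account" '
        { sub(/#.*/, "") }                           # strip comments
        $1 != user { next }                          # only this account
        {
            spec = $0
            sub(/^[^=]*=/, "", spec)                 # drop "user host="
            sub(/^[[:space:]]*\([^)]*\)/, "", spec)  # drop "(runas)"
            n = split(spec, cmds, /,/)               # one entry per command
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
                sub(/^([A-Z]+:[[:space:]]*)+/, "", c)  # strip NOPASSWD: etc.
                if (c == "ALL") { print $0; break }
            }
        }'
}

# True (exit 0) when ACCOUNT has an unrestricted ALL grant anywhere in the text.
scom_has_sudo_all() {
    [ -n "$(scom_sudo_all_lines "$1" "$2")" ]
}

# Live-host variant: reads the real policy files (requires root to read them).
scom_audit_host() {
    scom_has_sudo_all "$1" "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
}

# Constructed weak policy: the finding this rule describes.
WEAK_SUDOERS='Defaults:scomuser !requiretty
scomuser ALL=(ALL) NOPASSWD: ALL'

# Constructed least-privilege policy: only named agent-maintenance commands,
# run as root, on this host. Command paths are illustrative.
LEAST_PRIV_SUDOERS='Defaults:scomuser !requiretty
scomuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin -restart
scomuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-scomuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-scomuser; /opt/microsoft/scx/bin/tools/scxadmin -restart'

# Demonstration: report both constructed policies.
for name in WEAK_SUDOERS LEAST_PRIV_SUDOERS; do
    eval "policy=\$$name"
    if scom_has_sudo_all scomuser "$policy"; then
        echo "$name: FAIL - unrestricted sudo ALL grant:"
        scom_sudo_all_lines scomuser "$policy" | sed 's/^/    /'
    else
        echo "$name: PASS"
    fi
done
```

On a real endpoint, run scom_audit_host scomuser as root, or confirm the effective grant with sudo -l -U scomuser, which resolves aliases and group entries the parser above does not. After editing the policy, validate it with visudo -c -f on the changed file before the Run As account is used again, since a syntax error in sudoers can lock out every sudo user on the host.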