VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide
Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
Details
Version / Release: V1R1
Published: 2023-02-27
Updated At: 2023-05-04 00:38:36
Actions
Download
Filter
Findings
| Severity | Open | Not Reviewed | Not Applicable | Not a Finding |
|---|---|---|---|---|
| Overall | 0 | 0 | 0 | 0 |
| Low | 0 | 0 | 0 | 0 |
| Medium | 0 | 0 | 0 | 0 |
| High | 0 | 0 | 0 | 0 |
Drop CKL or SCAP (XCCDF) results here.
| Vuln | Rule | Version | CCI | Severity | Title | Description | Status | Finding Details | Comments |
|---|---|---|---|---|---|---|---|---|---|
| SV-256450r886393_rule | VMCH-70-000001 | CCI-000366 | LOW | Copy operations must be disabled on the virtual machine (VM). | Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the | ||||
| SV-256451r886396_rule | VMCH-70-000002 | CCI-000366 | LOW | Drag and drop operations must be disabled on the virtual machine (VM). | Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the | ||||
| SV-256452r886399_rule | VMCH-70-000003 | CCI-000366 | LOW | Paste operations must be disabled on the virtual machine (VM). | Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to verify this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest operating system and the | ||||
| SV-256453r886402_rule | VMCH-70-000004 | CCI-000366 | MEDIUM | Virtual disk shrinking must be disabled on the virtual machine (VM). | Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or administrator privileges) wi | ||||
| SV-256454r886405_rule | VMCH-70-000005 | CCI-000366 | MEDIUM | Virtual disk wiping must be disabled on the virtual machine (VM). | Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (those without root or adminis | ||||
| SV-256455r886408_rule | VMCH-70-000006 | CCI-000366 | MEDIUM | Independent, nonpersistent disks must not be used on the virtual machine (VM). | The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use | ||||
| SV-256456r886411_rule | VMCH-70-000007 | CCI-000366 | MEDIUM | Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM). | Setting "isolation.tools.hgfsServerSet.disable" to "true" disables registration of the guest's HGFS server with the host. Application Programming Interfaces (APIs) that use HGFS to transfer files to and from the guest operating system, such as some VIX co | ||||
| SV-256457r886414_rule | VMCH-70-000008 | CCI-000366 | MEDIUM | Unauthorized floppy devices must be disconnected on the virtual machine (VM). | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during so | ||||
| SV-256458r886417_rule | VMCH-70-000009 | CCI-000366 | LOW | Unauthorized CD/DVD devices must be disconnected on the virtual machine (VM). | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during so | ||||
| SV-256459r886420_rule | VMCH-70-000010 | CCI-000366 | MEDIUM | Unauthorized parallel devices must be disconnected on the virtual machine (VM). | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during so | ||||
| SV-256460r886423_rule | VMCH-70-000011 | CCI-000366 | MEDIUM | Unauthorized serial devices must be disconnected on the virtual machine (VM). | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during sof | ||||
| SV-256461r886426_rule | VMCH-70-000012 | CCI-000366 | MEDIUM | Unauthorized USB devices must be disconnected on the virtual machine (VM). | Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during so | ||||
| SV-256462r886429_rule | VMCH-70-000013 | CCI-000366 | MEDIUM | Console connection sharing must be limited on the virtual machine (VM). | By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each terminal window receives a notification about the new session. If an administrator in the VM logs in using a VMware remote console | ||||
| SV-256463r886432_rule | VMCH-70-000015 | CCI-000366 | LOW | Informational messages from the virtual machine to the VMX file must be limited on the virtual machine (VM). | The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest operating system are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient | ||||
| SV-256464r886435_rule | VMCH-70-000016 | CCI-000366 | MEDIUM | Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM). | In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration edit | ||||
| SV-256465r886438_rule | VMCH-70-000017 | CCI-000366 | MEDIUM | The virtual machine (VM) must not be able to obtain host information from the hypervisor. | If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary could use thi | ||||
| SV-256466r886441_rule | VMCH-70-000018 | CCI-000366 | LOW | Shared salt values must be disabled on the virtual machine (VM). | When salting is enabled (Mem.ShareForceSalting=1 or 2) to share a page between two virtual machines, both salt and the content of the page must be same. A salt value is a configurable advanced option for each virtual machine. The salt values can be specif | ||||
| SV-256467r886444_rule | VMCH-70-000019 | CCI-000366 | LOW | Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled. | An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API. | ||||
| SV-256468r886447_rule | VMCH-70-000020 | CCI-000366 | LOW | System administrators must use templates to deploy virtual machines (VMs) whenever possible. | Capture a hardened base operating system image (with no applications installed) in a template to ensure all VMs are created with a known baseline level of security. Use this template to create other, application-specific templates, or use the application | ||||
| SV-256469r886450_rule | VMCH-70-000021 | CCI-000366 | MEDIUM | Use of the virtual machine (VM) console must be minimized. | The VM console enables a connection to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. The VM console also provides power management and removable device connectivity controls, which could allow a malicio | ||||
| SV-256470r886453_rule | VMCH-70-000022 | CCI-000366 | MEDIUM | The virtual machine (VM) guest operating system must be locked when the last console connection is closed. | When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the possibility of session hijacking. This setting only applies to Windows-based VMs with VMware tools installed. | ||||
| SV-256471r886456_rule | VMCH-70-000023 | CCI-000366 | LOW | All 3D features on the virtual machine (VM) must be disabled when not required. | For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functionality (e.g., most server workloads or desktops not using 3D applications). | ||||
| SV-256472r886459_rule | VMCH-70-000024 | CCI-000366 | MEDIUM | Encryption must be enabled for vMotion on the virtual machine (VM). | vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encrypted using 256-bit AES-GCM with negligible performance im | ||||
| SV-256473r886462_rule | VMCH-70-000025 | CCI-000366 | MEDIUM | Logging must be enabled on the virtual machine (VM). | The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations | ||||
| SV-256474r886465_rule | VMCH-70-000026 | CCI-000366 | MEDIUM | Log size must be configured properly on the virtual machine (VM). | The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, | ||||
| SV-256475r886468_rule | VMCH-70-000027 | CCI-000366 | MEDIUM | Log retention must be configured properly on the virtual machine (VM). | The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity, time sync, virtual hardware changes, vMotion migrations, | ||||
| SV-256476r886471_rule | VMCH-70-000028 | CCI-000366 | MEDIUM | DirectPath I/O must be disabled on the virtual machine (VM) when not required. | VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtu | ||||
| SV-256477r886474_rule | VMCH-70-000029 | CCI-000366 | MEDIUM | Encryption must be enabled for Fault Tolerance on the virtual machine (VM). | Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so the secondary VM can quickl | ||||