Check: SRG-OS-000242-VMM-000850
Virtual Machine Manager SRG:
SRG-OS-000242-VMM-000850
(in versions v2 r2 through v1 r3)
Title
All interactions between guest VMs and external systems, via other interface devices, must be mediated by the VMM or its service VMs. (Cat II impact)
Discussion
Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If information flow control is not enforced based on proper functioning of the VMM and its service and helper VMs, the VMM may become compromised. Information flow control regulates where information is allowed to travel between a VMM (and its guest VMs) and external systems. In some cases, the VMM may delegate interface device management to a service VM, but the VMM still maintains control of all information flows. The flow of all system information must be monitored and controlled so it does not introduce any unacceptable risk to the VMM, its guest VMs, or data.
Check Content
Verify all interactions between guest VMs and external systems, via other interface devices, are mediated by the VMM or its service VMs. If they are not, this is a finding.
Fix Text
Configure all interactions between guest VMs and external systems, via other interface devices, are mediated by the VMM or its service VMs.
Additional Identifiers
Rule ID: SV-207417r958596_rule
Vulnerability ID: V-207417
Group Title: SRG-OS-000242
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001414 |
Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
Controls
| Number | Title |
|---|---|
| AC-4 |
Information Flow Enforcement |