Check: VMCH-67-000017
VMware vSphere 6.7 Virtual Machine STIG:
VMCH-67-000017
(in versions v1 r3 through v1 r1)
Title
The virtual machine must not be able to obtain host information from the hypervisor. (Cat II impact)
Discussion
If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.
Check Content
From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the tools.guestlib.enableHostInfo value is set to false. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo If the virtual machine advanced setting tools.guestlib.enableHostInfo does not exist or is not set to false, this is a finding.
Fix Text
From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the tools.guestlib.enableHostInfo value and set it to false. If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name tools.guestlib.enableHostInfo -Value false If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name tools.guestlib.enableHostInfo | Set-AdvancedSetting -Value false
Additional Identifiers
Rule ID: SV-239348r679593_rule
Vulnerability ID: V-239348
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |