Check: VMCH-70-000016
VMware vSphere 7.0 Virtual Machine STIG:
VMCH-70-000016
(in versions v1 r3 through v1 r1)
Title
Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM). (Cat II impact)
Discussion
In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. To use the device again, prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can: 1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive. 2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service. 3. Modify settings on a device.
Check Content
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the "isolation.device.connectable.disable" value is set to "true". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable If the virtual machine advanced setting "isolation.device.connectable.disable" does not exist or is not set to "true", this is a finding.
Fix Text
From the vSphere Client, right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the "isolation.device.connectable.disable" value and set it to "true". If the setting does not exist, add the Name and Value setting at the bottom of screen. Note: The VM must be powered off to configure the advanced settings through the vSphere Client. Therefore, it is recommended to configure these settings with PowerCLI as this can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted. or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below. If the setting does not exist, run: Get-VM "VM Name" | New-AdvancedSetting -Name isolation.device.connectable.disable -Value true If the setting exists, run: Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable | Set-AdvancedSetting -Value true
Additional Identifiers
Rule ID: SV-256464r886435_rule
Vulnerability ID: V-256464
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |