Check: VMCH-70-000028
VMware vSphere 7.0 Virtual Machine STIG:
VMCH-70-000028
(in versions v1 r3 through v1 r1)
Title
DirectPath I/O must be disabled on the virtual machine (VM) when not required. (Cat II impact)
Discussion
VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.
Check Content
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find any "pciPassthruX.present" value (where "X" is a count starting at 0) and verify it is set to "FALSE" or "".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name "pciPassthru*.present" | Select Entity, Name, Value

If the virtual machine advanced setting "pciPassthruX.present" is present, and the specific device returned is not approved, this is a finding.

If the virtual machine advanced setting "pciPassthruX.present" is not present, this is not a finding.
Fix Text
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> Virtual Hardware tab. Find the unexpected PCI device returned from the check. Hover the mouse over the device and click the circled "X" to remove the device. Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name pciPassthruX.present | Remove-AdvancedSetting

Note: Change the "X" value to match the specific setting in the organization's environment.
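The check and fix above are written for one VM at a time. The following PowerCLI script is an added example, not part of the STIG text, that applies the same logic across every VM in the connected inventory: it lists each "pciPassthru*.present" advanced setting, treats a value other than "FALSE" or "" on a VM that is not on an organization-approved list as a finding, and, only when -Remediate is given, removes the offending setting with Remove-AdvancedSetting exactly as the Fix Text does. The $ApprovedVMs list and its sample entry are placeholders that an organization would replace with its own approved passthrough hosts; an existing Connect-VIServer session is assumed.

```powershell
# Added example (not from the STIG): audit VMCH-70-000028 across all VMs
# and optionally remediate. Assumes Connect-VIServer has already been run.
param(
    # Placeholder: names of VMs authorized to use DirectPath I/O (e.g. a
    # virtualized storage appliance). Replace with the organization's list.
    [string[]]$ApprovedVMs = @('storage-appliance-01'),
    # Only remove non-approved passthrough settings when explicitly requested.
    [switch]$Remediate
)

$results = foreach ($vm in Get-VM) {
    # Same query as the STIG check, wildcarded over pciPassthru0, 1, 2, ...
    $settings = Get-AdvancedSetting -Entity $vm -Name 'pciPassthru*.present' -ErrorAction SilentlyContinue

    foreach ($s in $settings) {
        # Check Content: "FALSE" or "" (empty) is compliant; anything else means a
        # PCI function is passed through to the guest.
        $enabled  = -not [string]::IsNullOrEmpty($s.Value) -and ($s.Value.ToString().ToUpper() -ne 'FALSE')
        $approved = $ApprovedVMs -contains $vm.Name
        $finding  = $enabled -and -not $approved

        if ($finding -and $Remediate) {
            # Fix Text equivalent: remove the specific pciPassthruX.present setting.
            $s | Remove-AdvancedSetting -Confirm:$false
        }

        [PSCustomObject]@{
            VM          = $vm.Name
            Setting     = $s.Name
            Value       = $s.Value
            Approved    = $approved
            Finding     = $finding
            Remediated  = ($finding -and $Remediate)
        }
    }
}

# VMs with no pciPassthruX.present setting at all produce no rows: "not a finding".
$results | Sort-Object VM, Setting | Format-Table -AutoSize
```

Run it first without -Remediate to produce an evidence table for the review, confirm that every row marked Finding is genuinely unexpected (the Discussion notes legitimate uses such as storage appliances and dedicated graphics), then rerun with -Remediate. Removing the advanced setting while the PCI device is still attached in the Virtual Hardware tab is what the Fix Text intends, but the power state of the VM may need to be checked in the organization's environment before the change takes effect.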
Additional Identifiers
Rule ID: SV-256476r886471_rule
Vulnerability ID: V-256476
Group Title: SRG-OS-000480-VMM-002000
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings