Check: ESX0280
VMware ESX 3 Server:
ESX0280
(in version v1 r2)
Title
Promiscuous mode is enabled for virtual switches during the ESX Server boot process. (Cat I impact)
Discussion
ESX Server can run virtual and physical network adapters in promiscuous mode, and promiscuous mode may be enabled on both public and private virtual switches. When it is enabled on a public virtual switch, every virtual machine connected to that switch can potentially read all packets sent across the network, whether from other virtual machines, physical machines, or other network devices. When it is enabled on a private virtual switch, every virtual machine connected to that switch can potentially read all packets on that network, which in this case means only the traffic among the virtual machines on that private switch. By default, promiscuous mode is set to Reject, meaning the virtual network adapter cannot operate in promiscuous mode.

Promiscuous mode will be disabled on the ESX Server virtual switches, since confidential data may be revealed while it is in effect. Although it is disabled by default, there may be a legitimate reason to enable it for debugging, monitoring, or troubleshooting. Promiscuous mode is enabled for a virtual switch by writing a value into a special virtual file in the /proc file system. Because /proc is not persistent, that value is lost and promiscuous mode is disabled again after the ESX Server reboots. One way to keep promiscuous mode enabled indefinitely is to add the command to the /etc/rc.local boot script in the service console, which is what this check looks for.
Check Content
On the ESX service console, perform the following:

# less /etc/rc.local

#!/bin/sh
#
# This script will be executed *after* all other init scripts.
# You can put your own initialization entries in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

If you see something similar to the following, this is a finding:

echo "PromiscuousAllowed yes" > /proc/vmware/net/vmnic0/config

Note: If promiscuous mode is turned on for troubleshooting purposes, it must be documented and approved with the IAO/SA.
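An automated form of this check, added here as an example and not part of the STIG or of any VMware tooling: it scans a boot script for live (non-comment) lines that write "PromiscuousAllowed yes" into any /proc/vmware/net/<nic>/config, generalising beyond vmnic0, and returns 1 on a finding. The function names and the sample rc.local are constructed for the demonstration.

```shell
# Added example, not part of the STIG text: audit a boot script for the
# persistence trick described above ("echo PromiscuousAllowed yes" redirected
# into /proc/vmware/net/<nic>/config). Generalised to any NIC name; ignores
# commented-out lines. The sample rc.local below is constructed.

# Print "lineno:text" for every live (non-comment) line that writes
# "PromiscuousAllowed yes" into a /proc/vmware/net/*/config file.
find_promisc_boot_lines() {
    script="${1:-/etc/rc.local}"
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    # sed blanks comment text but keeps every line, so grep -n reports the
    # real line number; "|| :" keeps a no-match result from tripping set -e.
    sed 's/#.*$//' "$script" \
        | grep -n -i 'PromiscuousAllowed[[:space:]]*yes' \
        | grep '/proc/vmware/net/[^/]*/config' || :
}

# Verdict: returns 1 on a finding, 0 on pass, 2 if the script is unreadable.
check_promisc_boot() {
    script="${1:-/etc/rc.local}"
    hits=$(find_promisc_boot_lines "$script") || return $?
    if [ -n "$hits" ]; then
        echo "FINDING (ESX0280): promiscuous mode re-enabled at boot in $script:"
        printf '%s\n' "$hits"
        return 1
    fi
    echo "PASS: $script does not enable promiscuous mode"
}

# Constructed sample of the rc.local the check content describes; the
# commented-out line and the "no" line must not be reported.
write_sample_rc_local() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
echo "PromiscuousAllowed yes" > /proc/vmware/net/vmnic0/config
# echo "PromiscuousAllowed yes" > /proc/vmware/net/vmnic1/config
echo "PromiscuousAllowed no" > /proc/vmware/net/vmnic2/config
EOF
    echo "$f"
}

sample=$(write_sample_rc_local)
check_promisc_boot "$sample" || echo "exit status $?"
rm -f "$sample"
```

Run it with no argument on the service console to audit the real /etc/rc.local; the same functions can be pointed at any other init script.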
Fix Text
Disable promiscuous mode during the ESX Server boot process.
Additional Identifiers
Rule ID: SV-16758r1_rule
Vulnerability ID: V-15819
Group Title: Promiscuous mode is set for virtual switches.
Expert Comments
CCIs
Number | Definition
--- | ---
No CCIs are assigned to this check |
Controls
Number | Title
--- | ---
No controls are assigned to this check |