Check: ESX1050
VMware ESX 3 Server:
ESX1050
(in version v1 r2)
Title
Virtual machine moves are not logged from one physical server to another. (Cat II impact)
Discussion
Virtual machines may be moved from one computer to another much like an ordinary file. This portability gives rise to a host of security problems. In the virtual machine world, the trusted computing base consists of every host the virtual machine has ever run on. If no history is maintained for each virtual machine, it can be very difficult to determine how far a security compromise has spread once the virtual machine has been moved several times.
Check Content
Ask the IAO/SA whether VMotion is used to migrate virtual machines from one ESX Server host to another. If not, this check is Not Applicable. If so, log on to the ESX Server service console and search the vpxa agent logs for VMotion entries:

# grep -in vmotion /var/log/vmware/vpx/vpxa*.log

If the logs have been rotated and compressed, search the compressed copies as well:

# zcat /var/log/vmware/vpx/vpxa*.log.gz | grep -i vmotion

If no result is returned by either command, this is a finding.
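The following script automates the search above so the same check can be run on every ESX host in scope. It is an added example and not part of the STIG or any VMware tooling; it assumes the log directory is passed as an argument (defaulting to the path named in the check), and the sample vpxa log lines it builds for its self-test are constructed, not copied from a real host.

```shell
#!/bin/sh
# ESX1050 helper (added example, not from the STIG): count VMotion entries in
# the vpxa agent logs, including gzip-rotated copies, and report a finding when
# none are present. Assumes logs live in the directory passed as $1
# (default: /var/log/vmware/vpx, the path the check names).

# Count lines mentioning "vmotion" (case-insensitive) across plain and
# compressed vpxa logs. Prints the total on stdout.
count_vmotion_entries() {
    dir="$1"
    total=0
    for f in "$dir"/vpxa*.log "$dir"/vpxa*.log.gz; do
        [ -f "$f" ] || continue          # unmatched glob stays literal in sh
        case "$f" in
            *.gz) n=$(zcat "$f" | grep -ci vmotion || true) ;;
            *)    n=$(grep -ci vmotion "$f" || true) ;;
        esac
        total=$((total + n))
    done
    echo "$total"
}

# Return 0 when at least one VMotion entry exists (not a finding),
# 1 when the logs contain no VMotion entries at all (finding).
esx1050_check() {
    dir="${1:-/var/log/vmware/vpx}"
    n=$(count_vmotion_entries "$dir")
    if [ "$n" -gt 0 ]; then
        echo "ESX1050: $n VMotion log entries found under $dir: not a finding"
        return 0
    fi
    echo "ESX1050: no VMotion entries under $dir: FINDING"
    return 1
}

# Build a throwaway log directory with constructed sample lines so the
# functions above can be exercised offline. The line format is illustrative
# only and is not the real vpxa log format.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        "[2008-05-12 10:15:02 info] VMotion of vm-42 from esx01 to esx02 started" \
        "[2008-05-12 10:15:09 info] vmotion of vm-42 completed on esx02" \
        "[2008-05-12 10:20:00 info] Host sync complete" \
        > "$dir/vpxa.log"
    printf '%s\n' \
        "[2008-04-30 08:01:11 info] VMotion of vm-17 from esx02 to esx01 started" \
        | gzip > "$dir/vpxa-0.log.gz"
    echo "$dir"
}

# Usage on the service console: sh esx1050_check.sh [/var/log/vmware/vpx]
if [ -n "${1:-}" ]; then
    esx1050_check "$1"
fi
```

The `|| true` after each `grep -c` matters: `grep -c` prints `0` but exits non-zero when nothing matches, which would abort a script run under `set -e` before the finding is ever reported. Rotated logs are searched through `zcat` rather than by name only, so a host whose current `vpxa.log` was just rotated is not misreported as a finding.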
Fix Text
Log all VMotion migrations.
Additional Identifiers
Rule ID: SV-16843r1_rule
Vulnerability ID: V-15901
Group Title: Virtual machine moves are not logged
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.