Check: ESX0055
VMware ESX 3 Server: ESX0055 (in version v1 r2)
Title
Permissions on the virtual disk files are incorrect. (Cat II impact)
Discussion
Permissions for the virtual machine files will adhere to VMware's best practices. The configuration file (.vmx) will be read, write, execute (rwx) for owner, read and execute (r-x) for group, and read (r--) for others (754). The virtual machine's virtual disk (.vmdk) will be read and write (rw-) for owner (600).
Check Content
On the ESX Server host, perform the following command on the service console, searching /vmfs or the NFS datastore path:
# find /vmfs -type f -name '*.vmdk' -exec ls -Al {} \; | grep -v -- '-rw-------'
Any result from this command is a finding. If no result is returned, this is not a finding. Permissions for all .vmdk files should be 600 or rw-------. If they are not, this is a finding.
Fix Text
Configure .vmdk files to 600.
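An added example, not part of the STIG text: a service-console shell script that performs the same check with find's -perm test instead of matching ls output, then applies the Fix Text. The function names and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: audit and remediate .vmdk permissions for check ESX0055.
# Function names and the datastore root argument are assumptions.

# List every .vmdk under "$1" whose mode is not exactly 600.
# -perm compares the mode bits directly, so the result does not depend
# on how ls formats its listing.
audit_vmdk_perms() {
    find "$1" -type f -name '*.vmdk' ! -perm 600 -exec ls -Al {} \;
}

# Count the findings under "$1" (0 means the check passes).
count_vmdk_findings() {
    find "$1" -type f -name '*.vmdk' ! -perm 600 -print | wc -l | tr -d ' '
}

# Apply the Fix Text: set every non-compliant .vmdk under "$1" to 600.
fix_vmdk_perms() {
    find "$1" -type f -name '*.vmdk' ! -perm 600 -exec chmod 600 {} \;
}

# Demo on a constructed directory tree (not a real datastore).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/vm1" "$root/vm2"
    : > "$root/vm1/vm1.vmdk";      chmod 600 "$root/vm1/vm1.vmdk"       # compliant
    : > "$root/vm1/vm1-flat.vmdk"; chmod 644 "$root/vm1/vm1-flat.vmdk"  # finding
    : > "$root/vm2/vm2.vmdk";      chmod 660 "$root/vm2/vm2.vmdk"       # finding
    : > "$root/vm2/vm2.vmx";       chmod 754 "$root/vm2/vm2.vmx"        # not a .vmdk
    echo "before: $(count_vmdk_findings "$root") finding(s)"
    audit_vmdk_perms "$root"
    fix_vmdk_perms "$root"
    echo "after:  $(count_vmdk_findings "$root") finding(s)"
    rm -rf "$root"
}

demo
```

On a real host, pass /vmfs or the NFS datastore path as the argument in place of the demo directory.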
Additional Identifiers
Rule ID: SV-17881r1_rule
Vulnerability ID: V-16881
Group Title: Incorrect permissions on virtual disk files
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |