Check: ESX0050
VMware ESX 3 Server: ESX0050 (in version v1 r2)
Title
Permissions on the configuration and virtual disk files are incorrect. (Cat II impact)
Discussion
Permissions for the virtual machine files will adhere to VMware's best practices. The configuration file (.vmx) will be read, write, execute (rwx) for owner, read and execute (r-x) for group, and read (r--) for others (754). The virtual machine's virtual disk (.vmdk) will be read and write (rw-) for owner (600).
Check Content
On the ESX Server host, perform the following command on the service console, searching /vmfs or the NFS datastore path:

# find /vmfs -type f -name '*.vmx' -exec ls -Al {} \; | grep -v -- "rwxr-xr--"

Review the results from this command. If the result has permissions that are more restrictive, then this is not a finding. Any result that has less restrictive permissions (greater than 754) is a finding. If no result is returned, then this is not a finding. Permissions for all .vmx files should be 754 (rwxr-xr--) or more restrictive.
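The command above also lists files that are stricter than 754, which the reviewer then has to discard by eye. The script below is an added example, not part of the STIG: it reports only files that grant a permission bit beyond the stated mode, and it goes beyond the check command by also testing .vmdk files against the 600 given in the Discussion. The function names are hypothetical, and it assumes GNU stat (-c) is available where it is run.

```shell
#!/bin/sh
# Added example (not from the STIG): report VM files looser than the stated modes.
# Assumes GNU stat (-c) is available on the console where this is run.

# excess_bits MODE ALLOWED: print, in octal, the rwx bits MODE grants beyond ALLOWED.
# 0 means MODE is equal to or stricter than ALLOWED.
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# audit_ext DIR EXT ALLOWED: print "MODE ALLOWED PATH" for each *.EXT file under DIR
# whose mode has at least one bit set outside ALLOWED. Stricter modes pass silently.
audit_ext() {
    find "$1" -type f -name "*.$2" -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        if [ "$(excess_bits "$mode" "$3")" != 0 ]; then
            printf '%s %s %s\n' "$mode" "$3" "$path"
        fi
    done
}

# audit_vm_perms DIR: .vmx against 754 and .vmdk against 600, per the Discussion.
audit_vm_perms() {
    audit_ext "$1" vmx 754
    audit_ext "$1" vmdk 600
}

# Runs only when a datastore path is passed, e.g.: sh audit.sh /vmfs
if [ "$#" -gt 0 ]; then
    audit_vm_perms "$1"
fi
```

Each output line is a finding; no output means every matching file is at or below the stated mode.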
Fix Text
Configure .vmx files to 754.
Additional Identifiers
Rule ID: SV-16726r1_rule
Vulnerability ID: V-15787
Group Title: Virtual disk files permissions are incorrect.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |