8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly

Information

A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs
that need to be accessed by that API should be configured to accept such access.

*Rationale*

An attacker might compromise a VM by making use of the dvfilter API.

Solution

To configure a VM to allow dvfilter access, perform the following steps:

1. Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1
where ethernet0 is the network adapter interface of the virtual machine that is to
be protected, filter1 is the number of the filter that is being used, and dv-filter1 is
the name of the particular data path kernel module that is protecting the VM.
2. Set the name of the data path kernel correctly.

To configure a VM to not allow dvfilter access, perform the following steps:

1. Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-7, 800-53|SI-4, CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: 29d35d40a0aa2d9025cf466d2f355c4e3ca3d1e7d63fcaff805a5a7e427eb4f2