8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly

Information

A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to be accessed by that API should be configured to accept such access.

Rationale:

An attacker might compromise a VM by making use of the dvfilter API.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To set this configuration utilize the vSphere interface as follows:

Select the VM then select Actions followed by Edit Settings.

Click on the VM Options tab then expand Advanced.

Click on EDIT CONFIGURATION.

Remove the value from ethernet0.filter1.name = dv-filter.

Parameters are removed when no value is present

Click OK.

You may also configure a VM to allow dvfilter access via the following method in the VMX file:

Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.

If dvfilter access should not be permitted: Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.

Set the name of the data path kernel correctly.

See Also

https://workbench.cisecurity.org/files/3473