8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly


A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to be accessed by that API should be configured to accept such access.


An attacker might compromise a VM by making use of the dvfilter API.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To set this configuration utilize the vSphere interface as follows:

Select the VM then select Actions followed by Edit Settings.

Click on the VM Options tab then expand Advanced.


Remove the value from ethernet0.filter1.name = dv-filter.

Parameters are removed when no value is present

Click OK.

You may also configure a VM to allow dvfilter access via the following method in the VMX file:

Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.

If dvfilter access should not be permitted: Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.

Set the name of the data path kernel correctly.

See Also