Information
A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to be accessed by that API should be configured to accept such access.
Rationale:
An attacker might compromise a VM by making use of the dvfilter API.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To set this configuration, use the vSphere interface as follows:
Select the VM then select Actions followed by Edit Settings.
Click on the VM Options tab then expand Advanced.
Click on EDIT CONFIGURATION.
Remove the value from ethernet0.filter1.name = dv-filter.
Parameters are removed when no value is present.
Click OK.
You may also configure a VM to allow dvfilter access via the following method in the VMX file:
Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.
If dvfilter access should not be permitted: Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.
Set the name of the data path kernel module correctly.
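The check described above can be run offline against a copy of a VM's VMX file. The following is an added example, not part of the benchmark or the Nessus audit: it assumes the VMX file is plain `key = "value"` text, the `approved_modules` allow-list is a hypothetical parameter, and the sample VMX content is constructed.

```python
import re

# Matches keys such as ethernet0.filter1.name (adapter index, filter slot).
DVFILTER_KEY = re.compile(r"^ethernet(\d+)\.filter(\d+)\.name$", re.IGNORECASE)


def parse_vmx(text):
    """Return {key: value} for 'key = "value"' lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_dvfilter(text, approved_modules=frozenset()):
    """List dvfilter bindings whose module name is not in approved_modules.

    approved_modules is a hypothetical allow-list for VMs that are meant to be
    protected by a dvfilter module; leave it empty for VMs that should have none.
    """
    findings = []
    for key, value in sorted(parse_vmx(text).items()):
        match = DVFILTER_KEY.match(key)
        if not match or value == "":
            continue  # an entry with no value counts as removed
        if value not in approved_modules:
            findings.append({"key": key, "adapter": int(match.group(1)),
                             "filter": int(match.group(2)), "module": value})
    return findings


# Constructed sample VMX content, not taken from a real VM.
SAMPLE_VMX = """\
displayName = "app01"
ethernet0.present = "TRUE"
ethernet0.filter1.name = "dv-filter1"
ethernet1.filter2.name = ""
# ethernet1.filter1.name = "old-filter"
"""

if __name__ == "__main__":
    for finding in audit_dvfilter(SAMPLE_VMX):
        print("unexpected dvfilter binding: {key} = {module}".format(**finding))
```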
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|9.2, CSCv7|12.4
Control ID: 78606f058860490ff8abfe3b32ec65e5e2f2aa6d09288bda5e0ef6d23f5f5cbf