Detections
Analytics

ESXI5-VM-000046 - The system must prevent unauthorized removal, connection and modification of devices.

Information

Normal users and processes-that is, users and processes without root or administrator privileges-within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, the virtual machine settings should use editor or configuration editor to remove any unneeded or unused hardware devices. However, the device may need to be used again, so removing it is not always a good solution. In that case, prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with non-administrator privileges in a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive.

Solution

Configure the VM with the correct '<keyword> = <keyval>' pair.

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Storage.
Right-click on the appropriate datastore and click Browse Datastore.
Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file.
Right-click the .vmx file and click Remove from inventory.

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively.
Start the ESXi Shell service, where/as required.

As root, log in to the ESXi host and locate the VM's vmx file.
# find / | grep vmx

Add the following to the VM's vmx file.
keyword = 'keyval'

Where:
keyword = isolation.device.edit.disable
keyval = TRUE

Re-enable Lockdown Mode on the host.

Re-register the VM with the vCenter Server:
Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials.
If connecting to vCenter Server, click on the desired host.
Click the Configuration tab.
Click Storage.
Right-click on the appropriate datastore and click Browse Datastore.
Navigate to the folder named after the virtual machine, and locate the <virtual machine>.vmx file.
Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens.
Continue to follow the wizard to add the virtual machine.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Virtual_Machine_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39500, Rule-ID|SV-250718r799616_rule, STIG-ID|ESXI5-VM-000046, STIG-Legacy|SV-51358, STIG-Legacy|V-39500, Vuln-ID|V-250718

Plugin: VMware

Control ID: a26522cd0d8e8e989d34c5ad6c80049ca081973f2238f142d1370a094e5a7f5d