VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-VMM-002000
Group -
SRG-OS-000480-VMM-002000
Group -
Log size must be configured properly on the virtual machine (VM).
The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
Log retention must be configured properly on the virtual machine (VM).
The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
DirectPath I/O must be disabled on the virtual machine (VM) when not required.
VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a ...Rule Medium Severity -
SRG-OS-000480-VMM-002000
Group -
Virtual disk shrinking must be disabled on the virtual machine (VM).
Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and pro...Rule Medium Severity -
Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM).
Setting "isolation.tools.hgfsServerSet.disable" to "true" disables registration of the guest's HGFS server with the host. Application Programming Interfaces (APIs) that use HGFS to transfer files t...Rule Medium Severity -
Console connection sharing must be limited on the virtual machine (VM).
By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each terminal window receives a notification about the new session. If an admi...Rule Medium Severity -
Unauthorized removal, connection, and modification of devices must be prevented on the virtual machine (VM).
In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use...Rule Medium Severity -
Access to virtual machines (VMs) through the "dvfilter" network Application Programming Interface (API) must be controlled.
An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.Rule Low Severity -
Encryption must be enabled for vMotion on the virtual machine (VM).
vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMotion network. As of vSphere 6.5, this transfer can be transparently encr...Rule Medium Severity -
Logging must be enabled on the virtual machine (VM).
The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limited to power events, system failure information, tools status and activity...Rule Medium Severity -
Encryption must be enabled for Fault Tolerance on the virtual machine (VM).
Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU instructions. vSphere Fault Tolerance performs frequent checks between a ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.