Skip to content

Virtual Machine Manager Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000191

    <GroupDescription></GroupDescription>
    Group
  • The VMM must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

    &lt;VulnDiscussion&gt;Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the VMM or other sy...
    Rule Medium Severity
  • SRG-OS-000203

    <GroupDescription></GroupDescription>
    Group
  • The VMM must check the validity of all data inputs except those specifically identified by the organization.

    &lt;VulnDiscussion&gt;Invalid user input occurs when a user inserts data or characters into data entry fields and the VMM is unprepared to process ...
    Rule Medium Severity
  • SRG-OS-000205

    <GroupDescription></GroupDescription>
    Group
  • The VMM must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

    &lt;VulnDiscussion&gt;Any VMM providing too much information in error messages risks compromising the data and security of the structure, and conte...
    Rule Medium Severity
  • SRG-OS-000206

    <GroupDescription></GroupDescription>
    Group
  • The VMM must reveal system error messages only to authorized users.

    &lt;VulnDiscussion&gt;Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an orga...
    Rule Medium Severity
  • SRG-OS-000221

    <GroupDescription></GroupDescription>
    Group
  • All interactions among guest VMs must be mediated by the VMM or its service VMs to support proper function.

    &lt;VulnDiscussion&gt;Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If...
    Rule Medium Severity
  • SRG-OS-000239

    <GroupDescription></GroupDescription>
    Group
  • The VMM must automatically audit account modification.

    &lt;VulnDiscussion&gt;Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...
    Rule Medium Severity
  • SRG-OS-000240

    <GroupDescription></GroupDescription>
    Group
  • The VMM must automatically audit account disabling actions.

    &lt;VulnDiscussion&gt;When VMM accounts are disabled, user accessibility is affected. Once an attacker establishes access to a system, the attacker...
    Rule Medium Severity
  • SRG-OS-000241

    <GroupDescription></GroupDescription>
    Group
  • The VMM must automatically audit account removal actions.

    &lt;VulnDiscussion&gt;When VMM accounts are removed, user accessibility is affected. Once an attacker establishes access to a system, the attacker ...
    Rule Medium Severity
  • SRG-OS-000242

    <GroupDescription></GroupDescription>
    Group
  • All guest VM network communications must be implemented through use of virtual network devices provisioned by the VMM.

    &lt;VulnDiscussion&gt;Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If...
    Rule Medium Severity
  • SRG-OS-000242

    <GroupDescription></GroupDescription>
    Group
  • All interactions between guest VMs and external systems, via other interface devices, must be mediated by the VMM or its service VMs.

    &lt;VulnDiscussion&gt;Mechanisms to detect and prevent unauthorized communication flow must be configured or provided as part of the VMM design. If...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules