Skip to content

VMware vSphere 8.0 Virtual Machine Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Virtual machines (VMs) must disable 3D features when not required.

    <VulnDiscussion>For performance reasons, it is recommended that 3D acceleration be disabled on virtual machines that do not require 3D functi...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must have drag and drop operations disabled.

    &lt;VulnDiscussion&gt;Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to v...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must have paste operations disabled.

    &lt;VulnDiscussion&gt;Copy and paste operations are disabled by default; however, explicitly disabling this feature will enable audit controls to v...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must have virtual disk shrinking disabled.

    &lt;VulnDiscussion&gt;Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must have virtual disk wiping disabled.

    &lt;VulnDiscussion&gt;Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process ...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must limit console sharing.

    &lt;VulnDiscussion&gt;By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each t...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must limit informational messages from the virtual machine to the VMX file.

    &lt;VulnDiscussion&gt;The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the gue...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must prevent unauthorized removal, connection, and modification of devices.

    &lt;VulnDiscussion&gt;In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must not be able to obtain host information from the hypervisor.

    &lt;VulnDiscussion&gt;If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This ...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must have shared salt values disabled.

    &lt;VulnDiscussion&gt;When salting is enabled (Mem.ShareForceSalting=1 or 2) to share a page between two virtual machines, both salt and the conten...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must disable access through the "dvfilter" network Application Programming Interface (API).

    &lt;VulnDiscussion&gt;An attacker might compromise a VM by using the "dvFilter" API. Configure only VMs that need this access to use the API.&lt;/V...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must be configured to lock when the last console connection is closed.

    &lt;VulnDiscussion&gt;When accessing the VM console, the guest operating system must be locked when the last console user disconnects, limiting the...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must enable encryption for vMotion.

    &lt;VulnDiscussion&gt;vMotion migrations in vSphere 6.0 and earlier transferred working memory and CPU state information in clear text over the vMo...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must enable encryption for Fault Tolerance.

    &lt;VulnDiscussion&gt;Fault Tolerance log traffic can be encrypted. This could contain sensitive data from the protected machine's memory or CPU in...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must configure log size.

    &lt;VulnDiscussion&gt;The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limite...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must configure log retention.

    &lt;VulnDiscussion&gt;The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including but not limite...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must enable logging.

    &lt;VulnDiscussion&gt;The ESXi hypervisor maintains logs for each individual VM by default. These logs contain information including, but not limit...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must not use independent, nonpersistent disks.

    &lt;VulnDiscussion&gt;The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must remove unneeded floppy devices.

    &lt;VulnDiscussion&gt;Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must remove unneeded CD/DVD devices.

    &lt;VulnDiscussion&gt;Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...
    Rule Low Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must remove unneeded parallel devices.

    &lt;VulnDiscussion&gt;Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must remove unneeded serial devices.

    &lt;VulnDiscussion&gt;Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must remove unneeded USB devices.

    &lt;VulnDiscussion&gt;Ensure no device is connected to a virtual machine if it is not required. For example, floppy, serial, and parallel ports are...
    Rule Medium Severity
  • SRG-OS-000480-VMM-002000

    <GroupDescription></GroupDescription>
    Group
  • Virtual machines (VMs) must disable DirectPath I/O devices when not required.

    &lt;VulnDiscussion&gt;VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to th...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules