Independent, nonpersistent disks must not be used on the virtual machine (VM).

An XCCDF Rule

Description

<VulnDiscussion>The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, ensure activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked. There can be valid use cases for these types of disks, such as with an application presentation solution where read-only disks are desired, and such cases should be identified and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256455r886408_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

From the vSphere Client, right-click the Virtual Machine and go to "Edit Settings".

Select the target hard disk and change the mode to "persistent" or uncheck "Independent".

or
From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the provided commands as shown below.

Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent

or

Get-VM "VM Name" | Get-HardDisk | Set-HardDisk -Persistence Persistent

Independent, nonpersistent disks must not be used on the virtual machine (VM).

Description

Remediation - Manual Procedure