Details

A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to be accessed by that API should be configured to accept such access.

Rationale:

An attacker might compromise a VM by making use of the dvfilter API.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To configure a VM to allow dvfilter access, perform the following steps:

Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.

Set the name of the data path kernel correctly.

To configure a VM to not allow dvfilter access, perform the following steps:

Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3511

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication.This control applies to the following type of system VMware.

References

• 800-53|CM-1
• 800-53|CM-2
• 800-53|CM-6
• 800-53|CM-7
• 800-53|IA-5
• CSCv7|9.2
• CSCv7|12.4

Source

• Tenable.com/audits