
Ensure VMsafe Agent is configured correctly

Details

The VMsafe CPU/memory API allows a security virtual machine to inspect and modify the contents of the memory and CPU registers on other VMs, for the purpose of detecting and preventing malware attacks. A VM must be configured explicitly to accept access by the VMsafe CPU/memory API. This involves three parameters to perform the following:

1. Enable the API.
2. Set the IP address used by the security virtual appliance on the introspection vSwitch.
3. Set the port number for that IP address.

The first parameter must be set correctly in the vmsafe.enable option in the virtual machine configuration file for any VMs that should be protected by the API. For any VMs that should not be protected by the API, this option should not exist in the configuration file.

*Rationale*

An attacker might compromise the VMs by making unauthorized use of the introspection channel provided by the API.

Solution

To configure the VMsafe Agent correctly, perform the following steps:

1. If the VM is not being protected by a VMsafe CPU/memory product, remove vmsafe.enable from the virtual machine configuration file or set it to a value of FALSE.
2. If the VM is being protected by a VMsafe CPU/memory product, set vmsafe.enable to the correct value.
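
The two steps above can be checked offline against the text of each VM's configuration (.vmx) file. The following is an added example, not part of the CIS benchmark or of any VMware tooling: the function names and sample file contents are constructed, and it assumes that "the correct value" for a protected VM is TRUE and that the list of protected VMs comes from your own inventory.

```python
import re

# Matches one .vmx assignment such as: vmsafe.enable = "TRUE"
_VMX_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Return a dict of lower-cased keys to values from .vmx file text."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def check_vmsafe(vmx_text, protected):
    """Return (compliant, reason); protected=True means the VM should use the API."""
    value = parse_vmx(vmx_text).get("vmsafe.enable")
    enabled = value is not None and value.strip().upper() == "TRUE"
    if protected:
        # Assumption: "the correct value" for a protected VM is TRUE.
        if enabled:
            return True, "protected VM has vmsafe.enable = TRUE"
        return False, "protected VM does not have vmsafe.enable = TRUE"
    if value is None:
        return True, "vmsafe.enable is absent"
    if value.strip().upper() == "FALSE":
        return True, "vmsafe.enable is FALSE"
    return False, f"unprotected VM has vmsafe.enable = {value!r}"

# Constructed sample .vmx contents (not taken from a real host).
SAMPLE_WEB = 'displayName = "web01"\nvmsafe.enable = "TRUE"\n'
SAMPLE_DB = 'displayName = "db01"\nmemSize = "4096"\n'
SAMPLE_APP = 'displayName = "app01"\nVMsafe.Enable = "false"\n'

if __name__ == "__main__":
    for name, text, prot in [("web01", SAMPLE_WEB, False),
                             ("db01", SAMPLE_DB, False),
                             ("app01", SAMPLE_APP, False),
                             ("web01", SAMPLE_WEB, True)]:
        ok, why = check_vmsafe(text, prot)
        print(f"{name} protected={prot}: {'PASS' if ok else 'FAIL'} ({why})")
```

Any value other than FALSE on an unprotected VM is reported as a failure, so a typo in the option's value is flagged instead of being passed.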

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: VMware.


Updated on July 16, 2022