Details
The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode; additionally, make sure that activity within the VM is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a VM, administrators might never know whether they have been attacked or hacked.
Solution
The target VM must be powered off prior to changing the hard disk mode.
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings. Select the target hard disk and change the mode to persistent or uncheck Independent.
or
From a PowerCLI command prompt, while connected to the ESXi host or vCenter server, run the following command:
Get-VM 'VM Name' | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent
or
Get-VM 'VM Name' | Get-HardDisk | Set-HardDisk -Persistence Persistent
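The same check applied to a whole inventory, as an added example (not part of the original guidance and not VMware's code): it classifies each disk and, because the mode can only be changed on a powered-off VM, reports which remediation is possible now. The function names, sample VM names and Action wording are assumptions; Persistence, Parent and PowerState are the properties PowerCLI exposes on hard disk and VM objects.

```powershell
# Added example: audit logic for the persistent-disk check on this page.
# Modes treated as compliant are the two that the Solution's commands set.
$CompliantModes = 'Persistent', 'IndependentPersistent'

function Test-DiskPersistence {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $HardDisk   # object shaped like Get-HardDisk output
    )
    process {
        $vm        = $HardDisk.Parent
        $mode      = [string]$HardDisk.Persistence
        $power     = [string]$vm.PowerState
        $compliant = $CompliantModes -contains $mode

        # The disk mode can only be changed while the VM is powered off.
        if ($compliant) {
            $action = 'None'
        } elseif ($power -eq 'PoweredOff') {
            $action = 'Set-HardDisk -Persistence Persistent'
        } else {
            $action = 'Schedule power-off, then change mode'
        }

        [pscustomobject]@{
            VM          = $vm.Name
            Disk        = $HardDisk.Name
            Persistence = $mode
            PowerState  = $power
            Compliant   = $compliant
            Action      = $action
        }
    }
}

# Constructed sample inventory (hypothetical VM names) so the logic runs offline.
function New-SampleDisk($VMName, $Power, $Disk, $Mode) {
    [pscustomobject]@{
        Name = $Disk; Persistence = $Mode
        Parent = [pscustomobject]@{ Name = $VMName; PowerState = $Power }
    }
}
$sample = @(
    New-SampleDisk 'app01' 'PoweredOn'  'Hard disk 1' 'Persistent'
    New-SampleDisk 'app01' 'PoweredOn'  'Hard disk 2' 'IndependentNonPersistent'
    New-SampleDisk 'db02'  'PoweredOff' 'Hard disk 1' 'IndependentNonPersistent'
    New-SampleDisk 'kiosk' 'PoweredOff' 'Hard disk 1' 'IndependentPersistent'
)
$sample | Test-DiskPersistence | Format-Table -AutoSize
```

Against a live connection, pipe real objects through the same function: Get-VM | Get-HardDisk | Test-DiskPersistence | Where-Object { -not $_.Compliant }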
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.
References
- 800-53|CM-6b.
- CAT|I
- CCI|CCI-000366
- Group-ID|V-64051
- Rule-ID|SV-78541r1_rule
- STIG-ID|VMCH-06-000007
- Vuln-ID|V-64051