STIGQter STIGQter: STIG Summary: VMware vSphere 6.5 Virtual Machine Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 25 Oct 2019:

Unauthorized removal, connection and modification of devices must be prevented on the virtual machine.

DISA Rule

SV-104459r1_rule

Vulnerability Number

V-94629

Group Title

SRG-OS-000480-VMM-002000

Rule Version

VMCH-65-000037

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.device.connectable.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.

Note: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

If the setting does not exist, run:

Get-VM "VM Name" | New-AdvancedSetting -Name isolation.device.connectable.disable -Value true

If the setting exists, run:

Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable | Set-AdvancedSetting -Value true

Check Contents

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.device.connectable.disable value is set to true.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable

If the virtual machine advanced setting isolation.device.connectable.disable does not exist or is not set to true, this is a finding.

Vulnerability Number

V-94629

Documentable

False

Rule Version

VMCH-65-000037

Severity Override Guidance

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Verify the isolation.device.connectable.disable value is set to true.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name isolation.device.connectable.disable

If the virtual machine advanced setting isolation.device.connectable.disable does not exist or is not set to true, this is a finding.

Check Content Reference

M

Target Key

3489

Comments