STIGQter: STIG Summary: VMware vSphere 6.7 Virtual Machine Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021

Unauthorized USB devices must be disconnected on the virtual machine.

DISA Rule

SV-239343r679578_rule

Vulnerability Number

V-239343

Group Title

SRG-OS-000480-VMM-002000

Rule Version

VMCH-67-000012

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Web Client, right-click the Virtual Machine and go to Edit Settings. Select the USB controller, click the circle-x to remove it, then click OK.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-USBDevice | Remove-USBDevice

Note: This will not remove the USB controller, only any connected devices.

Check Contents

From the vSphere Web Client, right-click the Virtual Machine and go to Edit Settings. Review the VM's hardware and verify no USB devices exist.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following commands:

Get-VM | Where {$_.ExtensionData.Config.Hardware.Device.DeviceInfo.Label -match "usb"}
Get-VM | Get-UsbDevice

If a virtual machine has any USB devices or USB controllers present, this is a finding.

If USB smart card readers are used to pass smart cards through the VM console to a VM, then the use of a USB controller and USB devices for that purpose is not a finding.
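
The check above returns matching VMs but does not say which USB hardware each one has. The following added example (not part of the STIG or of PowerCLI) reports that per VM using the same label match; the function names, output fields, sample VMs and the rule that controller labels contain "controller" are assumptions.

```powershell
# Added example: per-VM USB audit based on the STIG's label match.
# Function names, output fields and sample objects are hypothetical.
function Get-UsbFinding {
    [CmdletBinding()]
    param(
        # VM objects from Get-VM (or stand-ins with the same property path)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$VM
    )
    process {
        # Same property path and match as the STIG check command
        $labels = @($VM.ExtensionData.Config.Hardware.Device |
            ForEach-Object { $_.DeviceInfo.Label } |
            Where-Object { $_ -match 'usb' })
        # Assumption: controller labels contain the word "controller"
        $controllers = @($labels | Where-Object { $_ -match 'controller' })
        $devices     = @($labels | Where-Object { $_ -notmatch 'controller' })

        [pscustomobject]@{
            VM          = $VM.Name
            Controllers = $controllers -join '; '
            Devices     = $devices -join '; '
            # Smart card reader pass-through is not a finding, so a hit
            # still needs a manual review before it is recorded.
            Status      = if ($labels.Count -gt 0) { 'Review' } else { 'NotAFinding' }
        }
    }
}

# Constructed sample input so the function can be exercised offline.
function New-SampleVM([string]$Name, [string[]]$Labels) {
    $dev = foreach ($l in $Labels) {
        [pscustomobject]@{ DeviceInfo = [pscustomobject]@{ Label = $l } }
    }
    [pscustomobject]@{
        Name          = $Name
        ExtensionData = [pscustomobject]@{
            Config = [pscustomobject]@{
                Hardware = [pscustomobject]@{ Device = @($dev) } } }
    }
}

$sample = @(
    New-SampleVM 'app01' @('Hard disk 1', 'Network adapter 1')
    New-SampleVM 'app02' @('Hard disk 1', 'USB controller')
    New-SampleVM 'vdi07' @('USB xHCI controller', 'USB 1')
)
$sample | Get-UsbFinding | Format-Table -AutoSize
# Live use: Get-VM | Get-UsbFinding | Where-Object Status -eq 'Review'
```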

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5327

Comments