STIGQter: STIG Summary: VMware ESXi Server 5.0 Security Technical Implementation Guide
Version: 1 Release: 10 Benchmark Date: 27 Jan 2017

The system must zero out VMDK files prior to deletion.

DISA Rule

SV-51211r2_rule

Vulnerability Number

V-39353

Group Title

SRG-OS-99999-ESXI5

Rule Version

SRG-OS-99999-ESXI5-000161

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create and document a procedure to zero out sensitive data prior to removal of the VMDK file. Command line interface commands such as vmkfstools, dd, and rm must be used, per the examples below.

vmkfstools --writezeroes <path+vmdk_flat_file>
or
dd if=/dev/zero of=<path+vmdk_flat_file>

Note: The vSphere Client does not automatically zero out a VMDK file when it is destroyed.
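One way to script such a procedure in POSIX shell, added here as an example and not part of the STIG text: it overwrites the flat file in place (dd bounded to the file's current size, with conv=notrunc), verifies that only zeros remain, and only then deletes the file. The function names are hypothetical, and it assumes dd, head, cmp, wc and rm are available in the shell used.

```shell
#!/bin/sh
# Added example (not from the STIG): zero a VMDK flat file, verify, then delete.
# Assumptions: POSIX sh with dd, head, cmp, wc, rm; function names are hypothetical.

# Print the size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# Overwrite every existing byte with zeros without truncating or growing the file.
zero_in_place() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 2; }
    size=$(file_size "$f")
    bs=1048576                      # 1 MiB blocks for the bulk of the file
    blocks=$((size / bs))
    rem=$((size % bs))
    if [ "$blocks" -gt 0 ]; then
        dd if=/dev/zero of="$f" bs="$bs" count="$blocks" conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rem" -gt 0 ]; then       # tail shorter than one block, written byte-wise
        dd if=/dev/zero of="$f" bs=1 count="$rem" seek=$((blocks * bs)) \
            conv=notrunc 2>/dev/null || return 1
    fi
    sync                            # flush the overwrite before verifying
}

# Succeed only if the file consists entirely of zero bytes.
is_all_zero() {
    size=$(file_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Full procedure: zero, verify, delete. The file is kept if verification fails.
wipe_and_delete() {
    zero_in_place "$1" || return 1
    is_all_zero "$1" || { echo "verification failed, not deleting: $1" >&2; return 1; }
    rm -f -- "$1"
}

# Stand-alone use: pass one or more flat-file paths as arguments.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do wipe_and_delete "$f" || exit 1; done
fi
```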

Check Contents

Ask the SA if a documented procedure is used to overwrite sensitive data in VMDK flat files prior to deletion. The procedure must include a command to zero out data and the file must then be deleted. See some examples directly below.

vmkfstools --writezeroes <path+vmdk_flat_file>
or
dd if=/dev/zero of=<path+vmdk_flat_file>

If a documented procedure to overwrite sensitive data in VMDK flat files prior to deletion does not exist, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2370
