STIGQter: STIG Summary: VMware vSphere 6.7 Virtual Machine Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

Access to virtual machines through the dvfilter network APIs must be controlled.

DISA Rule

SV-239350r679599_rule

Vulnerability Number

V-239350

Group Title

SRG-OS-000480-VMM-002000

Rule Version

VMCH-67-000019

Severity

CAT III

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format ethernet*.filter*.name. Ensure only required VMs use this setting.

Note: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting

Note: Change the X and Y values to match the specific setting in your environment.

Check Contents

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format ethernet*.filter*.name.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*"

If the virtual machine advanced setting ethernet*.filter*.name exists and dvfilters are not in use, this is a finding.

If the virtual machine advanced setting ethernet*.filter*.name exists and the value is not valid, this is a finding.

Vulnerability Number

V-239350

Documentable

False

Rule Version

VMCH-67-000019

Severity Override Guidance

From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Look for settings with the format ethernet*.filter*.name.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name "ethernet*.filter*.name*"

If the virtual machine advanced setting ethernet*.filter*.name exists and dvfilters are not in use, this is a finding.

If the virtual machine advanced setting ethernet*.filter*.name exists and the value is not valid, this is a finding.

Check Content Reference

Target Key

5327

Access to virtual machines through the dvfilter network APIs must be controlled.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments