8.4.1 Control access to VMs through the dvfilter network APIs

Information

Configure VMs protected by dvfilter network APIs correctly.

*Rationale*

A VM must be configured explicitly to accept access by the dvfilter network API. Only
configure VMs that will be specifically accessed by the API. An attacker might compromise
a VM by making use the dvFilter API.

Solution

If a VM is supposed to be protected:

Configure the following in its VMX file:

ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine
that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the
VM.

Ensure that the name of the data path kernel is set correctly.If a VM is not supposed to be protected:

Remove the following from its VMX file:

ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine
that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the
VM.

Impact-Incorrectly configuring this option can negatively impact functionality of tools that use
vmsafe API. It can also prevent VMs from connecting to the network.

Default Value-The prescribed state is the default state.

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: VMware

Control ID: 495a4bfd85246e3dd355398f91fbaf3e06da22421636551934260f5b3e14d5ae