8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly

Information

A VM must be configured explicitly to accept access by the dvfilter network API. Only VMs that need to be accessed by that API should be configured to accept such access.

Rationale:

An attacker might compromise a VM by making use of the dvfilter API.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To configure a VM to allow dvfilter access, perform the following steps:

Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1 where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.

Set the name of the data path kernel correctly.

To configure a VM to not allow dvfilter access, perform the following steps:

Remove the following from its VMX file: ethernet0.filter1.name = dv-filter1.

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: 680abcd8c96833f4449944f0621d76739c8a79791cab242cb625ab91a44cf682