8.6.1 (L2) Ensure nonpersistent disks are limited

Information

By default, VM disks use dependent mode, which means they are affected by snapshots. To avoid this, VM disks can use independent mode instead. Independent mode can be configured as persistent (data is written permanently to the disk) or nonpersistent (all changes made to disk are lost when the system is rebooted). Use of nonpersistent mode should be avoided unless the data is not needed (e.g., already duplicated elsewhere).

From a security standpoint, nonpersistent mode allows successful attackers to remove evidence of their actions or even their presence within a VM by performing a simple shutdown or reboot.

Solution

To limit the use of nonpersistent mode, run the following PowerCLI command:

# Set-HardDisk takes -Persistence with one of Persistent, IndependentPersistent or
# IndependentNonPersistent. Running it over every disk unfiltered would rewrite all
# disk modes, so select only the disks currently in nonpersistent mode:
Get-VM | Get-HardDisk | Where-Object { $_.Persistence -eq "IndependentNonPersistent" } | Set-HardDisk -Persistence IndependentPersistent
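The following PowerCLI function is an added example, not part of the benchmark or of any VMware-supplied script. It audits every VM disk for nonpersistent mode, reports the findings as objects that can be exported as audit evidence, and optionally remediates with a dry-run option. It assumes an existing PowerCLI session (Connect-VIServer already run); the function name and the -Remediate switch are hypothetical.

```powershell
# Added example (not from the benchmark page): audit VM disk persistence with PowerCLI.
# Assumes Connect-VIServer has already been run; Get-NonPersistentDiskReport and the
# -Remediate switch are hypothetical names chosen for this example.
function Get-NonPersistentDiskReport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remediate
    )

    # Collect every virtual disk together with its current persistence mode.
    $disks = Get-VM | Get-HardDisk | Select-Object `
        @{Name = 'VM';          Expression = { $_.Parent.Name }},
        @{Name = 'Disk';        Expression = { $_.Name }},
        @{Name = 'File';        Expression = { $_.Filename }},
        @{Name = 'Persistence'; Expression = { [string]$_.Persistence }},
        @{Name = 'Object';      Expression = { $_ }}

    # IndependentNonPersistent disks discard all writes when the VM powers off,
    # which is the mode this control wants limited.
    $findings = $disks | Where-Object { $_.Persistence -eq 'IndependentNonPersistent' }

    foreach ($f in $findings) {
        Write-Warning ("Nonpersistent disk: VM '{0}', disk '{1}' ({2})" -f $f.VM, $f.Disk, $f.File)
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($f.VM)/$($f.Disk)", 'Set-HardDisk -Persistence IndependentPersistent')) {
            # IndependentPersistent keeps the disk out of snapshots (the usual reason
            # independent mode was chosen) but makes writes survive a reboot.
            $f.Object | Set-HardDisk -Persistence IndependentPersistent -Confirm:$false | Out-Null
        }
    }

    # Return the findings so they can be piped to Export-Csv or a ticketing system.
    $findings | Select-Object VM, Disk, File, Persistence
}

# Report only:
Get-NonPersistentDiskReport
# Dry run of the remediation (no disks are changed):
Get-NonPersistentDiskReport -Remediate -WhatIf
```

Run the report first and review which VMs legitimately rely on nonpersistent disks (for example, throwaway lab machines whose data is duplicated elsewhere) before invoking -Remediate without -WhatIf. If a disk should also be included in snapshots, use -Persistence Persistent instead of IndependentPersistent.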

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-11, 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SI-12, CSCv7|5.1

Plugin: VMware

Control ID: 8b12403ba88fec8c8003659052da03b4484b221117ee1873240d8806394d2cd9