OS patches and updates are out of date on “off” and “suspended” virtual machines.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15932	ESX1210	SV-16874r1_rule	ECSC-1	Medium

Description
Virtual machines create a condition where they may be on, off, or suspended. The requirement that machines be on in a conventional approach to patch management, virus and vulnerability scanning, and machine configuration creates an issue in the virtual world. Virtual machines can appear and disappear from the network sporadically. Conventional networks can “anneal” new machines into a known good configuration state very quickly. However, converging virtual machines to a known good state is more challenging since the state may change quickly. For instance, a vulnerable machine can appear briefly and either become infected or reappear in a vulnerable state at a later time. Therefore, vulnerable virtual machines may become infected with a virus and never be detected since the virtual machine may be suspended or off. Suspended and off virtual machines should be patched regularly to ensure patches are up to date. Virtual machines that are on will be kept current with the OS per the appropriate OS STIG.

Description

Virtual machines create a condition where they may be on, off, or suspended. The requirement that machines be on in a conventional approach to patch management, virus and vulnerability scanning, and machine configuration creates an issue in the virtual world. Virtual machines can appear and disappear from the network sporadically. Conventional networks can “anneal” new machines into a known good configuration state very quickly. However, converging virtual machines to a known good state is more challenging since the state may change quickly. For instance, a vulnerable machine can appear briefly and either become infected or reappear in a vulnerable state at a later time. Therefore, vulnerable virtual machines may become infected with a virus and never be detected since the virtual machine may be suspended or off. Suspended and off virtual machines should be patched regularly to ensure patches are up to date. Virtual machines that are on will be kept current with the OS per the appropriate OS STIG.

STIG	Date
VMware ESX 3 Virtual Machine	2016-05-03

Details

Check Text ( C-16280r1_chk )
Work with the OS reviewer to determine if the requirement is being met. 1. Login to VirtualCenter with the VI Client and select a suspended or off virtual machine. 2. Turn on the virtual machine and have the IAO/SA login. 3. Have the IAO/SA obtain the latest patch level for the OS and compare this to the latest release from the OS vendor. If the patch level is older than the latest release, this is a finding.

Check Text ( C-16280r1_chk )

Work with the OS reviewer to determine if the requirement is being met.
1. Login to VirtualCenter with the VI Client and select a suspended or off virtual machine.
2. Turn on the virtual machine and have the IAO/SA login.
3. Have the IAO/SA obtain the latest patch level for the OS and compare this to the latest release from the OS vendor. If the patch level is older than the latest release, this is a finding.

Fix Text (F-15878r1_fix)
Apply the latest OS patches for all “suspended” and “off” virtual machines.