Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-39346 | SRG-OS-99999-ESXI5-000151 | SV-51204r1_rule | | Low |
Description |
---|
If products that use the dvfilter network API are not used, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host. If a product uses this API, the host must be verified as being correctly configured. |
STIG | Date |
---|---|
VMware ESXi Server 5.0 Security Technical Implementation Guide | 2015-09-15 |
Check Text ( C-46620r3_chk ) |
---|
From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net" and verify the value of Net.DVFilterBindIpAddress. For a host without a dvfilter-based network security appliance, the following kernel parameter value must be blank/empty: /Net/DVFilterBindIpAddress. For a host where a dvfilter-based network security appliance is being used, the value of this parameter must be set to match the appliance. If a dvfilter-based network security appliance is not used and the kernel parameter /Net/DVFilterBindIpAddress is populated, this is a finding. If a dvfilter-based network security appliance is used and the kernel parameter /Net/DVFilterBindIpAddress does not match the appliance, this is a finding. |
Fix Text (F-44360r5_fix) |
---|
From the vSphere client select the host and click "Configuration >> Advanced Settings >> Net". Set the value of Net.DVFilterBindIpAddress to blank if a dvfilter-based network security appliance is not used, or (where used) set the value of Net.DVFilterBindIpAddress to match the dvfilter-based network security appliance. |
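The check and fix above are written for the vSphere client. The following shell script is an added example (not part of the STIG, and not DISA or VMware code) that applies the same decision logic from the ESXi shell: it extracts the `String Value` field from the output of `esxcli system settings advanced list -o /Net/DVFilterBindIpAddress` and reports "compliant" or "finding" depending on whether a dvfilter-based appliance is deployed. The esxcli output embedded in the script is constructed for the example (the field layout assumes the usual esxcli listing format), the appliance address 192.0.2.10 is a placeholder, and the `esxcli ... set` command in the trailing comment is the assumed command-line equivalent of the fix and is not executed.

```shell
#!/bin/sh
# Added example: evaluate STIG check V-39346 (Net.DVFilterBindIpAddress)
# from the ESXi shell instead of the vSphere client.

# Constructed sample in the shape of:
#   esxcli system settings advanced list -o /Net/DVFilterBindIpAddress
# The real command needs an ESXi host; this text only stands in for its output.
SAMPLE_ESXCLI_OUTPUT='   Path: /Net/DVFilterBindIpAddress
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value: 192.0.2.10
   Default String Value: 
   Valid Characters: *
   Description: IP address of the dvfilter-based security appliance (constructed)'

# Pull the bind address out of an esxcli listing.
# Only the "String Value:" line is matched; "Default String Value:" is skipped
# because the anchor requires the field name at the start of the line.
dvfilter_value_from_listing() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//'
}

# Apply the STIG logic.
#   $1 = observed value of /Net/DVFilterBindIpAddress
#   $2 = address used by the dvfilter appliance, or empty when none is deployed
# Prints "compliant" or "finding".
dvfilter_status() {
    observed=$1
    expected=$2
    if [ -z "$expected" ]; then
        # No appliance on this host: the parameter must be blank.
        if [ -z "$observed" ]; then echo compliant; else echo finding; fi
    else
        # Appliance in use: the parameter must match it exactly.
        if [ "$observed" = "$expected" ]; then echo compliant; else echo finding; fi
    fi
}

# Demonstration on the constructed listing.
val=$(dvfilter_value_from_listing "$SAMPLE_ESXCLI_OUTPUT")
echo "observed value: '$val'"
echo "no appliance deployed:   $(dvfilter_status "$val" "")"
echo "appliance at 192.0.2.10: $(dvfilter_status "$val" 192.0.2.10)"

# On a live host (not run here) the check would be:
#   out=$(esxcli system settings advanced list -o /Net/DVFilterBindIpAddress)
#   dvfilter_status "$(dvfilter_value_from_listing "$out")" "$APPLIANCE_IP"
# and the fix, assumed to be the command-line form of the vSphere client step:
#   esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -s "$APPLIANCE_IP"
# with an empty string when no dvfilter appliance is deployed.
```

Run with `sh dvfilter_check.sh` to see the two outcomes for the same observed value: a populated address is a finding when no appliance exists and compliant when it matches the deployed appliance, which is exactly the distinction the check text draws.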