
The system must control virtual machine access to host resources.


Overview

Finding ID: ESXI5-VM-000001
Version: ESXI5-VM-000001
Rule ID: ESXI5-VM-000001_rule
IA Controls:
Severity: High
Description
By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service in which one virtual machine consumes so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-ESXI5-VM-000001_chk)
Virtual machines (VMs) that have a greater risk of being exploited or attacked, or that run applications known to potentially consume resources, must be constrained. From the vSphere Client/vCenter, select the Datacenter/host. Right-click the VM and select Edit Settings to check the virtual machine's memory and/or CPU reservation(s). Values must be set for memory, CPU, advanced CPU, and disk variables.

If any host VMs do not have share, limit and/or reservation setpoints initialized, this is a finding.
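
The check above can be scripted over an inventory export; the following is an added example, not part of the STIG or of VMware's tooling, that flags VMs whose CPU, memory or disk allocations are still at the defaults. It assumes a constructed inventory whose field names mirror vSphere's reservation/limit/shares settings, treats reservation 0, unlimited limit (-1) and normal shares together as "not initialized", and does not cover the advanced CPU settings.

```python
UNLIMITED = -1  # vSphere reports "no limit" as -1

# Constructed inventory: VM names and values are made up for illustration.
# Field names (reservation, limit, shares) are an assumed export layout.
SAMPLE_INVENTORY = [
    {"name": "web-dmz-01",
     "cpu": {"reservation": 500, "limit": 2000, "shares": "normal"},
     "memory": {"reservation": 1024, "limit": 4096, "shares": "normal"},
     "disks": {"Hard disk 1": {"limit": 500, "shares": "low"}}},
    {"name": "build-agent-02",
     "cpu": {"reservation": 0, "limit": UNLIMITED, "shares": "normal"},
     "memory": {"reservation": 0, "limit": 8192, "shares": "normal"},
     "disks": {"Hard disk 1": {"limit": UNLIMITED, "shares": "normal"}}},
    {"name": "legacy-app-03",
     "cpu": {"reservation": 0, "limit": 1000, "shares": "high"},
     "memory": {"reservation": 512, "limit": 2048, "shares": "normal"}},
]

def is_default(alloc):
    """True when reservation, limit and shares are all untouched defaults
    (assumed meaning of "not initialized" in the check text)."""
    return (alloc.get("reservation", 0) == 0
            and alloc.get("limit", UNLIMITED) == UNLIMITED
            and alloc.get("shares", "normal") == "normal")

def audit_vm(vm):
    """Return the resources of one VM that still carry default allocations."""
    gaps = []
    for resource in ("cpu", "memory"):
        alloc = vm.get(resource)
        if alloc is None or is_default(alloc):
            gaps.append(resource)
    disks = vm.get("disks")
    if not disks:
        # Missing disk data cannot be shown compliant, so report it.
        gaps.append("disk (no data)")
    else:
        gaps += [f"disk:{label}" for label, alloc in sorted(disks.items())
                 if is_default(alloc)]
    return gaps

def audit(inventory):
    """Map each non-compliant VM name to its unconstrained resources."""
    return {vm["name"]: gaps for vm in inventory if (gaps := audit_vm(vm))}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"FINDING {name}: defaults on {', '.join(gaps)}")
```
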
Fix Text (F-ESXI5-VM-000001_fix)
From the vCenter client, select the Datacenter/host. Right-click the VM and select Edit Settings to configure the virtual machine's memory and/or CPU reservation(s). Values must be set for memory, CPU, advanced CPU, and disk variables. With the appropriate (site-specific) level selected for the VM, select the OK button to save any change(s).