
The system must zero out VMDK files prior to deletion.


Overview

Finding ID: SRG-OS-99999-ESXI5-000161
Version: SRG-OS-99999-ESXI5-000161
Rule ID: SRG-OS-99999-ESXI5-000161_rule
IA Controls:
Severity: Medium
Description
The virtual disk must be zeroed prior to deletion in order to prevent sensitive data in VMDK files from being recovered.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000161_chk )

Ask the SA whether a documented procedure is used to overwrite sensitive data in VMDK flat files prior to deletion. The procedure must include a command that zeroes the data, after which the file must be deleted. Examples of suitable commands are given directly below.
vmkfstools --writezeroes
or
dd if=/dev/zero of=


If no documented procedure exists for overwriting sensitive data in VMDK flat files prior to deletion, this is a finding.

Fix Text (F-SRG-OS-99999-ESXI5-000161_fix)


Create and document a procedure to zero sensitive data prior to removal of the VMDK file. Command-line interface commands such as vmkfstools, dd and rm must be used. Alternatively, from the vSphere Client, select the ESX host >> Configuration tab >> Storage >> Add storage >> Select the LUN ID to be destroyed.
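As an added worked example (not part of the STIG text), the dd-then-rm route named in the check and fix text above, written as a POSIX sh script: overwrite the flat file in place with zeros, verify that every byte reads back as zero, and only then remove it. The function names zero_file, is_all_zero and zero_and_remove are assumed, and the script operates on an ordinary local file rather than a VMDK on a VMFS datastore.

```shell
#!/bin/sh
# Added example, not from the STIG: overwrite-verify-delete with dd and rm.
# Works on any POSIX system; on an ESXi host the overwrite step would use
# vmkfstools against the -flat.vmdk on the datastore instead of dd.
set -u

# zero_file FILE: overwrite every byte of FILE with zeros, in place.
# conv=notrunc keeps the file length so the whole original extent is covered.
zero_file() {
    f=$1
    size=$(wc -c < "$f") || return 1
    bs=1048576                      # 1 MiB blocks for the bulk of the file
    full=$((size / bs))
    rest=$((size % bs))
    if [ "$full" -gt 0 ]; then
        dd if=/dev/zero of="$f" bs="$bs" count="$full" conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rest" -gt 0 ]; then
        # Tail shorter than one block: feed exactly $rest zero bytes to a dd
        # that seeks $full blocks into the file before writing.
        dd if=/dev/zero bs="$rest" count=1 2>/dev/null |
            dd of="$f" bs="$bs" seek="$full" conv=notrunc 2>/dev/null || return 1
    fi
    sync
}

# is_all_zero FILE: succeed only if every byte of FILE is 0x00.
# od prints each byte as two hex digits; after deleting spaces, zero digits
# and newlines, nothing must remain.
is_all_zero() {
    [ "$(od -An -v -tx1 "$1" | tr -d ' 0\n' | wc -c)" -eq 0 ]
}

# zero_and_remove FILE: the documented procedure the STIG asks for, as code.
# The file is deleted only after the overwrite has been verified.
zero_and_remove() {
    f=$1
    [ -f "$f" ] || { echo "zero_and_remove: no such file: $f" >&2; return 1; }
    zero_file "$f" || { echo "zero_and_remove: overwrite of $f failed" >&2; return 1; }
    if ! is_all_zero "$f"; then
        echo "zero_and_remove: refusing to delete $f, verification failed" >&2
        return 1
    fi
    rm -f -- "$f"
}
```

The od-based verification is for demonstration and is slow on multi-gigabyte flat files; in-place overwriting also only reaches the blocks the filesystem rewrites, which is why the STIG's first example is vmkfstools operating on the datastore itself.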