UCF STIG Viewer Logo

The system must disconnect unauthorized floppy devices.


Overview

Finding ID Version Rule ID IA Controls Severity
V-39489 ESXI5-VM-000034 SV-51347r3_rule Medium
Description
Besides disabling unnecessary virtual devices from within the virtual machine, ensure no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, the parameter must be assigned a value of false. NOTE: The parameters listed are not sufficient to ensure a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
STIG Date
VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide 2017-07-11

Details

Check Text ( C-46749r4_chk )
Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required.

As root, log in to the ESXi Shell and locate any/all vmx files.
# find / | grep vmx

Check the ".vmx" file for the correct attribute/assignment pair. Note that the integer value of X (for the attribute floppyX.present) must be greater than or equal to 0, depending upon the system configuration.
# grep "^floppy"

Example output for the above command:
floppyX.present = "false"

If the floppyX.present attribute (X must be greater than or equal to 0) is set to "TRUE", this is a finding.

Re-enable Lockdown Mode on the host.
Fix Text (F-44785r2_fix)
Configure the vmx file with the correct attribute/assignment pair.

To edit a powered-down virtual machine's .vmx file, first remove it from vCenter Server's inventory. Manual additions to the .vmx file from ESXi will be overwritten by any registered entries stored in the vCenter Server database. Make a backup copy of the .vmx file. If the edit breaks the virtual machine, it can be rolled back to the original version of the file.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage.
Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the .vmx file. Right-click the .vmx file and click Remove from inventory.

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client.

Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi host and locate the VM's vmx file.
# find / | grep vmx

Add the following line to the vmx file. Note that X must be greater than or equal to 0 (based on the system configuration).
floppyX.present = "false"

Re-enable Lockdown Mode on the host.

Re-register the VM with the vCenter Server:
Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Storage.
Right-click on the appropriate datastore and click Browse Datastore. Navigate to the folder named after the virtual machine, and locate the .vmx file. Right-click the .vmx file and click Add to inventory. The Add to Inventory wizard opens. Continue to follow the wizard to add the virtual machine.