DirectPath I/O must be disabled on the virtual machine (VM) when not required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256476	VMCH-70-000028	SV-256476r886471_rule		Medium

Description
VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

Description

VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

STIG	Date
VMware vSphere 7.0 Virtual Machine Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-60151r886469_chk )
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration. Find any "pciPassthruX.present" value (where "X" is a count starting at 0) and verify it is set to "FALSE" or "". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name "pciPassthru*.present" \| Select Entity, Name, Value If the virtual machine advanced setting "pciPassthruX.present" is present, and the specific device returned is not approved, this is a finding. If the virtual machine advanced setting "pciPassthruX.present" is not present, this is not a finding.

Check Text ( C-60151r886469_chk )

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> VM Options tab >> Advanced >> Configuration Parameters >> Edit Configuration.

Find any "pciPassthruX.present" value (where "X" is a count starting at 0) and verify it is set to "FALSE" or "".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name "pciPassthru*.present" | Select Entity, Name, Value

If the virtual machine advanced setting "pciPassthruX.present" is present, and the specific device returned is not approved, this is a finding.

If the virtual machine advanced setting "pciPassthruX.present" is not present, this is not a finding.

Fix Text (F-60094r886470_fix)
From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> Virtual Hardware tab. Find the unexpected PCI device returned from the check. Hover the mouse over the device and click the circled "X" to remove the device. Click "OK". or From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command: Get-VM "VM Name" \| Get-AdvancedSetting -Name pciPassthruX.present \| Remove-AdvancedSetting Note: Change the "X" value to match the specific setting in the organization's environment.

Fix Text (F-60094r886470_fix)

From the vSphere Client, select the Virtual Machine, right-click, and go to Edit Settings >> Virtual Hardware tab.

Find the unexpected PCI device returned from the check.

Hover the mouse over the device and click the circled "X" to remove the device. Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-AdvancedSetting -Name pciPassthruX.present | Remove-AdvancedSetting

Note: Change the "X" value to match the specific setting in the organization's environment.