What were the basis for the security config guide, did you follow some directives, guidance ?
Thanks for the time
The guide has been around for around a decade and Pre-dates directives such as PCI. In fact, most PCI, HIPAA & DISA type directives use this guide as the basis for their requirements. This guide would be considered "vendor best practices" or something similar.
Applying guide settings but found a typo under heading Vulnerability Discussion for Guideline ID "VM.Enable-VGA-Only-Mode". The description is taken from the previous 3 settings "VM.disconnect-devices-serial" etc. IT starts "Ensure that no device is connected to a virtual machine if it is not required" but doesn't describe why VGA only should be used.
Thanks for catching this. I'll update the vulnerability discussion and it will come out in the next update of the guide.
The updated Vulnerability Discussion will be:
Many Server-class virtual machines need only a standard VGA console (typically a Unix/Linux server system). Enabling this setting removes additional unnecessary (for a server workload) functionality beyond disabling 3D.