cstewart28
Contributor

DISA STIG Req to set shares, limits and reservations

I'm trying to implement the following requirement:

Ref: VMware ESXi Version 5 Virtual Machine Security Technical Implementation Guide :: Release: 6 Benchmark Date: 22 Jan 2016

Vuln ID: V-39442

Discussion: By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions.

Check Content: Virtual machines (VMs) that have a greater risk of being exploited or attacked, or that run applications known to potentially consume resources must be constrained. From the vSphere Client/vCenter, select the Datacenter/host. Right-click the VM, select Edit Settings to check the virtual machine's memory and/or CPU shares, limits, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. Care must be taken to ensure that the settings do not hamper dynamic resource allocation and management proper to virtualization systems.

Fix Text: From the vCenter client, select the Datacenter/host. Right-click the VM select Edit Settings to configure the virtual machine's memory and/or CPU limits, shares, and/or reservation(s). Appropriate values must be set for memory, CPU, advanced CPU, and disk variables. With the appropriate (site-specific) level selected for the VM, select the OK button to save any change(s).

If any host VMs do not have share, limit, and/or reservation setpoints initialized, as appropriate to their respective levels of the risk of exploit or attack, this is a finding.

So I have to set these values or it's a finding (bad thing, CAT 1), so I'm trying to find an easy way to set them based on the current VM settings, with a PowerCLI script or something.

I have about 100 VMs to set these on across 12 ESXi hosts, not a large quantity, but a pain if I have to do it individually. The environment is not that taxed, so based on the performance of the system I have to set something; I was thinking of basing it on the amount of CPU the VM has and sharing the same way.

Looking for someone else who has done this and if they have any pointers on accomplishing it.

Thanks

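An added PowerCLI example (not from the thread) covering both the audit the second reply suggests and the bulk set the question asks for: the first function reports shares, limits and reservations per VM and flags unlimited limits or non-default share levels; the second sets shares proportional to vCPU count and memory size. It assumes an open Connect-VIServer session; the per-vCPU share figures, the MHz-per-vCPU value and the placeholder VM name pattern are assumptions to be replaced with site-specific values.

```powershell
# Added example, not code from the original thread. Assumes Connect-VIServer has already run.
# vSphere 'Normal' share level equals 1000 CPU shares per vCPU and 10 memory shares per MB;
# these constants reproduce that ratio as explicit (Custom) values so the setpoint is initialized.
$CpuSharesPerVcpu = 1000
$MemSharesPerMB   = 10

function Get-VmResourceAudit {
    # Report each VM's resource settings and flag the ones the STIG check cares about.
    param([string]$Name = '*')
    Get-VM -Name $Name | ForEach-Object {
        $vm  = $_
        $cfg = Get-VMResourceConfiguration -VM $vm
        [pscustomobject]@{
            VM           = $vm.Name
            vCPU         = $vm.NumCpu
            MemoryMB     = $vm.MemoryMB
            CpuShares    = $cfg.NumCpuShares
            CpuLimitMhz  = $cfg.CpuLimitMhz        # -1 means unlimited
            CpuResMhz    = $cfg.CpuReservationMhz
            MemShares    = $cfg.NumMemShares
            MemLimitMB   = $cfg.MemLimitMB         # -1 means unlimited
            MemResMB     = $cfg.MemReservationMB
            Unlimited    = ($cfg.CpuLimitMhz -eq -1 -or $cfg.MemLimitMB -eq -1)
            SharesNormal = ($cfg.CpuSharesLevel -eq 'Normal' -and $cfg.MemSharesLevel -eq 'Normal')
        }
    }
}

function Set-VmResourceBaseline {
    # Give every VM explicit shares scaled to its size and a limit equal to its configured size,
    # so setpoints exist without capping the VM below what it was already allocated.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VM,
        [int]$CpuMhzPerVcpu = 2000   # assumed host core clock; set to the site's actual value
    )
    process {
        $cfg = Get-VMResourceConfiguration -VM $VM
        if ($PSCmdlet.ShouldProcess($VM.Name, 'Set CPU/memory shares and limits')) {
            Set-VMResourceConfiguration -Configuration $cfg `
                -CpuSharesLevel Custom -NumCpuShares ($VM.NumCpu * $CpuSharesPerVcpu) `
                -MemSharesLevel Custom -NumMemShares ($VM.MemoryMB * $MemSharesPerMB) `
                -CpuLimitMhz ($VM.NumCpu * $CpuMhzPerVcpu) -MemLimitMB $VM.MemoryMB | Out-Null
        }
    }
}

# Usage (placeholder name pattern): audit first, then dry-run the change with -WhatIf before applying.
Get-VmResourceAudit | Where-Object { $_.Unlimited -or -not $_.SharesNormal } | Format-Table -AutoSize
Get-VM -Name 'app-*' | Set-VmResourceBaseline -WhatIf
```

Keep the audit output as the evidence for the check, and review the reservations separately: the script leaves them untouched because a reservation that is too large is what actually hampers dynamic allocation on a shared host.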
gracman
Contributor

Hm. Unless I am not understanding this, I am not sure why you would need limits if your VMs are already limited by their configured CPU and memory sizes.

Texiwill
Leadership

Hello,

All VMs are initially limited by a set number of shares, etc. There are default values. What you need to find are the ones that are either above those default values or ones that are unlimited, which is also possible. Yes, you can use PowerShell, Perl, Ruby, etc. to interact with the MoB to find those values and report upon them. What is the version of vSphere you are monitoring?

Check out https://deangrant.wordpress.com/2014/04/24/powercli-retrieve-vms-where-cpu-or-memory-reservation-has...; it is a good starting point.

Best regards,
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017

Virtualization and Cloud Security Analyst: TVP Strategy

Blue Gears Blog: vSphere Upgrade Saga
Podcast: Virtualization and Cloud Security Round Table Podcast
GitHub: https://github.com/Texiwill
