Nutanix VMM must separate user functionality (including user interface services) from VMM management functionality.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-279486 | NXAC-AS-000089 | SV-279486r1192542_rule | CCI-001082 | medium |

Description

VMM management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access VMM management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. VMM management functionality includes functions necessary to administer console, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from VMM management functionality is either physical or logical and is accomplished by using different guest VMs, different computers, different central processing units, different instances of the VMM, different network addresses, different TCP/UDP ports, other virtualization techniques, combinations of these methods, or other methods, as appropriate.

| STIG | Date |
|---|---|
| Nutanix Acropolis Application Server Security Technical Implementation Guide | 2026-02-24 |
Details
Check Text (C-279486r1192542_chk)
Management information flow can be isolated to a separate VLAN from the guest VMs. Verify a management LAN is configured.
1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Under the "Settings" menu, click "Network Configuration", then select the "Internal Interfaces" tab.
4. Click "Management LAN".
If "VLAN ID" is "0" or blank, this is a finding.
Fix Text (F-83944r1192541_fix)
Configure the management information flow to be isolated on a separate VLAN from the guest VMs.
1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Under the "Settings" menu, click "Network Configuration", then select the "Internal Interfaces" tab.
4. Click "Management LAN".
5. Set the VLAN to the VLAN used for management functions.
a. SSH into each CVM host as user "Nutanix" and issue the following command:
change_cvm_vlan vlan_id
b. SSH into each AHV host as root and issue the following command:
ovs-vsctl set port br0 tag=vlan_id
Note: All network switches connected to Nutanix nodes must be appropriately configured with the same VLAN ID.
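The check above can be scripted on an AHV host. The following is an added example, not part of the STIG text or Nutanix tooling: it reads the br0 port tag that the fix text sets with ovs-vsctl and applies this rule's finding criterion (VLAN ID "0" or blank is a finding). It assumes `ovs-vsctl get port br0 tag` prints `[]` when no tag is set and the integer tag otherwise; when ovs-vsctl is absent it evaluates a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example for STIG rule NXAC-AS-000089 (not Nutanix or DISA code).
# Evaluates the management VLAN tag on br0 against the rule: a VLAN ID of
# "0" or blank means management traffic shares the untagged network with
# guest VM traffic, which is a finding.

# mgmt_vlan_status VALUE
# VALUE is assumed to be the output of `ovs-vsctl get port br0 tag`.
# Prints a one-line verdict; returns 0 when compliant, 1 when it is a finding.
mgmt_vlan_status() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        ''|'[]'|0)
            echo "finding: management VLAN is unset or 0 (untagged, shared with guest VM traffic)"
            return 1 ;;
        *[!0-9]*)
            echo "finding: unexpected tag value '$v'"
            return 1 ;;
    esac
    # 802.1Q VLAN IDs are 1-4094; anything else cannot be a valid tag.
    if [ "$v" -lt 1 ] || [ "$v" -gt 4094 ]; then
        echo "finding: VLAN ID $v is outside 1-4094"
        return 1
    fi
    echo "compliant: management VLAN tagged $v"
    return 0
}

# audit_br0_tag
# Queries the live br0 tag when ovs-vsctl exists (i.e. on an AHV host);
# otherwise uses a constructed sample representing an untagged bridge.
audit_br0_tag() {
    if command -v ovs-vsctl >/dev/null 2>&1; then
        tag=$(ovs-vsctl get port br0 tag)
    else
        tag='[]'   # constructed sample: what an untagged br0 prints
    fi
    mgmt_vlan_status "$tag"
}
```

Run `audit_br0_tag` as root on each AHV host; a non-zero exit marks that host as a finding, and the CVM side is still verified through the Prism Element steps above.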