The ESXi host must not be configured to override virtual machine (VM) logger settings.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-256445 | ESXI-70-000093 | SV-256445r959010_rule | CCI-000366 | medium |
Description
Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process looks in two locations for configuration items: the ESXi host itself and the per-VM *.vmx file in the VM storage path on the datastore. The settings on the ESXi host are read first and take precedence over settings in the *.vmx file. This can be a convenient way to define a setting in one place and have it apply to all VMs running on that host. The difficulty is in managing those settings and determining the effective state. Since managing per-VM vmx settings can be fully automated and customized, while the ESXi setting cannot be easily queried, the ESXi configuration must not be used.
| STIG | Date |
| --- | --- |
| VMware vSphere 7.0 ESXi Security Technical Implementation Guide | 2025-02-11 |
Details
Check Text (C-256445r959010_chk)
From an ESXi shell, run the following command:
# grep "^vmx\.log" /etc/vmware/config
If the command produces any output, this is a finding.
Fix Text (F-60063r918926_fix)
From an ESXi shell, run the following commands:
# cp /etc/vmware/config /etc/vmware/config.bak
# grep -v "^vmx\.log" /etc/vmware/config.bak > /etc/vmware/config
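The check and fix above, as an added shell example that is not part of the STIG: it runs the same grep pattern against a constructed sample config, reports whether this is a finding, and remediates in the same order as the fix text, backing up first and filtering the backup into the live file (redirecting a file onto itself would truncate it before grep reads it). The sample contents and the file path argument are assumptions, so it can be dry-run on a copy before touching /etc/vmware/config on a real host.

```shell
#!/bin/sh
# Added example (not part of the STIG). Audits and remediates ESXI-70-000093
# against the config file path given as an argument.

# Constructed sample config (not captured from a real ESXi host).
# Two keys override VM logger settings; the rest are ordinary host keys.
make_sample_config() {
  cat > "$1" <<'EOF'
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
vmx.log.keepOld = "10"
vmx.log.rotateSize = "100000"
vmx.fullpath = "/bin/vmx"
EOF
}

# Same pattern as the STIG check: any line starting with "vmx.log" is an override.
count_vmx_log_overrides() {
  # grep -c exits 1 when the count is 0; "|| true" keeps the printed count.
  grep -c '^vmx\.log' "$1" || true
}

# Returns 0 when compliant, 1 when this is a finding.
check_vmx_log_override() {
  if grep -q '^vmx\.log' "$1"; then
    echo "FINDING: $1 overrides VM logger settings ($(count_vmx_log_overrides "$1") line(s))"
    return 1
  fi
  echo "OK: no vmx.log override in $1"
  return 0
}

# Same steps as the STIG fix: back up, then filter the backup into the live file.
# Reading from the .bak copy matters: "grep -v f > f" would empty f first.
remediate_vmx_log_override() {
  cfg="$1"
  cp "$cfg" "$cfg.bak" || return 1
  grep -v '^vmx\.log' "$cfg.bak" > "$cfg"
  status=$?
  # grep -v exits 1 when it selects no lines (every line was an override); the
  # result is still a correct, empty file, so only status 2 (an error) fails.
  [ "$status" -le 1 ]
}

if [ "$1" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_config "$tmp"
  check_vmx_log_override "$tmp"
  remediate_vmx_log_override "$tmp"
  check_vmx_log_override "$tmp"
  rm -f "$tmp" "$tmp.bak"
fi
```

Run it with `--demo` to see the finding reported, remediated, and re-checked on the sample file.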