Rule ID
SV-279486r1192542_rule
Version
V1R1
CCIs
VMM management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access VMM management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. VMM management functionality includes functions necessary to administer console, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from VMM management functionality is either physical or logical and is accomplished by using different guest VMs, different computers, different central processing units, different instances of the VMM, different network addresses, different TCP/UDP ports, other virtualization techniques, combinations of these methods, or other methods, as appropriate.
Management information flow can be isolated to a separate VLAN from the guest VMs. Verify a management LAN is configured.
1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Under the "Settings" menu, click "Network Configuration", then select the "Internal Interfaces" tab.
4. Click "Management LAN".
If "VLAN ID" is "0" or blank, this is a finding.
Configure management information flow to isolate to a separate VLAN from the guest VMs.
1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Under the "Settings" menu, click "Network Configuration", then select the "Internal Interfaces" tab.
4. Click "Management LAN".
5. Set the VLAN to the VLAN used for management functions.
a. SSH into each CVM host as user "Nutanix" and issue the following command: change_cvm_vlan vlan_id
b. SSH into each AHV host as root and issue the following command: ovs-vsctl set port br0 tag=vlan_id
Note: All network switches connected to Nutanix nodes must be appropriately configured with the same VLAN ID.
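The check and fix above both hinge on one condition: the management VLAN tag on the AHV bridge is a finding when it is "0" or blank. The following added example (not part of the STIG text, and not Nutanix tooling) turns that condition into a small shell classifier that can be run on each AHV host after the fix. It assumes that `ovs-vsctl get port br0 tag` prints the integer tag, or `[]` when no tag is set, and it goes slightly beyond the check text by also treating non-numeric or out-of-range (not 1-4094) values as findings.

```shell
# Added example: evaluate the AHV bridge's management VLAN tag per the STIG check.
# Assumption: `ovs-vsctl get port br0 tag` prints the integer tag, or "[]" when unset.

# Classify one raw tag value as "finding" or "pass".
# $1 = raw output of `ovs-vsctl get port br0 tag` (or the Prism "VLAN ID" field).
classify_mgmt_vlan() {
    tag=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$tag" in
        ''|'[]'|0)   echo finding ;;   # blank, unset ("[]") or VLAN 0: finding per the check text
        *[!0-9]*)    echo finding ;;   # not a VLAN number at all (beyond the check text)
        *)
            # Numeric: only 1-4094 is a usable 802.1Q tag (beyond the check text).
            if [ "$tag" -ge 1 ] && [ "$tag" -le 4094 ]; then
                echo pass
            else
                echo finding
            fi
            ;;
    esac
}

# Live check for the local AHV host (run as root on the host, after step 5b).
# If ovs-vsctl is unavailable or fails, report a finding rather than silently passing.
check_host_mgmt_vlan() {
    raw=$(ovs-vsctl get port br0 tag 2>/dev/null) || { echo finding; return; }
    classify_mgmt_vlan "$raw"
}

# Constructed sample values standing in for command output, so the classifier can be
# exercised offline; '100' is the only one that should pass.
for sample in '[]' '0' '' '100' '4095' 'abc'; do
    printf "tag '%s' -> %s\n" "$sample" "$(classify_mgmt_vlan "$sample")"
done
```

On a host that has been remediated, `check_host_mgmt_vlan` should print `pass`; any other output means the Management LAN still needs the VLAN set.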