STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

V-258727

CAT II (Medium)

Virtual machines (VMs) must disable DirectPath I/O devices when not required.

Rule ID

SV-258727r933242_rule

STIG

VMware vSphere 8.0 Virtual Machine Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

VMDirectPath I/O (PCI passthrough) enables direct assignment of hardware PCI functions to VMs. This gives the VM access to the PCI functions with minimal intervention from the ESXi host. This is a powerful feature for legitimate applications such as virtualized storage appliances, backup appliances, dedicated graphics, etc., but it also allows a potential attacker highly privileged access to underlying hardware and the PCI bus.

Check Content

For each virtual machine do the following:

From the vSphere Client, view the Summary tab.

Review the PCI devices section and verify none exist.

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-PassthroughDevice

If the virtual machine has passthrough devices present, and the specific device returned is not approved, this is a finding.

Fix Text

From the vSphere Client, select the Virtual Machine, right-click and go to Edit Settings >> Virtual Hardware tab.

Find the unexpected PCI device returned from the check.

Hover the mouse over the device and click the circled "X" to remove the device. Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

Get-VM "VM Name" | Get-PassthroughDevice | Remove-PassthroughDevice
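The following PowerCLI script is an added example, not part of the STIG text or VMware's own tooling. It applies the check above to every VM in the connected inventory rather than one named VM, treats only (VM, device) pairs on an approved list as exceptions, reports the rest as V-258727 findings, and, when run with -Remediate, performs the fix text's removal with a confirmation prompt per device. It assumes VMware PowerCLI is installed and a session was opened with Connect-VIServer; the approved-list entries are constructed placeholders.

```powershell
# Added example (not STIG or VMware code): audit all VMs for PCI passthrough
# (DirectPath I/O) devices and flag any not on an approved list.
# Assumes: PowerCLI module loaded and Connect-VIServer already run.
param(
    # Approved exceptions as "VMName|DeviceName" (constructed placeholder values)
    [string[]]$Approved = @('BACKUP-APPLIANCE-01|LSI Logic SAS Controller'),
    # When set, remove each unapproved device (prompting first) instead of only reporting
    [switch]$Remediate
)

$findings = @()
foreach ($vm in Get-VM) {
    # Same cmdlet the STIG check uses, restricted to PCI passthrough devices
    $devices = Get-PassthroughDevice -VM $vm -Type Pci -ErrorAction SilentlyContinue
    foreach ($dev in $devices) {
        $key = "$($vm.Name)|$($dev.Name)"
        if ($Approved -contains $key) { continue }   # documented exception, not a finding
        $findings += [pscustomobject]@{
            VM     = $vm.Name
            Device = $dev.Name
            Rule   = 'V-258727'
        }
        if ($Remediate) {
            # Mirrors the STIG fix text; -Confirm prompts before each removal
            Remove-PassthroughDevice -PassthroughDevice $dev -Confirm:$true
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No unapproved PCI passthrough devices found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without -Remediate first to produce the findings list for review; the approved list is the place to record devices the organization has authorized (the "specific device returned is not approved" condition in the check), so that the same script serves both the audit and the remediation.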