The system must zero out VMDK files prior to deletion.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of SRG-OS-99999-ESXI5

Associated with: CCI-000366

SV-51211r2_rule The system must zero out VMDK files prior to deletion.

Vulnerability discussion

The virtual disk must be zeroed out prior to deletion in order to prevent sensitive data in VMDK files from being recovered.

Check content

Ask the SA if a documented procedure is used to overwrite sensitive data in VMDK flat files prior to deletion. The procedure must include a command to zero out data and the file must then be deleted. See some examples directly below.

vmkfstools --writezeroes
or
dd if=/dev/zero of=

If a documented procedure to overwrite sensitive data in VMDK flat files prior to deletion does not exist, this is a finding.

Fix text

Create and document a procedure to zero out sensitive data prior to removal of the VMDK file. Command line interface commands such as vmkfstools, dd, and rm must be used, per the examples below.

vmkfstools --writezeroes
or
dd if=/dev/zero of=

Note: The vSphere Client does not automatically zero out a VMDK file when it is destroyed.
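An added example, not part of the STIG text or of any VMware tooling: a POSIX shell version of the zero-then-delete procedure built on the dd alternative named in the fix text. The function names zero_vmdk and zero_and_delete_vmdk and the verification step are assumptions of this example; the caller supplies the path of the flat file.

```shell
#!/bin/sh
# Added example: overwrite a VMDK flat file with zeros, verify, then delete.
# zero_vmdk and zero_and_delete_vmdk are hypothetical helper names.

MIB=1048576

zero_vmdk() {
    target=$1
    # Only operate on a regular file; never follow a symlink to another disk.
    if [ -z "$target" ] || [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refusing: '$target' is not a regular file" >&2
        return 2
    fi
    size=$(wc -c < "$target") || return 1
    size=$((size + 0))                      # normalise padded wc output
    full=$((size / MIB))
    rem=$((size % MIB))

    # Without conv=notrunc dd would truncate the file first, so the old
    # blocks could be freed rather than overwritten.
    if [ "$full" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs="$MIB" count="$full" \
            conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rem" -gt 0 ]; then               # tail shorter than one block
        dd if=/dev/zero of="$target" bs=1 seek=$((full * MIB)) count="$rem" \
            conv=notrunc 2>/dev/null || return 1
    fi
    sync

    # Verify: after deleting NUL bytes nothing may remain.
    left=$(tr -d '\000' < "$target" | wc -c) || return 1
    if [ "$((left + 0))" -ne 0 ]; then
        echo "verification failed: $target still holds data" >&2
        return 1
    fi
    echo "zeroed $size bytes in $target"
}

zero_and_delete_vmdk() {
    # Delete only after the overwrite has been verified.
    zero_vmdk "$1" || return $?
    rm -f -- "$1" || return 1
    echo "deleted $1"
}
```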
