The ESXi host must not be configured to override virtual machine (VM) configurations.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258791	SRG-OS-000480-VMM-002000	ESXI-80-000236	SV-258791r933434_rule	2023-10-11	1

Description
Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host itself and the per-vm .vmx file in the VM storage path on the datastore. The settings on the ESXi host are read first and take precedence over settings in the .vmx file. This can be a convenient way to set a setting in one place and have it apply to all VMs running on that host. The difficulty is in managing those settings and determining the effective state. Since managing per-VM vmx settings can be fully automated and customized while the ESXi setting cannot be easily queried, the ESXi configuration must not be used.

Description

Each VM on an ESXi host runs in its own "vmx" process. Upon creation, a vmx process will look in two locations for configuration items, the ESXi host itself and the per-vm *.vmx file in the VM storage path on the datastore. The settings on the ESXi host are read first and take precedence over settings in the *.vmx file. This can be a convenient way to set a setting in one place and have it apply to all VMs running on that host. The difficulty is in managing those settings and determining the effective state. Since managing per-VM vmx settings can be fully automated and customized while the ESXi setting cannot be easily queried, the ESXi configuration must not be used.

ℹ️ Check
From an ESXi shell, run the following command: # stat -c "%s" /etc/vmware/settings Expected result: 0 If the output does not match the expected result, this is a finding.

✔️ Fix
From an ESXi shell, run the following command: # echo -n >/etc/vmware/settings