When you use independent nonpersistent disks, successful attackers can remove any evidence that the machine was compromised by shutting down or rebooting the system. Without a persistent record of activity on a virtual machine, administrators might be unaware of an attack. Therefore, you should avoid using independent nonpersistent disks.

Procedure

  • Ensure that virtual machine activity is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector.
    If remote logging of events and activity is not configured for the guest, the scsiX:Y.mode parameter should meet one of the following conditions:
    • Not present
    • Not set to independent nonpersistent
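
One way to automate the check above, as an added example that is not VMware's own tooling: it parses the text of a .vmx file and reports each scsiX:Y.mode entry set to independent nonpersistent (spelled independent-nonpersistent in the file). The sample content, the function names and the remote_logging_configured flag are assumptions made for illustration.

```python
import re

# Constructed sample .vmx content for illustration (not from a real VM).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "app01"
scsi0.virtualDev = "pvscsi"
scsi0:0.fileName = "app01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.fileName = "app01_1.vmdk"
scsi0:1.mode = "persistent"
scsi1:0.fileName = "app01_2.vmdk"
# scsi1:2.mode = "independent-nonpersistent"
SCSI1:3.Mode = "Independent-NonPersistent"
'''

# key = "value" lines; a line starting with '#' is a comment and never matches.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')
# Assumption: keys and values are compared case-insensitively (conservative).
_MODE_KEY = re.compile(r'^scsi(\d+):(\d+)\.mode$', re.IGNORECASE)


def parse_vmx(text):
    """Return {key: value} for key = "value" lines; skip comments and blanks."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def nonpersistent_disks(text):
    """List (controller, unit) pairs whose scsiX:Y.mode is independent nonpersistent."""
    hits = []
    for key, value in parse_vmx(text).items():
        m = _MODE_KEY.match(key)
        if m and value.strip().lower() == "independent-nonpersistent":
            hits.append((int(m.group(1)), int(m.group(2))))
    return sorted(hits)


def audit(text, remote_logging_configured):
    """Page's rule: a finding exists only when the guest is not logged remotely."""
    return [] if remote_logging_configured else nonpersistent_disks(text)


if __name__ == "__main__":
    for ctrl, unit in audit(SAMPLE_VMX, remote_logging_configured=False):
        print(f"scsi{ctrl}:{unit}.mode is independent-nonpersistent; no remote logging")
```

A disk with no scsiX:Y.mode entry (scsi1:0 in the sample) produces no finding, matching the "Not present" condition.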

Results

When nonpersistent mode is not enabled, you cannot roll a virtual machine back to a known state when you reboot the system.