When you use independent nonpersistent disks with virtual machines, successful attackers can remove any evidence that the machine was compromised by shutting down or rebooting the system. Without a persistent record of activity on a virtual machine, administrators might be unaware of an attack. Therefore, avoid using independent nonpersistent disks.
- ♦ Ensure that virtual machine activity is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector.
If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should be one of the following settings:
- Not present
- Not set to independent nonpersistent
When nonpersistent mode is not enabled, you cannot roll a virtual machine back to a known state when you reboot the system.