Warning for CDROM Attached

[stfconsulting]

Is there anyway to trigger a warning in Veeam One Alarms when a CDROM is attached to a VMWare Virtual Machine?

[Vitaliy S.]

I think it is possible to do with a custom alarm based on the events coming from the vCenter Server. To configure it, please add a CDROM to the VM and check out Tasks&Events tab in Veeam ONE Client to review the event and then add its name to the custom alarm (created manually). Here is how you can add an event as a trigger during alarm creation > Adding Event-Based Rules

[RomanK]

Hi Stfconsulting,

Could you please clarify your use case for our better understanding? Do you want to do that because of the latest news about the vulnerability mentioned in the weekly forum digest?

Thanks

[stfconsulting]

Yes, I want to know when we leave a CDROM attached to a VM similar to how when we forget to remove a snapshot. Does that make sense?

[Gostev]

@RomanK the use case here is current VM escape vulnerability with the virtual CD-ROM device. In light of this, customers want to know if they have any VMs with a virtual CD-ROM device attached, and monitor this continuously (get warned when someone attaches such device to a VM).

[wishr]

Hi Everyone,

We are looking into this topic and will provide an update as soon as we have all the pieces of the puzzle built together.

Thanks

[RomanK]

Hi all,

We've done some digging and can now confirm that the suggestion by Vitaliy works.

When someone or something changes "Connected" or "Connect at power on" settings of a virtual machine's CD/DVD drive, vCenter generates a VmReconfiguredEvent event (which is a common event for any VM configuration changes). This event is captured by VONE and appears on the Task & Events tab. In that case, indeed you may create an Event-Based alarm in VONE. The rule for the alarm should look like below to narrow the alarm down to the CD/DVD drive configuration:
Rule type: Event
Event name: VmReconfiguredEvent
Event text: Here it becomes tricky because in my lab CD/DVD drives have device IDs 16000, 16001, and so on. Therefore, the use of a wildcard is required: *config.hardware.device(16*).connectable.connected: false*
We cannot say whether the device IDs differ from ours in your particular situation.
The rest of the alarm settings could remain default.



Once configured, you will start receiving alarms with the following event description: Reconfigured <VMNAME> on <HOSTNAME>. Modified: config.hardware.device(16000).connectable.startConnected: false -> true. Where "startConnected: false -> true" represent enabling "Connected" and/or "Connect at power on" checkmarks.



Reference: official VMware KB article 87249 (which also includes an alternative way of doing that).

Hope this helps.

[stfconsulting]

So when this alert occurs how does it present itself in the UI? Definitely a good temporary workaround however a great feature request to have a more "defined" alarm for the presence of connected ISOs.

[RomanK]

Custom alarms are shown in the UI in the same way as predefined alarms. In this particular example, the alarm will trigger on a specific VM when the CD/DVD configuration becomes insecure. Once VMware patches this vulnerability and you'll have the fixes applied to the entire infrastructure, you may simply delete this alarm.