How to Configure your ESX Hosts to Successfully Pass an Audit… GUARANTEED!
Greg Shields, MVP, vExpert
Head Geek, Concentrated Technology
www.ConcentratedTech.com
Prevent Log Overflow
– VM logs to VI datastore can overflow log space.
– Set rotation size and count of logs to keep.
  log.rotatesize = 100000
  log.keepOld = 10
Guidance for VMX File Customization
Do not permit use of nonpersistent disks.
– These disks revert back to snapshot when VM is rebooted.
– Can be used by would-be attacker to cover tracks.
– Verify in VM settings.
Verify that unauthorized devices are not connected.
– Unnecessary peripherals should not be connected.
  floppy<x>.present
  serial<x>.present
  parallel<x>.present
– Prevent user from connecting devices from within the guest OS.
  isolation.tools.connectable.disable = TRUE
Guidance for VMX File Customization
Verify correct assignment of guest OS
– While not necessarily a security risk, improper guest OS assignment will have an impact on system performance.
Verify proper permissions on disk files.
– .VMX files should be 755 (owner rwx, group rx)
– .VMDK files should be 600 (owner rw)
– User and group should be root.
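The VMX settings on the preceding slides can be checked with a script rather than by eye. The following is an added example written for this transcript, not code from the presentation or from VMware: it reads a .vmx file, checks the log rotation keys, the isolation.tools.connectable.disable setting and the floppy/serial/parallel present flags, flags any disk whose mode is nonpersistent (the slide only says to verify this in VM settings; matching on the disk's .mode key is an assumption), and verifies the 755/600 permissions and root ownership of the .vmx and its sibling .vmdk files. The VMX it builds at the end is constructed for the demonstration and is audited as the current user so the demo runs without root.

```shell
#!/bin/sh
# Added example (not from the slides): audit a .vmx file and its sibling .vmdk
# files against the VMX guidance. Exit status of audit_vmx = number of findings.
# Assumptions: keys are matched case-insensitively, and a disk counts as
# nonpersistent when its <bus>:<unit>.mode value contains "nonpersistent".
# Permissions are read with GNU stat (-c).

# vmx_get FILE KEY -> prints KEY's value with quotes stripped, empty if unset
vmx_get() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -i "^[[:space:]]*$pat[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}

# is_num STRING -> true if STRING is a non-empty decimal integer
is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# audit_vmx FILE [OWNER] [GROUP] -> prints findings, returns their count
audit_vmx() {
    vmx="$1"; owner="${2:-root}"; group="${3:-root}"; n=0

    # Prevent log overflow: rotation size and count must be set and bounded
    v=$(vmx_get "$vmx" log.rotatesize)
    if ! is_num "$v" || [ "$v" -gt 100000 ]; then
        echo "FAIL log.rotatesize='$v' (want a number <= 100000)"; n=$((n+1))
    fi
    v=$(vmx_get "$vmx" log.keepOld)
    if ! is_num "$v" || [ "$v" -gt 10 ]; then
        echo "FAIL log.keepOld='$v' (want a number <= 10)"; n=$((n+1))
    fi

    # Guest must not be able to connect devices from inside the OS
    v=$(vmx_get "$vmx" isolation.tools.connectable.disable | tr 'A-Z' 'a-z')
    [ "$v" = "true" ] ||
        { echo "FAIL isolation.tools.connectable.disable='$v' (want TRUE)"; n=$((n+1)); }

    # Unnecessary peripherals: any floppy/serial/parallel device marked present
    for dev in $(grep -iE '^[[:space:]]*(floppy|serial|parallel)[0-9]+\.present[[:space:]]*=' "$vmx" |
                 grep -i true | sed 's/[[:space:]]*=.*//'); do
        echo "FAIL $dev is present"; n=$((n+1))
    done

    # Nonpersistent disks revert on reboot and can hide an intruder's tracks
    for disk in $(grep -iE '^[[:space:]]*[a-z]+[0-9]+:[0-9]+\.mode[[:space:]]*=' "$vmx" |
                  grep -i nonpersistent | sed 's/[[:space:]]*=.*//'); do
        echo "FAIL $disk is nonpersistent"; n=$((n+1))
    done

    # File mode and ownership: .vmx 755, .vmdk 600, both owned by OWNER:GROUP
    dir=$(dirname "$vmx")
    for f in "$vmx" "$dir"/*.vmdk; do
        [ -e "$f" ] || continue
        case "$f" in *.vmx) want=755 ;; *) want=600 ;; esac
        mode=$(stat -c %a "$f"); who=$(stat -c %U:%G "$f")
        [ "$mode" = "$want" ] || { echo "FAIL $f mode $mode (want $want)"; n=$((n+1)); }
        [ "$who" = "$owner:$group" ] || { echo "FAIL $f owned by $who (want $owner:$group)"; n=$((n+1)); }
    done
    return $n
}

# Standalone demo: constructed sample VMX in a temp dir, audited as the current user
demo=$(mktemp -d)
cat > "$demo/web01.vmx" <<'EOF'
config.version = "8"
log.rotateSize = "100000"
log.keepOld = "10"
isolation.tools.connectable.disable = "TRUE"
floppy0.present = "TRUE"
scsi0:0.mode = "independent-nonpersistent"
EOF
: > "$demo/web01.vmdk"
chmod 755 "$demo/web01.vmx"; chmod 644 "$demo/web01.vmdk"
audit_vmx "$demo/web01.vmx" "$(id -un)" "$(id -gn)"
echo "findings: $?"
rm -rf "$demo"
```

Run it against a real VM directory as audit_vmx /vmfs/volumes/<datastore>/<vm>/<vm>.vmx with no owner arguments to get the root:root check from the slide; a zero exit status means every item on these slides checked out.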
Guidance for ESX Service Console
Configure Service Console with default firewall settings.
– Add additional settings as necessary for approved services.
Suggested Firewall Exclusions

Port #              Purpose                           Traffic Type
5989/TCP            CIM Secure Server                 Incoming
22/TCP              SSH Server                        Incoming
5988/TCP            CIM Server                        Incoming
427/TCP & 427/UDP   CIM SLP                           Incoming & Outgoing
80,443/TCP          vSphere Web Access                Incoming
443,902/TCP         VMware Consolidated Backup        Outgoing
902/UDP             VMware vCenter Agent              Outgoing
3260/TCP            Software iSCSI Client (If Used)   Outgoing
123/UDP             NTP Client                        Outgoing
80,9000-9100/TCP    VMware Update Manager             Outgoing
Add exclusions as necessary. Remember that many “odd” faults are Firewall-based.
Guidance for ESX Service Console
Minimize use of VI Console
– Console access can have a substantial impact on VM performance.
– Remote access protocols are slightly better, but…
– Stop managing infrastructure from any consoles! Use remote tools!
Limit use of Service Console for administration
– VI Client and VirtualCenter leverage well-defined APIs for management.
– Service Console leverages Linux-based administration.
– More opportunity for mistakes with Linux-based administration.
– If scripting/automation is necessary, leverage Remote CLI, VI Perl Toolkit, or PowerShell Toolkit for scripting rather than shell scripting. Well-defined interfaces.
Guidance for ESX Service Console
Authenticate via a Directory Service
– Centralization of authentication via directory service reduces chance of mistake or malicious (hidden) account creation.
  /usr/sbin/esxcfg-auth --enablead --addomain mydomain.com --addc mydc.mydomain.com --krb5realm=mydomain.com --krb5kdc mydc.mydomain.com --krb5adminserver mydc.mydomain.com
Control root privileges
– Disallow root logins to Service Console. Enforce sudo.
  cat /dev/null > /etc/securetty
  Note: This may impact iLO and DRAC functionality.
– Limit sudo to users in wheel group only.
  auth required /lib/security/$ISA/pam_wheel.so use_uid
Guidance for ESX Service Console
Disable accounts after three failed logins
– Common requirement in many compliance regs.
Add the line @<loghost.company.com> after each message type, then reload syslogd:
  kill -SIGHUP `cat /var/run/syslogd.pid`
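The Service Console items on the last three slides (directory authentication, no root logins, wheel-only escalation, three-strikes lockout, remote syslog) are all file settings, so an auditor can check them in one pass. This is an added example written for this transcript, not code from the presentation or from VMware. It takes an optional root directory so a copied /etc tree can be checked offline; the assumptions it makes beyond the slides are that esxcfg-auth --enablead shows up as pam_krb5.so in /etc/pam.d/system-auth, that the lockout is implemented with pam_tally.so deny=3 under /etc/pam.d, and that the @loghost lines live in /etc/syslog.conf. The staging tree built at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides: audit Service Console settings against a
# filesystem tree. Pass a staging directory to check a copied /etc offline;
# with no argument the live system is checked (run as an ordinary user it can
# only read what that user may read).
# Assumptions (not stated on the slides): AD login appears as pam_krb5.so in
# /etc/pam.d/system-auth, the three-strikes lockout is pam_tally.so deny=3
# under /etc/pam.d, and the syslog forwarding lines live in /etc/syslog.conf.

# audit_console [ROOT] -> prints findings, returns their count
audit_console() {
    root="${1:-}"; n=0

    # Directory-service authentication (esxcfg-auth --enablead wires in pam_krb5)
    grep -qs 'pam_krb5\.so' "$root/etc/pam.d/system-auth" ||
        { echo "FAIL system-auth does not use pam_krb5"; n=$((n+1)); }

    # No root logins: /etc/securetty must exist and be empty
    f="$root/etc/securetty"
    if [ ! -f "$f" ] || [ -s "$f" ]; then
        echo "FAIL $f missing or still lists terminals"; n=$((n+1))
    fi

    # Escalation limited to the wheel group: pam_wheel.so use_uid in pam.d/su
    grep -Eqs '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so.*use_uid' \
        "$root/etc/pam.d/su" ||
        { echo "FAIL pam.d/su lacks pam_wheel.so use_uid"; n=$((n+1)); }

    # Disable accounts after three failed logins (assumed pam_tally rule)
    grep -Eqs 'pam_tally\.so.*deny=3' "$root"/etc/pam.d/* ||
        { echo "FAIL no pam_tally.so deny=3 rule under etc/pam.d"; n=$((n+1)); }

    # Remote syslog: every selector that logs locally must also have a @loghost
    # action, unless a *.* @loghost catch-all forwards everything
    f="$root/etc/syslog.conf"
    if [ -f "$f" ]; then
        awk '/^[[:space:]]*(#|$)/ { next }
             $2 ~ /^@/ { fwd[$1] = 1; if ($1 == "*.*") all = 1; next }
             { loc[$1] = 1 }
             END { if (!all) for (s in loc) if (!(s in fwd)) { print "FAIL " s " is not forwarded"; c++ }
                   exit c + 0 }' "$f"
        n=$((n + $?))
    else
        echo "FAIL $f missing"; n=$((n+1))
    fi
    return $n
}

# Standalone demo on a constructed staging tree (no root needed)
stage=$(mktemp -d); mkdir -p "$stage/etc/pam.d"
: > "$stage/etc/securetty"
printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$stage/etc/pam.d/su"
printf 'auth sufficient /lib/security/$ISA/pam_krb5.so\n' > "$stage/etc/pam.d/system-auth"
printf '*.info\t/var/log/messages\nauthpriv.*\t/var/log/secure\nauthpriv.*\t@loghost.example.com\n' \
    > "$stage/etc/syslog.conf"
audit_console "$stage"
echo "findings: $?"
rm -rf "$stage"
```

The demo tree passes the root-login, wheel and directory-auth checks and reports two findings: no lockout rule, and *.info is written locally without a forwarding twin. On a live host run audit_console with no argument as root.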
Create and store key file hashes (/etc, /etc/vmware)
– sha1sum <fileName>
– This process can be eased through Tripwire / ConfigureSoft
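Hashing one file at a time with sha1sum is the manual form of what Tripwire does; the following is an added example for this transcript, not code from the presentation or from either product, showing the whole cycle: build a baseline of every file under the directories the slide names, store it off the host, and later compare the tree against it, reporting files that changed, vanished or appeared. The directory arguments in the demo are a constructed temp tree; the baseline file location is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides: sha1sum baseline of a config tree plus a
# later integrity check. Keep the baseline file somewhere the host cannot
# rewrite it (an attacker with root can otherwise re-baseline their changes).
# Limitation: paths containing whitespace are not handled (awk splits on it).

# make_baseline BASELINE_FILE DIR... -> hashes every regular file under DIR...
make_baseline() {
    out="$1"; shift
    find "$@" -type f -print | LC_ALL=C sort |
        while read -r f; do sha1sum "$f"; done > "$out"
}

# check_baseline BASELINE_FILE DIR... -> prints CHANGED/MISSING/NEW lines and
# returns the number of such findings (0 = tree matches the baseline)
check_baseline() {
    base="$1"; shift
    now=$(mktemp)
    make_baseline "$now" "$@"
    # sha1sum lines are "<hash>  <path>": $1 hash, $2 path
    awk 'NR == FNR { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in old)
                 if (!(p in new))        { print "MISSING " p; c++ }
                 else if (old[p] != new[p]) { print "CHANGED " p; c++ }
             for (p in new)
                 if (!(p in old))        { print "NEW " p; c++ }
             exit c + 0
         }' "$base" "$now"
    n=$?
    rm -f "$now"
    return $n
}

# Standalone demo on a constructed tree: baseline, tamper, re-check
tree=$(mktemp -d); mkdir -p "$tree/etc/vmware"
printf 'PermitRootLogin no\n' > "$tree/etc/ssh_config"
printf '/adv/Misc/HostName = "esx01"\n' > "$tree/etc/vmware/esx.conf"
baseline=$(mktemp)
make_baseline "$baseline" "$tree/etc" "$tree/etc/vmware"
printf 'PermitRootLogin yes\n' > "$tree/etc/ssh_config"   # tampered
printf 'x\n' > "$tree/etc/vmware/extra.conf"              # added
check_baseline "$baseline" "$tree/etc" "$tree/etc/vmware"
echo "findings: $?"
rm -rf "$tree" "$baseline"
```

On a host the call is make_baseline /path/to/offhost/esx01.sha1 /etc /etc/vmware once the build is signed off, and check_baseline with the same arguments at each audit; the demo prints one CHANGED and one NEW line and exits 2.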
Guidance for Logging / Alerting
Configure SNMP. Use SNMP v3 where possible.
– Modify /etc/snmp/snmpd.conf
– (Details of this configuration are out of scope for today’s class)
– If SNMP v3 not possible, use isolated network for SNMP traffic.
Guidance for Networks
Mask and Zone FC SAN resources correctly.
– Ensure that LUNs are only presented to interfaces which need them.
Leverage iSCSI Authentication
– iSCSI CHAP authentication is per HBA/NIC, not per-target.
– No Kerberos available. No encryption available.
– Ensure that iSCSI traffic is always isolated (security + DoS
Limit administrator access. Ensure separation of duties.
– vCenter includes high-level administrator access, but also discrete task assignment. Ensure that tasks are assigned as needed.
Limit database access after installation.
– vCenter database creation at installation requires DB Owner rights.
– Database operations only require invoke/execute on stored procedures, plus select, update, insert, and delete.
Segregate VMware Update Manager and VMware Converter Enterprise roles to isolated computers.
– This maintains the security position of the vCenter server.
Consider Automation
– Tripwire
– ConfigureSoft
Sample Audit Program
Stop by www.ConcentratedTech.com to download an actual ESX 3.5 audit program.
This audit program includes the exact steps an auditor (from this particular group) must use to verify settings on an ESX server.
Follow this document, and pass that audit…GUARANTEED!