You’re the virtualization admin. Your security guy comes up to you, looking for information. You really don’t want to give him an account on vCenter, do you? (according to a group discussion session I did at VMworld, the answer was clearly “No” with some being a little more colorful by using the term “NFW”!)
But let's face it, the IT Security folks do have a job to do and they really could use information on a regular basis to do it. Let's see if we can help them by helping you, shall we?
Give us questions, we’ll give you answers
I’m looking for examples of the types of questions IT Security needs regular answers to. Alan Renouf and I are mulling some ways to help both of you out. No details yet but having Alan involved should give you a hint! :) Give us the questions, let us surprise you.
I’ll start this off with some examples:
Security Guy: “I need to see…
- all the virtual machines that have a CD drive attached
- what virtual machines are on what network/switch/portgroup
- what virtual machines are on what storage device
- what roles are assigned to what users
- ESXi server SSL certificate details like when they expire
- What vSwitches are in promiscuous mode
- any vDS port mirroring details
- the ESXi shell interactive timeout values
- what the syslog IP address is set to on the ESXi servers
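As an added example (not code from the original post), here is a PowerCLI script that answers several of those questions in one pass and writes CSV reports the security team can read without touching vCenter themselves; it assumes VMware PowerCLI is installed and that the account used holds only vCenter's built-in Read-only role, and the vCenter name and output directory are placeholders.

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI is installed
# and the connecting account holds only the built-in Read-only role on vCenter.
param(
    [string]$VCenter = 'vcenter.example.com',   # placeholder, replace with your vCenter
    [string]$OutDir  = '.\security-report'
)
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. VMs whose CD/DVD drive is connected or backed by an ISO or a host device.
Get-VM | Get-CDDrive |
    Where-Object { $_.ConnectionState.Connected -or $_.IsoPath -or $_.HostDevice } |
    Select-Object @{N='VM';E={$_.Parent.Name}}, IsoPath, HostDevice,
                  @{N='Connected';E={$_.ConnectionState.Connected}} |
    Export-Csv "$OutDir\vm-cd-drives.csv" -NoTypeInformation

# 2. Which VM NIC sits on which portgroup.
Get-VM | Get-NetworkAdapter |
    Select-Object @{N='VM';E={$_.Parent.Name}}, Name, NetworkName, MacAddress |
    Export-Csv "$OutDir\vm-networks.csv" -NoTypeInformation

# 3. Who holds which role on which inventory object.
Get-VIPermission |
    Select-Object Principal, Role, @{N='Entity';E={$_.Entity.Name}}, Propagate |
    Export-Csv "$OutDir\permissions.csv" -NoTypeInformation

# 4. Per-host settings: ESXi shell timeout, syslog target, lockdown mode, NTP,
#    and standard vSwitches whose security policy allows promiscuous mode.
$hostReport = foreach ($h in Get-VMHost) {
    [pscustomobject]@{
        Host                    = $h.Name
        ShellInteractiveTimeout = (Get-AdvancedSetting -Entity $h -Name 'UserVars.ESXiShellInteractiveTimeOut').Value
        SyslogHost              = (Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logHost').Value
        LockdownMode            = $h.ExtensionData.Config.LockdownMode   # assumes vSphere 6.0 or later
        NtpServers              = (Get-VMHostNtpServer -VMHost $h) -join ';'
        PromiscuousSwitches     = (Get-VirtualSwitch -VMHost $h -Standard |
                                     Where-Object { ($_ | Get-SecurityPolicy).AllowPromiscuous } |
                                     Select-Object -ExpandProperty Name) -join ';'
    }
}
$hostReport | Export-Csv "$OutDir\host-settings.csv" -NoTypeInformation

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it on a schedule and hand the CSV files to the security team; the script only reads inventory and settings, so a Read-only role is sufficient and nothing in it can change the environment.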
Based on that, start posting the questions! We’ll try to get as many included in this little project we are working on. We hope you like it!
mike
3 comments
My security officer wants to check some vmx entries to see if they exist on VMs as part of the hardening guide.
I would rather he didn't have to search through the vCenter Client to get this information and the other info which you listed most of above.
I had a nice post typed up and twitter ate it, so here’s the short version – correlate and filter. I want to see a VM reboot event, be able to look and see that user X rebooted it through the OS (using Tools maybe?), and see what VC rights that user has if any, all in vCenter. Show me manual processes that skip automation, like a manual VM decommission rather than using the vCO workflows. I can get this stuff now, but there’s a lot of looking in 2-5 places or sifting through results. This would bring true Single Pane of Glass management to vCenter.
– Do hosts have lockdown mode enabled?
– Are hosts joined to AD?
– Are hosts using NTP and are they in sync?
– Which VMs are using VMware Tools time sync?