Securing and auditing a computing environment for compliance with the many security regulations that exist today, such as the Payment Card Industry (PCI) standard, Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), can be difficult. Adding virtualization to the mix further complicates the task, because it introduces an additional layer that must be secured and is also subject to audit.
Properly securing virtual machines without doing the same for the host servers is a waste of effort: if a host server is compromised, every virtual machine on that host can easily be compromised as well. There are, however, a few free tools that can help you audit your host servers. In this tip we will cover two of them, Tripwire's ConfigCheck and Configuresoft's Compliance Checker for ESX, both of which are lite versions of each company's enterprise-level product.
Let's first take a look at ConfigCheck. It is a Java-based Windows application that is run against individual ESX servers to check their compliance with the security guidelines VMware has published as best practice for securing ESX hosts. These guidelines are a good starting point, but they are by no means a complete hardening guide; other published guidelines are available if you wish to harden your host servers further.
ConfigCheck has some limitations because it is a free tool; Tripwire would like you to buy its Enterprise product, which has more features. Currently ConfigCheck supports only ESX 3.0.x and 3.5.x, not ESXi; results can only be viewed, not printed or saved; and ESX hosts can only be scanned one at a time, so you cannot scan a group of hosts at once.
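To make concrete the kind of check these tools automate, here is an added example that is not part of the original article and is not code from Tripwire or Configuresoft: a small Python script that parses a service-console sshd_config, evaluates it against an assumed three-item benchmark, does so for several hosts in one run and can save the results to a file, which are exactly the two things the free ConfigCheck cannot do. The control IDs, the three rules, the example hostnames and the OpenSSH defaults it assumes when a keyword is absent are illustrative assumptions, not the lists from the VMware hardening guide or the CIS benchmark; the sample configurations are constructed.

```python
"""Multi-host configuration audit of the kind ConfigCheck and Compliance
Checker automate.  Added illustration, not code from the article, Tripwire
or Configuresoft.  The benchmark items and the OpenSSH defaults below are
assumptions standing in for the real VMware / CIS control lists."""
import re

# Assumed benchmark: (control id, sshd_config keyword, required value).
# Generic SSH hardening items used for illustration only.
SSHD_CONTROLS = [
    ("SSH-01", "PermitRootLogin", "no"),
    ("SSH-02", "Protocol", "2"),
    ("SSH-03", "PermitEmptyPasswords", "no"),
]

# Assumed compiled-in defaults that apply when a keyword is absent from the
# file (modelled on OpenSSH of the ESX 3 era; verify them for your build).
# A benchmark check must consult these: an unset keyword is not a pass.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "protocol": "2,1",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the effective global settings.

    - Blank lines and lines starting with '#' are comments, so a commented-out
      'PermitRootLogin no' does NOT count as set.
    - sshd honours the first occurrence of a keyword; later duplicates are ignored.
    - Parsing stops at the first 'Match' block, because settings below it are
      conditional and would need per-user evaluation.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_host(hostname, sshd_text):
    """Evaluate each control against one host's sshd_config.

    Returns a list of (host, control id, 'PASS' or 'FAIL', observed value)."""
    observed = parse_sshd_config(sshd_text)
    rows = []
    for control, keyword, required in SSHD_CONTROLS:
        key = keyword.lower()
        value = observed.get(key, ASSUMED_DEFAULTS.get(key))
        status = "PASS" if value is not None and value.lower() == required else "FAIL"
        rows.append((hostname, control, status, value if value is not None else "<unset>"))
    return rows


def audit_hosts(configs):
    """Audit several hosts in one run.

    configs maps hostname -> sshd_config text (collected however you like, for
    example copied from each service console).  Returns (all rows, failures per host)."""
    report, failures = [], {}
    for host in sorted(configs):
        rows = audit_host(host, configs[host])
        report.extend(rows)
        failures[host] = sum(1 for r in rows if r[2] == "FAIL")
    return report, failures


def write_report(report, path):
    """Save results as CSV so successive audits can be kept and compared."""
    with open(path, "w") as f:
        f.write("host,control,status,observed\n")
        for host, control, status, value in report:
            f.write(f"{host},{control},{status},{value}\n")


# Constructed sample inputs, not captured from real hosts.
SAMPLE_CONFIGS = {
    "esx01.example.test": "# hardened\nProtocol 2\nPermitRootLogin no\nPermitEmptyPasswords no\n",
    "esx02.example.test": "Protocol 2\nPermitRootLogin yes\n",
    "esx03.example.test": "# nothing set, defaults apply\n#PermitRootLogin no\n",
}

if __name__ == "__main__":
    report, failures = audit_hosts(SAMPLE_CONFIGS)
    for row in report:
        print("%-20s %s %s (observed: %s)" % row)
    print("failures per host:", failures)
```

Two design points matter more than the particular rules: the check falls back to the daemon's default when a keyword is absent, so a host with nothing configured is reported as failing rather than silently passing, and the commented-out line in the third sample shows why the parser must not count comments as settings.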
Obtaining and installing Tripwire ConfigCheck for VMware ESX
Before you begin, make sure you have JRE 1.5 or later installed on your PC; if you do not, you can download a copy from the Java website.
All things considered, ConfigCheck is a simple, useful tool for quickly scanning individual ESX hosts, whether checking new hosts or periodically re-checking existing ones. If you have a large number of ESX hosts, this tool will probably not be a good fit; in that case I would recommend Tripwire's Enterprise product, which is much more robust and powerful.
Configuresoft's Compliance Checker
Configuresoft's Compliance Checker is a Windows-based application that provides a real-time compliance check of multiple ESX servers (up to five) at a time. Unlike ConfigCheck, which uses only VMware's hardening guide, this application also uses the Center for Internet Security (CIS) benchmarks for securing VMs and ESX hosts.
Before you begin, you should download and install the Microsoft .NET Framework version 2.0 SP1.
Conclusions
Compliance Checker is a bit more robust than ConfigCheck: it can scan multiple ESX hosts at once, checks against two different benchmarks and lets you print or save the results. Again, it might not be a good fit for larger environments; in that case consider Configuresoft's more fully featured version of the product, ECM for Virtualization.
Both applications are good additions to any systems administrator's toolkit and provide good basic security scanning for ESX hosts (although neither currently works with ESXi hosts). If security is a concern in your environment (and if it is not, it should be), I encourage you to check out both of these products.
ABOUT THE AUTHOR: Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains VMware-land.com, a VI3 information site.