Why assess VMware ESX security?
Some of you have to keep VMware ESX machines secure because your network and servers, including VMware ESX Servers are subject to Payment Card Industry (PCI), SOX (Sarbanes-Oxley), or the Health Insurance Portability and Accountability Act (HIPAA) legislative requirements. Others may simply want to know that their ESX hosts are secure.
Every server and network administrator, at minimum, should want to know that both their servers and network are fundamentally secure. To get that kind of assurance, many of us have configured our servers from scratch and installed the OS ourselves. But it's still a good idea to make sure the OS is protecting itself as designed.
What is Tripwire ConfigCheck?
Tripwire is well known for its auditing and assessment products that monitor server or network devices for configuration changes. With the popularity of virtualization, Tripwire has moved into auditing virtualized environments by adding VMware virtualization auditing products to its lineup. It offers two products, the free Tripwire ConfigCheck (which we will demonstrate in this article) and Tripwire Enterprise for VMware ESX.
According to Tripwire, ConfigCheck can audit and assess VMware ESX hosts and offers remediation assistance in the form of instructions on how to resolve the issue. Tripwire Enterprise for VMware ESX is able to assess and audit ESX for compliance, can audit the guest OSes, and provides reports, notifications and reconciliation.
How do I download, install and run Tripwire ConfigCheck?
To download ConfigCheck, go to the ConfigCheck download site and fill out a short registration form. Download the 10 MB application and unzip the application.
ConfigCheck is a Java application. This means that installing ConfigCheck involves running the Windows command file called ConfigCheck and that runs a Java Archive (JAR) file. Thus, the install prerequisite is Java Runtime. Upon running the application, you'll see the window shown below.
ConfigCheck is a simple application. The screen you see above is the only ConfigCheck screen.
To use ConfigCheck, enter your ESX hostname, username, password and root password and click Check Configuration. The application immediately runs through 77 potential security vulnerabilities and completes in about 10 seconds.
I ran Configcheck on a VMware ESX 3.5 server. The server passed 32 checks and failed 45 checks. The items that are checked are based on VMware's VMware Infrastructure 3 Security Hardening Guide. As ConfigCheck's checks are based on VMware's guide, you know that these are official security best practices from VMware.
If you click on each of the failed tests, you will be taken to a Tripwire website that gives you instructions on remediating the security issue. Tripwire also offers a complete 129 page virtualization security remediation guide. You'll see an example of the type of remediation instructions you might receive below.
There are a lot of great how-to style security tips in the remediation instructions. For example, the instructions above advise the administrator to:
- Run esxcfg-firewall –q to list open firewall ports and evaluate custom ports.
- Run esxcfg-firewall –c <port,tcp|udp,in|out> to close custom ports.
- Then, run service mgmt-vmware restart to restart the vmware-hostd process.
I was surprised when I received the above instructions because I thought I had a default ESX install. The ConfigCheck application has pointed out that I have some custom ports open in the ESX firewall. After thinking about it, I vaguely recalled opening up some custom ports for an application I was testing a couple of months prior.
A default VMware ESX server isn't as secure as I once gave it credit for. Considering that there is a 31-page security hardening guide and a 129-page Tripwire security remediation guide, the fact that my default version VMware ESX Server failed 45 of the 77 security checks was a wake-up call.
ABOUT THE AUTHOR: David Davis (CCIE #9369, VCP, CWNA, MCSE, CISSP, Linux+, CEH) is the Director of Infrastructure at Train Signal, Inc. He has written hundreds of articles and six video training courses – including the Train Signal VMware ESX Server video training series.
This was first published in January 2009