Securing and auditing a computing environments for compliance with the many security regulations that exist today
like Payment Card Industry (PCI), SOX (Sarbanes-Oxley) and the Health Insurance Portability and Accountability Act (HIPAA) can be difficult. Adding virtualization into the mix further complicates the task because there's an additional layer that needs to be secured and is also subject to auditing.
Properly securing virtual machines if you're not going to do the same with host servers is a waste of time, because if a host server is compromised then all the virtual machines on that host can also easily be compromised. There are, however, a few free tools that can help you audit your host servers. In the following tip we will cover two of them: Tripwire's ConfigCheck and Configuresoft's Compliance Checker for ESX, both of which are lite versions of each company's enterprise-level product.
Let's first take a look at ConfigCheck. It's a Java-based Windows application that can be run against individual ESX servers to check their compliance against the security guidelines that VMware has published as a best practice for securing ESX hosts. These guidelines are a good starting point towards further securing ESX hosts, but are by no means a complete guide to completely hardening an ESX host. There are other published guidelines also available if you wish to further harden your host servers.
There are some limitations to ConfigCheck because it is a free tool. Tripwire is looking for you to buy their Enterprise product, which has more features. Currently, ConfigCheck only supports ESX 3.0.x and 3.5.x, not ESXi; results can only be viewed, not printed nor saved; and ESX hosts can only be scanned individually, i.e. you can't scan a group of hosts at once.
Obtaining and installing Tripwire ConfigCheck for VMware ESX
Before you begin, make sure you have a JRE 1.5 + installed on your PC, if you do not you can download a copy from the Java website.
- Go to Tripwire's website and download the zip file that contains the .jar file (it's a Java application) and a .cmd file that launches Java and loads the .jar file. Decompress the file to a directory on your PC.
- Run the configcheck.cmd file, accept the License Agreement that displays and you will be at the main screen as shown below.
- Enter the IP address or hostname of the ESX server you wish to check, followed by a username (must be a local ESX username), password, and the root password. If you enter "root" for your username, you still need to enter the root password in both password fields. If you do use the root user as your username then you must change the default setting on your ESX host to enable root SSH logins, (but of course, this is not a good security practice).
If you enter an alternate username/password the root password is still required because it needs to elevate your privileges to root using "sudo" to complete the scan. Once you are done entering this information click the Check Configuration button to begin the scan. Once the scan completes you will see the results of the scan in the window.
- A total of 77 items are checked as part of the ConfigCheck scan, as you can see from the scan of a default ESX 3.5 server (above) there is a lot of room for improvement from a security standpoint. You may not want to change everything on the list that has failed, but you should look to implement as many suggestions as possible to increase the activity of your ESX hosts. At the bottom of the screen is a link to the VI3 Security Hardening Guide that VMware published for more information on each item. If you click on the Failed or Passed link for each item, it will display more information on that item in a browser including the remediation steps (as shown below).
All things considered, ConfigCheck is a useful simple tool for quickly scanning individual ESX hosts and for scanning new hosts, or periodically checking existing hosts. If you have a large number of ESX hosts then this tool will probably not be a good fit for you. Instead, I would recommend Tripwire's Enterprise product, which is much more robust and powerful.
Configuresoft's Compliance Checker
Configuresoft's Compliance Checker is a Windows-based application that provides a real-time compliance check for multiple (up to 5) ESX servers at a time. Unlike ConfigCheck which only uses VMware's hardening guide, this application also uses the Center for Internet Security (CIS) Benchmarks for securing VMs and ESX hosts. Before you begin you should download and install the Microsoft .NET Framework version 2.0 SP1.
- Next go to Configuresoft's website and download the .msi file to your PC.
- Run the installer and answer the prompts. When the installation completes, launch the application. This will display the main screen as shown below. Note in the More Information section that there are links to both security guidelines that are used if you want to view the whole documents.
- Enter your ESX IP address/hostnames along with the User ID and password that you want to use. If you enter "root" for the username and its password you do not need to specify anything in the root password field. If you enter a non-root user then you do need to enter the password for root in the root password field. When you have entered the information into the form click the Assess Compliance button to begin. Once the scan completes a HTML report will be displayed comparing the hosts to both the VMware VI3 Security Hardening guidelines and also the CIS ESX 3.x benchmarks.
- Clicking on an item will display more information on it and the remediation steps as shown below.
Compliance Checker is a bit more robust then ConfigCheck as it allows for scanning multiple ESX hosts at once, scans against two different benchmarks and also allows you to print or save the results. Again it might not be a good fit for larger environments and you might instead check out Configuresoft's more robust and featured version of their product called ECM for Virtualization.
Both applications are good additions to every systems administrator's toolkit and provide good basic security scanning for ESX hosts (althought neither currently work with ESXi hosts). If security is a concern in your environment, (and if it's not then it should be,) I encourage you to check out both of these products.
ABOUT THE AUTHOR: Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains VMware-land.com, a VI3 information site.