vSphere 4.0 Security Hardening Guide


This document is the official release of the vSphere 4.0 Security Hardening Guide. This version is based on feedback collected during the public draft comment period. We will still be collecting feedback on this document -- if there are any typos, errors, or changes, please add them to the comments below.


NOTE: An updated version of this guide may be found here: http://www.vmware.com/resources/techresources/10109 . Updated versions of the vSphere 4.0 guide will continue to be posted at that URL. Please check the cover page for version information.

Comments

We need to implement the centralized syslog server for all of the ESXi hosts that we will be deploying. Some of our sites have high latency and poor bandwidth. As such, we need to do a network impact analysis prior to implementing. Can you please help me find the following information in preparation for this deployment? Once the deployment is complete there will be approximately 750 ESXi hosts. These hosts will be in a very widely dispersed interconnected network.

Frequency of the logs being sent

How to configure the frequency or time of day they are sent

Size of data sent and can this be limited or throttled

How to ensure the data is encrypted

Ok so I just looked at the guide again and it states that the log data is not encrypted. Is there a way to do this forcing it to use an ssl connection? This is all in reference to HGL01

pto

Charu,

Thanks for putting this together! Do you know if a similar spreadsheet view exists for audit purposes?

For a similar setup we've built small (embedded) Linux-based syslog-boxes which store and forward all local ESX-logs to a central Web/SQL-based syslog-server. For the connection between the boxes we use a secure VPN with a good compression.

On the central syslog-server there is also a simple log-based IDS which alerts on not-whitelisted log-entries.

Hi Chamon, Splunk will do what you want. Plus, it will prune and compress the logs and send that over encrypted channels to central server if desired.

I b e n

pto - did you ever receive feedback regarding a spreadsheet for audit purposes? I am looking for the same thing!

Yes, I am planning to include a spreadsheet which contains the guidelines condensed into a table checklist format. I'll probably do that next week. I'll update everyone when I do.

pto

Awesome! Thanks Charu!

There's your answer mnrjr23.

Thanks Charu! I will check back next week.

Charu, This is a great document. One area that seems to be missing is to harden or secure the vMA when using it to manage ESXi environments. The main issue I see missing is a guideline on how to add user accounts to the vMA to allow proper auditing of commands using sudo or other methods. We are looking at going to an all ESXi implementation but would like better auditing of actions done on the vMA to track who is changing what on the systems.

In February I created a spreadsheet based on the draft of the vSphere Hardening Guidelines. I am about to update it with the official release now being available. The spreadsheet is divided into a number of pages, including Hosts, VMs, COS, vCenter, and vNetwork. On each page the first column lists all of VMware's recommendations and the second column has a drop box with options for "unknown, pass, fail, partially meets, planned, N/A, and exception". A box at the top would tally up all of the answers to each of the recommendations. To the right of this column I have a section for SA comments and to the right of that a column for a security officer's comments. The first two pages of the spreadsheet are an introduction and a summary of all the findings of the other 5 pages.

Unfortunately this document is on a secure network and I can't get it out. If Charu doesn't have time to get a spreadsheet created and other folk are interested I can try and recreate the spreadsheet at home over this coming weekend.

Auscop

Hi Auscop,

It sounds like your enhancements would be useful to everyone. How about I send you my spreadsheet, and then you send it back with your additions so that I can post it here?

Hi Charu, I have sent you a PM.

Regards

Auscop

Hey folks-

One question - in the guide there seems to be a missing section between COH01 (Disk partition to prevent root file system filling up) and COH03 (File System Integrity). There's a list of /etc/* config files between these two sections with no formatting...ideas? Maybe something around file permissions or protection of config files?

Cheers,

Dave

Hi Charu, I have sent you another PM. I have a draft copy of the spreadsheet ready for you to check out.

Regards

Austin (Auscop)

Charu, I have published a copy of the document. Please review and tell me what you think. I have not yet completely proofread it, will do during the week.

Auscop

I have noticed a few cut and paste errors, and a pretty good list (20+) of formatting errors throughout the document. Most of these I guess are caused by using Office for Mac and saving it as a PC based Excel file. I will get an updated copy out during the week. Feedback on the draft would be greatly welcome....

Austin

I have uploaded an updated copy of my certification spreadsheet. There are no major changes, just fixes of a few cut and paste errors, but mostly lots of formatting fixes due to me writing it in Excel on a Mac. If you open it on a Windows box it messes with it just enough to be annoying. I am HIGHLY encouraging any feedback at all in regard to the spreadsheet.

PTO and mnrjr23, is this the type of thing you were looking for?

Also if anyone knows how I can make all the Web references within the document real Hyperlinks that would be great to know. On a PC when I highlight the URL the hyperlink option is grayed out, and on my Mac it will make the entire cell a hyperlink...

pto

Taking a look right now. I like what I see so far. Nice work!

Just reviewed it. Looks great! Thanks!

I am trying to run through the vSphere hardening guide and I'm trying to implement step HCM04 in the ESX/ESXi section. When I implement the changes by adding in the parameters then when the host is added into the vCenter inventory the proxy.xml file gets replaced or reformatted to its previous configuration. If I replace the proxy.xml while the host is in the vCenter inventory and reboot the host then proxy.xml is also replaced.

Does anyone have a verified copy of the file with the amendments they could send to me where this behaviour does not occur?

The spreadsheet is a nice add on for the guide. But, I have some questions.

We are working on a contract supporting DoD sites that are classified. The sites are considering moving to virtualization with vSphere. However, there are many questions coming in to us from the sites with regard to the DAAs granting ATOs and using STIGS with the DIACAP process.

The DoD sites currently use something called GOLD DISKS and STIGS to secure their systems. As part of the DIACAP process, the DAAs are familiar with this.

As a concern in the vSphere hardening guide, there is no mention of MAC Levels (I, II, III) or at what level the MAC Levels are supported (sensitive, secret, unclass).

So, is the vSphere hardening guide and the spreadsheet being proposed as a supplement to a vSphere STIG (when and if it ever is released) or is it going to replace the FSO DISA ESX STIG?

Does anyone know what process is currently being used in DoD to grant ATOs to virtualized vSphere environments at the classified level?

thanks

Stan

Stan, I have sent you a PM. Since sending you the PM I have done a Google on STIGs I found one

"ESX SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Version 1, Release 1"

It is slightly newer than the one I mentioned in my PM, however it is still 2 years old.

Auscop

Stan - I know there has been recent work for DISA to consider supplementing the current security process of ESX environments with guidance from the vSphere Hardening Guide.

If the DISA performs to standard expectation, do not expect a formal document until such time as vSphere has completed the common criteria process.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / vExpert

VMware Communities User Moderator

Blog: www.planetvm.net

Contributing author on "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment" (http://www.amazon.co.uk/VMware-VSphere-Virtual-Infrastructure-Security/dp/0137158009/ref=sr_1_1?ie=UTF8&s=books&qid=1256146240&sr=1-1).

Contributing author on "VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410" (http://www.amazon.co.uk/VMware-Certified-Professional-VSphere-Study/dp/0470569611).

Tom, excuse the ignorance, but what the heck is "common criteria process"?

Auscop

@eluster I honestly think the vSphere hardening guide took MUCH from the ESX DISA STIG documentation that was written a while ago. The guy that wrote it was on one of my previous contracts.

Also, it has been approved on the classified level as of ESX 3.5 - No idea for vSphere though but we all know how fast the DoD works.

I just wonder if we will see the hardening guide updated to include vSphere 4.1

Thank you!

Version history: Revision 1 of 1. Last update: 04-13-2010 03:52 PM