From my understanding of the applicable legislative requirements for my particular industry, I need to be able to log every single logon event to the administrative console and track what is done during that session. For example, I can't allow someone to log on and clone a machine and take the image "away" with them.
What is your experience with VMware and compliance-related issues, including SOX and HIPAA, with lots of financial data?
What are the recommended best practices for securing a virtual infrastructure?
What are companies like KPMG and BDO looking for in the audit process that I should bear in mind while designing a very large virtual corporate network?
Specifically audit related information only, please.
I don't want to read 1000 pages of documentation 😛
Oh, and ESX 3.0.1 btw.
The host operating system (VMware ESX) is mostly used for administrative and operational management of the underlying virtual infrastructure. SOX, HIPAA, etc. are mostly related to the applications that run on the guest operating systems, and the compliance measures are the same as if the environment were in physical boxes. As a best practice, I recommend avoiding installing any application on the ESX server.
Snare agent: an open-source event-log-to-syslog converter. Works like a charm.
http://www.intersectalliance.com/projects/SnareWindows/
That way, you'll be able to monitor user logins/logouts, login failures, etc.
As for user monitoring,
Ghost Keylogger
This will make complete reports of user activity.
Hope this helps.
Hello,
Many people find it convenient to impose SOX logging restrictions on the ESX Server as well as the guests. While some people comment on the guests in this thread, the ESX Server requires some attention as well.
If you have a SOX Linux Team available in your company, contact them, as they have already determined what is necessary. If you do not, at the very least I would do the following:
Restrict root access.
Give each 'ADMIN' a separate user account in the wheel group.
Use SUDO to record everything an ADMIN does. Do not allow anyone to log in directly as root. SUDO records commands in /var/log/messages by default.
Back up the log files to tape or send them to your syslog server.
Best regards,
Edward
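One way to review the trail that Edward's setup produces, as an added example that is not from any poster in this thread: it runs on the syslog server that receives the service console's /var/log/messages and builds a per-admin command record, flags sudo denials and direct root SSH logins, and marks vmkfstools -i (disk clone/import) as the "clone a machine and take the image away" operation from the original question. The log lines are constructed, and treating vmkfstools -i as the image-copy event to watch is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt from an ESX service console (not taken from the thread).
SAMPLE_LOG = """\
Mar  3 09:12:01 esx01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:12:20 esx01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/vmkfstools -i /vmfs/volumes/vol1/fin-db/fin-db.vmdk /vmfs/volumes/vol1/export/fin-db.vmdk
Mar  3 09:15:44 esx01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vmware-cmd -l
Mar  3 09:20:03 esx01 sshd[2290]: Accepted password for root from 10.0.0.9 port 51100 ssh2
Mar  3 09:21:10 esx01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# sudo logs one line per invocation: "<user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Direct root SSH logins are exactly what the "sudo only, never root" policy is meant to eliminate.
ROOT_SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"
)
# Assumption: vmkfstools -i (clone/import a virtual disk) is the image-copy operation to track.
IMAGE_COPY_RE = re.compile(r"/vmkfstools\b.*\s-i\s")


def audit_service_console(log_text):
    """Return a per-admin sudo trail plus the events an auditor will ask about."""
    report = {"commands": defaultdict(list), "denied": [], "root_logins": [], "image_copies": []}
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            if m["reason"]:  # e.g. "command not allowed": attempted but refused by the sudoers policy
                report["denied"].append((m["ts"], m["user"], m["reason"], m["cmd"]))
            else:
                report["commands"][m["user"]].append((m["ts"], m["runas"], m["cmd"]))
                if IMAGE_COPY_RE.search(m["cmd"]):
                    report["image_copies"].append((m["ts"], m["user"], m["cmd"]))
            continue
        r = ROOT_SSH_RE.match(line)
        if r:  # policy violation: every admin should have come in under their own account
            report["root_logins"].append((r["ts"], r["host"], r["src"]))
    return report


if __name__ == "__main__":
    rep = audit_service_console(SAMPLE_LOG)
    for user, cmds in sorted(rep["commands"].items()):
        print(user, "ran", len(cmds), "command(s) via sudo")
    print("denied:", rep["denied"])
    print("direct root logins:", rep["root_logins"])
    print("image copies:", rep["image_copies"])
```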