Zenid
Contributor
Contributor

Most critical files that must be monitoring on ESXi in terms of security

Hi all,

I mean any critical points of ESXi, any files, or directory that must be monitored to detect any suspicious activity.

i.e (files that should stay static and change only when te system is deliberately updated):

  • /etc/vmware/hostd/config.xml
  • /etc/vmware/hostd/vmInventory.xml
  • /etc/vmware/hostd/vmAutoStart.xml
  • /etc/vmware/passthru.map
  • /etc/vmware/esx.conf
  • /etc/ntp.conf
  • /etc/resolv.conf
  • /etc/ssh/sshd_config
  • /etc/security/access.conf
  • /etc/vmsyslog.conf

I'll be very grateful for any guidance. Best regards,

JP Sáez

3 Replies
NathanosBlightc
Commander
Commander

Note this point: if you encounter a modification on your mentioned files in shell / SSH access, any commands from any user will be logged in the /var/log/shell.log file. If you are interested to check any suspicious CLI activities, check each of ESXi log files with a Syslog server that can be very useful.

Please mark my comment as the Correct Answer if this solution resolved your problem
scott28tt
VMware Employee
VMware Employee

This page is worth a look: Security Hardening Guides - VMware Security | UK


-------------------------------------------------------------------------------------------------------------------------------------------------------------
VMware Training & Certification blog
Zenid
Contributor
Contributor

Thanks you both for your reply !

0 Kudos