VMware Cloud Community
JOeNg201110141
Contributor
Contributor
‎07-17-2011 08:00 PM

Security hardening for ESXi 4.1 update 1

Hi All,

Due to the security issue, I need to harden the ESXi 4.1 update 1 server.

One of the item need to change the folder permission for /var/log/vmware (the command is "chmod -R go-rwx /var/log/vmware/) and the change is successful.

However, after reboot the esxi server, the /var/log/vmware folder permission is changed back to normal (drwxr-xr-x).

Anyone have the idea for this? Is it ok to change the permission and without side effect?

Thanks so much.

Reply
0 Kudos
4 Replies
logiboy123
Expert
Expert
‎07-17-2011 08:14 PM

I do not think changing permissions on system directories within ESXi 4.1 would be a supported configuration.

Would you consider simply using Lockdown mode instead to harden your ESXi box?

See;

http://blogs.vmware.com/esxi/2010/09/the-new-lockdown-mode-in-esxi-41.html

Regards,

Paul

Reply
0 Kudos
AndreTheGiant
Immortal
Immortal
‎07-17-2011 09:19 PM

Note that ESXi works on RAM... so permission changes will be changes to the default on next reboot.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
Reply
0 Kudos
NickEvans
Enthusiast
Enthusiast
‎07-17-2011 10:03 PM

For ESXi the files that survive a restart are the files located under /etc that are flagged as 'sticky'.

These files are backed up every hour.

You could do a hack and add the permission change commands to /etc/rc.local, this will run the command after the init scripts have completed when the ESXi host boots.

But I wouldn't recommend this approach.

Nick.

Reply
0 Kudos
JOeNg201110141
Contributor
Contributor
‎07-18-2011 02:23 AM

Thanks all.

Since our environment does not have the vCenter, the lockdown mode cannot enable.

Is there any document / article related to this issue which is not recommend for this kind of changes?

Reply
0 Kudos