VMware Cloud Community
Guardian1234
Contributor

/etc/vmware/config file on ESXi 5.0

Hi. Just need a quick point cleared up. My workplace just hired a contractor to install some additional infrastructure (ESXi). Currently, we edit the VMabc.vmx files to incorporate the required keywords, per the hardening guide.

I spoke w/the contractor and he mentioned that the /etc/vmware/config could instead be modified and then we wouldn't have to perform the individual modifications. I've not heard of this before, so I'm simply wondering if this is valid and what, if any, are the PROs and CONs?

It would seem to me that one CON would be that all machines would pick up all of the same keywords and settings (not necessarily a bad thing), but in some instances, that may not necessarily be the desired action.

Any/all viewpoints welcome.

Thanks.

0 Kudos

Accepted Solutions
lamw
Community Manager

Though it's possible to use that as a sort of "global" configuration file, it's not really recommended for several reasons:

1) You would need to make sure all ESXi hosts have the same configuration, since the configuration is no longer tied to the VM. The VM could move to a host that does not have it configured.

2) No granular VM control; the configs would apply to all VMs.

3) No auditability from the VM perspective. When you add the entries to the VMX, you can use the APIs to query for compliance. The way the configuration file works is that it'll be applied during runtime, so you will not see this in the VMX file nor using the APIs. You would have to audit each host, and there are no APIs for looking at this configuration file.

4) If a VM is exported into another environment you would lose the settings, similar to #1.

It's definitely recommended that you take a look at the configurations and see which ones are really applicable and apply to individual VMs. You can easily automate this, which you should definitely be leveraging, and here are a few sample scripts/solutions to help:

http://blogs.vmware.com/vsphere/2012/06/automate-the-hardening-of-your-virtual-machine-vmx-configura...

http://blogs.vmware.com/vsphere/2012/07/automatically-securing-virtual-machines-using-vcenter-orches...

http://blogs.vmware.com/vsphere/2012/07/automatically-securing-virtual-machines-using-a-vcenter-alar...

0 Kudos
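
To illustrate point 3 of the answer above (entries written to the VMX can be checked per VM), here is an added example that is not part of the original thread or of the linked scripts: a small Python audit of .vmx text against a baseline. The choice of baseline keys, the sample VMX contents, the function names and the case-insensitive key comparison are assumptions of this example.

```python
import re

# Per-VM settings to require. The keys are VMX hardening options; which ones
# belong in a given baseline is an assumption of this example.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
}

# One VMX entry per line: key = "value". Lines starting with '#' are skipped.
ENTRY = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}. This example keeps the last occurrence."""
    settings = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text, baseline=BASELINE):
    """Return {key: finding} for each baseline key the VMX does not satisfy."""
    have = parse_vmx(text)
    findings = {}
    for key, want in baseline.items():
        got = have.get(key.lower())
        if got is None:
            # Also the result for a key kept only in a host's /etc/vmware/config,
            # because it never appears in the VMX.
            findings[key] = "missing"
        elif got.strip().lower() != want.lower():
            findings[key] = f"mismatch (found {got!r})"
    return findings

def audit_fleet(vms):
    """vms: {vm name: vmx text}. Return findings for non-compliant VMs only."""
    report = {name: audit_vmx(text) for name, text in vms.items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample inputs, not taken from real VMs.
VM_HARDENED = "\n".join(
    ['displayName = "app01"'] + [f'{k} = "true"' for k in BASELINE])
VM_DRIFTED = 'displayName = "app02"\nisolation.tools.copy.disable = "FALSE"\n'

if __name__ == "__main__":
    for vm, found in audit_fleet({"app01": VM_HARDENED, "app02": VM_DRIFTED}).items():
        print(vm, found)
```
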
Guardian1234
Contributor

Thanks, lamw.

I'd never heard of using this file to secure VMs. This explains why.

I appreciate the answer, especially since there were so many views of this question and only one reply... the correct one!

0 Kudos
ramkrishna1
Enthusiast

Hi Guardian

Welcome to the communities.

As it's not recommended by VMware, I will not suggest going with that.

But practically, I have seen some programmers using their own scripts and getting good results.

If you are going with that, you may need to test that properly.

"concentrate the mind on the present moment."
Guardian1234
Contributor

Hi, ramkrishna1.

What part is not supported by VMware?

Basically, from my own perspective, the feedback to management was to "not" mod the /etc/vmware/config file. The approach I recommended was to mod the .vmx file via manual editing.

As to the approach used to modify the .vmx file, that's a TBD based on the individual SA's preference. There may be a PRO to scripting, but the PRO (fast, easy) is also a CON, if the mod(s) are faulty. So, with that said, my recommendation: the target is the .vmx file, while the method of "payload" delivery is left to the SA, with a recommended Best Practice of manual edit.

Is this what you were referring to?

Thx.

0 Kudos