Does anyone know of any decent free virtualization security products besides Nessus, Catbird, Bluelane, vmSafe? Generally speaking, I need a free security solution for ESX, which is hard to come by. I'm using existing RPMs and tools like logchecks, ClamAV and PortSentry, but that's only part of it. If anyone has any other tools in general to protect virtualization infrastructures, that would be appreciated.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
This is a tough question because you need to know what you are trying to secure... If it's just hardening, then the VMware Guide augmented by chapter 4 of my book will cover the ground very well. If it's auditing then you may have to roll your own. If it's logging, once more roll your own.
It is on my plate to package something but everyone has such different requirements.... Assessment is the hard one and there is nothing currently available that is automated. I know of two that are coming out shortly but nothing I can speak about.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Edward,
I'm reading the new ESX security guide from DISA and hope to learn something new as well. I've read your book too, and that helps as well. I've contacted Nessus and Catbird on pricing, but man, those cost around $3200+ per ESX host, and they seem to have full comprehensive virtualization security protection overall. I wish there were a cheaper product that does the job of scanning ports for vulnerabilities, standardizes lockdown procedure templates and applies them on the fly, and monitors virtual network traffic; antivirus plus vmdk encryption would be awesome.
When are you going to release your ESX security tools to the public so we can look at licensing, or are they still in the development phase? I'm hoping there will be new products in the market to streamline and standardize ESX security lockdown and validation A-Z.
Have you heard of Configuresoft EMC server? This has an ESX module as well and they do compliancy and lockdown as well, but we're using Qualys right now so using Catbird is kinda wasted.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
This was just released yesterday and I haven't had a chance to load it, but it sounds like a good (free) start for an audit and compliance tool.
http://www.tripwire.com/configcheck/
Gary,
Thanks for the tool, which I was unaware of; the capabilities are awesome! I'm going to use it and see how it works, and the best thing is it's FREE. You're the best CHIEF!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
NP Stefan. Do me a favor and post your thoughts on the Tripwire tool. I'm not going to have a chance to look at it soon so I would be greatly interested in your feedback.
My first thought for now is the lack of a manual; basically it comes with an EUA.txt file, a .cmd and a .jar file. Launching the .cmd file doesn't do anything. I don't even get any details on how to configure this. I thought it would be some sort of script run on the ESX host or an .exe install on an XP client or something to query and analyze the systems, but I could be wrong and will look for more details, but that's it for now. You should check it out to see how it works too and let me know.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
I managed to get it working now so trying to test it out and post results.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Nice, no docs... I guess I can't throw out the standard RTFM line without docs!
I looked at the FAQ page and the key seems to be JRE 1.5. I got it to launch, but I didn't attach it to any 3.5 hosts. See the attached...
Hello,
ConfigCheck is one of the tools I mentioned I could not talk about. It is a very good sanity check and follows pretty much the VMware Hardening Guideline. As you know I have some problems with some parts of that guide. It will not harden the system, but will provide pointers to some basic instruction. As a starting point it is very good. You will still need to know how to harden the system, however... Yet there is much more that needs to be done than what the VMware Hardening Guides present.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Thanks, I'm trying to get standardized lockdown procedures and guidelines for ESX farms, and using a combination of tools, scripts and documents from DISA certainly helps a lot, and reading this forum is also interesting. I'm curious: if you know of other products, wouldn't it be helpful if you could name them so we can all take a look and benefit from them? Tripwire ConfigCheck seems to be a really good tool to start with.
Is there a particular reason why you can't mention the Tripwire CheckConfig tool? Unless it is against your moderator regulations on promoting.
ConfigCheck is one of the tools I mentioned I could not talk about.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
Nothing to do with being a moderator, but I did not know it was made publicly available. Now that it is, I can talk about it. The tool is a good start, but as I stated in the DISA STIG discussions, you cannot treat ESX like a *NIX box; it is not one and has some caveats there. Ignoring Posix security in ESXi is also an issue with the STIG. As for ConfigCheck, it has a few issues that I reported already but all in all a very good place to start. Not 100% complete per my own guidelines but it is complete per VMware's Hardening Guidelines.
My main point is that there is plenty to help harden the SC. But that is not all there is to virtualization. CISsecurity and Bastille-Linux will also do a very good job in this, but they are Linux based tools with no virtualization concepts in there. All of these miss some critical items IMHO.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Hello,
ConfigCheck is one of the tools I mentioned I could not talk about. It is a very good sanity check and follows pretty much the VMware Hardening Guideline.
Where can I find this VMware Hardening Guide?
Never mind, I found it.
As for ConfigCheck, it has a few issues that I reported already but all in all a very good place to start. Not 100% complete per my own guidelines but it is complete per VMware's Hardening Guidelines.
Are your own guidelines going to be made available, either licensed or free, anytime soon, or are they still in the works? I would be really interested in your product once it is made public.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Is this the latest version of the CIS guide, October 2007? Do you have anything for Bastille, as Edward mentioned, as well? I'm reading it now to get precise lockdown procedures overall. Thanks Bill.
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
There is a script that is an appendix to VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers that contains all the necessary changes to make VMware ESX pass the Linux CISsecurity and Bastille-Linux.org assessments with flying colors. Granted it is based on Linux but also includes several other items in it to cover VMware ESX specific files. I am working on one for VMware's Hardening guidelines as well. Note that neither are perfect.
BTW, I use my scripts on my customer's and my own systems. The ones in the book may need an upgrade or two but nothing major.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Hello,
There is a script that is an appendix to VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers that contains all the necessary changes to make VMware ESX pass the Linux CISsecurity and Bastille-Linux.org assessments with flying colors. Granted it is based on Linux but also includes several other items in it to cover VMware ESX specific files. I am working on one for VMware's Hardening guidelines as well. Note that neither are perfect.
VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers
I'm guessing I have to buy the book in order to get a copy of that script.
The lack of installation instructions was a bit of an oversight. It's being corrected now and should be bundled in with the download some time this week.
To get ConfigCheck up and running, ensure that you have Java 1.5 or above installed and then click on the cmd file, or copy the files to your java\bin directory and run it from there.
Let us know how you get on with the tool.
Gavin, you seem to be in the know about ConfigCheck. Do you happen to know if future releases will support other ESX revs?