Hi All,
Is there a way I can monitor the configuration changes made to ESX by VC or by CLI?
If yes, can it be audited/tracked by date and by user?
How can we secure an ESX and VC, or rather a VI3, environment?
Is it possible to integrate ESX with an ADS/RSA environment? If yes, is any documentation on the same available?
Thanks and Regards,
Raul
Here is an extensive list of documents, best practices and tools to help secure your VM environment; I'm sure Edward will have more to say.
http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
There are some tools, like Tripwire, that can be used to monitor/track changes on your hosts, along with others on that page.
Not all configurations on the host are trackable using the VI API, but there is a good amount of host config that you can extract and perhaps store and compare later. Perhaps this health check report could help: http://communities.vmware.com/docs/DOC-9420 (look at the detail-hosts option). If you're looking for detailed configurations that are not exposed through the VI API, you could take a look at this shell script health check, which is executed on the Service Console and is only available for classic ESX: http://esxhealthscript.svn.sourceforge.net/viewvc/esxhealthscript/
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
If you find this information useful, please award points for "correct" or "helpful".
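An added example of the store-and-compare approach William describes above (this is not code from the thread, from the linked health-check report, or from VMware). Two host configuration snapshots are constructed inline to stand in for what a VI API client would return from a host's config properties; the property names (ntp, firewall, vswitch, advanced) and the SENSITIVE_PREFIXES list are assumptions, not a verified VI API schema. The script fingerprints each snapshot for a cheap did-anything-change check, then reports every changed path with its before and after value and flags the firewall and vSwitch changes for review.

```python
"""Store-and-compare of ESX host configuration snapshots (added example).

The two snapshots are constructed inline; in practice each would be filled
from the VI API (a HostSystem's config properties, via the VI Perl Toolkit
or PowerCLI) and written to disk on a schedule. Property names below are an
illustrative assumption, not a verified VI API schema.
"""
import hashlib
import json

# Constructed sample: host config captured on day 1.
SNAPSHOT_BEFORE = {
    "host": "esx01.example.local",
    "ntp": {"servers": ["10.0.0.5"]},
    "firewall": {"sshClient": False, "ntpClient": True},
    "vswitch": {"vSwitch0": {"mtu": 1500, "promiscuous": False}},
    "advanced": {"Config.HostAgent.log.level": "info"},
}

# Constructed sample: the same host on day 2, after several changes.
SNAPSHOT_AFTER = {
    "host": "esx01.example.local",
    "ntp": {"servers": ["10.0.0.5", "10.0.0.6"]},
    "firewall": {"sshClient": True, "ntpClient": True},
    "vswitch": {"vSwitch0": {"mtu": 9000, "promiscuous": True}},
    "advanced": {"Config.HostAgent.log.level": "info"},
}

ABSENT = "<absent>"  # marker for a path present on only one side

# Assumption: which parts of the config this shop treats as security-relevant.
SENSITIVE_PREFIXES = ("firewall.", "vswitch.")


def fingerprint(snapshot):
    """SHA-256 over a canonical JSON form: a cheap, Tripwire-style
    'did anything change at all?' check that can be stored per run."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into {"dotted.path": scalar}.
    List items are keyed by index, so inserting into the middle of a list
    shows up as several changed paths rather than one insertion."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_snapshots(before, after):
    """Return {path: (old, new)} for every path whose value differs.
    ABSENT on one side means the path was added or removed."""
    old_flat, new_flat = flatten(before), flatten(after)
    changes = {}
    for path in sorted(set(old_flat) | set(new_flat)):
        old = old_flat.get(path, ABSENT)
        new = new_flat.get(path, ABSENT)
        if old != new:
            changes[path] = (old, new)
    return changes


def sensitive_changes(changes):
    """Subset of changes under the prefixes an auditor should review first."""
    return {p: v for p, v in changes.items() if p.startswith(SENSITIVE_PREFIXES)}


def report(before, after):
    """Human-readable change report, one line per changed path."""
    lines = [f"fingerprint {fingerprint(before)[:12]} -> {fingerprint(after)[:12]}"]
    changes = diff_snapshots(before, after)
    sensitive = sensitive_changes(changes)
    for path, (old, new) in changes.items():
        flag = "  [REVIEW]" if path in sensitive else ""
        lines.append(f"{path}: {old!r} -> {new!r}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    if fingerprint(SNAPSHOT_BEFORE) == fingerprint(SNAPSHOT_AFTER):
        print("no change")
    else:
        print(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

The fingerprint answers "did anything change?" and the diff answers "what changed?", but, as the rest of the thread points out, neither answers "who changed it"; that has to come from the host's own logs or from vCenter.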
All of the above are great resources to start. I've found that getting a complete picture of any administrative transaction can lead to a review of 3 or more logs. I'm investigating a new appliance from HyTrust that provides a single point of control between the VIC, vCenter, and the ESX hosts. I'm intrigued by this approach. Has anyone in the community reviewed/implemented this product?
Hello,
Moved to the Security forum.
HyTrust has an interesting approach to solving this problem, and it is useful. I have seen demos of it and will be playing with it myself; I just wish it had better vCenter integration, etc. I am not sure how well it handles VI-SDK tools, however.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast
Hello,
Is there a way I can monitor the configuration changes made to ESX by VC or by CLI?
Yes and no. You can use Tripwire to monitor files on ESX, but not who made the changes, just that they changed.
If yes, can it be audited/tracked by date and by user?
You would need to A) hook into vCenter to read the logfiles/actions database table to determine who did what, plus ensure you use 'sudo' on your ESX host to track who made what changes within the environment. Also track /var/log/hostd.log. This is actually a very difficult problem, as there are many ways to change data on the system: vCenter, VIC, VI SDK, CLI, by hand.
How can we secure an ESX and VC, or rather a VI3, environment?
This is what my new book covers; there is more involved than just hardening your ESX hosts. However, hardening your ESX hosts is a good start. Adding change management into the picture is even better, but that is more a process than a tool.
Is it possible to integrate ESX with an ADS/RSA environment? If yes, is any documentation on the same available?
AD, yes. RSA you could, if you speak either LDAP or Kerberos. There are many ways to hook into AD; some are more secure than others.
'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' is now available on Rough Cuts; this book looks at the entire Virtual Environment and not just ESX and the VMs residing within it. Rough Cuts is an early, pre-copy-edit version of the book. Yes, it is missing SOME things, but not much. The book is due out in June, I have been told.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
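An added example of the correlation Edward's answer calls for (this is not code from the thread, from the book, or from VMware). It merges two of the sources he names, the sudo trail from the Service Console and /var/log/hostd.log, into one timeline that can be filtered by date and by user, and it sets aside anything the host attributes to vCenter's own account, since for those the real user is only in the vCenter database. All log lines are constructed samples: the sudo lines use the standard sudo syslog layout, while the hostd.log layout, the module names ('Vimsvc', 'TaskManager') and the task names are assumptions about the ESX 3.x format.

```python
"""Build a per-user, per-day timeline from sudo and hostd logs (added example).

Edward's answer lists the sources you have to read on a classic ESX host:
the sudo trail from the Service Console and /var/log/hostd.log. This merges
the two into one timeline you can filter by date and by user. The log lines
are constructed samples; the sudo format is standard syslog, while the
hostd.log layout here is an assumption about the ESX 3.x format.
"""
import re
from datetime import datetime

# Constructed sample from the Service Console syslog (e.g. /var/log/secure).
# The third line is not a sudo record and must be ignored by the parser.
SUDO_LOG = """\
May 12 10:23:45 esx01 sudo:     raul : TTY=pts/0 ; PWD=/home/raul ; USER=root ; COMMAND=/usr/sbin/esxcfg-firewall -e sshClient
May 13 09:05:17 esx01 sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/esxcfg-vswitch -m 9000 vSwitch0
May 13 09:05:30 esx01 sshd[4521]: Accepted publickey for admin from 10.0.0.20 port 51234 ssh2
"""

# Constructed sample in the shape of /var/log/hostd.log (format assumed).
HOSTD_LOG = """\
[2009-05-12 10:40:11.221 'Vimsvc' 3086 info] [Auth]: User vpxuser
[2009-05-12 10:40:12.004 'TaskManager' 3086 info] Task Created : haTask-ha-host-vim.host.NetworkSystem.updateDnsConfig-141
[2009-05-13 09:07:45.118 'Vimsvc' 3086 info] [Auth]: User raul
[2009-05-13 09:07:46.002 'TaskManager' 3086 info] Task Created : haTask-ha-host-vim.host.FirewallSystem.disableRuleset-162
"""

SUDO_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sudo:\s+(\S+) : TTY=(\S+) ; "
    r"PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$"
)
HOSTD_RE = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ '([^']+)' \d+ (\w+)\] (.*)$"
)

# vCenter talks to the host with its own account; anything it did shows up
# under this name and has to be resolved on the vCenter side.
VCENTER_ACCOUNT = "vpxuser"


def parse_sudo(line, year):
    """syslog lines carry no year, so the caller supplies it."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": when, "source": "sudo", "user": m.group(3),
            "action": f"as {m.group(6)}: {m.group(7)}"}


def parse_hostd(line):
    """hostd lines name a user only on some records (here the [Auth] lines);
    task lines keep user=None, so the timeline order is what ties them together."""
    m = HOSTD_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    msg = m.group(4)
    who = re.search(r"\bUser (\S+)", msg)
    return {"time": when, "source": "hostd",
            "user": who.group(1) if who else None, "action": msg}


def build_timeline(sudo_lines, hostd_lines, year):
    events = [e for e in (parse_sudo(l, year) for l in sudo_lines) if e]
    events += [e for e in (parse_hostd(l) for l in hostd_lines) if e]
    return sorted(events, key=lambda e: e["time"])


def filter_events(events, user=None, day=None):
    """day is 'YYYY-MM-DD'; None means no filter on that field."""
    return [e for e in events
            if (user is None or e["user"] == user)
            and (day is None or e["time"].strftime("%Y-%m-%d") == day)]


def needs_vcenter_lookup(events):
    """Host-side events attributed to vCenter's account: the real user is only
    in the vCenter task/event tables, which is Edward's point."""
    return [e for e in events if e["user"] == VCENTER_ACCOUNT]


if __name__ == "__main__":
    timeline = build_timeline(SUDO_LOG.splitlines(), HOSTD_LOG.splitlines(), 2009)
    for e in filter_events(timeline, day="2009-05-13"):
        print(e["time"], e["source"], e["user"] or "-", e["action"])
    for e in needs_vcenter_lookup(timeline):
        print("resolve in vCenter:", e["time"], e["action"])
```

The year argument exists because syslog timestamps have none; feed the timeline the year of the log file you are reading, and keep the host and vCenter clocks in sync (NTP) or the merge order is meaningless.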
I have had good luck with the HyTrust appliance
FYI, HyTrust is working on implementing two-factor authentication for ESX and vCenter as part of the HyTrust Appliance's access management capabilities for their upcoming 1.1 release. This is for both vCenter and direct-to-host management connections using the Virtual Infrastructure Client or ssh. They are currently looking at implementing support for RSA SecurID, smart cards, RADIUS and Kerberos.
Just a thought: if you are going to upgrade to vSphere soon, then you might want to look at Host Profiles, as it might do what you are looking for.
If you still have valid VMware support, then it might be worth it for you to upgrade, as it's free :).
I hope this helps someone; if it did, please reward points.
Enjoy,
Eiad Al-Aqqad
System X & Storage Technical Specialist
http://www.virtualizationTeam.com
Fixing HyTrust search in VMware communities.
You may want to look at Tripwire on configuration changes. Catbird does change management controls/alerts.
Sorry for posting in this old topic, but as an alternative to Tripwire take a look at the Netwrix Auditor for VMware solution. It has a 20-day free trial and can report all critical VMware configuration changes, including host system settings, cluster resources and individual virtual machines, with all the details about who changed what, when and where, including before-and-after values for all changes.