VMware Cloud Community
Heartstealer
Contributor

Auditing / Security of ESX

Hi All,

Is there a way I can monitor the configuration changes made to ESX by VC or by CLI ?

If yes, can it be audited/tracked date-wise and user-wise?

How can we secure an ESX and VC or rather a VI3 environment?

Is it possible to integrate ESX with an ADS/RSA environment? If yes, is any documentation on the same available?

Thanks and Regards,

Raul

10 Replies
lamw
Community Manager

Here is an extensive list of documents/best practices and tools to help secure your VM environment; I'm sure Edward will have more to say.

http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

There are some tools like tripwire that can be used to monitor/track changes on your hosts along with others on that page.

Not all configurations on the host are trackable using the VI API, but there is a good amount of host config that you can extract and perhaps store and compare later. Perhaps this health check report could help http://communities.vmware.com/docs/DOC-9420 (look at the option detail-hosts). If you're looking for detailed configurations that are not exposed through the VI API, you could take a look at this shell script health check, which is executed on the Service Console and only available for classic ESX: http://esxhealthscript.svn.sourceforge.net/viewvc/esxhealthscript/

=========================================================================

William Lam

VMware vExpert 2009

VMware ESX/ESXi scripts and resources at:

If you find this information useful, please award points for "correct" or "helpful".

AndreTheGiant
Immortal

There are also:

Andre

**if you found this or any other answer useful please consider allocating points for helpful or correct answers

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
gary1012
Expert

All of the above are great resources to start. I've found that getting a complete picture of any administrative transaction can lead to a review of 3 or more logs. I'm investigating a new appliance from HyTrust that provides a single point of control between the VIC, vCenter, and the ESX hosts. I'm intrigued by this approach. Has anyone in the community reviewed/implemented this product?

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
Texiwill
Leadership

Hello,

Moved to the Security forum.

Hytrust has an interesting approach to solving this problem and it is useful. I have seen demos of it and will be playing with it myself, I just wish it had better vCenter integration, etc. I am not sure how well it handles VI-SDK tools however.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Texiwill
Leadership

Hello,

Is there a way I can monitor the configuration changes made to ESX by VC or by CLI ?

Yes and no. You can use Tripwire to monitor files on ESX but not who made them. Just that they changed.

If yes, can it be audited/tracked date-wise and user-wise?

You would need to A) hook into vCenter to read the logfiles/actions database table to determine who did what, plus ensure you use 'sudo' on your ESX host to track who made what changes within the environment. Also track /var/log/hostd.log. This is actually a very difficult problem, as there are many ways to change data on the system: vCenter, VIC, VI SDK, CLI, by hand.

How can we secure an ESX and VC or rather a VI3 environment?

This is what my new book covers; there is more involved than just hardening your ESX hosts. However, hardening your ESX hosts is a good start. Adding change management into the picture is even better, but that is more a process than a tool.

Is it possible to integrate ESX with an ADS/RSA environment? If yes, is any documentation on the same available?

AD, yes. RSA you could, if you speak either LDAP or Kerberos. There are many ways to hook into AD; some are more secure than others.

'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' is now available on Rough Cuts. This book looks at the entire Virtual Environment and not just ESX and the VMs residing within it. Rough Cuts is an early, pre-copy-edit version of the book. Yes, it is missing SOME things, but not much. The book is due out in June, I have been told.


Best regards,
Edward L. Haletky
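One way to combine the two pieces Edward describes (a Tripwire-style file baseline that says what changed, and sudo logging that says who ran what), as an added example that is not part of this thread: the config paths and log lines are constructed, and the correlation is a simple substring match of each changed path against the sudo COMMAND field.

```python
"""File-integrity baseline for ESX Service Console config files, correlated with sudo
syslog lines to attribute each change to a user. Added example, not from the thread;
every path and log line below is constructed."""
import hashlib
import re

# Constructed sample: file contents at baseline time and at check time.
# The paths are illustrative, not a vetted list of ESX configuration files.
BASELINE = {"/etc/vmware/esx.conf": b"/adv/Misc/HostName = esx01\n",
            "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "/etc/hosts": b"127.0.0.1 localhost\n"}
CURRENT = {"/etc/vmware/esx.conf": b"/adv/Misc/HostName = esx01\n",
           "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
           "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 vc01\n"}

# Constructed sudo lines in the layout sudo uses when it logs to syslog.
SUDO_LOG = """\
Jun 12 10:15:32 esx01 sudo:   raul : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
Jun 12 10:40:02 esx01 sudo:  alice : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/service sshd restart
"""
SUDO_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*COMMAND=(.*)$")

def fingerprint(files):
    """Map each path to the SHA-256 of its content (the Tripwire-style baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def changed_files(baseline, current):
    """Paths whose hash differs, or that were added or removed, since the baseline."""
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    return sorted(p for p in set(base_fp) | set(cur_fp) if base_fp.get(p) != cur_fp.get(p))

def parse_sudo(log):
    """Return (timestamp, user, command) for each sudo line in the syslog text."""
    return [m.groups() for m in map(SUDO_RE.match, log.splitlines()) if m]

def attribute(changed, sudo_entries):
    """For each changed path, list (user, timestamp) of sudo commands that named it.
    An empty list means the file changed by a route sudo never saw (a root shell,
    hostd/vCenter, the VI SDK): the attribution gap the thread describes."""
    return {path: [(user, ts) for ts, user, cmd in sudo_entries if path in cmd]
            for path in changed}
```

In the sample, /etc/ssh/sshd_config is attributed to raul while /etc/hosts changed with no sudo trace, which is exactly the case where hostd.log or the vCenter actions table has to be consulted next.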
admin
Immortal

I have had good luck with the HyTrust appliance

FYI, HyTrust is working on implementing 2-factor authentication for ESX and vCenter as part of HyTrust Appliance's access management capabilities for their upcoming 1.1 release. This is for both vCenter and direct-to-host management connections using Virtual Infrastructure Client or ssh. They are currently looking at implementing support for RSA SecurID, smart card, RADIUS and Kerberos.

ealaqqad
Enthusiast

Just a thought: if you are going to upgrade to vSphere soon, then you might want to look at Host Profiles, as it might do just what you are looking for.

If you still have valid VMware support, then it might be worth it for you to upgrade, as it's free :).

I hope this helps someone; if it did, please reward points.

Enjoy,

Eiad Al-Aqqad

System X & Storage Technical Specialist

http://www.virtualizationTeam.com

Regards, Eiad Al-Aqqad Technology Consultant @ VMware b: http://www.VirtualizationTeam.com b: http://www.TSMGuru.com
echiu
Contributor

Fixing HyTrust search in VMware communities.

Novasurfer99
Contributor

You may want to look at Tripwire on configuration changes. Catbird does change management controls/alerts.

www.tripwire.com

www.catbird.com

Netwrix
Enthusiast

Sorry for posting in the old topic, but as an alternative to Tripwire take a look at the Netwrix Auditor for VMware solution. It has a 20-day free trial, and it can report to you about all critical VMware configuration changes, including host system settings, cluster resources and individual virtual machines, with all the detail about who changed what, when and where, including before and after values for all changes.
