Flest
Contributor

Guest OS integrity monitoring

Hi,

Are there any Guest OS integrity monitoring mechanisms, or maybe non-VMware solutions that exist?

Thank you,

Sergey.

10 Replies
AntonVZhbankov
Immortal

Virtual and physical machines don't differ here. It can be and it should be done by exactly the same software.

I'm pretty sure there are a lot of OS security solutions but not free.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, MCITP: SA+VA, VCP 3/4/5, VMware vExpert http://blog.vadmin.ru
Flest
Contributor

> Virtual and physical machines don't differ here. It can be and it should be done by exactly the same software.
>
> I'm pretty sure there are a lot of OS security solutions but not free.

Software solutions that allow monitoring the integrity of the OS are useless; they cannot even be certified (e.g. in Russia).

While we are speaking about physical machines, only the use of hardware controllers that have their own memory and processor allows us to be sure that we have reliable OS integrity monitoring.

As for virtual machines, VMSafe in Infrastructure 4.0 allows the problem to be solved correctly, not from the level of the OS.

Is there any correct solution for Infrastructure 3.5?

Texiwill
Leadership

Hello,

What do you mean by Integrity monitoring? Are you talking about Virus Scans? Security Scanners? Port scanners? Network monitoring? Configuration management? Or are you talking about Trusted Platform Modules? By the comment, it sounds like TPM.

As an aside, what is inside VMsafe is still under embargo except for the fact that Virus Scanning companies are involved as are several virtualization security companies.

For all but TPM there are options available.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XII: 2009-2020,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Flest
Contributor

> What do you mean by Integrity monitoring? Are you talking about Virus Scans? Security Scanners? Port scanners? Network monitoring? Configuration management? Or are you talking about Trusted Platform Modules? By the comment, it sounds like TPM.

I am talking about TPM, you are right, but I am talking about a TPM that ensures that the OS has not been modified: it should store the checksums of all system files and calculate them each time the user turns on the PC.

Here is an example of such a device:

While using virtual machines we cannot use such devices, but this problem can be solved at the level between the hypervisor and the guest OS, and I am searching for such solutions.

AntonVZhbankov
Immortal

TPM is not certified in Russia, so even the notebooks with TPM are not certified for use.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, MCITP: SA+VA, VCP 3/4/5, VMware vExpert http://blog.vadmin.ru
0 Kudos
Flest
Contributor

> TPM is not certified in Russia, so even the notebooks with TPM are not certified for use.

TPM IS certified in Russia. Here is the certificate for the 1D security class: http://accord.ru/sert22.html

And there are models for notebooks that are certified too.

AntonVZhbankov
Immortal

Microsoft guys don't know about it, and at each conference they say: TPM is not certified, so BitLocker is not certified for use in Russia.

I should tell them about this next time.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, MCITP: SA+VA, VCP 3/4/5, VMware vExpert http://blog.vadmin.ru
0 Kudos
Texiwill
Leadership

Hello,

I see what you want to do, and there are ways to make this work within the Guest OS using read-only media. Specifically, this is the way you should use such tools even on a physical host. One such tool is from Tripwire and it runs within the Guest or on a Guest VMDK but does not run within the hypervisor. There are NO tools that will run within the hypervisor at this time.

In addition, no TPM device that I know about does a FULL checksum calculation for every file within the OS. It may do some, it may offer 'disk' encryption, and it may offer other items, but not checksums for EVERY file.

The problem that is raised by what you want to do is: WHEN and how often do you want to do it? And WHERE do you want to do it? The HOW of doing file-level integrity checks is pretty straightforward and well understood.

If you wanted to do this within the VM using tools that sit on read-only CDROM/ISO images then you can do this now anytime you want within a VM, but you have perf issues if you do it on boot, on shutdown, or even during the day.

If you want the ESX host to do this, then you also have perf issues, but the ESX host must also understand every file system within the VM.

You could use the VCB proxy server to do this, which offloads the work from ESX but your VM runs in snapshot mode while the integrity check is completed. So how often you do this is a question.

You could use a daemon within the OS, but if the OS is hacked the daemon will most likely be hacked as well... but if the DB is in a safe location, that is the first thing checked, unless it is hacked to read a different hacker-supplied file.

This is a very good question... with no really good answers.


Best regards,
Edward L. Haletky
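To make the file-level integrity check discussed above concrete (the stored checksums of system files from Flest's TPM description, and the "is the DB itself trustworthy?" concern in the reply), here is an added example, not code from the thread or from Tripwire: it hashes a tree, seals the baseline table with an HMAC under a key assumed to be held on the read-only scan media, and refuses to compare files at all if the table's MAC does not verify. The sample files, the key and the demo() driver are constructed for the example.

```python
import hashlib, hmac, json, os, tempfile
# Constructed sample "system files" for an offline demonstration (not real OS files).
SAMPLE_FILES = {"bin/ls": b"ls binary v1", "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}

def file_digest(path):
    """SHA-256 of one file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map every regular file under root (relative path) to its digest."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, root)] = file_digest(full)
    return table

def seal(table, key):
    """HMAC over canonical JSON of the table; key assumed kept on read-only scan media."""
    body = json.dumps(table, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(root, baseline, key):
    """Return (baseline_authentic, changed_paths). A table whose MAC fails is
    rejected before any file is compared: a substituted DB proves nothing."""
    if not hmac.compare_digest(seal(baseline["files"], key), baseline["mac"]):
        return False, []
    current = hash_tree(root)
    paths = set(baseline["files"]) | set(current)
    return True, sorted(p for p in paths if baseline["files"].get(p) != current.get(p))

def demo():
    """Seal a baseline, then modify a file, then try to swap in a matching table."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        table = hash_tree(root)
        baseline = {"files": table, "mac": seal(table, key)}
        clean = verify(root, baseline, key)
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ls binary trojaned")  # simulated modification of a system file
        forged = {"files": hash_tree(root), "mac": baseline["mac"]}  # DB swapped to hide it
        return clean, verify(root, baseline, key), verify(root, forged, key)
```

The three results show the clean baseline passing, the modified file being reported, and the swapped-in table being rejected outright because its MAC no longer verifies.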
virtualsec
Contributor

Further to this: Is there any way to monitor the integrity of Guest OS kernel data structures from outside the Guest OS? Is this a current or future capability of VMSafe?

Texiwill
Leadership

Hello,

> Further to this: Is there any way to monitor the integrity of Guest OS kernel data structures from outside the Guest OS?

There is a debugger you can use with VMware Workstation, but other than 'kernel'-level debugging, no, there is nothing I know about for outside the VM. Also, from within the VM, unless you happen to be running within the kernel, it is very hard to integrity check your kernel data structures as well.

> Is this a current or future capability of VMSafe?

Not something answerable until VMsafe is actually available. NDA covers most of this.


Best regards,
Edward L. Haletky