I can also say that you don't need it for an ISO27001 audit or a SAS70 declaration/audit.

Your access control policy should limit physical access to the console so anybody who is able to view the console will be authorized to do so anyway.

We also have never had that requirement and we have gone through a number of ISO audits and also SOX compliency

Hello,

SOX Compliance does not require a screen saver to be invoked. It does however require that your security policy be followed and if your security policy dictates that password protected or autologout features be enabled on servers then there are only a few options. Installing X just to get xscreensaver to work is really anathema to ESX as X is a HUGE, repeat HUGE memory hog.

The statements in http://www.cyberciti.biz/tips/increase-security-by-locking-admin-screenconsole.html concerning TMOUT are the best options for non-graphical consoles. Another tool out there is http://rpmfind.net/linux/rpm2html/search.php?query=idled. While idled does not require any modifications to the VMkernel or SC kernel to use, you must be careful with its usage as it is not a stock part of ESX.

The combination of TMOUT and IDLED should solve your Security Policy issues. I do not like vlock as it requires the user to remember to type it in. You need something automatic like TMOUT and IDLED. Combining the two gives good coverage.

Best regards,

Edward

Hello,

If the server in question has those cards, then you may also need IDLED/TMOUT solution depending on the timeout capabilities of the cards. They may be set to high. Unfortunately not every server comes with an RILOE/RSA card. I know just about every vendor has something for remote management but am not familiar with them all.

However, implementing RILOE/Remote Management cards can be expensive and have their own security concerns. Specifically it is now possible to access the console from outside the locked data center room. Which depending on the security policy could be disallowed. YOu also have to run more network cable. Many people I talk to who have these devices do not use them even when they are built in.

IDLED/TMOUT is very much like a password protected screen saver, they just log you off. Instead of presenting a screen saver password prompt.

Best regards,

Edward

stick the iLO/RSA card on a VLAN that only authorized people/stations have access to address "possible to access the console from outside the locked data center room"[/i]

Hello,

Absolutely, the ILO/RSA should be on its own VLAN. It really depends on the Security Policy what is allowed and not allowed, unfortunately we do not have that information. I use the ILO for even my non-HP hardware where it will fit in the box and I am pretty happy with it. Yet, as I stated, I know many people who just will not use it, even when it is built in.

But yes, use a separate firewalled network and most security concerns should be addressed.

However, IDLED/TMOUT addresses the initial question. Vlock will as well, but you need to remember to type vlock when you leave the console.

Best regards,

Edward