As part of our SOX compliance rollout I need to invoke screen savers on all servers that have a console attached to them. My ESX servers have consoles attached. Is there a screen saver built into the ESX server OS?
How do I invoke one? I don't have the option of removing the consoles and using PuTTY...
I've never run across this and we've passed several SOX and PCI audits. ESX runs in a text-based, non-graphical mode so there is no way to have a screen saver on it. Do you routinely leave users logged in to the ESX console?
You might try something like vlock...
You can (at the cost of Service Console overhead) configure and launch an X server and still invoke a screen saver. But you should not need to launch a screen saver to be SOX compliant.
I can also say that you don't need it for an ISO27001 audit or a SAS70 declaration/audit.
Your access control policy should limit physical access to the console so anybody who is able to view the console will be authorized to do so anyway.
SOX Compliance does not require a screen saver to be invoked. It does however require that your security policy be followed and if your security policy dictates that password protected or autologout features be enabled on servers then there are only a few options. Installing X just to get xscreensaver to work is really anathema to ESX as X is a HUGE, repeat HUGE memory hog.
The statements in http://www.cyberciti.biz/tips/increase-security-by-locking-admin-screenconsole.html concerning TMOUT are the best options for non-graphical consoles. Another tool out there is http://rpmfind.net/linux/rpm2html/search.php?query=idled. While idled does not require any modifications to the VMkernel or SC kernel to use, you must be careful with its usage as it is not a stock part of ESX.
The combination of TMOUT and IDLED should solve your Security Policy issues. I do not like vlock as it requires the user to remember to type it in. You need something automatic like TMOUT and IDLED. Combining the two gives good coverage.
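As an added example (not from any poster in this thread), here is the TMOUT approach from the cyberciti.biz link above as a profile.d snippet, plus a small audit check a practitioner can run against an existing file. It assumes bash login shells read /etc/profile.d/*.sh, as on the RHEL-based service console; the 600-second timeout is a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the thread: bash auto-logout via TMOUT.
# Assumption: login shells source /etc/profile.d/*.sh; 600 s is a sample value.

# Emit the profile.d snippet. Marking TMOUT readonly stops an interactive
# user from simply unsetting it after login.
tmout_snippet() {
    secs="$1"
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$secs"
}

# Audit check: returns 0 if FILE sets TMOUT to a value between 1 and MAX
# seconds and makes it readonly; returns 1 otherwise. TMOUT=0 (or unset)
# disables the timeout in bash, so it is treated as a failure.
check_tmout_file() {
    file="$1"; max="$2"
    val=$(awk '/^[[:space:]]*(export[[:space:]]+)?TMOUT=[0-9]+/ {
                  line=$0; sub(/.*TMOUT=/, "", line); sub(/[^0-9].*/, "", line); v=line
              } END { print v }' "$file")
    [ -n "$val" ] || return 1
    [ "$val" -gt 0 ] && [ "$val" -le "$max" ] || return 1
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$file" || return 1
    return 0
}

# Installation (as root), shown for reference only:
#   tmout_snippet 600 > /etc/profile.d/tmout.sh
#   check_tmout_file /etc/profile.d/tmout.sh 900 && echo "TMOUT policy OK"
```

TMOUT only fires while the shell is waiting at its prompt, so a session left inside a long-running program is not logged out by it; that is the gap idled is meant to cover.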
What about getting them off the console and using a remote access card like iLO/RSA?
If the server in question has those cards, then you may also need the IDLED/TMOUT solution depending on the timeout capabilities of the cards. They may be set too high. Unfortunately not every server comes with an RILOE/RSA card. I know just about every vendor has something for remote management but am not familiar with them all.
However, implementing RILOE/remote management cards can be expensive, and they have their own security concerns. Specifically, it is now possible to access the console from outside the locked data center room, which, depending on the security policy, could be disallowed. You also have to run more network cable. Many people I talk to who have these devices do not use them even when they are built in.
IDLED/TMOUT is very much like a password-protected screen saver; they just log you off instead of presenting a screen saver password prompt.
Absolutely, the ILO/RSA should be on its own VLAN. It really depends on the Security Policy what is allowed and not allowed, unfortunately we do not have that information. I use the ILO for even my non-HP hardware where it will fit in the box and I am pretty happy with it. Yet, as I stated, I know many people who just will not use it, even when it is built in.
But yes, use a separate firewalled network and most security concerns should be addressed.
However, IDLED/TMOUT addresses the initial question. Vlock will as well, but you need to remember to type vlock when you leave the console.