c7320
Contributor

SOX Compliance - How can I invoke a screen saver on an ESX server?

As part of our SOX compliance rollout I need to invoke screen savers on all servers that have a console attached to them. My ESX servers have consoles attached. Is there a screen saver built into the ESX server OS?

How do I invoke one? I don't have the option of removing the consoles and using PuTTY...

Thanks

Michael Mouncey

10 Replies
esiebert7625
Immortal

I've never run across this and we've passed several SOX and PCI audits. ESX runs in a text-based, non-graphical mode, so there is no way to have a screen saver on it. Do you routinely leave users logged in to the ESX console?

You might try something like vlock...

http://www.cyberciti.biz/tips/increase-security-by-locking-admin-screenconsole.html

http://www.die.net/doc/linux/man/man1/vlock.1.html

http://linux.maruhn.com/sec/vlock.html

siglert
Enthusiast

You can (at the cost of Service Console overhead) configure and launch an X server and still invoke a screen saver. But you should not need to launch a screen saver to be SOX compliant.

MartijnLo
Enthusiast

I can also say that you don't need it for an ISO27001 audit or a SAS70 declaration/audit.

Your access control policy should limit physical access to the console so anybody who is able to view the console will be authorized to do so anyway.

petedr
Virtuoso

We also have never had that requirement, and we have gone through a number of ISO audits and also SOX compliance.

www.thevirtualheadline.com www.liquidwarelabs.com
Texiwill
Leadership

Hello,

SOX Compliance does not require a screen saver to be invoked. It does, however, require that your security policy be followed, and if your security policy dictates that password-protected or auto-logout features be enabled on servers, then there are only a few options. Installing X just to get xscreensaver to work is really anathema to ESX, as X is a HUGE, repeat HUGE, memory hog.

The statements in http://www.cyberciti.biz/tips/increase-security-by-locking-admin-screenconsole.html concerning TMOUT are the best options for non-graphical consoles. Another tool out there is http://rpmfind.net/linux/rpm2html/search.php?query=idled. While idled does not require any modifications to the VMkernel or SC kernel to use, you must be careful with its usage as it is not a stock part of ESX.

The combination of TMOUT and IDLED should solve your Security Policy issues. I do not like vlock as it requires the user to remember to type it in. You need something automatic like TMOUT and IDLED. Combining the two gives good coverage.

Best regards,

Edward

--
Edward L. Haletky
vExpert XII: 2009-2020,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
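The TMOUT approach recommended in the reply above, worked through as an added example (my code, not Edward's and not part of the thread). It assumes the Service Console shell is bash and that `/etc/profile.d/*.sh` is sourced for interactive logins, as on the RHEL-derived Service Console; the 600-second value, the hypothetical `/etc/profile.d/tmout.sh` path and the `render_tmout_fragment` / `check_tmout_fragment` function names are mine. The second function is the check a compliance script would run to confirm the timeout is set, non-zero, within policy, and marked readonly so a logged-in user cannot simply `unset TMOUT`:

```shell
#!/bin/sh
# Added example, not from the thread: enforce an idle logout on the ESX
# Service Console with bash's TMOUT, the automatic option recommended above
# instead of vlock. Assumptions (mine, not the thread's): the console shell is
# bash and /etc/profile.d/*.sh is sourced for interactive logins; the
# 600-second value is a constructed policy figure.
TMOUT_SECONDS=600

# Render the /etc/profile.d fragment. Once TMOUT is readonly, an interactive
# bash session exits after that many idle seconds and the user cannot defeat
# it with "unset TMOUT" or "TMOUT=0". It is deliberately not exported:
# an exported TMOUT also becomes the default timeout of bash's "read"
# builtin in child scripts.
render_tmout_fragment() {
    printf '%s\n' \
        '# Idle logout for interactive shells (console-lock control)' \
        "TMOUT=$1" \
        'readonly TMOUT'
}

# Compliance check for an existing fragment: TMOUT must be set, non-zero,
# no larger than the policy limit ($2), and marked readonly. Accepts both
# "TMOUT=N" and "readonly TMOUT=N" spellings. Returns 0 on pass, 1 on fail.
check_tmout_fragment() {
    file=$1
    limit=$2
    value=$(sed -n 's/^[[:space:]]*\(readonly[[:space:]][[:space:]]*\)\{0,1\}TMOUT=\([0-9][0-9]*\).*/\2/p' "$file" | tail -n 1)
    if [ -z "$value" ]; then
        echo "FAIL: $file does not set TMOUT"
        return 1
    fi
    if [ "$value" -eq 0 ] || [ "$value" -gt "$limit" ]; then
        echo "FAIL: TMOUT=$value is disabled or exceeds the $limit second limit"
        return 1
    fi
    if ! grep -q '^[[:space:]]*readonly[[:space:]][[:space:]]*TMOUT' "$file"; then
        echo "FAIL: TMOUT is set but writable; a user can unset it"
        return 1
    fi
    echo "OK: TMOUT=$value enforced and readonly"
    return 0
}

# Demo in a scratch directory; on a real host the fragment would be written
# to /etc/profile.d/tmout.sh (root-owned, mode 0644) instead.
tmp=$(mktemp -d)
render_tmout_fragment "$TMOUT_SECONDS" > "$tmp/tmout.sh"
check_tmout_fragment "$tmp/tmout.sh" 900          # OK
# Constructed weak fragment: timeout set but left writable.
printf 'TMOUT=600\n' > "$tmp/weak.sh"
check_tmout_fragment "$tmp/weak.sh" 900 || true   # FAIL: writable
rm -rf "$tmp"
```

Note that TMOUT only ends the shell; anything left running in the foreground keeps the session alive, and it does nothing for a console that was never logged in, which is why the thread pairs it with physical access control.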
doubleH
Expert

What about getting them off the console and using a remote access card like iLO/RSA?

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points
Texiwill
Leadership

Hello,

If the server in question has those cards, then you may also need the IDLED/TMOUT solution, depending on the timeout capabilities of the cards. They may be set too high. Unfortunately, not every server comes with an RILOE/RSA card. I know just about every vendor has something for remote management, but I am not familiar with them all.

However, implementing RILOE/remote management cards can be expensive, and they have their own security concerns. Specifically, it is now possible to access the console from outside the locked data center room, which, depending on the security policy, could be disallowed. You also have to run more network cable. Many people I talk to who have these devices do not use them even when they are built in.

IDLED/TMOUT is very much like a password-protected screen saver; they just log you off instead of presenting a screen saver password prompt.

Best regards,

Edward

doubleH
Expert

Stick the iLO/RSA card on a VLAN that only authorized people/stations have access to, to address "possible to access the console from outside the locked data center room".

Texiwill
Leadership

Hello,

Absolutely, the iLO/RSA should be on its own VLAN. It really depends on the security policy what is allowed and not allowed; unfortunately we do not have that information. I use the iLO even for my non-HP hardware where it will fit in the box, and I am pretty happy with it. Yet, as I stated, I know many people who just will not use it, even when it is built in.

But yes, use a separate firewalled network and most security concerns should be addressed.

However, IDLED/TMOUT addresses the initial question. vlock will as well, but you need to remember to type vlock when you leave the console.

Best regards,

Edward
