I am trying to secure an ESX host using Compliance Checker as the Security Baseline tool. I am not able to achieve compliance for a few compliance rules, mentioned below. I am referring to the Compliance Checker remediation guide for making those rules compliant. Could anyone provide a solution?
7 Minimize boot services: S91httpd.vmware
7 Minimize boot services: S98mgmt-vmware - vmware-hostd 8085 port
7 Minimize boot services: S98mgmt-vmware - vmware-hostd 8087 port
7 Minimize boot services: S98mgmt-vmware - vmware-hostd 9080 port
7 Minimize boot services: S99pegasus - cimserver 32770 port
If you look at the first compliance rule, it says the httpd.vmware service is part of the minimum recommended services running on an ESX host. The services running on my ESX host are as follows.
/etc/rc3.d/S00microcode_ctl
/etc/rc3.d/S00vmkstart
/etc/rc3.d/S01vmware
/etc/rc3.d/S02megaraid_sas_ioctl
/etc/rc3.d/S02mptctlnode
/etc/rc3.d/S08iptables
/etc/rc3.d/S09firewall
/etc/rc3.d/S10network
/etc/rc3.d/S12syslog
/etc/rc3.d/S13irqbalance
/etc/rc3.d/S14ipmi
/etc/rc3.d/S20random
/etc/rc3.d/S32vmware-aam
/etc/rc3.d/S55sshd
/etc/rc3.d/S55vmware-late
/etc/rc3.d/S56rawdevices
/etc/rc3.d/S56xinetd
/etc/rc3.d/S58ntpd
/etc/rc3.d/S85gpm
/etc/rc3.d/S85vmware-webAccess
/etc/rc3.d/S90crond
/etc/rc3.d/S97vmware-vmkauthd
/etc/rc3.d/S98mgmt-vmware
/etc/rc3.d/S99local
/etc/rc3.d/S99pegasus
/etc/rc3.d/S99vmware-autostart
/etc/rc3.d/S99vmware-vpxa
/etc/rc3.d/S99wsman
Also, I have checked the default location of the httpd.vmware service, but I am not able to find it there (default location: /etc/rc3.d/).
The second rule says that vmhostd port 8085 should be open on localhost for the mgmt-vmware service. How could I do that? It is the same for the remaining three compliance rules.
Thread moved to Security and Compliance forum.
Hello,
I think you need to talk directly with Configuresoft about how to remediate this. Just for the record, you do not need port 8085 open to the world, only 443, as everything is done through the reverse proxy. So personally I am not sure what they are thinking on this one. Yes, the ports are available, but perhaps they should only be locked to localhost?
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/
Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
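As an added example (not code from this thread or from VMware), here is a small POSIX shell check that takes a netstat-style listener table and flags the hostd and cimserver ports from the compliance rules above whenever they are bound to anything other than 127.0.0.1; the listener table embedded in it is constructed sample input, not output from a real host.

```shell
#!/bin/sh
# Added example: audit which management ports are reachable beyond localhost.
# Ports taken from the compliance rules in the thread: hostd 8085/8087/9080,
# cimserver 32770. Port 443 is deliberately not in this list, since the
# reverse proxy on 443 is the one port that needs to be reachable externally.
MGMT_PORTS="8085 8087 9080 32770"

# Constructed sample input in the "netstat -tln" column layout (not captured
# from a real ESX host): 8085 and 9080 are loopback-only, 8087 and 32770
# are bound to all interfaces.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8085          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8087            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32770           0.0.0.0:*               LISTEN'

# Read a listener table on stdin and print "port address" for every
# management port not bound to 127.0.0.1. Returns 0 when nothing is exposed.
find_exposed_ports() {
    exposed=0
    while read -r proto recvq sendq local rest; do
        [ "$proto" = "tcp" ] || continue      # skip the header and non-TCP rows
        addr=${local%:*}                      # "127.0.0.1:8085" -> "127.0.0.1"
        port=${local##*:}                     # "127.0.0.1:8085" -> "8085"
        for p in $MGMT_PORTS; do
            if [ "$port" = "$p" ] && [ "$addr" != "127.0.0.1" ]; then
                echo "$port $addr"
                exposed=1
            fi
        done
    done
    return $exposed
}

# Number of management ports exposed beyond localhost in the sample (0 = compliant).
count_exposed() {
    printf '%s\n' "$SAMPLE_LISTENERS" | find_exposed_ports | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | find_exposed_ports
echo "exposed management ports: $(count_exposed)"
```

On a live service console the same check runs as `netstat -tln | find_exposed_ports`, which reports only the rule ports that are listening on a non-loopback address.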
Have you looked at the Tripwire ConfigCheck remediation PDF? That might give you a clue on what needs to be locked down as far as ports too. These are the same tools as CIS & Configuresoft.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
Hello,
There are similar tools but not the same. Tripwire's approach is to go by the VMware Hardening Guidelines. CIS's Benchmark does not have a script for it that is publicly available, but that will change. ConfigureSoft I believe follows the DISA STIG. All these tools handle the ports differently. I think you really want to discuss that output with ConfigureSoft as Tripwire's is entirely different.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/
Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization