VMware Cloud Community
catchmeifucan
Contributor

Security Assessment of ESX Host

I am trying to secure an ESX host using Compliance Checker as the security baseline tool. I am not able to achieve compliance for a few of the compliance rules mentioned below. I am referring to the Compliance Checker remediation guide for making those rules compliant. Could anyone provide a solution?

7 Minimize boot services: S91httpd.vmware

7 Minimize boot services: S98mgmt-vmware - vmware-hostd 8085 port

7 Minimize boot services: S98mgmt-vmware - vmware-hostd 8087 port

7 Minimize boot services: S98mgmt-vmware - vmware-hostd 9080 port

7 Minimize boot services: S99pegasus - cimserver 32770 port

If you look at the first compliance rule, it says the httpd.vmware service is part of the minimum recommended set of services running on an ESX host. The list of services running on my ESX host is as follows.

/etc/rc3.d/S00microcode_ctl
/etc/rc3.d/S00vmkstart
/etc/rc3.d/S01vmware
/etc/rc3.d/S02megaraid_sas_ioctl
/etc/rc3.d/S02mptctlnode
/etc/rc3.d/S08iptables
/etc/rc3.d/S09firewall
/etc/rc3.d/S10network
/etc/rc3.d/S12syslog
/etc/rc3.d/S13irqbalance
/etc/rc3.d/S14ipmi
/etc/rc3.d/S20random
/etc/rc3.d/S32vmware-aam
/etc/rc3.d/S55sshd
/etc/rc3.d/S55vmware-late
/etc/rc3.d/S56rawdevices
/etc/rc3.d/S56xinetd
/etc/rc3.d/S58ntpd
/etc/rc3.d/S85gpm
/etc/rc3.d/S85vmware-webAccess
/etc/rc3.d/S90crond
/etc/rc3.d/S97vmware-vmkauthd
/etc/rc3.d/S98mgmt-vmware
/etc/rc3.d/S99local
/etc/rc3.d/S99pegasus
/etc/rc3.d/S99vmware-autostart
/etc/rc3.d/S99vmware-vpxa
/etc/rc3.d/S99wsman

Also, I have checked the default location of the httpd.vmware service (default location: /etc/rc3.d/), but I am not able to find it there.

The second rule says that vmware-hostd port 8085 should be open only on localhost for the mgmt-vmware service. How could I do that? It's the same for the other three compliance rules.

RDPetruska
Leadership

Thread moved to Security and Compliance forum.

Texiwill
Leadership

Hello,

I think you need to talk directly with Configuresoft about how to remediate this. Just for the record, you do not need port 8085 open to the world, only 443, as everything is done through the reverse proxy. So personally I am not sure what they are thinking on this one. Yes, the ports are available, but perhaps they should only be locked to localhost?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
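The question asks how to tell whether the hostd ports (8085, 8087, 9080) and the cimserver port (32770) are restricted to localhost, and the reply above makes the point that only 443 on the reverse proxy needs to be reachable from outside. The following shell script is an added example, not from the thread or from any of the compliance tools discussed: it reads `netstat -tlnp`-style output (a constructed sample is embedded so it runs offline; on a real ESX service console you would pipe in the live command) and flags any audited port that is bound to something other than a loopback address. The `AUDIT_PORTS` list, the sample PIDs and the `EXPOSED` output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit listener bindings
# from `netstat -tlnp`-style output and flag hostd/cimserver ports that are
# reachable on non-loopback addresses.

# Ports named by the Compliance Checker rules in the question (assumption:
# these are the only ones to audit).
AUDIT_PORTS="8085 8087 9080 32770"

# Constructed sample in Linux netstat -tlnp layout. hostd listens on all
# interfaces for 8085/8087 but only on loopback for 9080; cimserver is
# exposed on 32770; the reverse proxy is on 443. PIDs are made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8085            0.0.0.0:*               LISTEN      2112/vmware-hostd
tcp        0      0 0.0.0.0:8087            0.0.0.0:*               LISTEN      2112/vmware-hostd
tcp        0      0 127.0.0.1:9080          0.0.0.0:*               LISTEN      2112/vmware-hostd
tcp        0      0 0.0.0.0:32770           0.0.0.0:*               LISTEN      2401/cimserver
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1980/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1800/sshd'

# audit_listeners: read netstat output on stdin and print one line per
# audited port whose bind address is not 127.0.0.1 or ::1.
# Output format (assumed for this example): "EXPOSED <port> <bind> <program>"
audit_listeners() {
    awk -v ports="$AUDIT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            # Local Address is "addr:port"; split on the last colon so that
            # IPv6 addresses such as ::1 are handled too.
            addr = $4
            i = match(addr, /:[0-9]+$/)
            if (i == 0) next
            port = substr(addr, i + 1)
            bind = substr(addr, 1, i - 1)
            if ((port in want) && bind != "127.0.0.1" && bind != "::1")
                print "EXPOSED " port " " bind " " $7
        }'
}

# count_exposed: number of audited ports in the sample that are not
# restricted to loopback (3 for the constructed sample above).
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners | wc -l | tr -d ' '
}

# Stand-alone run: report on the embedded sample. To audit a live host,
# replace the printf with `netstat -tlnp`.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

The script only audits; it does not change how hostd or cimserver bind, because the thread does not give the configuration change that does so and that should be taken up with the compliance tool's vendor as the replies suggest. Port 443 is deliberately not in `AUDIT_PORTS`, since that is the one the reverse proxy is expected to expose.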
azn2kew
Champion

Have you looked at the Tripwire ConfigCheck remediation .pdf? That might give you a clue on what needs to be locked down as far as ports go. These are the same tools as CIS & Configuresoft.


Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

VMware vExpert 2009, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
Texiwill
Leadership

Hello,

These are similar tools but not the same. Tripwire's approach is to go by the VMware Hardening Guidelines. The CIS Benchmark does not have a script for it that is publicly available, but that will change. Configuresoft, I believe, follows the DISA STIG. All these tools handle the ports differently. I think you really want to discuss that output with Configuresoft, as Tripwire's is entirely different.


Best regards,

Edward L. Haletky