Shanew1
Contributor

User Password Aging Problems

I am working on hardening my ESX servers and have set the Pass_Max_Days value to 90 using "esxcfg-auth --passmaxdays=90". I confirm that this is correct by running an "esxcfg-auth --probe" command. My problem is that any new local user that I create on the ESX server does not inherit these settings. They successfully inherit the warning and minimum, but not the maximum (see below). Any ideas how to correct this? I understand that I can use the "chage" command per user, but I would rather have new users default to this setting.

Minimum: 7
Maximum: -1
Warning: 14
Inactive: -1
Last Change: Apr 06, 2009
Password Expires: Never
Password Inactive: Never
Account Expires: Never

7 Replies
Texiwill
Leadership

Hello,

Moved to Security and Compliance forum.

How are you creating this new user? Through the VIC or using useradd?


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Shanew1
Contributor

This seems to be working now, but when I reboot my root account reverts back to a password maximum of -1 (password aging disabled). I am working on running a compliance checker (configuresoft) against my ESX servers and one of the checks fails if password aging is not enabled for root. Is this a bug or is there some other configuration that keeps disabling password aging for the root account?

Also, there is another check that fails due to vpxuser not having password aging enabled. As I understand it the vpxuser password is used for communication between VC and ESX and cannot change unless a host is removed and re-added to VC.

Texiwill
Leadership

Hello,

This seems to be working now, but when I reboot my root account reverts back to a password maximum of -1 (password aging disabled). I am working on running a compliance checker (configuresoft) against my ESX servers and one of the checks fails if password aging is not enabled for root. Is this a bug or is there some other configuration that keeps disabling password aging for the root account?

You need to understand how it is doing the test. But the 'root' user never changes and is there before you set up password aging, so you must run 'chage' on it.

Also, there is another check that fails due to vpxuser not having password aging enabled. As I understand it the vpxuser password is used for communication between VC and ESX and cannot change unless a host is removed and re-added to VC.

The same is true for vpxuser, you need to use chage on it.

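The per-account fix in the reply above (run chage on root and vpxuser, which predate the esxcfg-auth setting) can be scripted so that every Service Console account with aging disabled is found and fixed in one pass. The script below is an added example, not code from the thread or from VMware. It assumes the RHEL-style /etc/shadow layout of the ESX 3.x Service Console, and that esxcfg-auth --passmaxdays writes PASS_MAX_DAYS into /etc/login.defs, which is the value useradd copies to new accounts; the sample shadow and login.defs contents are constructed so the audit runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware. Audits which
# Service Console accounts have password aging disabled and, with --apply,
# enforces a maximum age on them with chage(1), the per-account fix the
# reply above recommends for root and vpxuser. Assumptions: the RHEL-style
# /etc/shadow layout of ESX 3.x, and that esxcfg-auth --passmaxdays writes
# PASS_MAX_DAYS into /etc/login.defs (the value useradd copies to new users).

MAX_DAYS=90

# shadow_max_days LINE: print the max-days field (field 5) of one /etc/shadow
# line, or -1 when it is empty, which is how chage -l reports "Maximum: -1".
shadow_max_days() {
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    if [ -n "$max" ]; then printf '%s\n' "$max"; else printf '%s\n' "-1"; fi
}

# accounts_without_aging SHADOW_TEXT: names of accounts that have a password
# hash but no effective maximum age (field empty, negative, or 99999 "never").
# Accounts locked with * or ! are skipped; chage on them changes nothing useful.
accounts_without_aging() {
    printf '%s\n' "$1" | awk -F: '
        NF < 5 || $2 == "" || $2 == "*" || $2 ~ /^!/ { next }
        $5 == "" || $5 + 0 < 0 || $5 + 0 >= 99999 { print $1 }
    '
}

# login_defs_max_days LOGIN_DEFS_TEXT: the PASS_MAX_DAYS value new useradd
# accounts inherit, or "unset" if the file does not define it.
login_defs_max_days() {
    printf '%s\n' "$1" | awk '
        $1 == "PASS_MAX_DAYS" { v = $2 }
        END { print (v == "" ? "unset" : v) }
    '
}

# enforce_aging USER DAYS: set the maximum age and show the resulting expiry.
# chage -M does not touch the last-change date, so an account whose password
# is already older than DAYS expires immediately; read the output before
# relying on it for root or vpxuser.
enforce_aging() {
    chage -M "$2" "$1" && chage -l "$1" | grep -E '^(Maximum|Password Expires)'
}

# Constructed sample data (placeholder hashes), so the audit runs offline.
SAMPLE_SHADOW='root:$1$aaaa$placeholderhash:14340:7::14::
vpxuser:$1$bbbb$placeholderhash:14340:7:-1:14::
bin:*:14340:0:99999:7:::
shane:$1$cccc$placeholderhash:14340:7:90:14::'

SAMPLE_LOGIN_DEFS='# constructed /etc/login.defs excerpt
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14'

if [ "${1:-}" = "--apply" ]; then
    # Live mode: must run as root on the Service Console itself.
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    for u in $(accounts_without_aging "$(cat /etc/shadow)"); do
        enforce_aging "$u" "$MAX_DAYS"
    done
else
    echo "accounts with aging disabled (constructed sample):"
    accounts_without_aging "$SAMPLE_SHADOW"
    echo "PASS_MAX_DAYS for new users (constructed login.defs): $(login_defs_max_days "$SAMPLE_LOGIN_DEFS")"
fi
```

Without arguments the script only reports against the constructed sample (root and vpxuser are flagged, bin is skipped as locked, shane already has a 90-day maximum); with --apply as root on the Service Console it reads the real /etc/shadow and runs chage -M on each flagged account. Because chage -M leaves the last-change date alone, check the "Password Expires" line it prints before walking away, especially for vpxuser, whose password is what VirtualCenter uses to talk to the host.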
Shanew1
Contributor

I have used the "chage" command to set password aging for the root account, but when the ESX server reboots the root account reverts to its default settings.

Also, has anyone had luck getting the compliance checking tools (Configuresoft or Tripwire) to give you 100% compliance? When we run the Configuresoft checks we get a bunch of ESX logging failed checks and some other failures. We verified logging is working properly and even have a remote syslog server set up. Could these tools be for an older version of ESX (we are using 3.5 U3)?

Texiwill
Leadership

Hello,

I have used the "chage" command to set password aging for the root account, but when the ESX server reboots the root account reverts to its default settings.

That should never happen. At least it has not for me. Are you sure this is NOT ESXi, which would do this?

Also, has anyone had luck getting the compliance checking tools (Configuresoft or Tripwire) to give you 100% compliance? When we run the Configuresoft checks we get a bunch of ESX logging failed checks and some other failures. We verified logging is working properly and even have a remote syslog server set up. Could these tools be for an older version of ESX (we are using 3.5 U3)?

Yes, it is possible to get ConfigCheck to give 100%, but you need to know exactly how the tools are checking for security issues. In general, they are looking for one method and you may be using a different method to verify security. Spacing is often an issue as well.

Shanew1
Contributor

Nope, it is definitely ESX 3.5 U3 with all of the critical patches.

It appears that the compliance check utilities are giving me some incorrect results. All of the syslog checks are failing, but I have verified that both local and remote syslog is working fine.

Texiwill
Leadership

Hello,

Nope, it is definitely ESX 3.5 U3 with all of the critical patches.

That is VERY odd.... I will do some digging.

It appears that the compliance check utilities are giving me some incorrect results. All of the syslog checks are failing, but I have verified that both local and remote syslog is working fine.

The reason is that the 'string' they are looking for is not formatted according to their rules. You need to contact the vendor of the utility for the exact string you require. For example:

CISecurity requires 4 settings to be made to syslog.conf while VMware Hardening Guide requires only 1. So you need to know what the exact test is looking at else it will never pass. There are many ways to redirect logs and each tool is basically looking for only 1.

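The mismatch described above, a checker that greps /etc/syslog.conf for one literal string while the file forwards logs in a slightly different but equally valid form, is easy to reproduce. The script below is an added example, not code from the thread, from CIS or from VMware. The literal pattern it tests ("*.*", one tab, "@host") is an assumption about how such a tool might match and stands in for whatever string the vendor actually documents; the syslog.conf excerpt is constructed. The script checks only the single remote-forwarding setting, not the four CIS settings the reply mentions, since the thread does not list them.

```shell
#!/bin/sh
# Added example, not code from the thread, from CIS or from VMware. Shows the
# mismatch the reply above describes: a compliance checker greps
# /etc/syslog.conf for one literal remote-logging string, while the file
# forwards logs in a slightly different but equally valid form. The literal
# pattern below is an assumption about how such a tool might test; the real
# string has to come from the tool's vendor.

TAB=$(printf '\t')

# Constructed syslog.conf excerpt. All three active lines forward to a remote
# host; only the first uses a *.* selector separated from its target by one tab.
SAMPLE_SYSLOG_CONF=$(printf '%s\n' \
    '# constructed /etc/syslog.conf excerpt' \
    "*.*${TAB}@loghost.example.com" \
    '*.*    @192.0.2.10' \
    'auth,authpriv.*    @loghost.example.com')

# strict_check CONF: the literal test, "*.*", exactly one tab, "@host".
# Prints the matching lines; exits non-zero when none match.
strict_check() {
    printf '%s\n' "$1" | grep "^\*\.\*${TAB}@"
}

# remote_targets CONF: what is actually configured: each non-comment line whose
# action starts with @, printed as "selector host". awk splits on any run of
# spaces or tabs, so the spacing that defeats the literal test is irrelevant.
remote_targets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 ~ /^@/ { print $1, substr($2, 2) }
    '
}

# forwards_everything CONF: succeed only if some line sends *.* to a remote
# host, i.e. a check on the setting itself rather than on one spelling of it.
forwards_everything() {
    remote_targets "$1" | awk '$1 == "*.*" { found = 1 } END { exit !found }'
}

echo "literal-pattern matches:"
strict_check "$SAMPLE_SYSLOG_CONF" || echo "(none)"
echo "remote targets actually configured:"
remote_targets "$SAMPLE_SYSLOG_CONF"
if forwards_everything "$SAMPLE_SYSLOG_CONF"; then
    echo "result: all facilities are forwarded to a remote host"
else
    echo "result: no *.* remote target"
fi
```

Against the sample the literal test matches one of the three forwarding lines, while the parsed view shows all three and confirms that *.* is forwarded. Replace the pattern in strict_check with the string the vendor gives you and run it against the real /etc/syslog.conf to see exactly which line the checker is failing to find; if the host is really forwarding, the fix is to rewrite that one line in the checker's spelling rather than to change how logging works.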