nishus's Posts

You can extend the password expiration time manually to the number of days required for the AppDefense Appliance. If needed, you can also disable password expiration permanently. The default is to expire both the 'admin' and 'root' account passwords every 90 days, as per VMware's security policy.

To change the password expiration to X days as per your organization's security policy, run the commands below on the appliance over an SSH session:

sudo chage -I -1 -m 0 -M <X days> -E -1 admin
sudo chage -I -1 -m 0 -M <X days> -E -1 root

Replace <X days> with the integer number of days after which the password should expire. The other flags leave the rest of the aging policy untouched: no inactivity lock after expiry (-I -1), no minimum password age (-m 0) and no account expiry date (-E -1), so only the maximum password age changes.

You can also disable password expiration permanently for the AppDefense Appliance. To do so, run the commands below on the appliance. 99999 days is the conventional chage value for "never expires"; note that this removes forced rotation for the two privileged accounts on the appliance, so it should be a deliberate policy decision rather than a convenience.

sudo chage -I -1 -m 0 -M 99999 -E -1 admin
sudo chage -I -1 -m 0 -M 99999 -E -1 root

Happy AppDefending!
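The commands above, wrapped so the day count is validated first and the new setting is read back with chage -l instead of assumed. This is an added example, not part of the original post; it assumes shadow-utils chage(1) on the appliance and sudo rights for the caller.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the chage settings above
# to both appliance accounts and confirm the result by reading back "chage -l".
# Assumes shadow-utils chage(1) on the appliance and sudo rights for the caller.

# A valid maximum password age: a positive integer, 99999 meaning "never expires".
validate_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;        # empty or non-numeric
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 99999 ]
}

# Pull the configured maximum age out of "chage -l" output passed as a string,
# so the applied value can be checked rather than assumed.
max_days_from_report() {
  printf '%s\n' "$1" | awk -F': *' '/^Maximum number of days/ { print $2 }'
}

# Set the maximum age for each account given, then verify it took effect.
# Other fields stay as in the post: no inactivity lock (-I -1), no minimum
# age (-m 0), no account expiry date (-E -1).
apply_expiry() {   # $1 = days, remaining args = accounts (e.g. admin root)
  days="$1"; shift
  validate_days "$days" || { echo "invalid day count: $days" >&2; return 2; }
  if [ "$days" -eq 99999 ]; then
    echo "warning: disabling password expiry for privileged accounts: $*" >&2
  fi
  for acct in "$@"; do
    sudo chage -I -1 -m 0 -M "$days" -E -1 "$acct" || return 1
    report=$(sudo chage -l "$acct") || return 1
    if [ "$(max_days_from_report "$report")" != "$days" ]; then
      echo "verification failed for $acct" >&2; return 1
    fi
  done
  echo "password expiry set to $days days for: $*"
}

# Usage on the appliance:  apply_expiry 60 admin root
```

The read-back matters because chage silently accepts values that other policy tooling (or a later appliance upgrade) may reset; checking the "Maximum number of days" line after the change turns the procedure into something that can be audited.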
This feature delivers a full suite of capabilities around vulnerability assessment. AppDefense enumerates vulnerabilities on vSphere components, operating systems, and the applications running on top of them. As processes execute, AppDefense determines the vulnerabilities associated with that software. This feature requires outbound internet access.

In addition to enumerating the vulnerabilities in your environment, AppDefense prioritizes every vulnerability using real-time threat information collected from sensors around the world. AppDefense ingests this feed from the vulnerability-prioritization vendor Kenna Security to determine the overall risk for your environment. As a vCenter Server administrator you always want to minimize emergency downtime, and you can now monitor all data center vulnerabilities from the AppDefense plug-in.

To enable the vulnerability assessment feature, make sure that you have an AppDefense Service (SaaS) subscription and that the AppDefense Appliance is connected to the AppDefense Service (SaaS).

AppDefense assigns a risk score to each vulnerability. The Risk Score combines publicly available CVSS information with proprietary threat data and advanced modeling to produce a metric that represents the risk of a given vulnerability in your data center. See: https://docs.vmware.com/en/VMware-AppDefense/2.3/install-appdefense-plugin/GUID-E8FD1FBB-1167-434B-89A1-BDE0751D0328.html

Hosts affected by a vulnerability are listed in the Affected Hosts panel. Click the host and go to Host > Monitor > AppDefense > Vulnerabilities; this tab lists all the vulnerabilities affecting that host. Similarly, vulnerabilities in the OS and applications running inside a VM can be found under the Windows and Linux OS tabs.

Happy AppDefending!
This article describes where AppDefense stores its logs, which can help customers monitor and troubleshoot AppDefense using the AppDefense Appliance, vSphere Client, vCenter Server, AppDefense Manager and other AppDefense components as needed. You can collect log files with the Export logs option on the appliance, which helps when troubleshooting issues with AppDefense. If you want to investigate a particular component's logs, or have them forwarded to a centralized syslog server, the following log locations are useful:

AppDefense Appliance:
- /var/log/appdefense/

AppDefense host module (on the ESXi host):
- Most recent log: /var/log/glx.log
- Rolled-over logs: /var/run/log/glx.X.gz

AppDefense guest module (logged through the VM's vmware.log in the VM directory on the datastore):
- Most recent log: /vmfs/volumes/[datastore]/[vm_name]/vmware.log
- Rolled-over logs: /vmfs/volumes/[datastore]/[vm_name]/vmware-X.log

Happy AppDefending!
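A small helper for collecting the host-module and guest-module logs listed above in rotation order (current file first, then the rolled-over copies by number), for a support bundle or for shipping to syslog. This is an added example, not part of the original post; ESXI_ROOT is an assumed prefix (empty by default, so the real paths are used) that only exists so the functions can be pointed at a test directory.

```shell
#!/bin/sh
# Added example, not part of the original post: list a component's log files
# newest first (current log, then rolled-over copies in rotation order) so they
# can be bundled for support or pushed to a central syslog host. ESXI_ROOT is an
# assumed prefix for testing; leave it unset on a real host.

# rotated CURRENT ROLLED_DIR GLOB: print CURRENT if present, then the files in
# ROLLED_DIR matching GLOB, sorted by rotation number (numeric, so 10 sorts after 2).
rotated() {
  cur="$1"; dir="$2"; pat="$3"
  [ -f "$cur" ] && printf '%s\n' "$cur"
  for f in "$dir"/$pat; do
    [ -f "$f" ] || continue                     # glob matched nothing
    base=${f##*/}
    n=$(printf '%s\n' "$base" | sed 's/^[^0-9]*\([0-9][0-9]*\).*$/\1/')
    printf '%s\t%s\n' "$n" "$f"                 # tab keeps paths with spaces intact
  done | sort -n | cut -f2-
}

# Host module: current log and rolled-over copies live in different directories.
host_module_logs() {
  rotated "${ESXI_ROOT:-}/var/log/glx.log" "${ESXI_ROOT:-}/var/run/log" 'glx.*.gz'
}

# Guest module: logged via the VM's vmware.log; $1 = datastore, $2 = VM directory name.
guest_module_logs() {
  d="${ESXI_ROOT:-}/vmfs/volumes/$1/$2"
  rotated "$d/vmware.log" "$d" 'vmware-*.log'
}

# Usage on an ESXi host:
#   host_module_logs | tar -czf /tmp/glx-logs.tgz -T -
#   guest_module_logs datastore1 'web 01'
```

Numeric sorting is the point of the sed/sort pair: a plain ls puts glx.10.gz before glx.2.gz, which scrambles the timeline when the bundle is read back during an incident.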
AppDefense now defines two user roles for the operation of the SaaS Manager: "Admin" and "Analyst". Admins have full privileges, including user configuration and remediation settings (block, suspend, kill, etc.). Analyst is the default user role and cannot change remediation settings.

Users in the 'Administrator' role have overall responsibility for the organization, so they are assigned additional permissions. There can be more than one administrator in an organization. By default, when an administrator invites a user, the user is assigned the 'Analyst' role.

A user with the 'Analyst' role:
- cannot access user management or the remediation action settings;
- cannot view the advanced remediation audit log;
- can perform advanced remediation actions such as Quarantine, Suspend or Power Off only when an administrator has granted this.

An Administrator is a user who has administrative responsibility for the organization and has the following privileges:
- Advanced Remediation Settings: controls the setting that grants all users within the organization access to perform manual and automatic remediation actions. The administrator can enable or disable advanced remediation actions from the Settings tab.
- User Management: from the Users tab the administrator can assign a user role, invite users to the organization, invite an existing user again when needed, and block or unblock users.
- Advanced: the administrator can take a remediation action on a virtual machine for any triggered alert, or set automatic remediation rules to take advanced remediation actions in individual services. Remediation actions include Quarantine, Suspend or Power Off of the virtual machine.
- Audit Log: the administrator can view the advanced remediation log from the Settings -> Audit Logs tab.
These new roles are now available in every AppDefense SaaS manager org. Let us know if you have questions! Happy AppDefending! The AppDefense Architects Team.
VMware AppDefense provides a RESTful HTTP API for reading and modifying data via the cloud management console. The AppDefense API uses JSON for all requests and replies and uses the GET, PUT, POST and DELETE HTTP verbs. All requests are over TLS/HTTPS and the AppDefense server presents a CA-signed TLS certificate.

All API requests require an authorized client. Clients obtain an API key for AppDefense in the AppDefense UI at https://appdefense.vmware.com/app/console/integrations. The API key is currently a JSON Web Token (JWT); however, clients should treat API keys as opaque tokens that might be changed to a non-JWT token at some future date without notice. To authenticate, the client includes the API token in the Authorization HTTP header as a "Bearer" token. API tokens do not currently expire, but they can be manually revoked by the customer via the AppDefense UI. If an API token is incorrect or expired, the AppDefense API returns a 403 Forbidden response. Because the tokens do not expire on their own, treat a key as a long-lived credential: keep it out of shared scripts and Postman collections, and revoke it when the integration is retired.

Now let's try to query the alarms in an org using Postman:

Step 1 - Navigate to the "Integrations" tab under Settings and select "Provision new API Key".
Step 2 - Copy the endpoint URL and the API key.
Step 3 - Open the Postman client and, under the 'Authorization' tab, select type 'Bearer Token' and paste the API key in the Token field.
Step 4 - Use the endpoint URL and the method specified for an API to query the cloud management console. In the screenshot below I used the API to pull all the active alarms in my org.

Similarly, to list the scopes in your org, execute: GET https://appdefense.vmware.com/partnerapi/v1/orgs/{org-id}/scopes

Hope this quick how-to on the Partner API helps you in your day-to-day administration of AppDefense!

How to locate the Partner REST API documentation: https://communities.vmware.com/docs/DOC-40563

Happy AppDefending! The AppDefense Architect Team.
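The same scopes query as a shell function with curl, for people who would rather script the Partner API than click through Postman. This is an added example, not part of the original post: the scopes URL is the one quoted above, while reading the key from an APPDEFENSE_API_KEY environment variable and feeding it to curl through a config file on stdin are choices made here so the key never appears on a command line or in shell history.

```shell
#!/bin/sh
# Added example, not part of the original post: query the AppDefense Partner
# API with curl. The key is expected in APPDEFENSE_API_KEY (an assumption) and
# is treated as an opaque bearer token, exactly as the post recommends.

ENDPOINT="https://appdefense.vmware.com/partnerapi/v1"

# org_url ORG_ID RESOURCE: build the org-scoped URL, refusing ids that could
# change the path (only letters, digits and hyphens are allowed).
org_url() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) echo "bad org id" >&2; return 1 ;;
  esac
  printf '%s/orgs/%s/%s\n' "$ENDPOINT" "$1" "$2"
}

# check_status CODE: 200 is success; 403 is what the post says a wrong or
# revoked key produces, so it gets its own message and exit code.
check_status() {
  case "$1" in
    200) return 0 ;;
    403) echo "API key rejected (wrong or revoked)" >&2; return 2 ;;
    *)   echo "unexpected HTTP status $1" >&2; return 1 ;;
  esac
}

# api_get ORG_ID RESOURCE: GET the resource; JSON body on stdout, status checked.
api_get() {
  [ -n "${APPDEFENSE_API_KEY:-}" ] || { echo "APPDEFENSE_API_KEY not set" >&2; return 1; }
  url=$(org_url "$1" "$2") || return 1
  body=$(mktemp) || return 1
  # The Authorization header goes to curl as a config file on stdin (-K -),
  # so the key is not visible in the process list or in shell history.
  status=$(printf 'header = "Authorization: Bearer %s"\n' "$APPDEFENSE_API_KEY" |
           curl -sS -K - -H 'Accept: application/json' -o "$body" -w '%{http_code}' "$url")
  rc=0
  check_status "$status" && cat "$body" || rc=$?
  rm -f "$body"
  return $rc
}

# Usage:  APPDEFENSE_API_KEY=... ; api_get <org-id> scopes
```

A 403 from this API is an authentication failure, not an authorization one, so the function reports it as "key rejected" rather than retrying; a retry loop would only hammer the endpoint with a dead credential.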
VMware AppDefense has five components:

AppDefense Appliance
The AppDefense Appliance is installed on-premises, typically in the management cluster. It is registered with vCenter to read the inventory and to make the API calls needed to trigger the rule actions defined within AppDefense, and it acts as the control point for exchanging data with the AppDefense Manager. The mapping between AppDefense Appliance and vCenter is 1:1: for every vCenter Server a dedicated AppDefense Appliance must be installed and registered.

AppDefense Manager
The AppDefense Manager is a multi-tenant SaaS service, available as a subscription, that provides the complete feature set for protecting data center endpoints. You use the AppDefense Manager to define the intended behavior and protection rules of your applications and then monitor security events and alerts in real time. In addition to management capabilities, it provides process reputation services, machine learning capabilities and other visibility features for your environment.

AppDefense Plug-in
The AppDefense Plug-in is available with vSphere Platinum, i.e. vSphere 6.7 U1 and onwards. When AppDefense is installed with the plug-in, customers can access AppDefense from the vSphere Client. The plug-in provides improved life cycle management and real-time visibility directly in vCenter Server: direct visibility into the processes and network connections running on a given virtual machine, plus reputation information to confirm that those behaviors are trusted. The AppDefense Plug-in works in concert with the AppDefense Service to provide visibility and control for the entire security team.

AppDefense Host Module
Host modules are VIBs deployed on the ESXi host. The Host Module enables the virtual machines (VMs) on that host to deploy and run AppDefense. For Windows environments, the Host Module also monitors and ensures the integrity of the Guest Module installed on the VM.

AppDefense Guest Module
The Guest Module is installed on every VM that must be protected by AppDefense, whether Windows or Linux. It is delivered with VMware Tools or as an MSI. The Guest Module collects guest process and network connection information from the VM and communicates directly with the AppDefense Host Module.

Happy AppDefending!! Please comment below with any questions or further comments.

VMware AppDefense is a hypervisor-native workload protection platform for virtual infrastructure and security teams that delivers secure virtualization by providing deep application visibility and control. To learn more, visit www.vmware.com/appdefense.
VMware AppDefense provides security for your data center endpoints. To secure your data center applications, AppDefense requires the guest module to be installed before it can start collecting network and process attestation information from the servers. There are separate guest modules for Windows and Linux systems, and they are delivered for installation in different ways. For Linux systems, however, it is very easy for infrastructure and security administrators to start getting visibility inside their Linux systems with AppDefense: the AppDefense guest module package can be installed on the fly, without requiring any reboot of the servers.

A problem we have seen is how to scale the deployment for a large Linux environment that does not have any provisioning tools such as Puppet. To overcome this, I have written a script which fetches the Linux OS flavor information and accordingly configures the repository on each system to get the package installed on multiple systems.

Prerequisites

Verify the following on the virtual machine before the actual installation. The AppDefense solution works with Guest Introspection for VMware NSX to provide a network attestation service. Ensure that the guest virtual machine (VM) has:
- A supported version of Linux installed. See System Requirements for AppDefense.
- iptables
- glib 2
- Internet access from the servers to the VMware package repository to download the packages.

You must also have:
- Administrator credentials to connect to your vCenter.
- 'root' account credentials for the guest OS of all the virtual machines you will define.
- A csv/txt file listing the VMs on which the module has to be installed.

Execution

The script prompts for the vCenter name where the VMs reside, followed by administrator credentials. After that it asks for the input file location and the root credentials of the Linux servers.

Once the script has executed successfully, the AppDefense vCenter plug-in starts showing the process and network attestation information, providing instant visibility into your Linux systems.

*Disclaimer* This project is open source and can be edited to your desire. Thus, VMware and its employees are not responsible for any modifications made to this script or any unexpected behavior that results from running it. Please ensure you completely understand the functions this script performs and run it against test machines first to ensure proper functionality.
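The OS-flavor detection step of such a rollout, done from /etc/os-release so it works on any systemd-era distribution without needing lsb_release. This is an added example and not the author's script; the VMware repository URL and the guest module package name are not given in the post, so REPO_SETUP and PKG are placeholders the reader supplies.

```shell
#!/bin/sh
# Added example, not the author's script: decide which package family a Linux
# guest belongs to from /etc/os-release, the first step of a scaled guest module
# rollout. REPO_SETUP (command that configures the VMware repo) and PKG (guest
# module package name) are placeholders; neither value is given in the post.

# os_family OSRELEASE_TEXT: print rhel|suse|deb from ID and ID_LIKE, or
# "unknown" with a non-zero status if no supported family matches.
os_family() {
  id=$(printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"')
  like=$(printf '%s\n' "$1" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
  for tok in $id $like; do          # ID first, then each ID_LIKE entry in order
    case "$tok" in
      rhel|centos|fedora|rocky|almalinux|ol|amzn) echo rhel; return 0 ;;
      sles|suse|opensuse*)                       echo suse; return 0 ;;
      debian|ubuntu)                             echo deb;  return 0 ;;
    esac
  done
  echo unknown; return 1
}

# install_cmd FAMILY PKG: the package-manager command for that family.
install_cmd() {
  case "$1" in
    rhel) echo "yum install -y $2" ;;
    suse) echo "zypper --non-interactive install $2" ;;
    deb)  echo "apt-get update && apt-get install -y $2" ;;
    *)    return 1 ;;
  esac
}

# Per-host driver, run as root inside the guest (the post's script handles the
# fan-out across VMs). Refuses to proceed without the placeholders filled in.
install_guest_module() {
  fam=$(os_family "$(cat /etc/os-release)") || { echo "unsupported distro" >&2; return 1; }
  [ -n "${REPO_SETUP:-}" ] || { echo "set REPO_SETUP for family $fam" >&2; return 1; }
  [ -n "${PKG:-}" ] || { echo "set PKG to the guest module package name" >&2; return 1; }
  sh -c "$REPO_SETUP" && sh -c "$(install_cmd "$fam" "$PKG")"
}

# Usage:  REPO_SETUP='...' PKG='...' ; install_guest_module
```

Walking ID before ID_LIKE is deliberate: a CentOS or Rocky host reports its own ID first and "rhel fedora" as ID_LIKE, so derivatives land in the right family even when they are not listed explicitly, while a distribution with no match fails closed instead of guessing a package manager.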
AppDefense has automatic responses using vSphere and VMware NSX, including the ability to block process communication, alert, suspend, shut down the endpoint, and snapshot an endpoint for forensic analysis. These remediation actions can be enforced automatically or manually. With AppDefense it is possible to create NSX distributed firewall rules based on the discovered behavior. This configures the necessary micro-segmentation security policies, in line with the expected behavior of the application/virtual machine. Remediation actions can be set at the individual service level within the application scopes.

NSX integration with AppDefense avoids the process of manually retrieving application dependency mappings for each application in the data center, as it gives visibility into every protected VM in the data center: not only the processes running within the OS but also every inbound and outbound connection made by each process. When an attacker tries to start a new process that is not part of the "known good" behavior, AppDefense can block it within the virtual machine. This means that AppDefense offers security not only at the network level but also at the process level (within the virtual machine).

How is NSX Manager integrated with AppDefense?

As part of the AppDefense Appliance registration process, customers register the appliance with AppDefense Manager and vCenter Server, and the appliance automatically discovers the details of the NSX Managers integrated with that vCenter. Once NSX Manager is registered with the AppDefense Appliance, you will notice that the appliance automatically creates a few objects in NSX Manager which are used to perform the remediation action:

- NSX Security Tag: AppDefense.AnomalyFound
- Security Group: AppDefense Quarantine Group
- Security Policy: AppDefense Quarantine Policy
- Firewall Rules: to block all inbound and outbound traffic from a VM that is quarantined via the security policy

How are remediation actions configured to use NSX?

Within AppDefense Manager, customers can set the remediation action at the individual service level within the scopes they have created. This lets the security team set remediation actions at a granular level for each service of an application running in the data center. Remediation actions can be enforced for all inbound/outbound connections, guest OS integrity and AppDefense module integrity. Currently Linux OS only supports the inbound/outbound connection remediation actions.

What happens when a remediation action is triggered?

Whenever AppDefense observes a new behavior after a scope has been moved into the protected state, it triggers the action configured for the service the VM is a member of. As part of the remediation action the NSX security tag is assigned to the VM and the AppDefense Quarantine Policy is applied to it, blocking all inbound and outbound connections from the VM and thereby isolating it.

Conclusion

AppDefense takes security from fishing for problems to giving customers assurance about their security posture: knowing the processes an application needs, how they communicate over the network, and the known-good state of the application. If there is an anomaly, AppDefense can tell users what is changing, pinpoint the changes, and act proactively so that the app owner can see the security footprint of the app at any time. The close tie to NSX is key to capturing the known-good state of an application and taking remediation action on any deviation from that state.