savagea
Enthusiast

ESXi Compliance - Custom Template - Rules vs Template


I've asked a similar question in the past, but concerning creating a custom compliance template for our company...

It was recommended that upon running a compliance check with the default ESXi template, I should create "exceptions" for the checks that failed. 

My question is, couldn't I actually modify the specific rules so that they match what we're looking for within our company? That way those checks will still be done, and I wouldn't have to create an 'exception' for them.

Thanks

admin
Immortal

You can do either, and should probably be doing both. You should edit rules to reflect the actual standards that exist in your environment. You should then create exceptions for settings and systems that you know are out of compliance, but for which you have a good reason for allowing them to be out of compliance. Exceptions document the OOC state and allow you to provide reasons, sponsors, and deadlines for these non-compliant conditions.

An example is a standard where no account is ever allowed to have "Password Never Expires" set to true. This might be used in conjunction with other rules to ensure password expiration is every three months, for example. However, you may have some service accounts that you don't want to be getting disabled every three months, so you set these to never expire and they come up as non-compliant. Then you create one or more Exceptions to override the non-compliant status for these known accounts; and maybe you also make those exceptions expire once a year to allow for a review of the accounts granted the exception.
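
The rule-plus-exception workflow described in the reply above, modelled as an added Python example (this is not VCM code; the account names, sponsors and dates are constructed, and the status labels are assumptions):

```python
from dataclasses import dataclass
from datetime import date

# Rule from the post: no account may have "Password Never Expires" set.
# An exception documents a known out-of-compliance (OOC) state with a
# reason, a sponsor and a deadline; once the deadline passes, the
# exception lapses and the account is reported as non-compliant again,
# which forces the periodic review the post recommends.

@dataclass
class Account:
    name: str
    password_never_expires: bool

@dataclass
class ComplianceException:
    account: str
    reason: str
    sponsor: str
    expires: date

def rule_password_expires(acct: Account) -> bool:
    """Rule check: compliant when the password is NOT set to never expire."""
    return not acct.password_never_expires

def evaluate(accounts, exceptions, as_of: date) -> dict:
    """Return per-account status: COMPLIANT, EXCEPTION or NON_COMPLIANT.

    The rule is still evaluated for every account; an unexpired exception
    only changes how a failing result is reported, it never skips the check.
    """
    active = {e.account: e for e in exceptions if e.expires >= as_of}
    status = {}
    for acct in accounts:
        if rule_password_expires(acct):
            status[acct.name] = "COMPLIANT"
        elif acct.name in active:
            status[acct.name] = "EXCEPTION"
        else:
            status[acct.name] = "NON_COMPLIANT"
    return status

# Constructed sample data (hypothetical accounts and sponsors).
ACCOUNTS = [
    Account("jsmith", False),
    Account("svc_backup", True),   # covered by a current exception
    Account("svc_legacy", True),   # exception has already expired
    Account("tmpadmin", True),     # no exception at all
]
EXCEPTIONS = [
    ComplianceException("svc_backup", "backup agent cannot rotate", "ops-lead", date(2015, 1, 1)),
    ComplianceException("svc_legacy", "legacy app integration", "app-owner", date(2014, 1, 1)),
]

def report(as_of: date = date(2014, 6, 1)) -> dict:
    """Run the evaluation as of a given date (default chosen for the sample)."""
    return evaluate(ACCOUNTS, EXCEPTIONS, as_of)
```

Running `report()` with a later date, e.g. `date(2015, 2, 1)`, shows `svc_backup` dropping back to NON_COMPLIANT once its exception expires.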

savagea
Enthusiast

Thanks, but as I'm noticing, I'm not able to "enforce" compliance when running a template from the "Virtual Environment Compliance" group, as opposed to the "Machine Group Compliance" group. Is this correct?

admin
Immortal

Yes, this is correct. Not all configuration items for Machines are enforceable, but under AD and Virtual Infrastructure compliance, none of the results are enforceable.

savagea
Enthusiast

Wow, so just to be clear, there is no way to 'enforce' compliance on my ESXi hosts?

admin
Immortal

In current VCM, Virtual Infrastructure Compliance is for validation of configuration only.

Some configuration properties, like vCenter Settings and Host Advanced Settings can be configured from their respective nodes in the VCM console. VCM also provides some other actions like VM snapshot management and VM power management.

Also, the VCM API could be used to run compliance from vCenter Orchestrator and then react to the results in an automated fashion, calling vSphere plug-ins to either directly change settings or to apply remediation Host Profiles.

savagea
Enthusiast

So if running compliance on ESXi hosts, as well as VMware Windows Guests, would I do all that from the "Virtual Environment Compliance" group, and if so, what would I use the "Machine Group Compliance" group for?

Thank you very much for all your help.

admin
Immortal

Virtual Environment Compliance is for vCenter properties, Host properties, Guest container properties (e.g. resource allocations and reservations, copy and paste enabled, etc), and a variety of data from vCloud Director and vCloud Network and Security (formerly vShield).

Machine Compliance is for OS internal data from guests or physical machines, like file versions, service configuration, software installed, security policy data, registry data, patch status, and so on.

P.S. The main place these come together is when using VCM to report Compliance rollup information to vCenter Operations Manager. This is where a guest will have compliance data for its container properties and its OS internals aggregated into one Compliance Risk top-level score.
