RUG201110141
Enthusiast
Enthusiast

auditing remote console access with VI Client

We are going through a PCI audit and one of the requirements is to be able to audit users accessing the console of virtual machines through either the VI client or the VI Web interface. I need to be able to query and retain this data for a year. We would like to centralize this data for auditing purposes in a security appliance that we have. I can see this information within VirtualCenter by just selecting Hosts & Clusters > Tasks & Events > Events and I can see what user is accessing the console of each machine. How can I get that info out of VirtualCenter and into our Security appliance. I tried setting up SNMP but it doesn't appear to be working in VirtualCenter. I don't see any traps coming into our snmp trap daemon from VirtualCenter. The version of VirtualCenter that I have is 2.5.0 build 64192. Does anybody have any experience in setting something like this up or have any suggestions.

0 Kudos
6 Replies
mcowger
Immortal
Immortal

I'm pretty sure that VC doesn't record the access to a console - you may be out of luck.

I would argue the better method would be to audit console logins on the guests themselves.

--Matt

--Matt VCDX #52 blog.cowger.us
0 Kudos
RUG201110141
Enthusiast
Enthusiast

VirtualCenter does log remote console access. Just auditing login to the machine from within the OS does not satisfy the requirements of the auditors. Unfortunately we have some lame applications that require being logged in 100% of the time with a service account to operate appropriately. So there are users that log into the console of these machines with service account credentials and not there own credentials. The auditor would like a centralized record of who may be accessing the console of these machines so that if something is changed on the machine it could be tracked down to an individual user.

0 Kudos
Dave_Mishchenko
Immortal
Immortal

If you look at the vpx_event table and for the event_type of "vim.event.VmAcquiredMksTicketEvent" that will show you the user and the VM that was accessed with a remote console session. That's the the case for the VI client - not sure about the web interface but it would probably be the same event.

0 Kudos
mcowger
Immortal
Immortal

I stand corrected. Thanks Dave.

--Matt

--Matt VCDX #52 blog.cowger.us
0 Kudos
RUG201110141
Enthusiast
Enthusiast

Thanks for the info. I appreciate the assistance since VMware refused to help. I opened a case with VMware to see if they could provide info and they pretty much refused because everything is proprietary.

0 Kudos
danbda
Contributor
Contributor

have a look at observeit... they have the best audit software solution

Dan.

0 Kudos