Hi, I've just installed the PCI Compliance report solutions pack for vROPS and am seeing some odd results. Any advice or views on this would be appreciated.
First, the hardening guide report comes out with a long list of suggestions for pretty much everything, which isn't unexpected, and we're going to be reviewing these and making changes where we feel it's appropriate.
However, when we run the PCI check, only the VMs come out with any warnings/errors. The hosts are green on everything. Where this is strange is with items such as AD Integration for the hosts. The report states:
My understanding was that 2.2.4 actually said the opposite, that configuring the hosts to use Active Directory was a requirement. When I view the VMware VCM Product Sheet PCI-DSS-3.1 spreadsheet I see this on line 3706:
| Payment Card Industry DSS 3.1 - vSphere 6 ESXi | 2.2.4 Configure system security parameters - Use Active Directory for local user authentication | vCenter Hosts | User Intervention Required: User should enter the value for domain name to which host must be joined as appropriate. This rule verifies that active directory is used for authentication as appropriate. |
The hosts themselves are not joined to the domain (which I was going to do), but I'm puzzled as to which report is correct. Should I take note of the PCI Compliance check in vROPS (saying the hosts are fine as they are), or do I take note of the PCI product sheet, which states AD should be used for local authentication?
I'm pretty sure the report in vROPS isn't accurate on this particular point. Surely using centralised account management is far superior to local accounts.
Any thoughts would be appreciated here.