VMware Cloud Community
olivier_druard
Contributor

VMware ESX patches vs RedHat patches

Hello world,

Each time a security issue appears in Red Hat or additional components, our security team challenges us to install the corresponding patch on our ESX servers. The latest requests are about OpenSSH and sudo.
Each time we reply that we only install VMware updates and patches on ESX servers, as ESX is built on a "heavily modified" Red Hat kernel.
However, it is more and more difficult to convince them.

Is there an official document somewhere from VMware saying that we MUST NOT install patches not furnished by VMware? Even better would be a document saying that VMware won't support ESX servers on which any external patch has been installed.

I searched, but as English is not my native language (I'm French), I probably didn't use the correct keywords.

Thanks for your help.

Dave_Mishchenko
Immortal

Welcome to the VMware Communities forums. This document recommends only using VMware patches: http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esxupdate.pdf

"When an RPM on my ESX host has a Linux equivalent, can I use the Linux RPM to update my system? No. VMware recommends that you update your ESX 4.1 host with RPMs supplied by VMware."

Perhaps it's time to switch to ESXi 🙂 - no more Red Hat patches.
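One practical way for a security team to verify the policy above is to audit the service console's RPM database for packages that did not come from VMware. The script below is an added example, not VMware's tooling or a command from the linked document; it assumes that VMware-built RPMs carry a VENDOR tag beginning with "VMware" (an assumption to confirm on your own hosts with `rpm -qi <package>`), and the package list it parses is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Audit an ESX 4.x service console for RPMs whose vendor is not VMware.
# On a real host you would pipe rpm's output into the filter:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{VENDOR}\n' | find_non_vmware_rpms
# The assumption (to verify locally) is that VMware-supplied packages
# have a VENDOR tag starting with "VMware".

# Constructed sample of that rpm output (hypothetical names and versions),
# including one package that was apparently pulled from a Red Hat repository.
SAMPLE_RPM_LIST='openssh-4.3p2-36.el5|VMware, Inc.
sudo-1.6.9p17-3.el5|VMware, Inc.
openssh-server-4.3p2-82.el5|Red Hat, Inc.
kernel-2.6.18-128.ESX|VMware, Inc.'

# Read "name-version-release|vendor" lines on stdin and print one line for
# every package whose vendor field does not start with "VMware".
find_non_vmware_rpms() {
    awk -F '|' '$2 !~ /^VMware/ { print $1 " (vendor: " $2 ")" }'
}

# Number of non-VMware packages in the constructed sample (returns 1 here).
count_non_vmware_sample() {
    printf '%s\n' "$SAMPLE_RPM_LIST" | find_non_vmware_rpms | wc -l | tr -d ' '
}

# Stand-alone run: list the offending packages from the sample.
printf '%s\n' "$SAMPLE_RPM_LIST" | find_non_vmware_rpms
```

Run it on a schedule or as part of a compliance scan; a non-empty result is the evidence that a third-party patch was applied outside VMware's update channel, which is exactly the condition the hardening guidance tells you to avoid.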

olivier_druard
Contributor

Thanks for your quick reply.

This is an important part of the answer.

However, I guess that our security team will ask us to install the Linux RPM if VMware hasn't (yet) published an equivalent.

Any idea about this point?

I agree that the best way is to install only ESXi versions, but we still manage a lot of ESX servers that we cannot migrate easily to ESXi.

Thanks.

Dave_Mishchenko
Immortal

In the vSphere hardening guide the instruction is to never use Red Hat or third-party patches. The hardening guide is a security best-practices guide: http://communities.vmware.com/docs/DOC-14548

olivier_druard
Contributor

That's what I was looking for, even if this document is still in draft.

Thanks a lot.

Dave_Mishchenko
Immortal

The vSphere 4.0 guide (http://communities.vmware.com/docs/DOC-12306) is not in draft status and carries the same recommendation.

olivier_druard
Contributor

Thanks.

I forwarded the document to the security team.

petedr
Virtuoso

That's definitely a good document to refer to. The VMware service console is not the same as Red Hat Linux, and it is not correct to assume patches for Red Hat apply to VMware.

www.thevirtualheadline.com www.liquidwarelabs.com
Texiwill
Leadership

Hello,

I just had this same discussion at RSA Conference 2011. Security teams consider ESX to be Red Hat; the education process must continue. I break down for everyone in my books how ESX boots, with a clear definition of WHY this is not Linux. I would take that section of my VMware ESX and ESXi in the Enterprise book and give it to your security guys. Then follow it up with the guidance that comes from DISA, VMware, CIS, and others that ESX cannot make use of Red Hat patches because of this.

Education of the Security team must continue.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

JDLangdon
Expert

Edward Haletky wrote:

I just had this same discussion at RSA Conference 2011. Security teams consider ESX to be Red Hat; the education process must continue. I break down for everyone in my books how ESX boots, with a clear definition of WHY this is not Linux. I would take that section of my VMware ESX and ESXi in the Enterprise book and give it to your security guys. Then follow it up with the guidance that comes from DISA, VMware, CIS, and others that ESX cannot make use of Red Hat patches because of this.

What a way to sneak in a sales pitch for your books, of which, by the way, I have several, including an autographed one.

All jokes aside, Edward's books are a great source of information on securing VMware products. These books come highly recommended and should give you enough ammunition to debunk your security team's case for installing Red Hat patches on ESX.

Hope this helps,

jd