15 Replies Latest reply on Jan 17, 2012 5:02 AM by mtcstle

    False Positives HCM02 and HCM05

    mtcstle Novice

      I have taken steps to disable these two elements as described in the VMware Security Hardening Guide (April 2011). Still these two items fail when I run the script. Any ideas?

      Regards

      mtcstle

        • 1. Re: False Positives HCM02 and HCM05
          MaxBeard Novice

          Did you check that you really can't open these URLs in browser: https://hostname/ and https://hostname/mob ?

          Script works correctly for me with these rules.

          Did you use this KB 1016039?

          • 2. Re: False Positives HCM02 and HCM05
            mtcstle Novice

            That’s a very good KB, I had most of the information already and had disabled the MOB and the Welcome page, as per the instructions. I have tried to access both and had no success, still the script returns “Fail” for these two elements. I had not been instructed to disable the Web Login Page. Do you know which element of the hardening guide covers this?

            • 3. Re: False Positives HCM02 and HCM05
              MaxBeard Novice

              What results do you get in resolution field?

              Maybe something like "Manual verification required since remote URL path has been disabled"? Usually I get this result after checking because the URLs are really disabled and the script can't verify the settings.

              Interesting that script doesn't check /etc/vmware/hostd/proxy.xml file in this case also. I hope that William Lam (aka lamw) can help with it.

              About "Web Access Login Page" - hmm, as far I know there are no rules about these settings in Security Hardening.

              • 4. Re: False Positives HCM02 and HCM05
                mtcstle Novice

                 On a related point, does anyone know where to edit the file vpxd.cfg as indicated for VSC07? I cannot locate that file anywhere. Is it, as I've assumed, to be found on the vCenter server? By the way, we're dealing with ESXi and vCenter 4.1.

                Regards

                • 5. Re: False Positives HCM02 and HCM05
                  monderick Enthusiast

                  mtcstle wrote:

                  On a related point, does anyone know where to edit the file vpxd.cfg as indicated for VSC07? I cannot locate that file anywhere. Is it, as I've assumed, to be found on the vCenter server? By the way, we're dealing with ESXi and vCenter 4.1.

                  Regards

                  located in 'c:\ProgramData\VMware\Vmware VirtualCenter\' on Win2k8 vCenter server

                  'C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg' on 2003

                  put the line anywhere between:

                  <vpxd>

                  ...

                  </vpxd>

                  *note that this can break other minor functionality that has to be weighed against the security risks.

                  • 6. Re: False Positives HCM02 and HCM05
                    mtcstle Novice

                    Yes, you’d think, from the documentation, that that is where it’d be found. Unfortunately, not so.

                    First, there is no “c:\ProgramData\VMware\Vmware VirtualCenter”, there is “C:\Program Files\VMware\Infrastructure\VirtualCenter Server”. Second, there is a vpxd.exe but no vpxd.cfg.

                    I’m baffled.

                    • 7. Re: False Positives HCM02 and HCM05
                      monderick Enthusiast

                      mtcstle wrote:

                      Yes, you’d think, from the documentation, that that is where it’d be found. Unfortunately, not so.

                      First, there is no “c:\ProgramData\VMware\Vmware VirtualCenter”, there is “C:\Program Files\VMware\Infrastructure\VirtualCenter Server”. Second, there is a vpxd.exe but no vpxd.cfg.

                      I’m baffled.

                      are you running 2003 or 2008?

                      was vCenter installed to a non-default location?

                      'c:\ProgramData' is a hidden folder in case you don't have that option configured.

                      • 8. Re: False Positives HCM02 and HCM05
                        mtcstle Novice

                        There’s the magic bullet: I was looking in C:\Program Files instead of C:\ProgramData. When I changed the view to show hidden files, it became obvious. Thanks so much.

                        • 9. Re: False Positives HCM02 and HCM05
                          mtcstle Novice

                          I'm still hunting for a way to make the script stop reporting MOB and web welcome page faults. Also, the MOB setting for vCenter checking seems to generate false positives. Any guidance is appreciated.

                          Regards

                          mtcstle

                          • 10. Re: False Positives HCM02 and HCM05
                            lamw Guru
                            Community Warriors, VMware Employees

                            Let me look into this when I get a chance. I'm guessing the false positive is because the script cannot verify whether it can't reach it because it's been properly disabled or something else is going on. There are no APIs to verify if the MOB is running since it's just another interface to the API. If it helps, I could basically try to see if I can perform a wget on those URLs; if it's valid, throw an error that it's enabled (which the script does today). If it cannot reach it, it'll ask that the administrator still manually verify this, OR see if there's a way to verify for you; I believe there might be, but I'll need to look into it again.

                            Thanks for your patience

                            • 11. Re: False Positives HCM02 and HCM05
                              mtcstle Novice

                              I surely appreciate you looking into it. Thanks

                              mtcstle

                              • 12. Re: False Positives HCM02 and HCM05
                                lamw Guru
                                Community Warriors, VMware Employees

                                @mtcstle,

                                I looked at the HCM02 and HCM05 code again and it looks like I already had an optimized way of verifying the MOB and Welcome Page, but in addition, I was checking the proxy.xml as a way to confirm the change. The problem with the latter case is that if you disable the end point "/", which is documented by the VMware KB mentioned in the hardening guide, you will not be able to download proxy.xml, which the script does. I realize this was probably overkill, since I'm already performing an HTTP GET which should either return 200 (end point enabled, check fail), 404 (end point disabled, check pass), or anything else should throw a "MANUAL" status as I was not able to perform the GET operation on that specified URL.

                                I've gone ahead and fixed these two checks and verified on an ESXi 4.1 host, and it should now return a PASS if you in fact have these end points disabled. Please find the latest version of the script here.

                                Let me know if you're still having any issues.

                                Thanks for your patience and feedback
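The three-way outcome lamw describes above (200 means the end point is still enabled and the check fails, 404 means it is disabled and the check passes, anything else means the script could not verify and reports MANUAL), as an added Python illustration that is not the hardening script's own code. The hostname and the injectable `fetch` stub are assumptions so the logic can be exercised offline against constructed responses.

```python
import urllib.request
import urllib.error

# The two end points the thread discusses: HCM02 (Welcome page at "/") and HCM05 (MOB at "/mob").
ENDPOINTS = ("/", "/mob")


def classify(status):
    """Map an HTTP status (None when no HTTP response came back at all) to a check result."""
    if status == 200:
        return "FAIL"     # end point answered normally: still enabled
    if status == 404:
        return "PASS"     # hostd says the path is gone: disabled as the guide requires
    return "MANUAL"       # 403, 5xx, timeout, TLS failure, ...: verify by hand


def http_status(url, timeout=10):
    """GET url and return its HTTP status, or None if no HTTP response was obtained."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code     # non-2xx replies still carry a status code
    except (urllib.error.URLError, OSError):
        return None       # connection refused, timeout, certificate error, ...


def check_host(hostname, fetch=http_status):
    """Run both end point checks; `fetch` is injectable so the decision logic can run offline."""
    return {path: classify(fetch(f"https://{hostname}{path}")) for path in ENDPOINTS}


if __name__ == "__main__":
    # Constructed sample (assumed hostname): Welcome page still up, MOB already disabled.
    sample = {"https://esx01.example/": 200, "https://esx01.example/mob": 404}
    print(check_host("esx01.example", fetch=lambda url: sample.get(url)))
```

Note that a host presenting a self-signed certificate makes `urlopen` fail before any status is returned, which lands in MANUAL rather than PASS; trust the host's CA via an `ssl.SSLContext` instead of disabling verification.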

                                • 13. Re: False Positives HCM02 and HCM05
                                  mtcstle Novice

                                  lamw,

                                  I can’t say what is wrong but I still get “FAIL” on HCM02, HCM05 and VSC07. I also notice HMT03 reports that “/host” is available, when it’s not. I’m sure I followed the steps recommended in the Hardening Guide but apparently, my configuration is presenting something unexpected.

                                  On a related note, do you happen to know if disabling “/host” defeats Tripwire’s ability to monitor the files?

                                  mtcstle

                                  • 14. Re: False Positives HCM02 and HCM05
                                    lamw Guru
                                    VMware Employees, Community Warriors

                                    I don't recall /hosts needing to be disabled per the hardening guide. It may have been updated, but last I looked it did not.

                                    I can't speak to Tripwire's tool as I've not used it before, but I assume they're doing something along the lines of downloading the files via this mechanism (unless it's over SSH) to check for file integrity. If so, then yes, it would prevent that tool from working. I would advise you contact Tripwire and ask them.