3 Replies Latest reply on Aug 2, 2014 7:07 AM by mthelander

    Tripwire with vSphere 5.0

    vmproteau Expert

      Our security/compliance team is looking to scan our ESXi 5.0 Hosts with Tripwire. I think earlier Tripwire builds for ESX would log directly into the Host but, with the advent of ESXi, I assume that access methodology has changed. I'm trying to minimize access to vCenter (or ESXi Hosts) to exactly what is needed for Tripwire. The compliance guys don't really know. I'll probably set something up with the vendor but I wanted to check here first. Does anyone here use Tripwire and is familiar with the specific requirements for functionality?

        • 1. Re: Tripwire with vSphere 5.0
          RubyIvy Enthusiast

          There had been a known issue with VMware where:

          After running the security hardening tool "Tripwire configcheck", /etc/pam.d/su inadvertently gets modified with uncommented lines as below, which causes the issue:

          auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
          auth       required     /lib/security/$ISA/pam_wheel.so use_uid

          To resolve this issue, edit /etc/pam.d/su so that the lines above appear as:


          # Uncomment the following line to implicitly trust users in the "wheel" group.
          #auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
          # Uncomment the following line to require a user to be in the "wheel" group.
          #auth       required     /lib/security/$ISA/pam_wheel.so use_uid
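The check and remediation the reply above describes, as an added example that is not part of the original thread and not Tripwire's or VMware's own tooling. It assumes the file follows the /etc/pam.d/su layout quoted above (a leading `auth` token and a `pam_wheel.so` module path); the sample file content, the function names and the temp-file location are constructed for illustration, and the script works on a copy rather than the live file so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): detect active pam_wheel.so
# lines in a /etc/pam.d/su-style file and comment them out, which is the
# state the reply above says the file should be returned to.

# Return 0 if the file contains an active (uncommented) pam_wheel.so auth line.
has_active_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$1"
}

# Comment out every active pam_wheel.so auth line and print how many were fixed.
# Already-commented lines (starting with '#') are left untouched.
comment_pam_wheel_lines() {
    f="$1"
    n=$(grep -Ec '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$f" || true)
    # sed -i differs between GNU and BSD sed; write to a temp file and move it.
    sed -E 's|^([[:space:]]*)(auth[[:space:]].*pam_wheel\.so.*)$|\1#\2|' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    echo "$n"
}

# Constructed sample reproducing the modified state described in the reply
# (hypothetical file content, not copied from a real host).
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       include      system-auth
EOF
}

# Stand-alone run: build the sample, check it, fix it, show the result.
SAMPLE="${TMPDIR:-/tmp}/su.sample.$$"
make_sample "$SAMPLE"
if has_active_pam_wheel "$SAMPLE"; then
    echo "active pam_wheel lines found in $SAMPLE; commenting them out"
    comment_pam_wheel_lines "$SAMPLE"
fi
cat "$SAMPLE"
rm -f "$SAMPLE"
```

To use it against a real host, point `has_active_pam_wheel` at `/etc/pam.d/su` first as a read-only check; only call `comment_pam_wheel_lines` on a backup copy after confirming the diff is what you expect, since a mistake in that file can lock root out of `su`.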

          • 2. Re: Tripwire with vSphere 5.0
            vmproteau Expert

            I appreciate the information but my question is more general than that. I was wanting to hear from anyone who happened to have experience deploying Tripwire in a VMware virtual environment, but specifically about the authentication requirements. I prefer to avoid providing direct Host level access to any tools. With ESXi, many vendors have shifted from direct Host access to vCenter access. I'm wondering if Tripwire is the same and am looking for the minimum permissions for Tripwire to scan ESXi 5.0 or 5.5. I'll be contacting the vendor but am just posting here to see if anyone was familiar with the tool.

            • 3. Re: Tripwire with vSphere 5.0
              mthelander Lurker

              The Tripwire Customer Center (https://tripwireinc.force.com/customers/home/home.jsp) has some articles that ought to be helpful for you. Look up "Adding and configuring the VMware VirtualCenter node" or "VMWare Virtual Center Nodes", or just search on "ESXi 5". There are one-page docs that can give you port and connection requirements.