With VMworld San Francisco in our rear view mirror, the flow of information coming in from many sources is staggering! Well, in that spirit, here’s some more!
At VMware we take security very seriously. We are working very hard to deliver products that are more secure out of the box. The direction we have taken is to ship hardened systems where you have to make a conscious decision to loosen controls. An outcome of this effort is some great changes to virtual appliances!
Virtual Appliance Security
As you may know, virtual appliance deployments for VMware products provide customers with the ability to rapidly deploy and configure infrastructure components. But some of the feedback we have received is “How do I secure the appliance operating system?” We’ve taken that feedback seriously and I’d like to take the opportunity to say that as of vSphere 5.5, many of our virtual appliances will ship with the ability to meet or exceed current high-governance compliance requirements.
The most common reference for implementing these security requirements are the NIST 800.53 and US Department of Defense Information Systems Agency (DISA) Security Technical Information Guides (STIG). The latest iteration of the STIG, called the Security Requirements Guide (SRG), is an effort by DISA to merge both the NIST 800.53 and the STIG guidance into a single security guide that cross-references both sets of technical requirements.
The end result of all of this work is 14 hardened virtual appliances across 9 products all leveraging a common virtual appliance platform operating system. This effort closes 91-95% of the identified platform vulnerabilities in shipping code! These are the products that now meet this hardened standard.
• vCenter Server Virtual Appliance 5.5 (VCSA)
• vCenter Orchestrator 5.5 (vCOva)
• vCenter Operations Manager 5.7.1 (vCOPs)
• vCenter Infrastructure Navigator 5.7 (VIN)
• vCloud Automation Center Virtual Appliance 6.0 (vCACva)
• vCenter Management Assistant (vMA)
• VMware Log Insight 1.0
• Horizon Workspace Manager 1.5
• vCloud Connector 2.5.1 (vCC)
VMware security teams are leading the effort to address all related patch requirements to the appliance OS platform. We will have more information on that when it is available.
As part of the hardening effort of the virtual appliances, all unnecessary accounts have been removed.
Just Enough Operating System
When you remove unnecessary code/packages from an OS, you are removing opportunities for attack. This is called “limiting the attack surface”. The virtual appliance OS has undergone extensive review of what is needed in order run the applications it was designed for. VMware security teams have removed packages deemed unnecessary for the operations of the virtual appliance.
Out of the box, the virtual appliance OS firewalls rules are set to limit network access to just those things that are needed to do its job.
Password Complexity Rules
Out of the box the VMware Hardened Virtual Appliances ship with strong password complexity rules. Running the DOD script called out in Part 2 changes those rules to match the requirements of the DISA STIG.
Caveat: The passwd command in SLES-based virtual appliance OS still does not support "enforce_for_root" for the root user. This means that password changes should be executed as the account owner, not root, once you create new accounts. If you run passwd as root (to change the password of the root account), then you must manually ensure the password complexity requirements are met. When creating a new user account, it is wise to create the user and set a temp password as root, then force the user to login and re-run the passwd command as that user to ensure the complexity requirements are met.
Security is a journey, not a destination. VMware is committed to further securing virtual appliances. This is a GREAT first step on that journey!
The Part 2 of this blog post will contain information on Site-Specific updates you may make for further compliance needs. Pay close attention to the section on password expiration!
Thanks for reading and DO get in touch if you want to see a blog post on something that concerns you around vSphere security. I’m always looking for new topics!