Tomorrow, November 6th, I’ll be hosting the VMware Communities Roundtable Podcast! We’ll be talking about the recently released vSphere 5.5 Hardening Guide and the massive amount of work that’s been done to secure VMware virtual appliances!
Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.
Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).
Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!
I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!
A wrap-up of the podcast will be located on the podcast archives within a few days.
I’m looking forward to talking with many of you tomorrow!
I’m happy to report that the vSphere 5.5 Hardening Guide has been released for General Availability. My thanks to all that contributed their feedback to make this happen. The guide has been given a full makeover with regard to documentation references. I’m in Renate’s debt for those stellar contributions. Additionally, some guidelines have been removed and some new ones added.
Along with the guide, similar to the 5.1 release, I’m releasing a change log worksheet.
One thing to note, the “Profiles” column has been renamed “Risk Profiles”. This was done to bring to light the function of the column. I am frequently quizzed by IT administrators that have been told to “Implement the Hardening Guide”. As written, the Hardening Guide is a list of guidelines, not mandates. Please note that some guidelines in the Risk Profile 1 category can break functionality!
As with any security measures, they should not be applied in a blanket fashion. I would encourage IT administrators and security folks to work together and assess each guideline for applicability, risk management and impact to the business and operations. The Risk Profiles help to categorize the guidelines that could be applicable to your environment.
The release of the guide is currently available in the Communities.
I’m working with the VMware web team to have the guide and the change log officially moved over to the Hardening Guide page on VMware.com. I will update the discussion in the Communities and post a reply to this blog article when that has been completed.
As always, your input is very valuable to me and VMware as a whole. If you have questions that can’t be asked in a public forum, reach out to me via email, mfoley-at-vmware.com. For more frequent updates to vSphere security news and facts, follow me on Twitter at @vSphereSecurity.
Thanks for reading!
Hardening Guide 5.5
I’m happy to announce the availability of the vSphere 5.5 Hardening Guide Release Candidate. A SIGNIFICANT amount of documentation updates has been incorporated into the guide to really round it out. There have been some new additions and some deletions to the guide. All changes are documented in the changelog spreadsheet.
You can download the guide and the changelog here. All changes are color-coded in the changelog and within the RC release spreadsheet. The colors will be removed from the final GA document but will remain in the changelog.
I would encourage you to review the document and provide feedback ASAP. The goal is to release this for General Availability in the next week unless significant changes come in. You can reply to the discussion with your updates or contact me directly at mfoley @ vmware.com.
When the guide is released for GA, it will be uploaded to the normal location.
Thanks for reading,
Have you ever wondered how Roles and Permissions work using the vSphere Web Client? Here’s a great video brought to you by VMware Tech Pubs. Peter Shepherd does a great job in introducing you to Roles and Permissions and how to get the most out of them. He will lead you through the steps to create an administrator role for a specific virtual machine in four and a half minutes!
Meeting Objectives with VMware Hardened Virtual Appliances
In this final part, we’ll go over setting up logging (both system and audit logs), GRUB hardening, and NFS/NIS management, and wrap it all up in the Conclusion.
Making DISA compliance easy
In Parts 1 and 2 we introduced the VMware Hardened Virtual Appliances and went over password management. In Part 3, we’ll focus on a new tool, dodscript.sh, to make configuring your VMware Hardened Virtual Appliances comply with enhanced security requirements like DISA and go over access control and time management.
One of the coolest things that I think many in the Federal space will jump for joy over is the new inclusion of a script for modifying many DISA required settings. These settings are:
Hopefully by now you’ve read Part 1. In there we discussed the new security features of many new VMware virtual appliances, including some that are being released with vSphere 5.5. In this post and the two following, we’ll start the discussion on how to enable your virtual appliances to be compliant with site-specific requirements. If you’re falling under DISA STIG requirements, the next few posts are for you! It’s time to get your geek on with Parts 2, 3 & 4!
Meeting Site-Specific Security Compliance Goals
With VMworld San Francisco in our rear view mirror, the flow of information coming in from many sources is staggering! Well, in that spirit, here’s some more!
At VMware we take security very seriously. We are working very hard to deliver products that are more secure out of the box. The direction we have taken is to ship hardened systems where you have to make a conscious decision to loosen controls. An outcome of this effort is some great changes to virtual appliances!
This blog posting, like many others, was prompted by a field request from a customer. The customer wanted to understand two things:
- When/How admins were logging into ESXi (DCUI or SSH)
- What were they doing when they were logged in
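Answering those two questions comes down to reading two host logs side by side: the authentication log says when someone got a shell and how (SSH from a remote address, or the DCUI at the console), and the shell log says what they typed once they had it. The script below is an added example written for this post, not code from VMware or from the original article. The sample lines are constructed in the style ESXi writes to /var/log/auth.log and /var/log/shell.log (the exact format is an assumption), and the small watchlist of commands that loosen controls is also constructed, not taken from the hardening guide. It parses both logs, attributes each command to the most recent successful login by that user on that host, and flags the commands that undo a hardened setting.

```python
import re
from datetime import datetime

# Constructed sample lines in the style ESXi writes to /var/log/auth.log and
# /var/log/shell.log. The exact wording is an assumption for this example.
AUTH_LOG = """\
2013-11-05T14:02:11Z esx01 sshd[12345]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 51022 ssh2
2013-11-05T14:02:11Z esx01 sshd[12345]: pam_unix(sshd:session): session opened for user root by (uid=0)
2013-11-05T14:30:45Z esx01 DCUI: User root logged in
2013-11-05T15:01:00Z esx01 sshd[12400]: Failed keyboard-interactive/pam for invalid user admin from 192.0.2.77 port 51100 ssh2
"""

SHELL_LOG = """\
2013-11-05T14:02:40Z esx01 shell[12350]: [root]: esxcli system version get
2013-11-05T14:03:05Z esx01 shell[12350]: [root]: esxcli network firewall set --enabled false
2013-11-05T14:31:02Z esx01 shell[12360]: [root]: vim-cmd vmsvc/getallvms
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
DCUI_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DCUI: User (?P<user>\S+) logged in")
SHELL_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Commands that loosen a control the host was shipped with. This watchlist is a
# constructed starting point for the example, not an exhaustive or official list.
WATCHLIST = (
    re.compile(r"esxcli network firewall set .*--enabled false"),
    re.compile(r"esxcli system settings advanced set .*ESXiShellTimeOut.* -i 0"),
)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_logins(auth_text):
    """One record per login attempt: when, how (ssh/dcui), who, from where, and whether it succeeded."""
    logins = []
    for line in auth_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins.append({"time": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                           "via": "ssh", "src": m["src"], "ok": m["outcome"] == "Accepted"})
            continue
        m = DCUI_RE.match(line)
        if m:
            logins.append({"time": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                           "via": "dcui", "src": "console", "ok": True})
    return logins


def parse_commands(shell_text):
    """One record per command the ESXi shell logged."""
    cmds = []
    for line in shell_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            cmds.append({"time": _ts(m["ts"]), "host": m["host"],
                         "user": m["user"], "cmd": m["cmd"]})
    return cmds


def correlate(logins, commands):
    """Attach each command to the latest successful login by the same user on the same host."""
    out = []
    for c in commands:
        prior = [l for l in logins
                 if l["ok"] and l["user"] == c["user"] and l["host"] == c["host"]
                 and l["time"] <= c["time"]]
        session = max(prior, key=lambda l: l["time"]) if prior else None
        out.append({**c,
                    "via": session["via"] if session else "unknown",
                    "src": session["src"] if session else None,
                    "flagged": any(p.search(c["cmd"]) for p in WATCHLIST)})
    return out


def report(auth_text=AUTH_LOG, shell_text=SHELL_LOG):
    """Build the two answers the customer asked for: who logged in how, and what they ran."""
    logins = parse_logins(auth_text)
    activity = correlate(logins, parse_commands(shell_text))
    return {
        "successful_logins": [l for l in logins if l["ok"]],
        "failed_logins": [l for l in logins if not l["ok"]],
        "activity": activity,
        "flagged": [a for a in activity if a["flagged"]],
    }


if __name__ == "__main__":
    r = report()
    for l in r["successful_logins"]:
        print(f"{l['time']:%Y-%m-%d %H:%M:%S} {l['host']} {l['user']} via {l['via']} from {l['src']}")
    for a in r["activity"]:
        mark = " <-- loosens a control" if a["flagged"] else ""
        print(f"{a['time']:%H:%M:%S} {a['user']}@{a['host']} ({a['via']}): {a['cmd']}{mark}")
```

On the constructed input the report shows two successful root logins (one over SSH from 192.0.2.10, one at the DCUI), one failed SSH attempt for a nonexistent account, and attributes the firewall-disabling command to the SSH session because that was the latest root login before it. Attribution by "most recent login before the command" is deliberately simple; on a host with overlapping sessions you would key on the shell's PID and the session-open line instead, which the same parsers can be extended to carry.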
Every fellow geek who first saw Jurassic Park twenty years ago (Has it really been that long??) cringed when Lex Murphy sat down at a Silicon Graphics workstation and exclaimed the line above. I’m reminded of this line all the time when I talk to some customers who I find treat their ESXi systems like they would a Unix or Linux system. I’m here to tell you, it’s not.
A shell does not an OS make
Did you know you can run a Unix bash shell on Windows? Heck, you can even run a Unix bash shell on OpenVMS! Neither of them are Unix systems, obviously! And neither is ESXi.
Logging into an ESXi shell, whether via SSH or via the local console using ALT-F1, brings you into a Unix-like shell.