Now that vSphere 5.5 has been out a while and many of you have been making the move to the VMware vCenter Virtual Appliance (VCVA, a.k.a. VCSA), here’s a friendly reminder to check the password expiration of the root account on the virtual appliance! If you’ve been following my blogs, you’ll remember that in Part 2 of the “Virtual Appliances getting more secure with vSphere 5.5” series, I HIGHLY recommended that you check root password expiration ASAP!
The VCVA/VCSA root password is set to expire 90 days from deployment time. Go to Part 2 of the series to find out how to extend the expiration. Note that from the VAMI interface you can also supply an email address to be notified 7 days before the password expires. Don’t skip this step! Log into the VAMI web interface at https://<vcsa FQDN or IP>:5480, go to the Admin tab, and set whether the password expires, after how many days, and which email address to notify. Make sure the appliance’s SMTP configuration actually works; otherwise the warning email will never arrive.
[Update] There has been a KB released on 10-Jan-2014 for those that may be locked out of their appliance or want to disable the forced lockout. I urge you to review KB2069041.
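The VAMI shows the expiry setting, but on the appliance itself the authoritative record is the shadow file, which you can read with `chage -l root`. The following is an added example (mine, not code from the original post or from VMware) that parses that output, reports how many days remain, and warns when the count drops to the same 7-day window the VAMI email uses. It assumes a SLES 11 appliance with GNU `date -d`, and the sample `chage -l` output embedded below is constructed to match a freshly deployed 5.5 VCSA with the default 90-day maximum; the `chage -M` command mentioned in the warning is standard shadow-utils, not something the post prescribes.

```shell
# Added example (not from the original post or VMware): check remaining
# lifetime of the VCSA root password from `chage -l root` output.
# Assumes GNU coreutils `date -d` (present on the SLES 11 based appliance).

# days_until_expiry CHAGE_OUTPUT [NOW_EPOCH]
# Prints the whole days left until the "Password expires" date, "never" if
# expiry is disabled, or returns 1 if the line is missing or unparseable.
days_until_expiry() {
    chage_out="$1"
    now="${2:-$(date +%s)}"
    expires=$(printf '%s\n' "$chage_out" | awk -F': *' '/^Password expires/ { print $2 }')
    [ -n "$expires" ] || return 1
    if [ "$expires" = "never" ]; then
        echo never
        return 0
    fi
    # Evaluate in UTC so a DST change between now and expiry cannot skew the day count.
    exp_epoch=$(TZ=UTC date -d "$expires" +%s) || return 1
    echo $(( (exp_epoch - now) / 86400 ))
}

# check_root_expiry CHAGE_OUTPUT [NOW_EPOCH] [WARN_DAYS]
# Exit status: 0 = fine, 2 = expires within WARN_DAYS, 3 = already expired, 1 = parse error.
check_root_expiry() {
    days=$(days_until_expiry "$1" "$2") || return 1
    warn="${3:-7}"   # 7 matches the warning window the VAMI email uses
    if [ "$days" = "never" ]; then
        echo "root password never expires"
        return 0
    fi
    if [ "$days" -lt 0 ]; then
        echo "root password EXPIRED $(( -days )) day(s) ago - see KB2069041 to regain access"
        return 3
    fi
    if [ "$days" -le "$warn" ]; then
        echo "root password expires in $days day(s) - extend it now (e.g. chage -M 365 root)"
        return 2
    fi
    echo "root password expires in $days day(s)"
    return 0
}

# Constructed sample, shaped like `chage -l root` on a freshly deployed 5.5 VCSA
# (90-day maximum, 7-day warning). On a live appliance, run as root:
#   check_root_expiry "$(chage -l root)"
SAMPLE='Last password change                                    : Nov 05, 2013
Password expires                                        : Feb 03, 2014
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7'

# Demo against a fixed "now" inside the warning window; the || keeps a non-zero
# status from aborting the script when run under set -e.
check_root_expiry "$SAMPLE" "$(TZ=UTC date -d 'Jan 30, 2014' +%s)" || echo "exit status $?"
```

Run it from cron on the appliance with `"$(chage -l root)"` as the argument and alert on a non-zero exit; that gives you a check that does not depend on the VAMI's SMTP setup being correct. Note that `chage` only tells you about the local root account; it says nothing about the SSO or vCenter administrator accounts.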
Tomorrow, November 6th, I’ll be hosting the VMware Communities Roundtable Podcast! We’ll be talking about the recently released vSphere 5.5 Hardening Guide and the massive amount of work that’s been done to secure VMware virtual appliances!
Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.
Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).
Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!
I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!
A wrap-up of the podcast will be located on the podcast archives within a few days.
I’m looking forward to talking with many of you tomorrow!
Meeting Objectives with VMware Hardened Virtual Appliances
In this final part, we’ll go over setting up logging (both system and audit logs), Grub hardening, and NFS/NIS management, and then wrap it all up in the Conclusion.
Making DISA compliance easy
In Parts 1 and 2 we introduced the VMware Hardened Virtual Appliances and went over password management. In Part 3, we’ll focus on a new tool, dodscript.sh, that brings your VMware Hardened Virtual Appliances into compliance with enhanced security requirements such as the DISA STIG, and we’ll go over access control and time management.
One of the coolest things that I think many in the Federal space will jump for joy over is the inclusion of a new script that applies many of the DISA-required settings. These settings are:
Hopefully by now you’ve read Part 1. There we discussed the new security features of many new VMware virtual appliances, including some that are being released with vSphere 5.5. In this post and the two following, we’ll start the discussion on how to make your virtual appliances compliant with site-specific requirements. If you fall under DISA STIG requirements, the next few posts are for you! It’s time to get your geek on with Parts 2, 3 & 4!
Meeting Site-Specific Security Compliance Goals
With VMworld San Francisco in our rear view mirror, the flow of information coming in from many sources is staggering! Well, in that spirit, here’s some more!
At VMware we take security very seriously. We are working very hard to deliver products that are more secure out of the box. The direction we have taken is to ship hardened systems where you have to make a conscious decision to loosen controls. An outcome of this effort is some great changes to virtual appliances!
by Tom Stephens,
Senior Technical Marketing Architect, VMware
The easiest way to get vCloud Director 5.1 up and running quickly for an evaluation is to use the virtual appliance. Unlike past versions of the appliance, the 5.1 version is based on SLES 11 SP2.
Although the vCloud Director Appliance supports an external Microsoft SQL Server or Oracle database as the vCloud Director database, it also includes an internal Oracle XE database that can be used.
There have been a number of changes to the installation of the vCloud Director virtual appliance. One of these is that the default password for the root user is now vmware. This falls in line with other products, such as the vCenter Server Virtual Appliance. Of course, since that default is published, you should change the password as soon as possible after deploying the appliance.
Remember that when you install the vCloud Director Virtual Appliance, you will be asked for two IP addresses. These are used for the console proxy and for HTTP access. It’s important to note that the lower of the two IP addresses you give it is automatically used for HTTP traffic, in other words the IP address you would use to reach the vCloud Director UI.
Although the vCloud Director Virtual Appliance is not supported for production environments, it’s a great way to play with the product and test it out. You can download it by requesting an evaluation at the vCloud Director product page.