Hardening and Compliance for vSphere
For some time now vRealize Operations has been able to check the vSphere environment against VMware's vSphere Hardening Guidelines (see: vRealize Operations vSphere Hardening).
More and more organizations need to meet certain regulatory requirements, namely PCI-DSS, HIPAA, and others. With the recent release of vRealize Operations 6.6, VMware has also introduced PCI-DSS and HIPAA compliance checking for vSphere. This is available to clients with vRealize Operations Advanced edition and higher.
Download and Install the Management Packs for PCI-DSS and HIPAA
Let's start with where you need to go to get this content. Simply go to VMware's Marketplace (also known as VMware Solution Exchange) at https://marketplace.vmware.com. A simple search on PCI-DSS or HIPAA will get you to the vRealize Operations Management Packs.
Install the Management Pack(s) you desire. This is done on the ADMINISTRATION page under SOLUTIONS.
Enable PCI-DSS and HIPAA compliance for vSphere
Now that the solution Management Packs are installed, simply make sure they are turned on. This is done in the policy by enabling the alerts. Go to step 6 in the policy and do two searches: the first for PCI DSS and the second for HIPAA.
Change the STATE column from "Inherited Blocked" to "Local Enabled" to enable the alerts (this is what actually turns on the compliance checking).
Using the vSphere Hardening Compliance dashboard, you will now be able to see any alerts related to PCI DSS and HIPAA in addition to the vSphere hardening alerts that were already available (if turned on).
Object Level View
From here you can also drill into an object to check on its compliance posture!
Reports
After installing these solution Management Packs you will notice that each has installed a compliance report: one for PCI-DSS and one for HIPAA. This is a great way to check on your compliance posture and make sure that you are trending upwards over time (getting to PCI and HIPAA compliance doesn't happen overnight). Here's a report snippet below.
vRealize Operations Current Standards Coverage
- vSphere Hardening Guidelines for 5.5
- vSphere Hardening Guidelines for 6.0
- PCI DSS 3.2 for vSphere (as of July 2017 – download the management pack)
- HIPAA for vSphere (as of July 2017 – download the management pack)
- vSphere Hardening Guidelines for 6.5 (Management Pack is Planned, but I can’t provide any dates – sorry)
Summary
Want to harden your vSphere environment? Do you need to adhere to PCI-DSS or HIPAA regulatory requirements for your vSphere environment? Visit the VMware Marketplace today: https://marketplace.vmware.com
Hi,
is it possible to change what is checked for compliance?
E.g. remove some of the checks from the hardening guide and add some checks you need for yourself?
Thanks in advance, Chris
Hi Christian. Sure. The ideal way to do this is to clone the compliance alerts; give them a name that is meaningful for you and your organization, and then simply modify the symptoms (add / remove / modify symptoms). This way you have created your own and left the ones that came with the Solution Management Pack(s) intact, as they could get modified by an update of that solution in the future. Best of luck!
Hi, I have installed the current Management Pack for PCI-DSS. vROps 6.6.1 is installed on ESXi 6.5 U1 and vCSA 6.5 U1b.
The problem is that the compliance checks are working but the report shows no data, even after days of it being installed. vROps has also been restarted. In the default policy's Alerts/Symptoms I changed the 5 PCI DSS entries to Local, selected all, set them to Enabled and saved.
Any ideas why there is no information in the reports?
regards
Ross
Hi Ross.
The default policy has the PCI-DSS alerts set to (Local/Enabled); however, is that the active policy for the ESXi hosts and VMs in your environment? Or is there another policy that has a custom group with the Hosts / VMs, and that's the effective policy?
Also, one other thing: the report will only show compliance violations. Please make sure the effective policy for the Hosts / vCenters / VMs has the compliance alerts set to Local/Enabled. It should very quickly (within 5 minutes) come back with compliance alerts, and when you run the report, you will see all the violations. Thanks!