The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of the VMware vSphere 6.0 Hardening Guide Compliance toolkit in VMware vCenter Configuration Manager (VCM). The toolkit consists of automated compliance rules that assess your VMware vSphere 6-based virtualized environments against the hardening guide. It covers 100% of the hardening guide recommendations.
The hardening guide has three risk profiles that group the recommendations based on the sensitivity of your environment. You can pick the compliance toolkit for the respective risk profile, or get all the rules at once and then modify them to suit your sensitivity category.
Once you have identified the toolkit you want, head straight to the Compliance Content Wizard (CCW), import the content into your VCM instance and begin using it.
Start from the dashboard and drill down to detailed results.
Beyond that, you can remediate the infringements, all at once, right from VCM with a single click. Most of the hardening guide recommendations for Guest Configuration Parameters and Hosts Advanced settings are remediable from VCM.
For example, for the ESXi host hardening item “ESXi.set-account-auto-unlock-time”, the recommended value is 900 seconds. On my system it is currently set to 120 and has been flagged as non-compliant by VCM.
All I need to do is select the rule, right-click on it and say enforce.
VCM would then automatically go and fix that on the host. Cool, isn’t it?
Take another example: Guest Configuration Parameters. There are 25+ security configuration parameters that you need to set on EACH VM. Fixing each VM individually is next to impossible, and working with scripts can be clumsy and requires scripting knowledge and resources to maintain the scripts. With VCM at work, you can select all the non-compliant VMs at ONCE and, with a right click, fix them ALL AT ONCE. Simple and fast, isn’t it?
Another capability to highlight here is that you can collect any property from your vSphere environment using simple PowerCLI or Python scripts. You are not dependent on the product development team for the data that you need the most. You can do it yourself and you can do it today.
A number of the vSphere 6 hardening guide compliance rules use this feature and fetch additional data out of the box to assess compliance. Take the “ESXi.apply-patches” recommendation. The hardening guide requires you to check the image profile name. But if you want to go a level deeper and inspect all the installed VIBs for their versions, you can do that right away.
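The deeper VIB check described above, as an added example that is not VCM's own collection script and not code from the original post: it parses the column output of `esxcli software vib list` and flags VIBs that are missing from, or older than, a baseline. The sample output, the baseline versions and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of `esxcli software vib list` output (not from a real host).
SAMPLE = """\
Name         Version                     Vendor  Acceptance Level  Install Date
-----------  --------------------------  ------  ----------------  ------------
esx-base     6.0.0-0.0.2494585           VMware  VMwareCertified   2015-03-20
tools-light  6.0.0-0.0.2494585           VMware  VMwareCertified   2015-03-20
net-e1000e   2.5.4-6vmw.600.0.0.2494585  VMware  VMwareCertified   2015-03-20
"""

# Assumed baseline (placeholder values): minimum acceptable version per VIB.
BASELINE = {
    "esx-base": "6.0.0-1.17.2809209",
    "tools-light": "6.0.0-0.0.2494585",
    "misc-drivers": "6.0.0-0.0.2494585",
}

def parse_vib_list(text):
    """Parse the table into {vib_name: {column: value}}; columns are 2+ spaces apart."""
    rows = [re.split(r"\s{2,}", l.strip()) for l in text.splitlines() if l.strip()]
    header = rows[0]
    body = [r for r in rows[1:] if not set("".join(r)) <= {"-"}]  # drop ---- rule
    return {r[0]: dict(zip(header, r)) for r in body}

def version_key(version):
    """Sortable key: numeric fields compare as integers, letter runs sort after them."""
    return [(0, int(t), "") if t.isdigit() else (1, 0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def audit(vibs, baseline):
    """Return sorted (name, installed, required) tuples for baseline violations."""
    findings = []
    for name, required in baseline.items():
        installed = vibs.get(name, {}).get("Version")
        if installed is None:
            findings.append((name, "missing", required))
        elif version_key(installed) < version_key(required):
            findings.append((name, installed, required))
    return sorted(findings)

def unexpected(vibs, baseline):
    """Installed VIBs the baseline does not know about; review these by hand."""
    return sorted(set(vibs) - set(baseline))

if __name__ == "__main__":
    vibs = parse_vib_list(SAMPLE)
    for name, have, need in audit(vibs, BASELINE):
        print(f"NON-COMPLIANT {name}: installed={have} required>={need}")
    for name in unexpected(vibs, BASELINE):
        print(f"NOT IN BASELINE {name}")
```

Comparing full VIB versions rather than only the image profile name also surfaces hosts where a single component was updated or added outside the profile.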
VMware vRealize Configuration Manager is not limited to just vSphere hardening. This solution supports configuration and compliance assessment of your Docker containers, *NIX, Windows and Virtualized environments along with patching, change management and various other asset management and reporting capabilities. If you have any questions about this solution, please post them here.
Looking forward to hearing from you!
Thanks and regards,
CISSP | TOGAF | CCSK | CWSP
RHCE | HP-UX CSA | VCP4-DCV | MBA | GISP | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | Mobility+ | VSP 2015