

VMware CP&C releases VMware vSphere 6.0 Hardening Guide Compliance toolkit in VCM!

The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of the VMware vSphere 6.0 Hardening Guide Compliance toolkit in VMware vCenter Configuration Manager (VCM). The toolkit consists of automated compliance rules that assess your VMware vSphere 6 based virtualized environments against the hardening guide. It covers 100% of the hardening guide recommendations.

The hardening guide has three risk profiles that group the recommendations based on the sensitivity of your environment. You can pick the compliance toolkit for the respective risk profile, or get all the rules at once and then modify them to suit your sensitivity category.

Once you have identified the toolkit you want, head straight to the Compliance Content Wizard (CCW), import the content into your VCM instance, and begin using it.


Start from the dashboard and drill down to detailed results.


Beyond assessment, you can remediate the infringements all at once, right from VCM, with a single click. Most of the hardening guide recommendations for Guest Configuration Parameters and Hosts Advanced settings are remediable from VCM.

For example, for the ESXi host hardening item “ESXi.set-account-auto-unlock-time”, the recommended value is 900 seconds. On my system it is currently set to 120 and has been flagged as non-compliant by VCM.


All I need to do is select the rule, right-click it, and choose enforce.


VCM then automatically fixes the setting on the host. Cool, isn’t it?


Take another example: Guest Configuration Parameters. There are 25+ security configuration parameters that you need to set on EACH VM. Fixing each VM by hand is next to impossible, and working with scripts can be clumsy, requiring scripting knowledge and resources to maintain the scripts. With VCM, you can select all the non-compliant VMs at ONCE and, with a right-click, fix them ALL AT ONCE. Simple and fast, isn’t it?
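The rule logic behind both examples above (the host unlock-time setting and the per-VM parameters) can be sketched offline in Python. This is an added example, not VCM's code or the author's: the inventory snapshot is constructed, and the setting key names, the two VM rule IDs, and the choice to treat an unset parameter as non-compliant are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    guideline_id: str  # hardening guide item
    scope: str         # "host" or "vm"
    key: str           # advanced setting or VM configuration parameter
    expected: str      # recommended value


# Only the first rule's ID and value (900) come from the post. The key names
# and the two VM rules are assumptions based on the vSphere hardening guide.
BASELINE = [
    Rule("ESXi.set-account-auto-unlock-time", "host", "Security.AccountUnlockTime", "900"),
    Rule("VM.disable-console-copy", "vm", "isolation.tools.copy.disable", "TRUE"),
    Rule("VM.disable-console-paste", "vm", "isolation.tools.paste.disable", "TRUE"),
]

# Constructed snapshot of collected data (hypothetical object names).
INVENTORY = [
    {"name": "esx01.example.test", "scope": "host", "settings": {"Security.AccountUnlockTime": 120}},
    {"name": "esx02.example.test", "scope": "host", "settings": {"Security.AccountUnlockTime": 900}},
    {"name": "web-vm-01", "scope": "vm", "settings": {"isolation.tools.copy.disable": "true"}},
]


def normalize(value):
    """Compare values as case-insensitive strings; None means 'not set'."""
    return None if value is None else str(value).strip().lower()


def evaluate(inventory, baseline):
    """Return one finding per (object, rule) pair that deviates from the baseline."""
    findings = []
    for obj in inventory:
        for rule in (r for r in baseline if r.scope == obj["scope"]):
            actual = obj["settings"].get(rule.key)  # unset key -> None -> finding
            if normalize(actual) != normalize(rule.expected):
                findings.append({"object": obj["name"], "rule": rule.guideline_id,
                                 "key": rule.key, "actual": actual, "expected": rule.expected})
    return findings


def remediation_plan(findings):
    """Group the values to enforce per object, so all deviations are fixed in one pass."""
    plan = {}
    for f in findings:
        plan.setdefault(f["object"], {})[f["key"]] = f["expected"]
    return plan
```

`evaluate(INVENTORY, BASELINE)` flags the host set to 120 and the VM with the unset paste parameter; `remediation_plan` turns those findings into the per-object values to enforce.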


Another capability to highlight here is that you can collect any property from your vSphere environment using simple PowerCLI or Python scripts. You do not depend on the product development team for the data you need most. You can do it yourself and you can do it today.


A number of the vSphere 6 hardening guide compliance rules use this feature to fetch additional data out of the box for compliance checks. Take the “ESXi.apply-patches” recommendation. The hardening guide requires you to check the image profile name. But if you want to go a level deeper and inspect the versions of all the installed VIBs, you can do it right away.

VMware vRealize Configuration Manager is not limited to vSphere hardening. The solution supports configuration and compliance assessment of your Docker containers, *NIX, Windows and virtualized environments, along with patching, change management and various other asset management and reporting capabilities. If you have any questions about this solution, please post them here.

Looking forward to hearing from you!

Thanks and regards,
Pravin Goyal,
CISSP | TOGAF | CCSK | CWSP
RHCE | HP-UX CSA | VCP4-DCV | MBA | GISP | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | Mobility+ | VSP 2015


About Pravin Goyal

Pravin Goyal is an information security and regulatory compliance expert in CMBU. He delivers and also leads various security projects such as security and compliance policies for PCI DSS 3.1, HIPAA, IRS, DISA, CIS, vSphere hardening guides and NSX hardening guides. He loves to keep abreast of the latest developments in the field and to find compelling ideas that bring additional business and profitability to VMware. Additionally, he believes in collaborating across BUs and companies to deliver customer-facing solutions. Of late, he has authored the CIS Docker 1.6 and CIS Docker 1.11.0 Security Configuration Benchmarks and the NSX-v 6.1 hardening guide, and is a co-author of the vSphere hardening guide. He is leading the STIG compliance project from CMBU. https://www.linkedin.com/in/pravin-goyal-b7299b33
