Here is another alternative to my previous blog post, which provides an automated way of hardening newly created Virtual Machines by leveraging an SNMP trap sent from vCenter Server to vCenter Orchestrator to execute a “Secure VM” workflow.
The video below demonstrates the necessary configurations for both your vCenter Server and vCenter Orchestrator Server and the import of the custom “Secure VM” vCO package. Before getting started, please ensure you have installed the SNMP vCO plugin on your vCO Server. You do not need to configure the plugin, as that is covered in the video.
You can download the Secure VM vCO package here which contains the following:
- Secure VM.workflow – This is a workflow that accepts a VirtualMachine as input and applies a set of advanced settings to the virtual machines from a text file
- SecureVM SNMP Trap.policy – This is an SNMP policy template for securing a Virtual Machine which is triggered based on a particular OID which is the “VM Created” event from a vCenter Server
- vphere-5-security-hardening.txt – This is a text file stored as a resource element that contains the list of advanced settings to be applied to a virtual machine
Note: The Secure VM workflow has been created so it can be executed independently of the vCenter Server SNMP trap trigger and you can easily integrate that workflow with your existing provisioning process or workflows.
If you want to get more details about the vCO workflow and the SNMP trap policy template, I highly encourage you to take a look at the scripting sections to see how it all works. Both the workflow and SNMP policy provides additional logs when executed, below are screenshots after they have been executed:
As you can see, you now have another option of automatically securing newly created Virtual Machines and apply the latest security hardening parameters by leveraging both vCenter Server and vCenter Orchestrator.
- Automatically Securing Virtual Machines Using a vCenter Alarm
- Automate the Hardening of Your Virtual Machine VMX Configurations
Get notification of new blog postings and more by following lamw on Twitter: @lamw