As usual, most of my blog posts come from customer or field questions. Here’s a new one crossed my path recently.
A customer, running vSphere 5.1, was finding some anomalies within their VM’s. Their belief was that some of the vSphere Hardening Guide settings were causing it. When this was assigned to me, I noticed that they were referencing the vSphere 4.1 hardening guide!
The customer was applying guidelines from the 4.1 guide against a 5.1 system. They believed that the guideline was still relevant because it was referenced in a KB. (I’m going to try and get that fixed!)
The guideline setting is “guest.commands.enabled”. The 4.1 guide said to set this to False. The 4.1 guide AND the KB both state that setting this to False would disable the operation of VMware Consolidated Backup (VCB) and VMware Update Manager (VUM), both of which call the VIX API for guest operations.
Cue the old Henny Youngman “Doc, it hurts when I do this!” so the Doctor says “Don’t do that!” Thanks, I’ll be here all week. Try the veal! <rimshot>
This guideline was removed in a 5.x Hardening Guide. Why? Well, it broke stuff. But more importantly, the functionality could be replaced with the use of Roles and Permissions. If the goal is to limit Administrators from running scripts within the virtual machines, there’s a permission that you can remove from a Role and assign the Role to those administrators.
Here’s a screenshot from the vSphere Web Client where I’ll create the Role.
Now, the guy we don’t want able to run scripts on a VM is Bob Smith, username AdminBob. So, we’ll assign his account the GuestCommandsDisable Role that has the permission of “Guest Operation Program Execution” disabled. He can still query the VM for information but he can’t run programs or scripts on the guest.
Screenshot where we assign the new role to AdminBob at the appropriate level in the virtual datacenter.
Use of Roles and Permissions can bring a finer granularity of control to what your administrators and applications can do in your vCenter environment.
Removing guidelines from the Hardening Guide
Removing guidelines has happened before. In the 5.1 Hardening Guide I created a guideline called “restrict-datastore-web”. It outlined how to use Roles and Permissions as an alternative to the brute force guideline disable-datastore-web which broke things like backups. In the 5.5 Update 1 refresh of the Hardening Guide I’m currently working on, I’m looking at removing the disable-datastore-web guideline. (You are forewarned! Email me now if this is an issue!) .
Using Roles and Permissions instead of the 4.1 guideline of guest.commands.enabled will allow you to remove the ability of administrators to run scripts on a VM. Additionally, you can still retain the ability for VUM or VCB to be assigned a custom Role to a service account whose only function is to perform a specific task.
The three takeaways
Always use the Hardening Guide that matches the release you are running on. Things change. Settings get removed when a better way is found to mitigate a problem or when they are found to cause more things to break than they protect.
Roles and Permissions can be used to limit the scope of damage an administrator or service account can do. If someone only needs to do specific things or you DON’T want them to do specific things, use Roles and Permissions.
The Hardening Guide is a set of guidelines, not mandates. When the auditor tosses it on the desk and says “implement or die”, push back if you think something is going to break. Take note of Risk Profiles and what they mean. If there’s an alternative way to mitigate the threat, explore it (and write me about it!).
Hopefully this was helpful. Let me know what other topics you’d like to see by sending me an email at mfoley at VMware dot com or replying to me on Twitter using the account @vSphereSecurity.
