A great question crossed my desk today from a customer. “Can a VI Admin who has root access to ESXi ‘abuse’ their privileges and ‘peek’ inside the guests of VMs hosted on the server?”
The short answer? If your ESXi admin has root or full administrator privileges, they can do anything. Nobody should be surprised by this! HOWEVER, you can mitigate, limit and monitor what is being done.
But first, let’s quickly review what is meant by “peek inside the guest”. In the human world,
I’m happy to announce the availability of a whitepaper that I had been working on for much of the past year. Since I joined VMware back in January of 2013, an almost weekly request was for a whitepaper that helps IT teams explain the security of the VMware vSphere hypervisor, a.k.a. ESXi, to a security professional.
Now that 5.5 has been out a while and many of you have been making the move to the VMware vCenter Virtual Appliance (VCVA a.k.a. VCSA), here’s a friendly reminder to check the password expiration of the root account on the virtual appliance! If you’ve been following my blogs, you’ll remember in Part 2 of the “Virtual Appliances getting more secure with vSphere 5.5” series, I HIGHLY recommended that you check root password expiration ASAP!
The VCVA/VCSA root password is set to expire 90 days from deployment time. Go to Part 2 of the series to find out how to set your expiration to a longer date. Note that from the VAMI interface, you can supply an email address to notify 7 days prior to expiration of the password. Don’t miss updating this step! Log into the VAMI web interface via https://<vcsa FQDN or IP>:5480. Go to the Admin tab and update whether the password expires, for how long and what email address to notify. Make sure your SMTP configuration works correctly.
[Update] A KB was released on 10-Jan-2014 for those that may be locked out of their appliance or want to disable the forced lockout. I urge you to review KB2069041.
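To check the expiration from the appliance's shell rather than the VAMI page, the aging fields can be read straight from the root entry in /etc/shadow. This is an added example, not from the original post or from VMware; it assumes shell access to the appliance and standard Linux shadow aging fields, and the sample entry is constructed.

```shell
#!/bin/sh
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01; max is the maximum password age in days.

# Constructed sample entry: 90-day maximum age, 7-day warning, changed on day 16000.
SAMPLE='root:$6$constructed$notarealhash:16000:0:90:7:::'

# days_until_expiry SHADOW_LINE [TODAY_IN_DAYS]
# Prints days left (negative = already expired) or "never".
days_until_expiry() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$1" | awk -F: -v today="$today" '{
        lastchg = $3; max = $5
        # Empty fields or a 99999-day maximum mean aging is disabled.
        if (lastchg == "" || max == "" || max >= 99999) { print "never"; exit }
        # lastchg of 0 means a change is forced at next login.
        if (lastchg == 0) { print 0; exit }
        print lastchg + max - today
    }'
}

# expiry_status SHADOW_LINE NOTICE_DAYS [TODAY_IN_DAYS]
# Prints OK, WARN (inside the notice window), EXPIRED or NEVER.
expiry_status() {
    left=$(days_until_expiry "$1" "$3")
    case $left in
        never) echo NEVER ;;
        *)
            if [ "$left" -lt 0 ]; then
                echo EXPIRED
            elif [ "$left" -le "$2" ]; then
                echo WARN
            else
                echo OK
            fi
            ;;
    esac
}

# Demo on the constructed entry, evaluated as of day 16085 (5 days left).
echo "root: $(days_until_expiry "$SAMPLE" 16085) day(s) left," \
     "status $(expiry_status "$SAMPLE" 7 16085)"

# On a live system (as root), with a 7-day notice window:
#   expiry_status "$(grep '^root:' /etc/shadow)" 7
```

Run from cron or a monitoring agent, a WARN or EXPIRED result gives a second alert path if the VAMI notification e-mail is never delivered.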
Tomorrow, November 6th, I’ll be hosting the VMware Communities Roundtable Podcast! We’ll be talking about the recently released vSphere 5.5 Hardening Guide and the massive amount of work that’s been done to secure VMware virtual appliances!
Joining me will be Simon Mijolovic (we just call him “Simon”), the Staff Program Manager for virtual appliance security and Greg Murray, Product Manager for, among many things, virtual appliances at VMware.
Simon will be going over the changes that were made to make our virtual appliances secure out of the box (91-95% DISA STIG compliant!).
Greg will be there to gather feedback on what YOU want to see out of our virtual appliances. Do NOT miss this opportunity to be heard by the folks that can do something about it!
I’m not sure what John Troyer @jtroyer was thinking when he handed me the keys to his baby for the day but I’m sure it will be fun and interesting! I hope you can join us whether it’s live on Talkshoe or later as a downloaded podcast!
A wrap-up of the podcast will be located on the podcast archives within a few days.
I’m looking forward to talking with many of you tomorrow!
I’m happy to report that the vSphere 5.5 Hardening Guide has been released for General Availability. My thanks to all that contributed their feedback to make this happen. The guide has been given a full makeover with regard to documentation references. I’m in Renate’s debt for those stellar contributions. Additionally, some guidelines have been removed and some new ones added.
Along with the guide, similar to the 5.1 release, I’m releasing a change log worksheet.
One thing to note, the “Profiles” column has been renamed “Risk Profiles”. This was done to bring to light the function of the column. I am frequently quizzed by IT administrators that have been told to “Implement the Hardening Guide”. As written, the Hardening Guide is a list of guidelines, not mandates. Please note that some guidelines in the Risk Profile 1 category can break functionality!
As with any security measures, they should not be applied in a blanket fashion. I would encourage IT administrators and security folks to work together and assess each guideline for applicability, risk management and impact to the business and operations. The Risk Profiles help to categorize the guidelines that could be applicable to your environment.
The release of the guide is currently available in the Communities.
I’m working with the VMware web team to have the guide and the change log officially moved over to the Hardening Guide page on VMware.com. I will update the discussion in the Communities and post a reply to this blog article when that has been completed.
As always, your input is very valuable to me and VMware as a whole. If you have questions that can’t be asked in a public forum, reach out to me via email, mfoley-at-vmware.com. For more frequent updates to vSphere security news and facts, follow me on Twitter at @vSphereSecurity.
Thanks for reading!
Hardening Guide 5.5
I’m happy to announce the availability of the vSphere 5.5 Hardening Guide Release Candidate. A SIGNIFICANT amount of documentation updates have been incorporated into the guide to really round it out. There have been some new additions and some deletions to the guide. All changes are documented in the changelog spreadsheet.
You can download the guide and the changelog here. All changes are color-coded in the changelog and within the RC release spreadsheet. The colors will be removed from the final GA document but will remain in the changelog.
I would encourage you to review the document and provide feedback ASAP. The goal is to release this for General Availability in the next week unless significant changes come in. You can reply to the discussion with your updates or contact me directly at mfoley @ vmware.com.
When the guide is released for GA, it will be uploaded to the normal location.
Thanks for reading,
Have you ever wondered how Roles and Permissions work using the vSphere Web Client? Here’s a great video brought to you by VMware Tech Pubs. Peter Shepherd does a great job in introducing you to Roles and Permissions and how to get the most out of them. He will lead you through the steps to create an administrator role for a specific virtual machine in four and a half minutes!
Meeting Objectives with VMware Hardened Virtual Appliances
In this final part, we’ll go over setting up logging (both system and audit logs), Grub hardening, and NFS/NIS management, and wrap it all up in the Conclusion.
Making DISA compliance easy
In Parts 1 and 2 we introduced the VMware Hardened Virtual Appliances and went over password management. In Part 3, we’ll focus on a new tool, dodscript.sh, that makes it easier to configure your VMware Hardened Virtual Appliances to comply with enhanced security requirements like DISA, and go over access control and time management.
One of the coolest things, and one I think many in the Federal space will jump for joy over, is the new inclusion of a script for modifying many DISA-required settings. These settings are:
Hopefully by now you’ve read Part 1. In there we discussed the new security features of many new VMware virtual appliances, including some that are being released with vSphere 5.5. In this post and the two following, we’ll start the discussion on how to enable your virtual appliances to be compliant with site-specific requirements. If you’re falling under DISA STIG requirements, the next few posts are for you! It’s time to get your geek on with Parts 2, 3 & 4!
Meeting Site-Specific Security Compliance Goals