Thursday, December 1, 2011

Run vSphere Security Hardening report in Windows

As you probably know, VMware publishes an interesting guideline, the vSphere 4.1 Security Hardening Guide. This document provides instructions on how to securely deploy VMware vSphere™ 4.1 (“vSphere”) in a production environment. There is also a very useful Perl script, vmwarevSphereSecurityHardeningReportCheck.pl, that can be run against your environment to check its current state against the Security Hardening Guide.
Although the script does not check every requirement, it helps a lot.
To use this script you need to download and deploy the vSphere Management Assistant (vMA) in your environment. It is distributed as an OVF template and can be installed very quickly. The virtual machine already has all the necessary SDKs installed, so you just need to copy the vmwarevSphereSecurityHardeningReportCheck.pl script onto your vMA. Note: to enable SSH connections to your vMA, read the article “Issue with vMA5 & ssh” (check the comments as well, because I had some issues with file editing).
The main issue with vMA is its 64-bit OS: if you want to run vMA inside a virtual ESX(i) server, you need hardware that supports VT-x/EPT. The Intel Core 2 Duo in my workstation doesn’t support this feature.
Actually the script does not need vMA at all: it uses the vSphere SDK for Perl, so I decided to try running it on a Windows host. I installed the vSphere SDK for Perl and ran the script. It works, but with some issues that I have fixed: I replaced ‘grep’ with ‘findstr’ and changed the folder creation method. You also need OpenSSL on your host; I use the binaries from this package: http://gnuwin32.sourceforge.net/packages/openssl.htm
These are step by step instructions:
1. Download and install the vSphere SDK for Perl on your Windows host (I use Win7, but I think it should work on XP, 2003 and 2008 as well)
2. Download the OpenSSL binary package and copy openssl.exe and libssl32.dll into the directory with the Perl binaries.
3. Add the path to the Perl binaries to your PATH environment variable
4. Download this script and enjoy. It supports ESX(i) 4.X and 5.0. Check the release notes (RN) in the script.
ALL COPYRIGHTS for script pertain to William Lam http://www.virtuallyghetto.com | @lamw
While checking the script I fixed 2 bugs in the settings analysis. I posted these bugs (1 & 2) to the VMware vSphere Security Hardening Group forum and, as far as I know, William has fixed them in the original script as well.
Command line example:
perl.exe "PATH_TO_SCRIPT\vmwarevSphereSecurityHardeningReportCheck_win.pl" --recommend_check_level enterprise --server YOUR_SERVER --password PSWD --username USER --reportname "esx41_enter.html"
Check the original script page for details about the command line parameters.
I will update this post and the script as soon as they change. I'm planning to extend its functionality, so stay tuned.
Now we're planning to use this script for automated testing. Our product vGate helps you ensure that your virtual infrastructure is compliant with popular security standards: the VMware Security Hardening Guide, CIS Benchmarks for vSphere 4.0 and PCI DSS 2.0.
Thanks to William, who was very responsive and answered all my questions.

Thursday, June 30, 2011

How to install ESX updates from the console

Steps:
1. Copy "update.zip" to the "/tmp" folder on the ESX host (you can use WinSCP).
2. Enter ESX maintenance mode with "vimsh -n -e /hostsvc/maintenance_mode_enter" from the console.
3. Install the update: "esxupdate update --bundle=/tmp/update.zip --loglevel=INFO"
4. Exit ESX maintenance mode with "vimsh -n -e /hostsvc/maintenance_mode_exit"
5. Reboot the host with "reboot" after the installation completes

Update: full instructions for any version: "Quickest Way to Patch an ESX/ESXi Using the Command-line"
Update 2: If you use esxupdate to install a third-party package, you need to add --nosigcheck to disable module signature checking during the installation. Keep in mind that this also switches off the one check that would catch a tampered or corrupted bundle, so use it only for packages from a source you trust, and verify the file by other means before installing it.
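The five steps above as one script, added here as an example (it is not from the original post and not a VMware tool). Two things are assumptions rather than something the post states: that the bundle's expected SHA-1 digest is obtained from the vendor out of band, and that sha1sum is available in the ESX service console. The command sequence itself, including the maintenance-mode exit before the reboot, is exactly the post's.

```sh
#!/bin/sh
# Added example (not from the original post, not a VMware tool): the manual
# esxupdate steps wrapped with the checks a practitioner wants.
# Assumed (not from the post): the bundle digest comes from the vendor
# out-of-band, and sha1sum exists in the ESX service console.

# esxupdate_flags MODE -> prints extra esxupdate flags for MODE.
# "--nosigcheck" is emitted only for MODE=thirdparty: it disables the package
# signature check, so a tampered bundle would otherwise install silently.
esxupdate_flags() {
    case "$1" in
        thirdparty) printf '%s\n' "--nosigcheck" ;;
        *)          printf '\n' ;;
    esac
}

# verify_bundle BUNDLE EXPECTED_SHA1
# Compensating control for when the signature check is off: refuse a bundle
# whose digest differs from the one the vendor published.
verify_bundle() {
    [ -f "$1" ] || { echo "bundle not found: $1" >&2; return 1; }
    actual=$(sha1sum "$1" | awk '{print $1}')
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got $actual, want $2" >&2
        return 1
    fi
}

# patch_host BUNDLE EXPECTED_SHA1 [thirdparty]
# Steps 2-5 of the post. If esxupdate fails, the host stays in maintenance
# mode and is not rebooted, so a half-applied patch cannot go unnoticed.
patch_host() {
    verify_bundle "$1" "$2" || return 1
    vimsh -n -e /hostsvc/maintenance_mode_enter || return 1
    if ! esxupdate update --bundle="$1" --loglevel=INFO $(esxupdate_flags "$3"); then
        echo "esxupdate failed; host left in maintenance mode" >&2
        return 1
    fi
    vimsh -n -e /hostsvc/maintenance_mode_exit
    reboot
}

# Usage on the host, after copying the bundle to /tmp with WinSCP:
#   patch_host /tmp/update.zip <sha1 from vendor>             # VMware bundle
#   patch_host /tmp/driver.zip <sha1 from vendor> thirdparty  # adds --nosigcheck
```

The digest check is deliberately separate from the flag: a VMware-signed bundle still gets its signature verified by esxupdate, and the hash comparison is the only integrity check left once --nosigcheck is in play.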

Tuesday, June 28, 2011

Reload Virtual Machine settings from vmx file in vSphere Client

If you have edited the vmx file manually (or changed it from another vSphere Client), you may need to refresh the virtual machine's settings in an already open Client window.

Method 1:
re-add the virtual machine: remove it from the inventory and register it again from the datastore.

Method 2:
open the server console and type the following:

vmware-vim-cmd vmsvc/getallvms |grep "Your Virtual Machine Name"
Note: on an ESXi server use the vim-cmd command instead.

It outputs a line like this:

16 Max Virtual Machine [datastore1] Max Virtual Machine/Max Virtual Machine.vmx winXPProGuest vmx-07

"16" is the inventory ID, which can be used to reload the configuration:
vmware-vim-cmd vmsvc/reload 16
Note: on an ESXi server use the vim-cmd command instead.

Now the virtual machine settings are "up to date" in all your vSphere Clients.
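The two commands combined, as an added example script (not from the original post): it looks the VM up by its exact inventory name, so a short name such as "Max" cannot match "Max Virtual Machine" the way a plain grep would, and it calls vim-cmd or vmware-vim-cmd depending on which one the host has. The sample getallvms output inside it is constructed from the line shown above; a VM name that itself contains " [" is assumed not to occur.

```sh
#!/bin/sh
# Added example, not from the original post: reload a VM's .vmx by name
# instead of reading the inventory ID off the screen. Same getallvms/reload
# steps as the post. The sample getallvms output below is constructed.

# Run vim-cmd on ESXi or vmware-vim-cmd on classic ESX, whichever exists.
vim_cmd() {
    if command -v vim-cmd >/dev/null 2>&1; then
        vim-cmd "$@"
    else
        vmware-vim-cmd "$@"
    fi
}

# vm_id_by_name NAME  (getallvms output on stdin) -> prints the Vmid.
# The name column runs from after the Vmid up to the " [datastore]" token
# that starts the .vmx path; it is compared whole, not as a substring.
# Assumption: a VM name never contains " [".
vm_id_by_name() {
    awk -v want="$1" '
        /^[0-9]+[ \t]/ {
            id = $1
            rest = $0
            sub(/^[0-9]+[ \t]+/, "", rest)          # drop the Vmid column
            p = index(rest, " [")
            if (p > 0) {
                name = substr(rest, 1, p - 1)
                sub(/[ \t]+$/, "", name)             # strip column padding
                if (name == want) { print id; exit }
            }
        }'
}

# vm_reload_by_name NAME -> vmsvc/reload for that VM; fails if it is absent.
vm_reload_by_name() {
    id=$(vim_cmd vmsvc/getallvms | vm_id_by_name "$1")
    if [ -z "$id" ]; then
        echo "no VM named '$1' in the inventory" >&2
        return 1
    fi
    vim_cmd vmsvc/reload "$id"
}

# Constructed sample of `vim-cmd vmsvc/getallvms` output, based on the line
# quoted in the post, for trying vm_id_by_name without a host.
SAMPLE_GETALLVMS='Vmid   Name                  File                                                 Guest OS        Version   Annotation
16     Max Virtual Machine   [datastore1] Max Virtual Machine/Max Virtual Machine.vmx   winXPProGuest   vmx-07
17     Max                   [datastore1] Max/Max.vmx                                   winXPProGuest   vmx-07'

# Usage on the host:  vm_reload_by_name "Max Virtual Machine"
# Offline check:      printf "%s\n" "$SAMPLE_GETALLVMS" | vm_id_by_name "Max Virtual Machine"
```

Reloading the wrong inventory ID is harmless but confusing, which is why the lookup refuses partial matches instead of returning the first grep hit.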

Friday, June 3, 2011

All ESXi host config files in webAccessibleConfigFiles.xml

An ESXi 4.1 server has an interesting file, '/etc/vmware/hostd/webAccessibleConfigFiles.xml', where all the configuration files are listed. You can find their names and paths there.

Actually it is the list of all config files that are reachable over web access: <urireference> is the path under the host's HTTPS server, <path> is the file on disk, and the <method> entries are the HTTP methods allowed on it, so a file listed with PUT can be written through that URL, not just read:
...

<configfileinfo>
<urireference>/host/vmware.lic</urireference>
<path>/etc/vmware/vmware.lic</path>
<displayname>vmware.lic</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>
<configfileinfo>
<urireference>/host/vmware_config</urireference>
<path>/etc/vmware/config</path>
<displayname>vmware_config</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>
<configfileinfo>
<urireference>/host/vmware_configrules</urireference>
<path>/etc/vmware/configrules</path>
<displayname>vmware_configrules</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>

...
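To review that list without reading the XML by eye, here is an added example script (not from the original post) that prints one line per file with its allowed methods and filters out the PUT-able ones. Plain awk is used because the host's busybox has no XML parser. The sample XML inside it is constructed from the three entries quoted above plus one made-up read-only entry, so the filter has something to leave out; the curl check at the end is for a workstation and is not exercised offline.

```sh
#!/bin/sh
# Added example, not from the original post: summarise
# webAccessibleConfigFiles.xml as "METHODS URI PATH" lines so the entries
# that accept PUT (writable over HTTPS) can be reviewed at a glance.
# The sample below is constructed; "constructed_readonly" is not a real file.

# list_web_config_files < webAccessibleConfigFiles.xml
list_web_config_files() {
    awk '
        function strip(line, tag,    s) {        # text between <tag> and </tag>
            s = line
            sub("^[ \t]*<" tag ">", "", s)
            sub("</" tag ">.*$", "", s)
            return s
        }
        /<configfileinfo>/   { uri = ""; path = ""; methods = "" }
        /<urireference>/     { uri = strip($0, "urireference") }
        /<path>/             { path = strip($0, "path") }
        /<method>/           { m = strip($0, "method")
                               methods = (methods == "") ? m : methods "," m }
        /<\/configfileinfo>/ { print methods, uri, path }
    '
}

# writable_web_config_files < webAccessibleConfigFiles.xml
# Only the entries whose method list contains PUT.
writable_web_config_files() {
    list_web_config_files | awk '$1 ~ /(^|,)PUT(,|$)/'
}

# web_config_status HOST URI -> HTTP status of an unauthenticated GET.
# Run from a workstation with curl (ESXi has none). The files are served by
# hostd, which should answer 401 until valid host credentials are supplied;
# anything else deserves a look.
web_config_status() {
    curl -k -s -o /dev/null -w '%{http_code}\n' "https://$1$2"
}

SAMPLE_XML='<configfileinfo>
<urireference>/host/vmware.lic</urireference>
<path>/etc/vmware/vmware.lic</path>
<displayname>vmware.lic</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>
<configfileinfo>
<urireference>/host/vmware_config</urireference>
<path>/etc/vmware/config</path>
<displayname>vmware_config</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>
<configfileinfo>
<urireference>/host/vmware_configrules</urireference>
<path>/etc/vmware/configrules</path>
<displayname>vmware_configrules</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
<method>PUT</method>
</configfileinfo>
<configfileinfo>
<urireference>/host/constructed_readonly</urireference>
<path>/etc/constructed_readonly</path>
<displayname>constructed_readonly</displayname>
<mimetype>text/plain</mimetype>
<method>GET</method>
<method>HEAD</method>
</configfileinfo>'

# Usage on the host:
#   writable_web_config_files < /etc/vmware/hostd/webAccessibleConfigFiles.xml
# Offline check:
#   printf "%s\n" "$SAMPLE_XML" | writable_web_config_files
```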

Configure persistent logging (syslog) on ESXi host

ESXi 4.1 maintains a log of activity in log files, using a syslog facility. The following logs are available:
• hostd.log
• messages
• vpxa.log (only if the host has been joined to a VirtualCenter instance)

By default, the logs on ESXi are stored only in the in-memory file system. They are lost upon reboot, and only 1 day’s worth of logs is kept.
According to the VMware Security Hardening Guide, you can configure persistent logging to a datastore, so that a dedicated record of server activity is always available for that host.

The VMware KB has recommendations on how to make this possible, but manual changes to the 07.logger file work only for the current session: after a restart all changes are reverted (the KB has a note about this). David's note in this thread explains the issue. But how to resolve it and make persistent logging possible? Well, yes, the vSphere Client works perfectly and you can change the syslog settings there. But I need to change them from the TSM (Tech Support Mode) shell.

I have tried editing the '/etc/syslog.conf' file, and it works! By the way, the vSphere Client stores its changes to the syslog settings in this file as well.
So you need to:
- set the path to your log file with the 'logfile=' parameter, e.g.

logfile=/vmfs/volumes/4d5abbeb-22518c58-5ddc-000c2954a30d/logging/messagesX

where '4d5abbeb-22518c58-5ddc-000c2954a30d' is your datastore UUID. You can also use the datastore label (like "datastore1") in this path. Make sure that all folders in this path exist.

- find the existing syslogd process and restart it:
ps | grep syslog (note the PID of syslogd)
kill -HUP <PID of syslogd> (SIGHUP makes syslogd re-read its configuration)

Check that syslogd logs to the new file. Keep in mind that it continues to log to the original "messages" file (/var/log/messages) as well. The new log file is rotated and old versions are compressed automatically.
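The same change as a script that is safe to run more than once, added here as an example (it is not from the original post). It assumes, which the post does not say, that the ESXi 4.1 `ps` output has the process ID in its first column; the syslog.conf content it is tried on offline is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: the syslog.conf edit and the
# syslogd restart described above, as re-runnable functions.
# Assumed (the post does not say): ESXi 4.1 `ps` prints the PID in its first
# column. The syslog.conf content used in the offline check is constructed.

# set_syslog_logfile LOGFILE [CONF]
# Point logfile= in CONF (default /etc/syslog.conf) at LOGFILE. The log
# directory is created first, since the post warns the folders must exist.
# An existing logfile= line is replaced rather than duplicated; if there is
# none, one is appended.
set_syslog_logfile() {
    logfile="$1"
    conf="${2:-/etc/syslog.conf}"
    mkdir -p "$(dirname "$logfile")" || return 1
    if grep -q '^logfile=' "$conf" 2>/dev/null; then
        tmp="$conf.tmp.$$"
        # '|' as the sed delimiter because the value is a path. The result is
        # copied back into the existing file instead of mv'ed over it, so the
        # file keeps its inode and mode bits; ESXi uses the sticky bit on
        # /etc files to decide what to save across reboots.
        sed "s|^logfile=.*|logfile=$logfile|" "$conf" > "$tmp" \
            && cat "$tmp" > "$conf"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    printf 'logfile=%s\n' "$logfile" >> "$conf"
}

# restart_syslogd -> SIGHUP, which makes syslogd re-read syslog.conf.
# The [s]yslogd pattern keeps awk from matching its own command line.
restart_syslogd() {
    pid=$(ps | awk '/[s]yslogd/ { print $1; exit }')
    [ -n "$pid" ] || { echo "syslogd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Usage on the host (datastore label or UUID both work in the path):
#   set_syslog_logfile /vmfs/volumes/datastore1/logging/messagesX && restart_syslogd
#   tail /vmfs/volumes/datastore1/logging/messagesX   # confirm new entries arrive
```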

Manage ESXi Lockdown Mode from DCUI

If your VMware ESXi 4.0 and 4.1 servers are joined to a VMware vCenter Server infrastructure, you can enhance security for these hosts. Following the VMware Security Hardening Guide, you need to enable Lockdown Mode to restrict root access (requirement HCN02).

Lockdown mode forces all operations to be performed through vCenter Server (you can continue to use the Direct Console User Interface, aka DCUI, to manage the host).

The VMware Security Hardening Guide notes that lockdown mode can be enabled or disabled in two places:
• In the vSphere Client, when connected to the vCenter Server managing the host
• In the DCUI of the host

In ESXi 4.0 (the commands act on the admin account, so the sense is inverted: admin_account_is_enabled returning true means Lockdown mode is off):
To check if Lockdown mode is enabled, run the command:
vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled

To disable Lockdown mode, run the command:
vim-cmd -U dcui vimsvc/auth/admin_account_enable

To enable Lockdown mode, run the command:
vim-cmd -U dcui vimsvc/auth/admin_account_disable

In ESXi 4.1:
To check if Lockdown mode is enabled, run the command:
vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

To disable Lockdown mode, run the command:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit

To enable Lockdown mode, run the command:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

See the VMware KB for more details.
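Because the 4.0 and 4.1 command names differ and the 4.0 check is inverted, here is an added example (not from the original post) of a small helper that picks the right commands from the host's version string and normalises the answer to "enabled" or "disabled". Two assumptions that the post does not state: `vmware -v` prints a line such as "VMware ESXi 4.1.0 build-260247", and the check commands print true or false.

```sh
#!/bin/sh
# Added example, not from the original post: lockdown helpers that select the
# ESXi 4.0 or 4.1 vim-cmd names listed above from the host's version string.
# The 4.0 check describes the admin account ("true" = lockdown OFF); the 4.1
# check describes lockdown itself ("true" = lockdown ON). lockdown_state
# folds both into "enabled"/"disabled" so callers never see the inversion.
# Assumed (not from the post): `vmware -v` prints "VMware ESXi 4.1.0
# build-NNNNNN", and the check commands print true or false.

# esxi_version [VERSION_STRING] -> "4.0", "4.1", ...
# Reads `vmware -v` when no argument is given.
esxi_version() {
    printf '%s\n' "${1:-$(vmware -v)}" \
        | sed -n 's/.*ESXi* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# lockdown_state VERSION RAW -> "enabled" | "disabled"
# RAW is the true/false printed by that version's check command.
lockdown_state() {
    case "$1" in
        4.0) if [ "$2" = "true" ]; then echo disabled; else echo enabled; fi ;;
        *)   if [ "$2" = "true" ]; then echo enabled;  else echo disabled; fi ;;
    esac
}

# Versions other than 4.0 use the 4.1 command names.
lockdown_check() {
    v=$(esxi_version)
    [ -n "$v" ] || { echo "cannot determine ESXi version" >&2; return 1; }
    case "$v" in
        4.0) raw=$(vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled) ;;
        *)   raw=$(vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled) ;;
    esac
    lockdown_state "$v" "$raw"
}

lockdown_enable() {
    case "$(esxi_version)" in
        4.0) vim-cmd -U dcui vimsvc/auth/admin_account_disable ;;
        *)   vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter ;;
    esac
}

lockdown_disable() {
    case "$(esxi_version)" in
        4.0) vim-cmd -U dcui vimsvc/auth/admin_account_enable ;;
        *)   vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit ;;
    esac
}

# Usage from the TSM shell:  lockdown_check; lockdown_enable; lockdown_check
```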