As you probably know VMware has interesting guideline: vSphere 4.1 Security Hardening Guide. This document provides instructions on how to securely deploy VMware vSphere™ 4.1 (“vSphere”) in a production environment. Also you can find very useful Perl script vmwarevSphereSecurityHardeningReportCheck.pl that can be ran on your environment and allows you to check your current state in according to the Security Hardening Guide.
Despite the fact that script does not check all requirements, it can help a lot.
To use this script you need to download and run vSphere Management Assistant in your environment. It is distributed as OVF template and can be installed very quickly. Virtual machine already has all necessary SDKs installed and you need just to copy vmwarevSphereSecurityHardeningReportCheck.pl script on your vMA. Note: to enable SSH connections on your vMA you need to read this article where you can find instructions “Issue with vMA5 & ssh” (check comments also, because I had some issues with file editing)
The main issue with vMA is its 64-bit OS, so if you want to run vMA on the virtual ESX(i) server you need to have hardware that supports VT-x/EPT instructions. I have Intel Core 2 Duo on my workstation and it doesn’t support this feature.
Actually script does not need vMA, it uses vSphere SDK for Perl so I have decided to try to run it in Windows host. I installed vSphere SDK for Perl and ran script. And it works, but with some issues that I have fixed: I replaced ‘grep’ with ’findstr ‘ and changed folder creation method. Also you need to have openSSL on your host. I use binary files from this package:http://gnuwin32.sourceforge.net/packages/openssl.htm).
These are step by step instructions:
1. Download and install vSphere SDK for Perl on the your Windows host (I use Win7 but I think that it should work on XP, 2003 and 2008 also)
2. Download openSSL binary package and copy openssl.exe, and libssl32.dll to the directory with Perl binaries.
3. Add path to the Perl binaries to your PATH environment variable
4. Download this script and enjoy. It supports ESX(i) 4.X and 5.0. Check RN in the script.
ALL COPYRIGHTS for script pertain to William Lam http://www.virtuallyghetto.com | @lamw
During the script checking I have fixed 2 bugs in the setting analysis. I posted these bugs (1 & 2) to VMwarevSphereSecuriyHardening Group forum and I as far I know William fixed it in the original script also.
Command line example:
perl.exe "PATH_TO_SCRIPT\vmwarevSphereSecurityHardeningReportCheck_win.pl" --recommend_check_level enterprise --server YOUR_SERVER --password PSWD --username USER --reportname "esx41_enter.html"
Check original script page to get details about command line parameters.
I will update this post and script as soon as it will be changed. I'm planning to extend its functionality so stay tuned.
Now we're planing to use this script for automatic testing. Our product vGate helps you ensure that your virtual infrastructure is compliant to popular security standarts: VMware Security Hardening Guide, CIS Benchmarks for vSphere 4.0 and PCI DSS 2.0
Thanks to William who was very responsive and answered all my questions.
