How to configure esx to pass an audit


    1. How to Configure your ESX Hosts to Successfully Pass an Audit… GUARANTEED!
       Greg Shields, MVP, vExpert
       Head Geek, Concentrated Technology
       www.ConcentratedTech.com
    2. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com. For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg. This work is copyright © Concentrated Technology, LLC.
    3. Four Documents of Note
       In order of usefulness:
       - VMware's VI3.5 Security Hardening Guide: high-level guidance for security and auditing.
       - The DISA's STIG for ESX Server & "Virtual Computing": very specific guidance on security. Required if DoD-connected.
       - CIS's VMware ESX Server 3.0 Benchmark: this document is aged, but serves as an additional data point for learning / education on common ESX topics.
       - CIS's Virtual Machine Security Guidelines: this document, while also aged, is fairly general in its guidance.
    4. DISA STIG Guidance
       - ESX's Service Console is a modified Red Hat Enterprise Linux (RHEL 3 for ESX 3.x; the 2.6.18-128.ESX kernel of ESX 4.0 is RHEL 5-derived).
         - Thus, protecting/auditing ESX starts by protecting/auditing that RHEL base.
       - DISA requirement ESX0010 states: "The IAO/SA will configure the ESX Server in accordance with the UNIX STIG and Checklist. This is not applicable to ESX Server 3i."
       - Any ESX Server must first meet DISA's general UNIX STIG, then also the ESX STIG.
    5. DISA STIG Guidance
       - Once met, DISA's ESX STIG adds nearly 120 individual requirements for modifying / verifying the configuration of that server's ESX functionality...
    6. DISA STIG Guidance
       - Stepping through these items isn't value added. Let's instead discuss high-level security and auditing requirements.
    7. Guidance for Virtual Machines
       - Secure virtual machines in the same ways you would physical machines: updates, anti-virus, anti-malware, firewalls.
       - Disable unnecessary functions: OS services, physical devices, screen savers (particularly important: a graphical screen saver burns host CPU that other VMs need).
       - Leverage templates when possible.
         - Templates ensure that every VM has a common start point and common security/auditing settings.
         - Eases config documentation.
    8. Guidance for Virtual Machines
       - Set limits/reservations to prevent resource overuse.
         - Greg's advice: be careful with setting too many limits/reservations.
         - Don't forget the host reserve to protect host functions.
       - Isolate VM networks.
         - Physically separate VM interfaces from VMotion and management interfaces to prevent data leakage (VMotion moves guest memory across the wire unencrypted). Very important.
         - Leverage VLANs if your security policies allow.
         - Use distributed virtual switches (dVS) when possible to reduce configuration error and centralize management of virtual switches.
         - Create an isolated management network with a high security level.
       - Spec ESX hosts with lots of network cards!
    9. Guidance for VMX File Customization
       - Disable remote copy/paste operations between the guest OS and the remote console.
         - Can be used as a vector for data leakage. Typically unsecured.
         - Add to the .vmx (with the VM powered off, or through the VI Client's Advanced settings):
             isolation.tools.copy.disable = "TRUE"
             isolation.tools.paste.disable = "TRUE"
             isolation.tools.setGUIOptions.enable = "FALSE"
           The third setting stops the guest from re-enabling copy/paste through VMware Tools.
       - Prevent log overflow.
         - VM logs written to the VI datastore can overflow log space.
         - Set the rotation size and the count of rotated logs to keep:
             log.rotateSize = "100000"
             log.keepOld = "10"
    10. Guidance for VMX File Customization
        - Do not permit use of nonpersistent disks.
          - These disks revert to their snapshot when the VM is rebooted.
          - Can be used by a would-be attacker to cover tracks.
          - Verify in VM settings (in the .vmx, no disk's scsi<x>:<y>.mode may be "independent-nonpersistent").
        - Verify that unauthorized devices are not connected.
          - Unnecessary peripherals should not be connected:
              floppy<x>.present = "FALSE"
              serial<x>.present = "FALSE"
              parallel<x>.present = "FALSE"
          - Prevent users from connecting devices from within the guest OS:
              isolation.tools.connectable.disable = "TRUE"
    11. Guidance for VMX File Customization
        - Verify correct assignment of the guest OS.
          - While not necessarily a security risk, improper guest OS assignment will have an impact on system performance.
        - Verify proper permissions on disk files.
          - .vmx files should be 755 (u=rwx, go=rx).
          - .vmdk files should be 600 (u=rw, no group or other access).
          - User and group should be root (root:root).
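The .vmx settings and file permissions on slides 9 through 11 can be checked mechanically rather than by eye. The script below is an added example, not from the deck or from VMware: it parses a copy of a .vmx file, flags the settings the slides call out (copy/paste isolation, log rotation, attached removable devices, nonpersistent disks), and checks owner and mode from the stat() results of the .vmx and .vmdk files. Because it only needs copies of the files, it runs from a management workstation instead of on the Service Console, in line with slide 14. The sample .vmx is constructed; `independent-nonpersistent` is the .vmx value for a nonpersistent disk.

```python
"""Offline audit of a VM's .vmx settings and file permissions (slides 9-11).

Added example, not part of the deck: run it on a workstation against a copy of
the .vmx and the stat() results of the .vmx/.vmdk files.  The sample .vmx below
is constructed for illustration."""
import re
import stat

# Settings the slides require.  Keys are lower-cased because .vmx keys are
# case-insensitive; values are compared case-insensitively as well.
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",           # block remote-console copy
    "isolation.tools.paste.disable": "TRUE",          # block remote-console paste
    "isolation.tools.setguioptions.enable": "FALSE",  # guest cannot re-enable them
    "isolation.tools.connectable.disable": "TRUE",    # guest cannot (dis)connect devices
    "log.rotatesize": "100000",                       # rotate vmware.log at ~100 KB
    "log.keepold": "10",                              # keep 10 rotated logs
}
REMOVABLE = re.compile(r"^(floppy|serial|parallel)\d+\.present$")
DISK_MODE = re.compile(r"^(scsi|ide)\d+:\d+\.mode$")


def parse_vmx(text):
    """Return {key.lower(): value} from 'key = "value"' lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def audit_vmx(cfg):
    """Return a list of findings; an empty list means the .vmx passes."""
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None or got.upper() != want:
            findings.append(f"{key} is {got!r}, expected {want}")
    for key, value in cfg.items():
        if REMOVABLE.match(key) and value.upper() == "TRUE":
            findings.append(f"{key} = TRUE: unnecessary removable device attached")
        if DISK_MODE.match(key) and "nonpersistent" in value.lower():
            findings.append(f"{key} = {value}: nonpersistent disk discards evidence on reboot")
    return findings


def audit_perms(st_mode, uid, gid, is_vmx):
    """Slide 11: .vmx files 755, .vmdk files 600, both owned root:root (uid 0, gid 0)."""
    want = 0o755 if is_vmx else 0o600
    findings = []
    if stat.S_IMODE(st_mode) != want:
        findings.append(f"mode {stat.S_IMODE(st_mode):o}, expected {want:o}")
    if (uid, gid) != (0, 0):
        findings.append(f"owner {uid}:{gid}, expected root:root")
    return findings


# Constructed sample: paste still allowed, a floppy attached, and a nonpersistent disk.
SAMPLE_VMX = '''\
config.version = "8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.tools.connectable.disable = "TRUE"
log.rotateSize = "100000"
log.keepOld = "10"
floppy0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
'''

if __name__ == "__main__":
    for finding in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print("FAIL web01.vmx:", finding)
    # st_mode/uid/gid as os.stat() would report them: a 0644 file owned by root
    for finding in audit_perms(0o100644, 0, 0, is_vmx=True):
        print("FAIL web01.vmx:", finding)
```

Against the constructed sample the script reports three findings (paste enabled, floppy present, nonpersistent disk) plus the wrong file mode; a VM built from a hardened template, as slide 7 recommends, should produce none.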
    12. Guidance for ESX Service Console
        - Configure the Service Console with the default firewall settings.
          - Add additional exclusions as necessary for approved services.
    13. Suggested Firewall Exclusions
        Add exclusions as necessary. Remember that many "odd" faults are firewall-based.

        Port(s)              Purpose                              Traffic Type
        -------------------  -----------------------------------  -------------------
        5989/TCP             CIM Secure Server                    Incoming
        22/TCP               SSH Server                           Incoming
        5988/TCP             CIM Server                           Incoming
        427/TCP & 427/UDP    CIM SLP                              Incoming & Outgoing
        80, 443/TCP          vSphere Web Access                   Incoming
        443, 902/TCP         VMware Consolidated Backup           Outgoing
        902/UDP              VMware vCenter Agent                 Outgoing
        3260/TCP             Software iSCSI Client (if used)      Outgoing
        123/UDP              NTP Client                           Outgoing
        80, 9000-9100/TCP    VMware Update Manager                Outgoing
    14. Guidance for ESX Service Console
        - Minimize use of the VI console (the VM console in the VI Client).
          - Console access can have a substantial impact on VM performance.
          - Remote access protocols are slightly better, but…
          - Stop managing infrastructure from any consoles! Use remote tools!
        - Limit use of the Service Console for administration.
          - VI Client and VirtualCenter leverage well-defined APIs for management.
          - The Service Console leverages Linux-based administration.
          - More opportunity for mistakes with Linux-based administration.
          - If scripting/automation is necessary, leverage the Remote CLI, VI Perl Toolkit, or PowerShell Toolkit rather than shell scripting. Well-defined interfaces.
    15. Guidance for ESX Service Console
        - Authenticate via a directory service.
          - Centralizing authentication in a directory service reduces the chance of a mistake or of malicious (hidden) local account creation.
              /usr/sbin/esxcfg-auth --enablead --addomain mydomain.com --addc mydc.mydomain.com --krb5realm=mydomain.com --krb5kdc mydc.mydomain.com --krb5adminserver mydc.mydomain.com
        - Control root privileges.
          - Disallow root logins to the Service Console. Enforce sudo.
              cat /dev/null > /etc/securetty
            An empty /etc/securetty makes login(1) refuse root on every tty. It does not govern SSH: keep PermitRootLogin no in /etc/ssh/sshd_config (the ESX default).
            Note: this may impact iLO and DRAC functionality (remote-console logins as root).
          - Limit su to users in the wheel group only, in /etc/pam.d/su:
              auth required /lib/security/$ISA/pam_wheel.so use_uid
            Grant sudo to the same group in /etc/sudoers (%wheel ALL=(ALL) ALL) so that every privileged action is attributable to a named user.
    16. Guidance for ESX Service Console
        - Disable accounts after three failed logins.
          - Common requirement in many compliance regs.
          - In /etc/pam.d/system-auth:
              auth    required /lib/security/pam_tally.so no_magic_root
              account required /lib/security/pam_tally.so deny=3 no_magic_root
          - Create the file for logging failed login attempts:
              touch /var/log/faillog
              chown root:root /var/log/faillog
              chmod 600 /var/log/faillog
          - A locked account is reset with faillog -u <user> -r once the failures have been investigated.
        - Always remember that the ESX console is not Linux.
          - Don't manage it like Linux. Only install ESX-compatible software.
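The login controls on slides 15 and 16 live in four places: /etc/securetty, /etc/pam.d/su, /etc/pam.d/system-auth (which ESX's other PAM services include through pam_stack) and the permissions on /var/log/faillog. The following is an added example, not from the deck: it parses collected copies of those files and the stat() of faillog and reports each control as pass or fail, so an auditor can verify a host without logging in as root. The sample files are constructed and use the module paths shown on the slides; PAM's backslash line continuation (as on the split pam_tally line) is handled.

```python
"""Check the Service Console login controls from slides 15-16.

Added example, not part of the deck.  Works on collected copies of
/etc/securetty, /etc/pam.d/su and /etc/pam.d/system-auth plus the stat() of
/var/log/faillog, so it can run from a workstation.  The sample files below
are constructed and use the module paths shown in the slides."""
import stat


def pam_lines(text):
    """Yield (type, control, module, args) for each active PAM rule,
    joining lines continued with a trailing backslash."""
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        module = parts[2].rsplit("/", 1)[-1]   # '/lib/security/$ISA/pam_wheel.so' -> 'pam_wheel.so'
        yield parts[0], parts[1], module, parts[3:]


def root_console_login_blocked(securetty):
    """An empty /etc/securetty makes login(1) refuse root on every tty."""
    active = [l for l in securetty.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return not active


def su_restricted_to_wheel(pam_su):
    """pam_wheel.so with use_uid is required in the auth stack of /etc/pam.d/su."""
    return any(t == "auth" and c == "required" and m == "pam_wheel.so" and "use_uid" in a
               for t, c, m, a in pam_lines(pam_su))


def lockout_after(pam_system_auth, max_failures=3):
    """pam_tally.so counts failures in the auth stack and an account rule
    enforces deny=N with N <= max_failures."""
    counting = any(t == "auth" and m == "pam_tally.so" for t, _, m, _ in pam_lines(pam_system_auth))
    deny = None
    for t, _, m, args in pam_lines(pam_system_auth):
        if t == "account" and m == "pam_tally.so":
            for arg in args:
                if arg.startswith("deny="):
                    deny = int(arg.split("=", 1)[1])
    return counting and deny is not None and deny <= max_failures


def faillog_protected(st_mode, uid, gid):
    """/var/log/faillog must be a regular file, mode 600, owned root:root."""
    return stat.S_ISREG(st_mode) and stat.S_IMODE(st_mode) == 0o600 and (uid, gid) == (0, 0)


def report(securetty, pam_su, pam_system_auth, faillog_stat):
    """Map each control to pass/fail; faillog_stat is (st_mode, uid, gid) from os.stat()."""
    return {
        "root console login blocked": root_console_login_blocked(securetty),
        "su limited to wheel": su_restricted_to_wheel(pam_su),
        "lockout after 3 failures": lockout_after(pam_system_auth),
        "faillog 600 root:root": faillog_protected(*faillog_stat),
    }


# Constructed samples ---------------------------------------------------------
SECURETTY_DEFAULT = "console\ntty1\ntty2\ntty3\n"
SECURETTY_HARDENED = ""                     # result of: cat /dev/null > /etc/securetty
PAM_SU = """#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
"""
PAM_SYSTEM_AUTH = """#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/pam_tally.so no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/pam_tally.so deny=3 \\
                          no_magic_root
"""

if __name__ == "__main__":
    # A host that still has the stock securetty and a world-readable faillog
    for control, ok in report(SECURETTY_DEFAULT, PAM_SU, PAM_SYSTEM_AUTH, (0o100644, 0, 0)).items():
        print("PASS" if ok else "FAIL", control)
```

Note that pam_tally's counter only increments for services whose PAM stack includes system-auth; the check above deliberately looks for the `auth` line as well as the `account deny=` line, because the latter alone never locks anyone out.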
    17. Guidance for Logging / Alerting
        - Configure NTP.
          - Accomplished through the VI Client (host Configuration > Time Configuration).
        - Enable remote syslog logging.
          - Most compliance regulations require offsite and protected log storage.
          - Configure /etc/syslog.conf: for each selector (message type), add a rule whose action is the remote host, @loghost.company.com, alongside the existing local file so the host keeps its own copy.
          - Then make syslogd reread its configuration:
              kill -SIGHUP `cat /var/run/syslogd.pid`
        - Create and store key file hashes (/etc, /etc/vmware):
              sha1sum <fileName>
          - Keep the baseline off the host and re-compare on a schedule; a baseline stored on the host can be rewritten by whoever changed the files.
          - This process can be eased through Tripwire / ConfigureSoft.
    18. Guidance for Logging / Alerting
        - Configure SNMP. Use SNMP v3 where possible.
          - Modify /etc/snmp/snmpd.conf.
          - (Details of this configuration are out of scope for today's class.)
          - If SNMP v3 is not possible, use an isolated network for SNMP traffic (v1/v2c community strings travel in the clear).
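Slide 17 describes two procedures that are easy to get subtly wrong by hand: adding a remote destination to every rule in /etc/syslog.conf, and keeping a hash baseline of /etc and /etc/vmware. The script below is an added example, not from the deck or from VMware: `add_remote_loghost()` rewrites a copy of syslog.conf so each active rule also forwards to the loghost (local files are kept, and running it twice adds nothing), and `sha1_baseline()`/`compare_baseline()` produce the same SHA-1 digests `sha1sum` prints and diff two snapshots to show what changed, vanished or appeared. The syslog.conf excerpt and the file contents are constructed; loghost.company.com is a placeholder.

```python
"""Remote syslog forwarding and a file-integrity baseline (slide 17).

Added example, not part of the deck.  The syslog.conf excerpt and the file
snapshots below are constructed; loghost.company.com is a placeholder."""
import hashlib


def _rules(conf):
    """Yield (selector, action) for each active (non-comment) syslog.conf rule."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.lstrip().startswith("#"):
            yield parts[0], parts[1]


def add_remote_loghost(conf, loghost):
    """Return conf with a '<selector>\\t@loghost' rule after every local rule whose
    selector is not already forwarded to loghost.  Idempotent."""
    target = "@" + loghost
    forwarded = {sel for sel, act in _rules(conf) if act == target}
    out = []
    for line in conf.splitlines():
        out.append(line)
        parts = line.split()
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        selector, action = parts[0], parts[1]
        if action.startswith("@") or selector in forwarded:
            continue                       # already remote, or already covered
        out.append(f"{selector}\t{target}")
        forwarded.add(selector)
    return "\n".join(out) + "\n"


def remote_rule_count(conf, loghost):
    """How many rules send to @loghost (0 means nothing leaves the host)."""
    return sum(1 for _, act in _rules(conf) if act == "@" + loghost)


def sha1_baseline(files):
    """files: {path: bytes} -> {path: hex SHA-1}, the digest sha1sum(1) prints."""
    return {path: hashlib.sha1(data).hexdigest() for path, data in files.items()}


def compare_baseline(baseline, current):
    """Report paths that changed, vanished or appeared between two baselines."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


# Constructed RHEL-style syslog.conf excerpt as found on a Service Console
SAMPLE_SYSLOG_CONF = """\
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""

# Constructed snapshots of key files (contents shortened for the example)
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/vmware/esx.conf": b'/adv/Misc/HostName = "esx01"\n',
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"   # drifted
CURRENT_FILES["/etc/vmware/extra.conf"] = b"x=1\n"                 # appeared

if __name__ == "__main__":
    print(add_remote_loghost(SAMPLE_SYSLOG_CONF, "loghost.company.com"))
    print(compare_baseline(sha1_baseline(BASELINE_FILES), sha1_baseline(CURRENT_FILES)))
```

Two practical points: remote syslog is UDP/514, which is not in the slide-13 exclusion list and must be opened outbound on the Service Console firewall before any messages leave the host, and syslogd has to be sent SIGHUP (as on slide 17) after the file is written.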
    19. Guidance for Networks (diagram slide; no text)
    20. Guidance for Networks
        - Mask and zone FC SAN resources correctly.
          - Ensure that LUNs are only presented to the interfaces which need them.
        - Leverage iSCSI authentication.
          - iSCSI CHAP authentication is per HBA/NIC (initiator), not per target.
          - No Kerberos available. No encryption available.
          - Ensure that iSCSI traffic is always isolated (security + DoS prevention).
        - Leverage VM-based firewalls for intra-ESX ACLing.
          - ESX's vSwitch is a layer 2 device with no ACLs: traffic between VMs on the same vSwitch and VLAN never reaches a physical firewall, so network ACLs stop at the host.
          - External Switch Tagging (EST): VLANs terminate at the pSwitch.
          - Virtual Switch Tagging (VST): VLANs terminate at the vSwitch.
    21.–23. Guidance for Networks (diagram slides). Slide 23 caption: vSphere + Cisco Nexus overcomes this limitation (the Nexus 1000V distributed switch adds ACLs inside the host).
    24. Guidance for Networks
        - Replace self-signed certificates.
          - ESX's native self-signed certificates can be a man-in-the-middle (MitM) attack vector: a client has no way to tell the host's certificate from an attacker's.
          - Replace existing certificates with CA-signed certificates.
          - Refer to the VMware document Replacing VirtualCenter Server Certificates for detailed specifications: http://www.vmware.com/pdf/vi_vcserver_certificates.pdf
        - Disable Promiscuous Mode, MAC Address Changes, and Forged Transmits where possible.
          - Disabling MAC Address Changes can impact some clusters.
          - Promiscuous Mode is required for IDS/IPS. Isolate if needed.
    25. Guidance for vCenter
        - Limit administrator access. Ensure separation of duties.
          - vCenter includes high-level administrator access, but also discrete task assignment. Ensure that tasks are assigned as needed.
        - Limit database access after installation.
          - vCenter database creation at installation requires DB Owner rights.
          - Day-to-day database operations require only execute on stored procedures plus select, update, insert, and delete; drop the DB Owner role once installation is complete.
        - Segregate the VMware Update Manager and VMware Converter Enterprise roles onto isolated computers.
          - This maintains the security position of the vCenter server.
    26. Consider Automation
        - Tripwire
        - ConfigureSoft
    27. Sample Audit Program
        - Stop by www.ConcentratedTech.com to download an actual ESX 3.5 audit program.
        - This audit program includes the exact steps an auditor (from this particular group) must use to verify settings on an ESX server.
        - Follow this document, and pass that audit… GUARANTEED!
    28. Virtualization's Four Horsemen
        - Hypervisor ubiquity: there is a singular hypervisor upon which everything sits.
        - VM dormancy: powered-down virtual machines don't get patched.
        - Virtual networking: intra-ESX network ACLs don't exist.
        - VM collocation: VMotion can collocate VMs that should be segregated.