Date post: 07-Oct-2020
Symantec™ Enterprise Security Manager Modules for ESX and ESXi server User Guide

Release 2.0 for Symantec ESM 9.0.x and 10.0. For ESX and ESXi servers with support for reporting on vCenter server

Symantec™ Enterprise Security Manager Modules for ESX and ESXi server User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 2.0

Legal Notice

Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

■ Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

■ Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL:

www.symantec.com/business/services/

Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec ESM Modules for ESX, ESXi, & vCenter servers
    About the Symantec ESM Modules for ESX, ESXi, & vCenter servers
    Where you can get more information
    Templates

Chapter 2 Installing Symantec ESM Modules for ESX, ESXi, & vCenter servers
    Before you install
    Minimum account privileges
    System requirements
    Disk space requirements
    Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server
    Silently installing the ESM modules for ESX server
    Silently configuring the ESM modules for ESX, ESXi, vCenter server
    Configuring the ESM modules for ESX, ESXi, vCenter server
        About types of configuration

Chapter 3 ESM Modules for ESX and ESXi servers
    ESX Configurations
        About reporting through the vCenter server
        Guest installed
        Guest status
        Copy disabled
        Paste disabled
        Setinfo messages disabled
        Guest time synchronization
        Guest connection control
        Host time synchronization
        Guest logging
        VMware Tools logging
        Guest log rotate size
        Guest old log keeping
        Set GUI Options disabled
        Host config option parameters
        NX/XD flag exposed to guest
    ESX Network
        About reporting through the vCenter server
        iSCSI enabled
        iSCSI CHAP authentication
        MAC address changes
        Forged transmission
        Promiscuous mode
        Service console firewall
        Port groups in VLAN
        SNMP traps setting
    ESX Patches
        About reporting through the vCenter server
        Patch templates
        Superseded
        Disable patch module
        Patch results summary
        Installed Patches
        ESXi updates
    ESX System
        About reporting through the vCenter server
        GRUB OS level password
        Boot loader password
        Root file system fill up
        Roles and privileges
        SU PAM Authentication
        ESX log auditing
        Execute on vCenter
        Lockdown mode
        Local accounts only
        Shell access
        Maintenance mode
        List users and groups

Chapter 1 Introducing Symantec ESM Modules for ESX, ESXi, & vCenter servers

This chapter includes the following topics:

■ About the Symantec ESM Modules for ESX, ESXi, & vCenter servers

■ Where you can get more information

■ Templates

About the Symantec ESM Modules for ESX, ESXi, & vCenter servers

The Symantec ESM modules for ESX, ESXi, & vCenter servers include the following four modules:

■ ESX Configuration

■ ESX Network

■ ESX Patches

■ ESX System

The ESX modules help to protect your ESX and ESXi servers from known security vulnerabilities by reporting the differences between the preferred and the actual settings on these servers.

ESX versions 3.0.2, 3.0.3, 3.5, and 4.0 support host-based reporting. For network-based reporting, you must ensure that the ESX modules are installed on an ESM agent computer that is running on a Red Hat Enterprise Linux server. You can then configure the ESX, ESXi, and vCenter servers that you want to report on.

Where you can get more information

For more information about Symantec ESM modules and Security Updates, see the latest versions of the Symantec Enterprise Security Administrator’s Guide and the Symantec ESM Security Update User Guide.

For more information on Symantec Enterprise Security Manager (ESM), Symantec ESM Security Updates, and Symantec ESM support for database products, see the Symantec Security Response Web site at the following URL: Security Response Web site

Templates

Several of the documented modules use templates to store the ESX parameters and object settings. Differences between the current settings and template values are reported when the modules run. Modules use templates to store ESX and ESXi servers parameters and object settings.

Table 1-1 shows the modules and checks that use template files in Symantec ESM Modules for ESX, ESXi, & vCenter servers.

Table 1-1 Template names

| Module | Check name | Template name | Predefined template |
|---|---|---|---|
| ESX Configurations | Host config option parameters | ESX Configuration Parameters | esxdefaultconf.cox |
| ESX Patches | Patch templates | esxpatch.elx | esxpatch.elx |
| ESX Patches | ESXi updates | ESXi Patch | esxipatch.ilx |
| ESX Network | Port groups in VLAN | ESX Port group in VLAN | none |
| ESX System | ESX log auditing | ESX log audit | none |

Table 1-2 shows the modules and checks that use sample template files.

Table 1-2 Sample template names

| Module | Check name | Sample template |
|---|---|---|
| ESX Network | Port groups in VLAN | esxgrpvlan_sample.lan |
| ESX System | ESX log auditing | esxlogaudit_sample.evt |

Note: The sample templates are for reference only. You can use the sample templates to create customized templates for the check to report on the values that you specify in the template.

Chapter 2 Installing Symantec ESM Modules for ESX, ESXi, & vCenter servers

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges

■ System requirements

■ Disk space requirements

■ Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server

■ Silently installing the ESM modules for ESX server

■ Silently configuring the ESM modules for ESX, ESXi, vCenter server

■ Configuring the ESM modules for ESX, ESXi, vCenter server

Before you install

When an ESX server is installed, the default firewall setting blocks the incoming and the outgoing ports. To establish communication between the ESM manager and the ESM agent, which is installed on the ESX server, open the ports 5600 and 5601 before you install the ESM agent on the ESX server.

To install the modules, you need the following:

■ CD-ROM access: At least one computer on your network must have a CD-ROM drive.

■ Account privileges: You must have access to an account with superuser privileges on each computer where you plan to install the modules.

■ Connection to the manager: Verify that the Symantec ESM enterprise console can connect to the Symantec ESM manager.

■ Agent and manager: The Symantec ESM agent must be running and registered to at least one Symantec ESM manager.

Minimum account privileges

You can use the following minimum account privileges for installation and reporting:

■ Minimum privileges to install the ESM ESX Modules
You must have superuser privileges to install the ESM ESX Modules on ESX host and Red Hat Enterprise Linux.
For example, root.

■ Minimum account privileges for reporting on the vCenter, ESX and ESXi 3.5 or later
You must configure the ESM ESX modules with the ESX, ESXi, or vCenter server so that an ESM policy with the ESX modules and the appropriate checks selected can be executed on the configured servers. During configuration, you must provide the server details, such as the server name or the IP address, and the name of the user account that has the appropriate privileges or permissions on the server that you provide. This user account is used as the logon account to connect to the respective ESX, ESXi, or vCenter server. The configuration details are provided when you run the esxsetup binary. At a minimum, the configured user account must have a role with the Global.Diagnostic privilege assigned to it.
For example, precreated user.
For more information on how to run esxsetup, see “Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server” on page 16.

Note: While you configure the server with domain\user, you must enclose the value in single quotes as 'domain\user'.

Warning: If you use less than the recommended privileges for the accounts that the ESX Application module uses for reporting, then a few checks may not function correctly. This could also result in intentional or unintentional blocking of the module's ability to report on conditions that you may need to know exist.

System requirements

Table 2-1 lists the supported ESX server versions for host-based reporting.

Note: As per Symantec's End of Life product support policy, the ESM Modules for ESX servers are only supported on ESX version 3.0.2 till August 2010.

Table 2-1 Supported ESX server versions for host-based reporting

| Architecture | Supported ESX versions |
|---|---|
| x86, x86_64 | 3.0.2, 3.0.3, 3.5, 4.0, 4.1 |

Note: The host-based reporting works only on the ESX server.

Table 2-2 lists the supported ESX, ESXi, and vCenter server versions and operating systems for network-based reporting.

Table 2-2 Supported ESX, ESXi, and vCenter server versions and operating systems for network-based reporting

| Supported operating systems | Supported OS versions | Architecture | Supported ESX versions |
|---|---|---|---|
| Red Hat Enterprise Linux ES (32-bit) | 5.1, 5.2, 5.3, 5.4 | x86 | 3.5, 3.5i, 4.0, 4.0i, 4.1, 4.1i; vCenter server update 4.0.x |
| Red Hat Enterprise Linux ES (64-bit) | 5.1, 5.2, 5.3, 5.4 | x64 | 3.5, 3.5i, 4.0, 4.0i, 4.1, 4.1i; vCenter server update 4.0.x |

Note: vCenter server update 4, which is installed on the Windows 2003 (x86, x64) and 2008 (x86, x64) platform, supports network-based reporting.

Disk space requirements

Table 2-3 lists the free disk space that you require to install the ESM modules for ESX server.

Table 2-3 Disk space requirements

| Supported operating system | Architecture | Disk space |
|---|---|---|
| ESX 3.0.2, 3.0.3, 3.5, 4.0, 4.1 | x86, x86_64 | 170 MB |
| Red Hat Enterprise Linux ES (32-bit and 64-bit) | x86, x64 | 170 MB |
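
The prerequisites from “Before you install”, “Minimum account privileges”, and Table 2-3 can be checked on the agent host before running the installer. The following script is an added example, not part of the Symantec guide or product; the function names, the install-directory argument, and the use of TCP for the manager port are assumptions.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): pre-install checks for an ESM agent host.
# Values taken from the guide: default manager port 5600, 170 MB free disk space,
# superuser account. The guide also requires port 5601 to be opened; it is not probed
# here because the guide does not say which side listens on it.

ESM_MANAGER_PORT=5600   # default port used to contact the ESM manager
REQUIRED_MB=170         # free disk space from Table 2-3

# True when the current account is the superuser (uid 0).
is_superuser() {
    [ "$(id -u)" -eq 0 ]
}

# Print the free space, in MB, of the file system that holds directory $1.
free_mb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print int($4 / 1024) }'
}

# True when directory $1 has at least $2 MB free. Fails if $1 does not exist.
has_free_space() {
    avail=$(free_mb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# True when a TCP connection to host $1, port $2 succeeds within 3 seconds.
# TCP is an assumption; the installer asks for the protocol separately.
port_open() {
    if command -v bash >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" >/dev/null 2>&1
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        return 2   # no tool available to test the connection
    fi
}

# Run all checks. $1 = ESM manager host, $2 = directory the modules install into
# (hypothetical argument; defaults to /). Returns the number of failed checks.
preflight() {
    mgr=$1
    dir=${2:-/}
    failures=0

    if ! is_superuser; then
        echo "FAIL: installation requires superuser privileges (for example, root)"
        failures=$((failures + 1))
    fi

    if ! has_free_space "$dir" "$REQUIRED_MB"; then
        echo "FAIL: less than ${REQUIRED_MB} MB free on the file system of $dir"
        failures=$((failures + 1))
    fi

    if ! port_open "$mgr" "$ESM_MANAGER_PORT"; then
        echo "FAIL: cannot reach manager $mgr on port $ESM_MANAGER_PORT;" \
             "check that ports 5600 and 5601 are open in the ESX firewall"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ] && echo "OK: prerequisites met for manager $mgr"
    return "$failures"
}

# Run only when a manager host is given: ./preflight.sh MANAGER_HOST [INSTALL_DIR]
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

A non-zero exit status is the number of failed checks, so the script can gate an unattended installation.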

Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server

You can use the esmesx.tpi to install the ESX module on the ESM agent computer.

The installation program does the following:

■ Extracts and installs module executables, configuration (.m) files, and thetemplate files.

■ Registers the .m and the template files by using the ESM agent’s registration program.

Note: If you register the .m files during a module installation on an agent that is installed on the same platform, then you do not have to re-register the .m files.

■ Launches the esxsetup for configuration.

To install the ESM modules for ESX, ESXi, vCenter server

1 From the product disc, run the esmesx.tpi.

You can also download and copy the esmesx.tpi from the Security Response Web site to the desired location.

Note: You can use the LiveUpdate feature, if you want to upgrade the existing ESX version to the latest ESX version. For more information on LiveUpdate, you can refer to the Symantec Enterprise Security Manager Installation Guide.

2 Choose one of the following options:

■ Option 1: To display the contents of the package.

■ Option 2: To install the module.

3 The Do you wish to register the template or .m files? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered.
See “To configure the ESX, ESXi, vCenter servers on the ESM agent computers” on page 18.
See “To configure for the ESX, ESXi, vCenter by using generic credentials” on page 19.

Note: You must register the template and the .m files once for the agents that use the same manager on the same operating system.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM Manager. The default port is5600.

9 Enter the name of the agent as it is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configurationrecords to enable the ESM security checking for your ESX server.

10 The Continue and add configuration records to enable ESM security checking for your servers? [yes] message appears. Do one of the following:

■ Type a Y, to configure the ESX module on the agent computer.

■ Type an N, the program installation continues without configuration.

To configure the ESX, ESXi, vCenter servers on the ESM agent computers

1 To add a configuration record for the server, do the following:

■ Enter the server name or IP.

■ Enter an option to choose the connection mode.
It can be either HTTP or HTTPS.

■ Press Enter to select the default port or enter a custom port.

2 Enter the logon account for the server.

See “Minimum account privileges” on page 14.

3 Enter the password for the logon account.

4 Re-type the password for confirmation.

5 The Do you want to specify a server certificate for client authentication? [yes] message appears. Do one of the following:

■ Type a Y, if you want to specify a server certificate for client authentication.
You must enter the complete path of the certificate file that must exist on your ESM agent computer. You can download the certificate file from ESX, ESXi, or vCenter server.

■ Type an N, if you do not want to specify a server certificate for client authentication.

6 The Do you want to validate the connection before saving the configuration record? [yes] message appears.

■ Type a Y, if you want to validate the connection.
If the validation is not successful, then the installation program reports an error message and the record is not added to the configuration record.


■ Type an N, if you do not want to validate the connection.

7 The Would you like to add another ESX server to configuration record? message appears.

■ Type a Y, if you want to add another server.

■ Type an N, if you want to end the installation program.

To configure for the ESX, ESXi, vCenter by using generic credentials

1 The Do you want this record to be configured to use generic credentials? [no] message appears. Do one of the following:

■ Type a Y, if you want the record to be configured to use generic credentials.
The installation program displays a warning message to configure the generic credentials if you have not yet configured them.

■ Type an N, if you do not want the record to be configured to use generic credentials.

2 The Do you want to specify a server certificate for client authentication? [yes] message appears. Do one of the following:

■ Type a Y, if you want to specify a server certificate for client authentication.
You must enter the complete path of the certificate file that must exist on your ESM agent computer.

■ Type an N, if you do not want to specify a server certificate for client authentication.

3 The Do you want to validate the connection before saving the configuration record? [yes] message appears.

■ Type a Y, if you want to validate the connection.
If the validation is not successful, then the installation program reports an error message and the record is not added to the configuration record.

■ Type an N, if you do not want to validate the connection.

4 The Would you like to add another ESX server to configuration record? message appears.

■ Type a Y, to add another server record.
If you type an N, the configuration exits, and the setup continues with the installation program. After you have created the configuration records for each ESX server, the program lists all of the configuration records.


Silently installing the ESM modules for ESX server

You can use the esmesx.tpi to install the ESM ESX module silently.

Table 2-4 lists the command line options for silently installing the ESM modules on ESX server.

Table 2-4 Options to silently install the ESM modules on ESX server

Option  Description
-h      Display Help.
-d      Display the description and contents of this tune-up/third-party package.
-i      Install this tune-up/third-party package.
-f      Force an installation of the package.
-U      Specify the ESM user name.
-e      Skip the configuration during installation.
-P      Specify the ESM user’s password.
-p      Specify the TCP port to use.
-m      Specify the ESM manager name.
-t      Connect to the ESM manager by using TCP.
-g      Specify the ESM agent name to use for re-registration.
-K      Do not prompt for nor do the re-registration of the agents.
-L      Specify the application name.
-N      Do not update the report content file on the manager.
-Y      Update the report content file on the manager.

Silently configuring the ESM modules for ESX, ESXi, vCenter server

You can use the esxsetup to silently configure the ESM modules for the server. You can find the esxsetup at /esm/bin/<OS architecture>/esxsetup.

Table 2-5 lists the options for silently configuring the ESM modules for the server.


Table 2-5 Options to silently configure the ESM modules for ESX, ESXi, vCenter server

Option  Description
-S      Specify the server host name or IP.
-M      Specify the connection mode [HTTP or https].
-p      Specify the port where the HTTP or https is configured or the connection mode will use the default ports.
-sv     Skip connection validation.
-g      If you specify this option, then the generic credentials are used to logon to the respective server.
-L      Specify the authorized logon account.
-P      Provide the password for the specified logon account.
-C      Specify the name and the path of the certificate file for client authentication. Without this certificate the client authentication will not be used.

For example,

./esxsetup -S server -M mode [-p port] [-sv] {-g | -L login -P password} [-C certpath]

Note: If you do not specify any option then ./esxsetup runs with the -h option.
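When many servers are configured silently, it helps to build each esxsetup command line from a record and to flag the weaker choices before anything runs. The following is an added example, not code from the guide or from Symantec; it uses only the options in Table 2-5, and the ServerRecord fields, function name and sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServerRecord:
    """One server to configure; each comment names the Table 2-5 option."""
    server: str                        # -S host name or IP
    mode: str = "https"                # -M connection mode
    port: Optional[int] = None         # -p (omit to use the default port)
    skip_validation: bool = False      # -sv
    generic_credentials: bool = False  # -g
    login: Optional[str] = None        # -L
    password: Optional[str] = None     # -P
    cert_path: Optional[str] = None    # -C


def build_esxsetup_argv(rec: ServerRecord,
                        binary: str = "./esxsetup") -> Tuple[List[str], List[str]]:
    """Return (argv, warnings), with options in the order of the guide's synopsis."""
    if not rec.server:
        raise ValueError("-S server is required")
    if rec.mode.lower() not in ("http", "https"):
        raise ValueError("-M mode must be HTTP or https")
    if rec.port is not None and not 1 <= rec.port <= 65535:
        raise ValueError("-p port is out of range")
    # Synopsis: {-g | -L login -P password}, so exactly one of the two forms.
    has_account = rec.login is not None or rec.password is not None
    if rec.generic_credentials and has_account:
        raise ValueError("use either -g or -L/-P, not both")
    if not rec.generic_credentials and not (rec.login and rec.password):
        raise ValueError("-L and -P are both required when -g is not used")

    # The mode is passed through in the caller's spelling (assumption: the
    # tool accepts the spellings shown in Table 2-5).
    argv = [binary, "-S", rec.server, "-M", rec.mode]
    warnings: List[str] = []
    if rec.mode.lower() == "http":
        warnings.append("HTTP mode: traffic to the server, including the logon, is not encrypted")
    if rec.port is not None:
        argv += ["-p", str(rec.port)]
    if rec.skip_validation:
        argv.append("-sv")
        warnings.append("-sv: the record is saved without a connection test")
    if rec.generic_credentials:
        argv.append("-g")
    else:
        argv += ["-L", rec.login, "-P", rec.password]
        warnings.append("-P: the password is part of the command line and may be "
                        "visible in the process list and shell history")
    if rec.cert_path:
        argv += ["-C", rec.cert_path]
    else:
        warnings.append("no -C: client authentication with a certificate will not be used")
    return argv, warnings


if __name__ == "__main__":
    # Constructed sample record; pass argv to subprocess.run(argv) to execute it.
    sample = ServerRecord(server="esx01.example.test", mode="HTTP", skip_validation=True,
                          generic_credentials=True)
    argv, warnings = build_esxsetup_argv(sample)
    print(" ".join(argv))
    for line in warnings:
        print("warning:", line)
```

Keeping the result as a list and running it without a shell avoids quoting problems with account names and passwords.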

Configuring the ESM modules for ESX, ESXi, vCenter server

You can use the esxsetup to configure the ESM modules for the server. You can find the esxsetup at /esm/bin/<OS architecture>/esxsetup.

Configuration is a method by which the Application module saves information about the servers it has to report on.

Table 2-6 lists the options to configure the ESM modules interactively.


Table 2-6 Options to configure the ESM modules for ESX, ESXi, vCenter server interactively

Option  Description
-h      Display Help.
-c      Create configuration records for the servers that should be scanned.
        Note: This option overwrites the existing configuration file.
-l      List all the configured servers.
-a      Add new configuration records for the servers that should be scanned.
-m      Modify the existing configuration records of the server.
-G      Add the configuration record for the generic credentials.
-rg     Remove the generic credential information.
-gif    Specify the file name that contains the encrypted generic credentials.
-gof    Specify the file name where you save the encrypted generic credentials.

For example,

./esxsetup : [-h | -c | -l | -a | -m | -G | -rg | -gif gen_cred_file | -gof gen_cred_file]

About types of configuration

This section gives information on the ESM agents that you can configure by adding the ESX/ESXi/vCenter server to the ESX configuration file of ESM.

You are not required to configure the ESX or ESXi servers with the ESM ESX Application Modules if they are being managed by the vCenter server provided this vCenter server is configured with the ESM ESX Application Modules.

Table 2-7 lists the types of configuration.

Table 2-7 Types of configuration

Agent OS                                Version             Support for host-based reporting  Support for network-based reporting
Red Hat Enterprise Linux (x86 and x64)  5.1, 5.2, 5.3, 5.4  No                                **Yes (Configuration required)
ESX                                     3.0.2, 3.0.3        Yes (No configuration required)   No
ESX                                     3.5, 4.0, 4.1       Yes (Configuration required)      Yes (Configuration required)

Note: ** Symantec recommends this approach.


Chapter 3: ESM Modules for ESX and ESXi servers

This chapter includes the following topics:

■ ESX Configurations

■ ESX Network

■ ESX Patches

■ ESX System

ESX Configurations

The ESX Configurations module reports the configuration information of the ESX and ESXi servers and the guest operating systems. Symantec recommends that you ensure that the server configurations and the guests comply with your security policies.

The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later versions are provided, along with their Managed Object Browser (MOB) paths, for the individual checks.

Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which is incorrect and does not reflect the correct values.


About reporting through the vCenter server

In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts is not available at vCenter server, like local users etc. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.

Guest installed

This check reports a list of guests that are installed and their configuration path if the name list is blank. If you specify a disallowed directory name in the name list, then it reports the guests that are installed under the specified directory.

The check refers to the following properties:

■ config.datastoreUrl
Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > config > datastoreUrl path to view the property.

■ summary.config
Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > summary > config > vmPathName to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-1 lists the messages for this check.

Table 3-1 Guest installed check messages

Message name      Title                 Severity
STKU_INSTLGUEST   Guest installed       Green (0)
STKU_DISALLOWDIR  Disallowed directory  Yellow (2)


Guest status

This check reports on the state and heartbeats of all the guests. The state can be powered OFF, powered ON, or suspended and the heartbeats can be Gray, Green, Yellow, or Red. On ESX 3.0.2, the heartbeats can be alive or dead.

To determine the guest status, the check refers to the runtime.powerState property.

Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > runtime > powerState to view the property.

To determine the heart beat status, the check refers to the runtime.powerState property.

Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > summary > quickStats > guestHeartbeatStatus to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-2 lists the messages for this check.

Table 3-2 Guest status check messages

Message name      Title         Severity
STKU_GUESTSTATUS  Guest status  Green (0)

Copy disabled

This check verifies if the copying operation is disabled for the guest.

The properties and conditions that the check verifies for reporting are as follows:

■ Both the isolation.tools.copy.disable and isolation.tools.copy.enable properties are not defined.

■ Either the isolation.tools.copy.disable property is set to false or the isolation.tools.copy.enable property is set to true.

■ Both the isolation.tools.copy.disable property and the isolation.tools.copy.enable property are set to false.

■ Both the isolation.tools.copy.disable property and the isolation.tools.copy.enable property are set to true.


Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.

Use the Managed Object Browser (MOB) to view the isolation.tools.copy.enable and isolation.tools.copy.disable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-3 lists the messages for this check.

Table 3-3 Copy disabled check messages

Message name  Title         Severity
STKU_COPY     Copy enabled  Yellow (2)

Paste disabled

This check verifies if the pasting operation is disabled for the guest.

The properties and conditions that the check verifies for reporting are as follows:

■ Both the isolation.tools.paste.disable and isolation.tools.paste.enable properties are not defined.

■ Either the isolation.tools.paste.disable property is set to false or the isolation.tools.paste.enable property is set to true.

■ Both the isolation.tools.paste.disable property and the isolation.tools.paste.enable property are set to false.

■ Both the isolation.tools.paste.disable property and the isolation.tools.paste.enable property are set to true.

Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.

Use the Managed Object Browser (MOB) to view the isolation.tools.paste.disable and isolation.tools.paste.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.


Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-4 lists the messages for this check.

Table 3-4 Paste disabled check messages

Message name  Title          Severity
STKU_PASTE    Paste enabled  Yellow (2)

Setinfo messages disabled

This check verifies if Setinfo messages are disabled for the guest.

The properties and conditions that the check verifies for reporting are as follows:

■ Both the isolation.tools.setinfo.disable and isolation.tools.setinfo.enable properties are not defined.

■ Either the isolation.tools.setinfo.disable property is set to false or the isolation.tools.setinfo.enable property is set to true.

■ Both the isolation.tools.setinfo.disable property and the isolation.tools.setinfo.enable property are set to false.

■ Both the isolation.tools.setinfo.disable property and the isolation.tools.setinfo.enable property are set to true.

Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.

Use the Managed Object Browser (MOB) to view the isolation.tools.setinfo.disable and isolation.tools.setinfo.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-5 lists the messages for this check.

Table 3-5 Setinfo messages disabled check messages

Message name  Title            Severity
STKU_SETINFO  Setinfo enabled  Yellow (2)


Guest time synchronization

This check verifies if time synchronization is enabled between the guest and the ESX server.

The check verifies if the config.tools.syncTimeWithHost property is set to false.

Use the Managed Object Browser (MOB) to view the config.tools.syncTimeWithHost property of the respective virtual machine. You can navigate through [VirtualMachine] > config > tools > syncTimeWithHost to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-6 lists the messages for this check.

Table 3-6 Guest time synchronization check messages

Message name   Title                        Severity
STKU_TIMESYNC  Guest time not synchronized  Yellow (2)

Guest connection control

This check reports the name of the devices that can be connected or disconnected by the guest.

To determine the set of virtual devices that are present on the guest OS, the check refers to the config.hardware.device property.

Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > config > hardware > device to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-7 lists the messages for this check.

Table 3-7 Guest connection control check messages

Message name        Title                     Severity
STKU_GUESTCONNCTRL  Guest connection control  Yellow (2)


Host time synchronization

This check verifies if the ntpd service is running on the host system. On ESX 3.0.2 and ESX 3.0.3, this check also reports if the time difference between the host and the time server exceeds the specified limit (in seconds). For the check to calculate the time difference, you must specify the time server, IP address, and time offset as IP:Offset. For example, 10.218.145.95:0.000005.

The check refers to the config.service.service["ntpd"] property to validate the presence and status of the ntpd service.

Use the Managed Object Browser (MOB) to view the config.service.service["ntpd"] property of the respective host system. You can navigate through [HostSystem] > config > service to view the property.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-8 lists the messages for this check.

Table 3-8 Host time synchronization check messages

Message name         Title             Severity
STKU_NTPDSTOPPED     ntpd not running  Yellow (2)
STKU_OFFSETEXCEEDED  Offset exceeded   Yellow (2)

Guest logging

This check verifies if the Guest logging is disabled.

The check verifies if the config.flags.enableLogging property is set to true.

Use the Managed Object Browser (MOB) to view the config.flags.enableLogging property of the respective virtual machine. You can navigate through [VirtualMachine] > config > flags > enableLogging to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-9 lists the messages for this check.

Table 3-9 Guest logging check messages

Message name       Title          Severity
STKU_GUESTLOGGING  Guest logging  Yellow (2)


VMware Tools logging

This check verifies if the VMware Tools logging is disabled.

The properties and conditions that the check verifies for reporting are as follows:

■ Both the isolation.tools.log.disable and isolation.tools.log.enable properties are not defined.

■ Either the isolation.tools.log.disable property is set to false or the isolation.tools.log.enable property is set to true.

■ Both the isolation.tools.log.disable property and the isolation.tools.log.enable property are set to false.

■ Both the isolation.tools.log.disable property and the isolation.tools.log.enable property are set to true.

Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.

Use the Managed Object Browser (MOB) to view the isolation.tools.log.disable and isolation.tools.log.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-10 lists the messages for this check.

Table 3-10 VMware Tools logging check messages

Message name         Title                 Severity
STKU_VMTOOLSLOGGING  VMware Tools logging  Yellow (2)

Guest log rotate size

This check verifies whether the log rotate size is not greater than the value that you specify in the Maximum size in KB text box.

To determine the log rotate size, the check refers to the config.extraConfig["log.rotateSize"] property.

Use the Managed Object Browser (MOB) to view the config.extraConfig["log.rotateSize"] property of the respective virtual machine.


You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-11 lists the messages for this check.

Table 3-11 Guest log rotate size check messages

Message name        Title                  Severity
STKU_LOGROTATESIZE  Guest log rotate size  Yellow (2)

Guest old log keeping

This check verifies whether the log rotate size is not greater than the value that you specify in the number of log files to keep text box.

To determine the log rotate size, the check refers to the config.extraConfig["log.keepOld"] property.

Use the Managed Object Browser (MOB) to view the config.extraConfig["log.keepOld"] property of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-12 lists the messages for this check.

Table 3-12 Guest old log keeping check messages

Message name        Title                  Severity
STKU_OLDLOGKEEPING  Guest old log keeping  Yellow (2)

Set GUI Options disabled

This check verifies if the Set GUI Options is disabled for the guest.

The properties and conditions that the check verifies for reporting are as follows:

■ Both the isolation.tools.setGUIOptions.disable and isolation.tools.setGUIOptions.enable properties are not defined.


■ Either the isolation.tools.setGUIOptions.disable property is set to false or the isolation.tools.setGUIOptions.enable property is set to true.

■ Both the isolation.tools.setGUIOptions.disable property and the isolation.tools.setGUIOptions.enable property are set to false.

■ Both the isolation.tools.setGUIOptions.disable property and the isolation.tools.setGUIOptions.enable property are set to true.

Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.

Use the Managed Object Browser (MOB) to view the isolation.tools.setGUIOptions.disable and isolation.tools.setGUIOptions.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-13 lists the messages for this check.

Table 3-13 Set GUI Options disabled check messages

Message name  Title                    Severity
STKU_SETGUI   Set GUI Options enabled  Yellow (2)
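The Copy disabled, Paste disabled, Setinfo messages disabled, VMware Tools logging and Set GUI Options disabled checks all list the same four reporting conditions over a .disable/.enable property pair. The following added example, which is not Symantec's code, applies those conditions to a virtual machine's extraConfig values; the dictionary input, function names and sample virtual machines are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Check title -> (extraConfig property prefix, message name), as listed in the guide.
CHECKS: Dict[str, Tuple[str, str]] = {
    "Copy disabled": ("isolation.tools.copy", "STKU_COPY"),
    "Paste disabled": ("isolation.tools.paste", "STKU_PASTE"),
    "Setinfo messages disabled": ("isolation.tools.setinfo", "STKU_SETINFO"),
    "VMware Tools logging": ("isolation.tools.log", "STKU_VMTOOLSLOGGING"),
    "Set GUI Options disabled": ("isolation.tools.setGUIOptions", "STKU_SETGUI"),
}


def _flag(extra_config: Dict[str, str], key: str) -> Optional[bool]:
    """Read a true/false extraConfig value; None means the key is not defined."""
    raw = extra_config.get(key)
    if raw is None:
        return None
    text = raw.strip().lower()
    if text == "true":
        return True
    if text == "false":
        return False
    raise ValueError(f"{key}: expected true or false, got {raw!r}")


def reporting_condition(extra_config: Dict[str, str], prefix: str) -> Optional[str]:
    """Return which listed condition matches, or None when none of them does."""
    disable = _flag(extra_config, prefix + ".disable")
    enable = _flag(extra_config, prefix + ".enable")
    if disable is None and enable is None:
        return "neither property is defined"
    if disable is False and enable is False:
        return "both properties are set to false"
    if disable is True and enable is True:
        return "both properties are set to true"
    if disable is False or enable is True:
        return "disable is false or enable is true"
    return None


def audit_vm(name: str, extra_config: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (vm, message name, check title, matched condition) per reported check."""
    findings = []
    for title, (prefix, message) in CHECKS.items():
        reason = reporting_condition(extra_config, prefix)
        if reason is not None:
            findings.append((name, message, title, reason))
    return findings


# Constructed sample data: three virtual machines and their extraConfig values.
_ALL_DISABLED = {prefix + ".disable": "true" for prefix, _ in CHECKS.values()}
SAMPLE_VMS: Dict[str, Dict[str, str]] = {
    "hardened-vm": dict(_ALL_DISABLED),
    "default-vm": {},
    "mixed-vm": {**_ALL_DISABLED,
                 "isolation.tools.copy.enable": "true",
                 "isolation.tools.paste.disable": "FALSE"},
}

if __name__ == "__main__":
    for vm_name, config in SAMPLE_VMS.items():
        for finding in audit_vm(vm_name, config):
            print("%s  %-20s %-26s %s" % finding)
```

Under these conditions the only pair that is never reported has .disable set to true while .enable is false or not defined, which is why a virtual machine with no isolation.tools settings at all appears in every one of the five checks.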

Host config option parameters

This check reports the unauthorized values for the configuration parameters that are specified in the enabled ESX/ESXi Host Configuration Parameters template. This check is not supported on ESX 3.0.2 and ESX 3.0.3 servers.

Table 3-14 lists the messages for this check.

Table 3-14 Host config option parameters messages

Message name                      Title                                                Severity
ESM_ESX_CONFIG_OPT_GREEN_LEVEL    Unauthorized configuration parameter (Green level)   Green (0)
ESM_ESX_CONFIG_OPT_YELLOW_LEVEL   Unauthorized configuration parameter (Yellow level)  Yellow (2)
ESM_ESX_CONFIG_OPT_RED_LEVEL      Unauthorized configuration parameter (Red level)     Red (4)
ESM_ESX_CONFIG_OPT_NOT_FOUND      Configuration parameter not found                    Yellow (2)
ESM_ESX_CONFIG_OPT_NOT_SUPPORTED  Unsupported configuration parameter                  Green (0)

For more information on the template, see Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.

NX/XD flag exposed to guest

This check verifies if the NX flag is exposed to the guest OS.

The check verifies the CPUID identification mask structures. The check assesses the CPUID identification mask that has its level set as -2147483647 (Hex value 0x80000001). The check reports a violation message if the structure does not have the 20th MSB of the edx register set to value ‘1’ or ‘H’. The check does not report any violation message, if it finds the cpuFeatureMask property not set. By default, the NX/XD flag is exposed to the guest OS.

Use the Managed Object Browser (MOB) to view the cpuFeatureMask property for the virtual machine. You can navigate through [Virtual Machine] > config > cpuFeatureMask to view the property.

Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.

Table 3-15 lists the messages for this check.

Table 3-15 NX/XD flag exposed to guest messages

Message name                    Title                                  Severity
ESM_ESX_NX_XD_FLAD_NOT_EXPOSED  NX/XD flag hidden from guest OS        Yellow (2)
ESM_ESX_NX_XD_FLAD_EMPTY_VAL    NX/XD flag set to implicit empty value  Green (0)
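The level value and the edx test described for this check can be reproduced by hand on a cpuFeatureMask entry copied from the MOB. The following is an added example, not the module's code. It assumes that the register mask is a 32-character string written most significant bit first with optional colons, it reads the guide's "20th MSB" as EDX bit 20 (the NX/XD bit of CPUID leaf 0x80000001), and it assumes that an empty edx value is what produces the empty-value message; the sample masks are constructed.

```python
from typing import Dict, List, Optional

NX_LEVEL = 0x80000001  # shown as the signed 32-bit value -2147483647
NX_EDX_BIT = 20        # NX/XD bit in EDX of CPUID leaf 0x80000001


def level_as_unsigned(level: int) -> int:
    """Convert the signed 32-bit level to the usual hexadecimal CPUID leaf."""
    return level & 0xFFFFFFFF


def mask_char(register_mask: str, bit: int) -> str:
    """Return the mask character for a bit (assumed layout: bit 31 first)."""
    chars = register_mask.replace(":", "")
    if len(chars) != 32:
        raise ValueError("register mask must describe exactly 32 bits")
    return chars[31 - bit]


def nx_flag_message(cpu_feature_mask: Optional[List[Dict[str, object]]]) -> Optional[str]:
    """Return the message name to report, or None when nothing is reported."""
    for entry in cpu_feature_mask or []:  # property not set: no violation
        if level_as_unsigned(int(entry["level"])) != NX_LEVEL:
            continue
        edx = str(entry.get("edx") or "")
        if not edx:
            # Assumption: an empty edx mask maps to the empty-value message.
            return "ESM_ESX_NX_XD_FLAD_EMPTY_VAL"
        if mask_char(edx, NX_EDX_BIT) in ("1", "H"):
            return None
        return "ESM_ESX_NX_XD_FLAD_NOT_EXPOSED"
    return None


# Constructed sample entries in the shape of the cpuFeatureMask property.
NX_EXPOSED = [{"level": -2147483647, "edx": "----:----:---H:----:----:----:----:----"}]
NX_HIDDEN = [{"level": -2147483647, "edx": "----:----:---0:----:----:----:----:----"}]
OTHER_LEAF = [{"level": 1, "edx": "----:----:---0:----:----:----:----:----"}]

if __name__ == "__main__":
    print(hex(level_as_unsigned(-2147483647)))
    for label, mask in (("exposed", NX_EXPOSED), ("hidden", NX_HIDDEN),
                        ("other leaf", OTHER_LEAF), ("not set", None)):
        print(label, "->", nx_flag_message(mask))
```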


ESX Network

The ESX Network module reports information about the network configuration of the ESX and ESXi servers. It lets you verify if these servers are compliant with your security standards.

The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later versions are provided, along with their Managed Object Browser (MOB) paths, for the individual checks.

Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which is incorrect and does not reflect the correct values.

About reporting through the vCenter server

In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts is not available at vCenter server, like local users etc. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.

iSCSI enabled

This check verifies if iSCSI is enabled on the host system.

To determine if iSCSI is enabled on the host system, the check refers to the softwareInternetScsiEnabled property.

Use the Managed Object Browser (MOB) to view the config.storageDevice.softwareInternetScsiEnabled property for the host system. You can navigate through [HostSystem] > config > storageDevice > softwareInternetScsiEnabled to view the property.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-16 lists the messages for this check.


Table 3-16 iSCSI enabled check messages

Message name        Title           Severity
STKU_ISCSIDISABLED  iSCSI disabled  Yellow (2)

iSCSI CHAP authentication

This check verifies that if iSCSI is enabled on the host system then iSCSI CHAP authentication should also be enabled.

To determine if the iSCSI CHAP authentication is enabled on the host system, the check refers to the hostBusAdapter["key-vim.host.InternetScsiHba-*"] and chapAuthEnabled properties of the host system.

Use the Managed Object Browser (MOB) to view the authentication and chapAuthEnabled properties of the respective iSCSI storage device on the host system. You can navigate through [HostSystem] > config > storageDevice > hostBusAdapter["key-vim.host.InternetScsiHba-*"] > authenticationProperties > chapAuthEnabled to view the property.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-17 lists the messages for this check.

Table 3-17 iSCSI CHAP authentication check messages

Message name            Title                Severity
STKU_ISCSICHAPDISABLED  iSCSI CHAP disabled  Yellow (2)
STKU_ISCSIDISABLED      iSCSI disabled       Yellow (2)

MAC address changes

This check verifies if the MAC address change is not set to Accept.

The check verifies that for every vSwitch and every port group the security policy for MAC address changes is not set to Accept.

To determine the policy for MAC address change, the check refers to the following properties:

■ config.network.portgroup[ ].computedPolicy.security.macChanges

■ config.network.vswitch[ ].computedPolicy.security.macChanges


Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[] > computedPolicy > security > macChanges and [HostSystem] > config > network > vswitch[ ] > spec > policy > security > macChanges to view the properties.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-18 lists the messages for this check.

Table 3-18 MAC address changes check messages

Severity | Title | Message name
Yellow (2) | MAC address changes accepted | STKU_MACADDRCHANGS

Forged transmission

This check verifies if the Forged transmission is not set to Accept.

The check verifies that for every vSwitch and every port group the security policy for Forged transmission is not set to Accept.

To determine the policy for Forged transmission, the check refers to the following properties:

■ config.network.portgroup[ ].computedPolicy.security.forgedTransmits

■ config.network.vswitch[ ].computedPolicy.security.forgedTransmits

Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[] > computedPolicy > security > forgedTransmits and [HostSystem] > config > network > vswitch[ ] > spec > policy > security > forgedTransmits to view the properties.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-19 lists the messages for this check.

Table 3-19 Forged transmission check messages

Severity | Title | Message name
Yellow (2) | Forged transmission accepted | STKU_FORGEDTRANS


Promiscuous mode

This check verifies if the Promiscuous mode is not set to Accept.

The check verifies that for every vSwitch and every port group the security policy for Promiscuous mode is not set to Accept.

To determine the policy for Promiscuous mode, the check refers to the following properties:

■ config.network.portgroup[ ].computedPolicy.security.allowPromiscuous

■ config.network.vswitch[ ].computedPolicy.security.allowPromiscuous

Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[] > computedPolicy > security > allowPromiscuous and [HostSystem] > config > network > vswitch[] > spec > policy > security > allowPromiscuous to view the properties.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-20 lists the messages for this check.

Table 3-20 Promiscuous mode check messages

Severity | Title | Message name
Yellow (2) | Promiscuous mode accepted | STKU_PROMISCUOUS
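
The MAC address changes, Forged transmission and Promiscuous mode checks all read the same security policy object, so they can be evaluated in one pass. The following is an added example, not Symantec ESM code: it audits a plain dict shaped like the host's config.network data and returns the message names from Tables 3-18 to 3-20. Assumptions: the sample data is constructed, a vSwitch entry is read from spec.policy.security (the MOB path given above) when it has no computedPolicy, and UNVERIFIED is this example's own label rather than an ESM message.

```python
# Added example (not Symantec ESM code): offline audit of the vSwitch and
# port group security policies covered by Tables 3-18, 3-19 and 3-20.

# Policy property -> ESM message name, as listed in the guide.
POLICY_MESSAGES = {
    "macChanges": "STKU_MACADDRCHANGS",
    "forgedTransmits": "STKU_FORGEDTRANS",
    "allowPromiscuous": "STKU_PROMISCUOUS",
}


def _dig(node, *keys):
    """Walk nested dicts and return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _security_policy(entry):
    """Prefer the effective policy (computedPolicy), else spec.policy."""
    return (_dig(entry, "computedPolicy", "security")
            or _dig(entry, "spec", "policy", "security")
            or {})


def audit_network_security(network):
    """Return findings as (message, object_type, object_name, property)."""
    findings = []
    for object_type in ("vswitch", "portgroup"):
        for entry in network.get(object_type) or []:
            name = entry.get("name") or _dig(entry, "spec", "name") or "<unnamed>"
            policy = _security_policy(entry)
            for prop, message in POLICY_MESSAGES.items():
                value = policy.get(prop)
                if value is True:  # True is what the client shows as Accept
                    findings.append((message, object_type, name, prop))
                elif value is None:
                    # Assumption of this example: a value that cannot be
                    # read is flagged for review, never counted as a pass.
                    findings.append(("UNVERIFIED", object_type, name, prop))
    return findings


# Constructed sample shaped like HostSystem > config > network.
SAMPLE_NETWORK = {
    "vswitch": [
        {"name": "vSwitch0",
         "spec": {"policy": {"security": {
             "allowPromiscuous": False, "macChanges": True,
             "forgedTransmits": True}}}},
    ],
    "portgroup": [
        # Inherits the permissive vSwitch0 settings.
        {"spec": {"name": "VM Network"},
         "computedPolicy": {"security": {
             "allowPromiscuous": False, "macChanges": True,
             "forgedTransmits": True}}},
        # Overrides every setting to Reject.
        {"spec": {"name": "Management"},
         "computedPolicy": {"security": {
             "allowPromiscuous": False, "macChanges": False,
             "forgedTransmits": False}}},
        # forgedTransmits is absent, so it is reported as UNVERIFIED.
        {"spec": {"name": "Sniffer"},
         "computedPolicy": {"security": {
             "allowPromiscuous": True, "macChanges": False}}},
    ],
}

if __name__ == "__main__":
    for finding in audit_network_security(SAMPLE_NETWORK):
        print(*finding, sep="  ")
```

Because a port group's computed policy already reflects what it inherits from its vSwitch, a permissive vSwitch setting shows up once for the switch and once for every port group that does not override it.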

Service console firewall

This check verifies the service console firewall security level. This check reports only on the ESX hosts.

The security levels are as follows:

■ HIGH - By default, the incoming and the outgoing ports are blocked.

■ MEDIUM - Incoming ports are blocked, but outgoing ports are not blocked by default or vice versa.

■ LOW - By default, the incoming and the outgoing ports are not blocked.

The check verifies if the config.firewall.defaultPolicy property is set to true.

Use the Managed Object Browser (MOB) to view the config.firewall.defaultPolicy property of the respective host system. You can navigate through [HostSystem] > config > firewall > defaultPolicy to view the property.


Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-21 lists the messages for this check.

Table 3-21 Service console firewall messages

Severity | Title | Message name
Green (0) | Service console firewall | STKU_SVCCONSFIREWALL_G
Yellow (2) | Service console firewall | STKU_SVCCONSFIREWALL_Y
Red (4) | Service console firewall | STKU_SVCCONSFIREWALL_R

Port groups in VLAN

This check verifies if the port groups are in the same VLAN ID as you specify in the template.

The check verifies that for every port group that is found on the host system and whose entry exists in the template, the vlanid or the vSwitch name or both that you specify in the template should match.

Use the Managed Object Browser (MOB) to view the config.network.vswitch property of the respective host system. You can navigate through [HostSystem] > config > network > vswitch to view the property.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-22 lists the messages for this check.

Table 3-22 Port groups in VLAN messages

Severity | Title | Message name
Yellow (2) | Port groups in VLAN | STKU_PORTGROUPSINVLAN
Red (4) | No template specified | STKU_NOTEMPLATEFILE

See “Templates” on page 10.

SNMP traps setting

If you specify zero in the SNMP service disabled/enabled text box, then the check verifies whether the SNMP traps setting is disabled. If you specify a value, which is greater than zero, then the check verifies that if SNMP is in use, then either at least one trap destination must be configured or the trap destinations are acceptable or both. Use the name list to provide the list of acceptable trap destinations in either of the following formats:

■ hostname@port/community

■ hostname/community

■ hostname

This check does not report through vCenter servers.

For more information on the issue, see Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.

Table 3-23 lists the messages for this check.

Table 3-23 SNMP traps setting messages

Severity | Title | Message name
Red (4) | SNMP service is enabled | ESM_ESX_SNMP_NOT_DISABLED
Red (4) | SNMP trap destination not configured | ESM_ESX_SNMP_DEST_NOT_SET
Red (4) | Unauthorized SNMP trap destination | ESM_ESX_UNAUTHORISED_TRAP_DEST
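
The three name-list formats and the decision the SNMP traps setting check describes can be expressed as a small parser plus a comparison. This is an added example, not Symantec ESM code. Assumptions: a field omitted from an acceptable entry matches any value, a configured destination without a port uses UDP 162, an empty name list means only the "at least one destination" condition is tested, and all host names are constructed.

```python
import re

# Added example (not Symantec ESM code). The three name-list formats from the
# guide: hostname@port/community, hostname/community, hostname.
_DEST_RE = re.compile(
    r"^(?P<host>[^@/\s]+)"
    r"(?:(?:@(?P<port>\d{1,5}))?/(?P<community>\S+))?$"
)
DEFAULT_TRAP_PORT = 162  # standard UDP port for SNMP traps


def parse_trap_destination(text):
    """Return (host, port or None, community or None); ValueError if malformed."""
    match = _DEST_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised trap destination: {text!r}")
    port = int(match["port"]) if match["port"] else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in: {text!r}")
    return match["host"].lower(), port, match["community"]


def _is_acceptable(dest, allow_list):
    """Assumption: a field left out of an allow-list entry is a wildcard."""
    host, port, community = dest
    return any(
        host == a_host and a_port in (None, port) and a_comm in (None, community)
        for a_host, a_port, a_comm in allow_list
    )


def check_snmp_traps(setting, snmp_enabled, configured, acceptable):
    """Return the (message name, detail) pairs the check would report."""
    if setting == 0:
        return [("ESM_ESX_SNMP_NOT_DISABLED", "")] if snmp_enabled else []
    if not snmp_enabled:
        return []
    if not configured:
        return [("ESM_ESX_SNMP_DEST_NOT_SET", "")]
    allow_list = [parse_trap_destination(entry) for entry in acceptable]
    findings = []
    for raw in configured:
        try:
            host, port, community = parse_trap_destination(raw)
        except ValueError:
            # A destination that cannot be parsed cannot be matched either.
            findings.append(("ESM_ESX_UNAUTHORISED_TRAP_DEST", raw))
            continue
        dest = (host, port or DEFAULT_TRAP_PORT, community)
        if allow_list and not _is_acceptable(dest, allow_list):
            findings.append(("ESM_ESX_UNAUTHORISED_TRAP_DEST", raw))
    return findings


# Constructed name list and host configuration (hypothetical hosts).
ACCEPTABLE = [
    "nms1.example.test@162/esx-traps",
    "nms2.example.test/esx-traps",
    "nms3.example.test",
]
CONFIGURED = [
    "nms1.example.test@162/esx-traps",   # exact match
    "NMS2.example.test@1162/esx-traps",  # allowed: entry has no port
    "nms3.example.test/anything",        # allowed: entry is host only
    "rogue.example.test@162/public",     # host not in the name list
    "nms1.example.test@162/public",      # right host, wrong community
]

if __name__ == "__main__":
    for message, detail in check_snmp_traps(1, True, CONFIGURED, ACCEPTABLE):
        print(message, detail)
```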

ESX Patches

The ESX patches module reports non-compliance with the patch information contained in the ESX Patches (esxpatch.elx) and in the ESXi Patch (esxpatch.ilx) templates. The information includes patch ID, patch release date, revision, and description. You can use the name list to specify the template files that are to be included for the check. You must verify that all current patches are installed on your ESX and ESXi servers. The ESX Patches template includes ESX Patches that have been released on or before June 25, 2010.

This module runs in the host-based mode on the ESX server versions 3.0.2, 3.0.3, 3.5.x, and 4.0.x. For the module to report correctly on ESX 3.5.x and 4.0.x, you must have the latest version of the esxupdate utility that supports –a option installed on the host system. The –a option lists the latest patches that are found on the host.

The –a option is specific to ESX server 4.0. The –a option reports the patches that are up to date or obsolete as our template cannot differentiate between them. However, not all versions of ESX 4.0 support this option and so a user must ensure that the latest version of the esxupdate utility comes with the –a option.

The properties that are referred by the ESM ESX modules for the ESX and ESXi 3.5 or later versions along with their Managed Object Browser (MOB) paths have been provided for the individual checks.

Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which is incorrect and does not reflect the correct values.

About reporting through the vCenter server

In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.

Patch templates

This check lets you enable or disable the template files that the ESX Patches module uses to check agent systems.

Table 3-24 lists the messages for this check.

Table 3-24 Patch templates messages

Severity | Title | Message name
Red (4) | No applicable template files specified | ESM_NO_TEMPLATE_SPECIFIED
Green (0) | Patch not installed | STKU_PATCHNOTINS0
Yellow (2) | Patch not installed | STKU_PATCHNOTINS1
Yellow (2) | Patch not installed | STKU_PATCHNOTINS2
Red (4) | Patch not installed | STKU_PATCHNOTINS3
Red (4) | Patch, Superseded patch not installed | STKU_PATCHNOTINS4
Green (0) | Forbidden patch found | ESM_FORBIDDEN_PATCH_0
Yellow (2) | Forbidden patch found | ESM_FORBIDDEN_PATCH_1
Yellow (2) | Forbidden patch found | ESM_FORBIDDEN_PATCH_2
Red (4) | Forbidden patch found | ESM_FORBIDDEN_PATCH_3
Yellow (2) | Patch not available | STKU_PATCHNOTAVAIL2
Red (4) | Patch not available | STKU_PATCHNOTAVAIL3
Yellow (2) | Patch not available | STKU_PATCHNOTAVAIL4
Red (4) | Patch not available | STKU_PATCHNOTAVAIL5

Superseded

This check reports a patch and its superseding patches if a particular patch and its superseding patches are not installed on the host system.

Table 3-25 lists the messages for this check.

Table 3-25 Superseded messages

Severity | Title | Message name
Yellow (2) | Superseded patch not installed | ESM_SUPERSEDED_PATCH_NOT_INSTALLED
Yellow (2) | Optional patch supersedes nothing | ESM_OPTIONAL_PATCH_NO_SUPERSEDE

Disable patch module

When you select this check, no checks in the ESX patches module are executed and the module reports a message, No problems found. Enable this check to save time, if you recently ran the ESX patches module.

In the ESX Patches module there are a few dotted checks that are selected by default and cannot be disabled. When you run the ESX Patches module without selecting any checks, then the dotted checks, which are template based, compare the list of installed patches on the host with the values that you specify in the template. If you disable the template, then an error message is reported. To avoid this situation, you can use the Disable Patch module check.

Table 3-26 lists the messages for this check.

Table 3-26 Disable patch module message

Severity | Title | Message name
Green (0) | Disable patch module | X

Patch results summary

This check, when enabled, lists the following:

■ Total number of available patches: Includes the patches that apply to this operating system, architecture, and ESX server version.

■ Checked patches: Includes the patches that apply and have not been skipped. Patches can be skipped due to an unsatisfied sublist condition or when they apply to an application that is not installed.

■ Missing patches: Includes the patches that were supposed to be installed on the system, but are not present.

■ Forbidden patches: Includes the patches that are present, but are not allowed.

Table 3-27 lists the messages for this check.

Table 3-27 Patch results summary messages

Severity | Title | Message name
Green (0) | Patch results summary | ESM_PATCH_SUMMARY

Installed Patches

This check lets you view all the installed patches that ESM checks.

Table 3-28 lists the messages for this check.

Table 3-28 Installed Patches messages

Severity | Title | Message name
Green (0) | Installed patches | ESM_INSTALLED_PATCH


ESXi updates

Enable this check to select the appropriate template to verify if the ESXi host system is patched with the latest patch updates.

Table 3-29 lists the messages for this check.

Table 3-29 ESXi updates messages

Severity | Title | Message name
Red (0) | No applicable template files specified | ESM_NO_TEMPLATE_SPECIFIED
Red (4) | ESXi patch not installed | ESM_ESXI_PATCH_NOT_INSTALLED
Green (0) | Patch installed | ESM_INSTALLED_PATCH

For more information on the template, see Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.

ESX System

The ESX System module reports information about the ESX and ESXi servers access configuration, server logs, and available storage space.

The properties that are referred by the ESM ESX modules for the ESX and ESXi 3.5 or later versions along with their Managed Object Browser (MOB) paths have been provided for the individual checks.

Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which is incorrect and does not reflect the correct values.

About reporting through the vCenter server

In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.

GRUB OS level password

This check verifies if the GRUB boot loader password is enabled on the host system for every operating system that is present in the GRUB boot menu. This check operates only in the host-based mode.

Table 3-30 lists the messages for this check.

Table 3-30 GRUB OS level password messages

Severity | Title | Message name
Yellow (2) | GRUB OS level password | STKU_BOOTPASSWORD_GRUB_OSLEVEL

Boot loader password

This check verifies if the GRUB boot loader password is enabled on the host system. This check operates only in the host-based mode.

Table 3-31 lists the messages for this check.

Table 3-31 Boot loader password messages

Severity | Title | Message name
Yellow (2) | Boot loader password | STKU_BOOTPASSWORD

Root file system fill up

This check reports the percentage of available disk space in every disk partition only if the value that you specify is zero.

In the Used% text box, if you specify a value, which is greater than zero, then the check reports the disk partitions that have more disk space than the value that you specify. This check operates only in the host-based mode.

Table 3-32 lists the messages for this check.

Table 3-32 Root file system fill up messages

Severity | Title | Message name
Green (0) | Disk free | STKU_DISKFREE
Red (4) | Low disk space | STKU_DISKSPACELOW

Roles and privileges

This check reports the roles and privileges that are granted to a user or a group. Use the name list to include or exclude the users. This check does not report through the vCenter servers.

Use the Managed Object Browser (MOB) to view the list of roles and privileges. You can use the managed object reference to Authorization Manager and invoke its RetrieveAllPermissions method with appropriate values. You can navigate through authorizationManager > Permission[] > RetrieveAllPermissions to view the property.

Table 3-33 lists the messages for this check.

Table 3-33 Roles and privileges messages

Severity | Title | Message name
Green (0) | Roles and privileges | STKU_ROLESANDPRIV
Green (0) | Role assigned to user | STKU_USERWITHROLE
Green (0) | Role assigned to group | STKU_GROUPWITHROLE
Green (0) | User defined role | STKU_USERDEFINEDROLE

SU PAM Authentication

This check reports whether non-wheel group members have 'su' access. It also reports if the wheel group members are trusted implicitly without passwords. This check operates only in the host-based mode.

Table 3-34 lists the messages for this check.

Table 3-34 SU PAM Authentication messages

Severity | Title | Message name
Yellow (2) | SU PAM Authentication | STKU_PAMAUTH


ESX log auditing

This check audits the ESX log files to report the match that it finds based on the value that you specify in the template. If you select the Execute on vCenter check along with the ESX Log auditing check, then the ESX Log auditing check also retrieves individual log files for the host systems that are registered with the vCenter server. However, it may affect the performance of the checks.

You can use the managed object reference to Diagnostic Manager and invoke its BrowseDiagnosticLog method with appropriate values. You can navigate through diagnosticManager > DiagnosticManagerLogHeader BrowseDiagnosticLog to view the property.

Table 3-35 lists the messages for this check.

Table 3-35 ESX log auditing messages

Severity | Title | Message name
Yellow (2) | ESX log auditing | STKU_LOGAUDIT_Y
Green (0) | ESX log auditing | STKU_LOGAUDIT_G
Red (4) | ESX log auditing | STKU_LOGAUDIT_R
Red (4) | No template specified | STKU_NOTEMPLATE

See “Templates” on page 10.

Execute on vCenter

Enable this check to execute the supported checks on vCenter server. This check may increase the turnaround time of the policy execution.

Lockdown mode

This check verifies if the lockdown mode is enabled for an ESXi host system. This check operates only on the vCenter server wherein the check reports on the ESXi server's lockdown mode property if the module is connected through the vCenter server.

The check verifies if the config.adminDisabled property is set to true.

Use the Managed Object Browser (MOB) to view the config.adminDisabled property of the respective host system. You can navigate through [HostSystem] > config > adminDisabled to view the property.


Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-36 lists the messages for this check.

Table 3-36 Lockdown mode messages

Severity | Title | Message name
Red (4) | Lockdown mode not enabled | STKU_ESX_HOST_LOCKDOWN_MODE

Local accounts only

This check works only with the Shell access check. This check filters the NIS and the LDAP users that are reported by the Shell access check when run on the host-based mode. This check is supported only on ESX 3.0.2 or 3.0.3 servers.

Shell access

This check reports if the option, Grant shell access to this user, is set for the user. Use the name list to include or exclude the users. This check also reports on the NIS and the LDAP users that are configured on the host. In the network-based mode the check reports only on the local accounts that are present in the /etc/password file. When this check is run in the host-based mode along with the Local accounts only check, then the Shell access check reports only on the local accounts that are listed in the /etc/password file. This check does not report through vCenter servers.

See “Local accounts only” on page 49.

You can use the managed object reference to User Directory and invoke its RetrieveUserGroups method with appropriate values. You can navigate through userDirectory > UserSearchResult[] > RetrieveUserGroups to view the property.

Table 3-37 lists the messages for this check.

Table 3-37 Shell access messages

Severity | Title | Message name
Yellow (2) | Shell access | STKU_SHELLACCESS

Maintenance mode

This check verifies if the Maintenance mode is disabled.


The check verifies if the runtime.inMaintenanceMode property is set to false. This check is not supported on ESX 3.0.2 and ESX 3.0.3 servers.

Use the Managed Object Browser (MOB) to view the runtime.inMaintenanceMode property of the respective host system. You can navigate through [HostSystem] > runtime > inMaintenanceMode to view the property.

Note: [HostSystem] is the Managed Object Reference to a host system.

Table 3-38 lists the messages for this check.

Table 3-38 Maintenance mode messages

Severity | Title | Message name
Yellow (2) | Maintenance mode is enabled | STKU_ESX_HOST_MAINTENANCE_MODE

List users and groups

This check reports all the local users and groups that are present on the host. Use the name list to include or exclude the users and the groups for the check to report on. This check does not report through the vCenter servers.

Use the Managed Object Browser (MOB) to view the list of roles and privileges. You can use the managed object reference to User Directory and invoke its RetrieveUserGroups method with appropriate values.

Table 3-39 lists the messages for this check.

Table 3-39 List users and groups messages

Severity | Title | Message name
Green (0) | Local user | STKU_ESX_LOCAL_USER
Yellow (2) | Local group | STKU_ESX_LOCAL_GROUP
