vSphere Hardening Guide: Console OS Configuration Revision B: Public draft (January 2010)

Console Network Protection

ESX includes a built-in firewall between the service console and the network. To ensure the integrity of the service console, VMware has reduced the number of firewall ports that are open by default. At installation time, the service console firewall is configured to block all incoming and outgoing traffic except for ports 902, 80, 443, and 22, which are used for basic communication with ESX. This setting enforces a high level of security for the ESX host. Medium Security blocks all incoming traffic except on the default ports (902, 443, 80, and 22) and any ports users specifically open; outgoing traffic is not blocked. Low Security does not block either incoming or outgoing traffic; this setting is equivalent to removing the firewall. Because the ports open by default on the ESX host are strictly limited, additional ports may need to be opened after installation for third-party applications such as management, storage, NTP, etc. For instance, a backup agent may use specific ports such as 13720, 13724, 13782, and 13783. The list of ports used by ESX may be found in this KB article: http://kb.vmware.com/kb/1012382
Configuration Element / Description
Code Number: CON01
Name: Ensure ESX Firewall is configured to High Security
Description: ESX Server includes a built-in firewall between the service console and the network. A High Security setting disables all outbound traffic and only allows selected inbound traffic.
Risk or Control: Prevention of network-based exploits
Recommendation Level: Enterprise
Parameters or objects configuration:
The following commands configure High Security on the firewall:
esxcfg-firewall --blockIncoming
esxcfg-firewall --blockOutgoing
Test: Ensure that outbound connections are blocked and only selected inbound connections are allowed.
Configuration Element / Description
Code Number: CON02
Name: Limit network access to applications and services
Description: As a security best practice, disabling and removing services and applications that aren't required is advisable. The ESX Service Console, by default, has a number of available services that should be disabled unless required for business. Also, ensure limited use of external software within the service console. Examples of additional software that may be acceptable to run in the service console would be management and backup agents.
For more information and recommendations on running third-party software in the service console, see http://www.vmware.com/vmtn/resources/516
Risk or Control: Prevention of network-based exploits
Recommendation Level: Enterprise
Parameters or objects configuration:
All services not required explicitly for business purposes should be disabled.
Test: Run the "esxcfg-firewall --query" command to determine what services are enabled. To disable a service, execute the "esxcfg-firewall -d <servicename>" command.
Console Management

Although the ESX Service Console is derived from Red Hat Linux, it is a unique operating platform that should not be managed as a true Linux host. As such, the Service Console should be managed according to VMware and other virtualization security best practices, which may differ from many well-known Linux-focused best practices in some ways.

If you follow the best practice of isolating the network for the service console, there is no reason to run any antivirus or other such security agents, and their use is not necessarily recommended. However, if your environment requires that such agents be used, use a version designed to run on Red Hat Enterprise Linux 3, Update 6.
Operational Element / Description
Code Number: COM01
Name: Do not apply Red Hat patches to the Service Console
Description: Although the ESX Service Console is derived from Red Hat Linux, it is important that you not treat the service console like a Linux host when it comes to patching. Never apply patches issued by Red Hat or any other third-party vendor.
Risk or Control: The service console is generated from a Red Hat Linux distribution that has been modified to provide exactly the functionality necessary to communicate with and allow management of the VMkernel. Any additional software installed should not make assumptions about what RPM packages are present, nor that the software can modify them. In several cases, the packages that do exist have been modified especially for ESX.
Recommendation Level: Enterprise
Condition or steps: Apply only patches that are published by VMware specifically for the versions of ESX that you have in use. These are published for download periodically, as well as on an as-needed basis for security fixes. You can receive notifications for security-related patches by signing up for email notifications at http://www.vmware.com/security.
Operational Element / Description
Code Number: COM02
Name: Do not rely upon tools that only check for Red Hat patches
Description: You should never use a scanner to analyze the security of the service console unless the scanner is specifically designed to work with your version of ESX.
Risk or Control: Scanners that assume the service console is a standard Red Hat Linux distribution routinely yield false positives. These scanners typically look only for strings in the names of software, and therefore do not account for the fact that VMware releases custom versions of packages with special names when providing security fixes. Because these special names are unknown to the scanners, they flag them as vulnerabilities when in reality they are not.
Recommendation Level: Enterprise
Condition or steps: You should use only scanners that specifically treat the ESX service console as a unique target. For more information, see the section "Security Patches and Security Vulnerability Scanning Software" in the chapter "Service Console Security" of the ESX Server 4 Configuration Guide.
Operational Element / Description
Code Number: COM03
Name: Do Not Manage the Service Console as a Red Hat Linux Host
Description: The usual redhat-config-* commands are not present, nor are other components such as the X server.
Risk or Control: Attempts to manage the Service Console as a typical Red Hat Linux host could result in misconfigurations that affect security, including availability.
Recommendation Level: Enterprise
Condition or steps: Manage the Service Console using purpose-built commands, such as vmkfstools and the esxcfg-* commands.
Operational Element / Description
Code Number: COM04
Name: Use vSphere Client and vCenter to Administer the Hosts Instead of Service Console
Description: The best measure to prevent security incidents in the service console is to avoid accessing it if at all possible. You can perform many of the tasks necessary to configure and maintain the ESX host using the vSphere Client, either connected directly to the host or, better yet, going through vCenter. Another alternative is to use a remote scripting interface, such as the VI Perl Toolkit or the remote command line interface (Remote CLI). These interfaces are built on the same API that vSphere Client and vCenter use, so any script using them automatically enjoys the same benefits of authentication, authorization, and auditing.
Risk or Control: M:H and M:AG
Recommendation Level: Enterprise
Condition or steps: Security policies and processes should be written to require the use of the remote API-based tools wherever possible. Accounts with direct service console access should be limited to the minimum number of administrators possible.
Some advanced tasks, such as initial configuration for password policies, cannot be performed via the vSphere Client. For these tasks, you must log in to the service console. Also, if you lose your connection to the host, executing certain of these commands through the command line interface may be your only recourse—for example, if the network connection fails and you are therefore unable to connect using vSphere Client.
Console Password Policies

Configuration Element / Description
Code Number: COP01
Name: Use a Directory Service for Authentication
Description: Advanced configuration and troubleshooting of an ESX host may require local privileged access to the service console. For these tasks, you should set up individual host-localized user accounts and groups for the few administrators with overall responsibility for your virtual infrastructure. Ideally, these accounts should correspond to real individuals and not be accounts shared by multiple people. Although you can create on the service console of each host local accounts that correspond to each global account, this presents the problem of having to manage user names and passwords in multiple places. It is much better to use a directory service, such as NIS or LDAP, to define and authenticate users on the service console, so you do not have to create local user accounts.
Risk or Control: Low
Access Vector is the management network (AV:A/AC:L:Au:S/C:?/I:?/A:?)
Recommendation Level: Enterprise
Parameters or objects configuration:
In the default installation, ESX 3.5-4.0 cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users. In other words, you can define individual user accounts on the host, then use the local Active Directory domain to manage the passwords and account status. You must create a local account for each user that requires local access on the service console. This should not be seen as a burden; in general, only relatively few people should have access to the service console, so it is better that the default is for no one to have access unless you have created an account explicitly for that user.
AD, NIS, Kerberos, and LDAP are all supported directory services. Authentication on the service console is controlled by the command esxcfg-auth. You can find information on this command in its man page. Type man esxcfg-auth at the command line when logged in to the service console. For information on authentication with Active Directory, see the technical note at http://www.vmware.com/vmtn/resources/582.
It is also possible to use third-party packages, such as Winbind or Centrify, to provide tighter integration with Active Directory. Consult the documentation for those solutions for guidance on how to deploy them securely.
Test: The esxcfg-auth --probe command will list all of the files that are generated and edited by the esxcfg-auth command. The entries in those files will be different depending on which authentication mechanism you choose.
Configuration Element / Description
Code Number: COP02
Name: Establish a Password Policy for Password Complexity
Description: These controls ensure that users create passwords that are hard for password generators to determine. Instead of using words, a common technique for ensuring password complexity is to use a memorable phrase, then derive a password from it—for example, by using the first letter of each word.
The default pam_cracklib.so plug-in provides sufficient password strength enforcement for most environments. However, if the pam_cracklib.so plug-in is not stringent enough for your needs, you can change the parameters used for the pam_cracklib.so plug-in or use the pam_passwdqc.so plug-in instead. You change the plug-in using the esxcfg-auth --usepamqc command.
Risk or Control: This recommendation addresses the risk of passwords being guessed or cracked.
Recommendation Level: DMZ
Parameters or objects configuration:
esxcfg-auth --usepamqc
This command requires 6 parameters in the following order:
- minimum length of a single character class password
- minimum length of a password that has characters from 2 character classes
- minimum number of words in a passphrase
- minimum length of a password that has characters from 3 character classes
- minimum length of a password that has characters from 4 character classes
- maximum number of characters reused from the previous password
If you pass a value of -1 for any of the six parameters it disables that option.
For example the command line:
esxcfg-auth --usepamqc=-1 -1 -1 12 8 -1
disables the first three parameters, requires a 12 character password using characters from 3 character classes or an 8 character password that uses characters from 4 character classes, and disables the final parameter.
Test: Check the following line in the /etc/pam.d/system-auth-generic file:
"password required /lib/security/$ISA/pam_passwdqc.so"
If no text string is displayed, the complexity is not set. If there is a text string at the end of this line, ensure that it meets your policy.
Configuration Element / Description
Code Number: COP03
Name: Establish a Password Policy for Password History
Description: Keeping a password history mitigates the risk of a user reusing a previously used password too often.
Risk or Control: This recommendation addresses the risk of passwords being guessed or cracked.
Recommendation Level: DMZ
Parameters or objects configuration:
If it does not already exist, create a password history file:
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
Set the number of passwords to retain for matching:
Edit the /etc/pam.d/system-auth file and add the string "remember=x", where x is the number of passwords to retain, to the end of the following line:
"password sufficient /lib/security/$ISA/pam_unix.so"
Test: Check for the presence of the string "remember=" and ensure that the value is in compliance with your internal policy.
Configuration Element / Description
Code Number: COP04
Name: Establish a Maximum Password Aging Policy
Description: These controls govern how long a user password can be active before the user is required to change it.
Risk or Control: They help ensure that passwords change often enough that if an attacker obtains a password through sniffing or social engineering, the attacker cannot continue to access the ESX host indefinitely.
Recommendation Level: DMZ
Parameters or objects configuration:
To set the maximum password age use the following command:
esxcfg-auth --passmaxdays=n
where n is the maximum number of days for a password to live.
Test: Run the following command to see what the password maximum life setting is set to:
grep -i max_days /etc/login.defs
This number should be compared to your policy.
Configuration Element / Description
Code Number: COP05
Name: Establish a Password Policy for Minimum Days Before a Password is Changed
Description: As the maximum number of days for a password to live is important, there also needs to be a minimum number of days as well. This will mitigate the risk of a user changing a password enough times to be able to reuse their favorite password that is outside of the password reuse policy.
Risk or Control: This recommendation addresses the risk of passwords being guessed or cracked.
Recommendation Level: DMZ
Parameters or objects configuration:
esxcfg-auth --passmindays=n
Test: Run the following command to see what the password minimum life setting is set to:
grep -i min_days /etc/login.defs
This number should be compared to your policy.
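The tests in COP02 through COP05 are greps against /etc/login.defs and /etc/pam.d/system-auth followed by a comparison with policy. The following script, an added example that is not part of the VMware guide, performs that comparison; the file paths are parameters so it runs here against constructed copies of the two files, and the policy values (90-day maximum, 1-day minimum, 5 remembered passwords) are assumptions.

```shell
#!/bin/sh
# Added example, not from the VMware guide: audit the service console
# password settings from COP02-COP05 against a local policy. File paths are
# parameters so the checks run here against constructed copies; on a real
# ESX host pass /etc/login.defs and /etc/pam.d/system-auth.

# login_defs_value FILE KEY -> prints the value of KEY (e.g. PASS_MAX_DAYS),
# ignoring comment lines; prints nothing when the key is unset.
login_defs_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# pam_remember FILE -> prints N from "remember=N" on the pam_unix.so password
# line (COP03); prints nothing when no history is kept.
pam_remember() {
    grep -E '^password[[:space:]]+sufficient[[:space:]]+.*pam_unix\.so' "$1" |
        sed -n 's/.*remember=\([0-9][0-9]*\).*/\1/p'
}

# pam_passwdqc_active FILE -> 0 when an uncommented "password required
# .../pam_passwdqc.so" line is present (the COP02 test), 1 otherwise.
pam_passwdqc_active() {
    grep -Eq '^password[[:space:]]+required[[:space:]]+.*pam_passwdqc\.so' "$1"
}

# check_password_policy LOGIN_DEFS SYSTEM_AUTH MAX_DAYS MIN_DAYS HISTORY
# Prints one line per finding; returns 0 only when aging and history are at
# least as strict as the policy values given.
check_password_policy() {
    defs=$1; auth=$2; want_max=$3; want_min=$4; want_hist=$5; rc=0
    max=$(login_defs_value "$defs" PASS_MAX_DAYS)
    min=$(login_defs_value "$defs" PASS_MIN_DAYS)
    hist=$(pam_remember "$auth")
    if [ -z "$max" ] || [ "$max" -gt "$want_max" ]; then
        echo "FAIL PASS_MAX_DAYS=${max:-unset} (policy: at most $want_max)"; rc=1
    fi
    if [ -z "$min" ] || [ "$min" -lt "$want_min" ]; then
        echo "FAIL PASS_MIN_DAYS=${min:-unset} (policy: at least $want_min)"; rc=1
    fi
    if [ -z "$hist" ] || [ "$hist" -lt "$want_hist" ]; then
        echo "FAIL remember=${hist:-unset} (policy: at least $want_hist)"; rc=1
    fi
    # Complexity is reported as a warning only: the pam_cracklib defaults may
    # already satisfy the site policy, as COP02 notes.
    pam_passwdqc_active "$auth" || echo "WARN pam_passwdqc.so not enabled"
    return $rc
}

# Constructed fixtures (not captured from a real host): an unhardened
# install and the same files after COP02-COP05 have been applied.
tmp=$(mktemp -d)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$tmp/login.defs.default"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n' > "$tmp/login.defs.hardened"
cat > "$tmp/system-auth.default" <<'EOF'
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
EOF
cat > "$tmp/system-auth.hardened" <<'EOF'
password    required      /lib/security/$ISA/pam_passwdqc.so min=disabled,disabled,disabled,12,8
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=5
password    required      /lib/security/$ISA/pam_deny.so
EOF

# Assumed policy: 90-day maximum, 1-day minimum, 5 remembered passwords.
check_password_policy "$tmp/login.defs.default" "$tmp/system-auth.default" 90 1 5
echo "default install exit status: $?"
check_password_policy "$tmp/login.defs.hardened" "$tmp/system-auth.hardened" 90 1 5
echo "hardened exit status: $?"
```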
Configuration Element / Description
Code Number: COP06
Name: Ensure that vpxuser auto-password change in vCenter meets policy
Description: By default the vpxuser password will be automatically changed by vCenter every X number of days. Ensure that this setting meets your policies and if not, configure to meet password aging policies. Note that it is very important that the password aging policy should not be shorter than the interval that is set to automatically change the vpxuser password, or vCenter could get locked out of an ESX Host.
Risk or Control: If an attacker obtains the vpxuser password through brute-force, it can only be used for a limited amount of time.
Recommendation Level: DMZ
Parameters or objects configuration:
vCenter Server Advanced Settings: VirtualCenter.VimPasswordExpirationInDays
Test: Ensure that the vCenter VirtualCenter.VimPasswordExpirationInDays value is set lower than the password aging policy on the COS.
Console Logging

Proper and thorough logging allows you to keep track of any unusual activity that might be a precursor to an attack and also allows you to do a post mortem on any compromised systems and learn how to prevent attacks from happening in the future. The syslog daemon performs the system logging in ESX. You can access the log files in the service console by going to the /var/log/ directory. Several types of log files generated by ESX are shown in the following table.

Component | Location | Purpose
VMkernel | /var/log/vmkernel | Records activities related to the virtual machines and ESX
VMkernel warnings | /var/log/vmkwarning | Records activities with the virtual machines
VMkernel summary | /var/log/vmksummary | Used to determine uptime and availability statistics for ESX; human-readable summary found in /var/log/vmksummary.txt
ESX host agent log | /var/log/vmware/hostd.log | Contains information on the agent that manages and configures the ESX host and its virtual machines
Virtual machines | The same directory as the affected virtual machine's configuration files; named vmware.log and vmware-*.log | Contain information when a virtual machine crashes or ends abnormally
vCenter agent | /var/log/vmware/vpx | Contains information on the agent that communicates with vCenter
Web access | Files in /var/log/vmware/webAccess | Records information on Web-based access to ESX
Service console | /var/log/messages | Contains all general log messages used to troubleshoot virtual machines or ESX
Authentication log | /var/log/secure | Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd daemon.

The log files provide an important tool for diagnosing security breaches as well as other system issues. They also provide key sources of audit information. In addition to storing log information in files on the local file system, you can send this log information to a remote system. The syslog program is typically used for computer system management and security auditing, and it can serve these purposes well for ESX hosts. You can select individual service console components for which you want the logs sent to a remote system.
Configuration Element / Description
Code Number: COL01
Name: Configure syslog logging
Description: Remote logging to a central host provides a way to greatly increase administration capabilities. By gathering log files onto a central host, you can easily monitor all hosts with a single tool as well as do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts.
Risk or Control: Logging to a secure, centralized log server can help prevent log tampering and provides a long-term audit record.
Recommendation Level: Enterprise
Parameters or objects configuration:
Syslog behavior is controlled by the configuration file /etc/syslog.conf. For logs you want to send to a remote log host, add a line with @<loghost.company.com> after the message type, where <loghost.company.com> is the name of a host configured to record remote log files. Make sure that this host name can be properly resolved, putting an entry in the name service maps if needed.
Example:
local6.warning @<loghost.company.com>
After modifying the file, tell the syslog daemon to reread it by issuing the following command:
kill -SIGHUP `cat /var/run/syslogd.pid`
At a minimum the following files should be logged to a remote syslog server:
/var/log/vmkernel - Recursive
/var/log/secure - Recursive
/var/log/messages
/var/log/vmware/*log
/var/log/vmware/aam/*log
/var/log/vmware/aam/*err
/var/log/vmware/webAccess/.*log
/var/log/vmware/vpx/vpxa.log
/vmfs/volumes/<vmpath>/vmware.log - for all VMs, where vmpath is the path to the VM.
Test: To check that remote logging is configured: cat /etc/syslog.conf | grep @
To check that remote logging traffic is permitted outbound from the host: esxcfg-firewall -q | grep 514
To check that syslog service is configured to run: chkconfig --list | grep syslog
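The COL01 test, "grep @" over /etc/syslog.conf, also matches commented-out rules, and adding the remote line by hand is easy to duplicate. The script below, an added example that is not part of the VMware guide, lists only the active remote rules and appends a new one idempotently; it runs against a constructed syslog.conf, and loghost.example.com stands in for the guide's <loghost.company.com> placeholder.

```shell
#!/bin/sh
# Added example, not from the VMware guide: inspect and extend the remote
# logging rules in a syslog.conf of the form COL01 describes. The file path
# is a parameter so the functions run here against a constructed copy; on
# an ESX host pass /etc/syslog.conf. loghost.example.com is a placeholder.

# syslog_remote_rules FILE -> prints "selector host" for every uncommented
# rule whose action is a remote @host (what "grep @" in the COL01 test finds,
# minus commented-out lines and @ characters elsewhere on a line).
syslog_remote_rules() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $2 ~ /^@/ { h = $2; sub(/^@/, "", h); print $1, h }' "$1"
}

# selector_is_remote FILE SELECTOR -> 0 when SELECTOR is already shipped to
# some remote host, 1 otherwise.
selector_is_remote() {
    syslog_remote_rules "$1" | awk -v sel="$2" '$1 == sel { found = 1 } END { exit !found }'
}

# add_remote_loghost FILE SELECTOR HOST -> appends "SELECTOR<TAB>@HOST"
# unless that exact rule exists. Returns 0 when added, 1 when already there,
# so re-running a hardening script never duplicates the rule.
add_remote_loghost() {
    if awk -v sel="$2" -v act="@$3" '$1 == sel && $2 == act { found = 1 } END { exit !found }' "$1"; then
        return 1
    fi
    printf '%s\t@%s\n' "$2" "$3" >> "$1"
}

# reload_syslogd [PIDFILE] -> the guide's SIGHUP step, attempted only when
# the pid file exists (so the example is harmless on a workstation).
reload_syslogd() {
    pidfile=${1:-/var/run/syslogd.pid}
    [ -f "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
}

# Constructed syslog.conf fixture: two local rules, one remote rule, and a
# commented-out remote rule that a bare "grep @" would still report.
tmp=$(mktemp -d)
cat > "$tmp/syslog.conf" <<'EOF'
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure
local6.warning                                  @loghost.example.com
#kern.*                                         @old-loghost.example.com
EOF

echo "remote rules before:"; syslog_remote_rules "$tmp/syslog.conf"
# Ship the authentication log (/var/log/secure in the table above) as well.
add_remote_loghost "$tmp/syslog.conf" 'authpriv.*' loghost.example.com
echo "remote rules after:"; syslog_remote_rules "$tmp/syslog.conf"
```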
Configuration Element / Description
Code Number: COL02
Name: Configure NTP time synchronization
Description: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time—UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files.
Risk or Control: Incorrect time settings could make it difficult to inspect and correlate log files to detect attacks, and would make auditing inaccurate.
Recommendation Level: Enterprise
Parameters or objects configuration:
NTP can be configured on an ESX host using the vSphere Client, or using a remote command line such as vCLI or PowerCLI.
Test:
• Query the NTP configuration to make sure that a valid time source has been configured.
• Make sure that the NTP service is running on the host.
Console Hardening

Configuration Element / Description
Code Number: COH01
Name: Partition the disk to prevent the root file system from filling up
Description: If the root file system fills up, it can seriously degrade the performance of ESX management capabilities or even make them unresponsive.
When you install ESX 4.0, the default partitioning creates only 3 partitions. To protect against the root file system filling up, you can create additional separate partitions for the directories /home, /tmp, and /var/log. These are all directories that have the potential to fill up, and if they are not isolated from the root partition, you could experience a denial of service if the root partition is full and unable to accept any more writes. The chapter "ESX Partitioning" in the ESX and vCenter Server Installation Guide covers disk partitions in more detail:
http://pubs.vmware.com/vsp40u1/install/c_esx_partitioning.html#1_9_18_1
Risk or Control: Prevents a denial-of-service against the management of that host
Recommendation Level: Enterprise
Parameters or objects configuration:
/etc/fstab
Test: Run the "df" command and ensure that the directories for /home, /tmp, and /var/log are mounted on their own partitions.
Parameter Element / Description
Code Number: COH02
Name: Disable Automatic Mounting of USB Devices
Description: External USB drives can be connected to the ESX host and be loaded automatically on the service console. The USB drive must be mounted before you can use it, but drivers are loaded to recognize the device.
Threat: Attackers may be able to run malicious code on the ESX host and go undetected because the USB drive is external.
Recommendation Level: SSLF
Parameter setting: By default, automatic USB drive mounting is enabled, but it is recommended that you disable this feature by editing the service console file /etc/modules.conf and commenting out the line containing alias usb-controller by placing a pound sign (#) at the beginning.
Effect on functionality: There is a risk that a USB-based keyboard and mouse will cease to function properly after implementing this step. It is recommended that you verify that mouse and keyboard continue to operate normally and not implement this step if they do not.
Positive evidence: If the line containing alias usb-controller has a pound sign (#) at the beginning of the line, this is a positive test.
Negative evidence: If the line containing alias usb-controller does not have a pound sign (#) at the beginning of the line, this is a negative test.
The service console has a number of files that specify its configurations:
/etc/profile
/etc/ssh/sshd_config
/etc/pam.d/system-auth
/etc/grub.conf
/etc/krb.conf
/etc/krb5.conf
/etc/krb.realms
/etc/login.defs
/etc/openldap/ldap.conf
/etc/nscd.conf
/etc/ntp
/etc/ntp.conf
/etc/passwd
/etc/group
/etc/nsswitch.conf
/etc/resolv.conf
/etc/sudoers
/etc/shadow
In addition, ESX configuration files located in the /etc/vmware directory store all the VMkernel information. Not all of these files are actually used by your particular ESX deployment, but all the files are listed for completeness.
Operational Element / Description
Code Number: COH03
Name: Establish and Maintain File System Integrity
Description: It is critical to monitor the integrity of certain critical system files within the ESX Service Console. In addition, the permissions of numerous critical files should be configured to prevent unnecessary access from occurring.
Risk or Control:
Recommendation Level: DMZ
Condition or steps: Configuration files should be monitored for integrity and unauthorized tampering, using a commercial tool such as Tripwire, or by using a checksum tool such as sha1sum, which is included in the service console. These files should also be backed up regularly, either using backup agents or by doing backups based on file copying.
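COH03 names sha1sum as the built-in option for integrity monitoring; the script below, an added example that is not part of the VMware guide, baselines the configuration files listed above with it and reports any later change or deletion. The list of files is the guide's; the root directory, the baseline location and the fixture tree are assumptions, so the example runs against a constructed tree rather than a host.

```shell
#!/bin/sh
# Added example, not from the VMware guide: a sha1sum baseline for the
# service console configuration files listed above, as COH03 suggests. The
# file list is the guide's (minus the /etc/ntp directory); ROOT, the
# baseline path and the fixture tree are assumptions. On a real host run it
# against / as root and keep the baseline off-host or on read-only media,
# since anyone who can edit the files can otherwise also edit the baseline.

CONSOLE_CONFIG_FILES="etc/profile etc/ssh/sshd_config etc/pam.d/system-auth
etc/grub.conf etc/krb.conf etc/krb5.conf etc/krb.realms etc/login.defs
etc/openldap/ldap.conf etc/nscd.conf etc/ntp.conf etc/passwd etc/group
etc/nsswitch.conf etc/resolv.conf etc/sudoers etc/shadow"

# digest PATH -> "hash  PATH"; sha1sum is what the service console ships,
# shasum is the fallback on hosts without coreutils.
digest() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$@"; else shasum -a 1 "$@"; fi
}

# integrity_baseline ROOT BASELINE -> records a digest line for each listed
# file present under ROOT; absent files are reported on stderr and skipped.
integrity_baseline() {
    root=$1; out=$2; : > "$out"
    for f in $CONSOLE_CONFIG_FILES; do
        if [ -f "$root/$f" ]; then
            (cd "$root" && digest "$f") >> "$out"
        else
            echo "baseline: $root/$f not present, skipped" >&2
        fi
    done
}

# integrity_verify ROOT BASELINE -> prints CHANGED/MISSING lines and returns
# 1 when anything differs from the baseline, 0 when everything matches.
integrity_verify() {
    root=$1; base=$2; bad=0
    while read -r want path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        have=$( (cd "$root" && digest "$path") | cut -d' ' -f1 )
        [ "$have" = "$want" ] || { echo "CHANGED $path"; bad=1; }
    done < "$base"
    return $bad
}

# Constructed fixture tree (not a real host): three of the listed files.
tmp=$(mktemp -d); mkdir -p "$tmp/etc/ssh"
printf 'PermitRootLogin no\n' > "$tmp/etc/ssh/sshd_config"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\n' > "$tmp/etc/login.defs"
printf 'Defaults logfile=/var/log/sudo.log\n' > "$tmp/etc/sudoers"

integrity_baseline "$tmp" "$tmp/baseline.sha1" 2>/dev/null   # skip notes silenced
integrity_verify "$tmp" "$tmp/baseline.sha1" && echo "baseline matches"
```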
Operational Element / Description
Code Number: COH04
Name: Ensure permissions of important files and utility commands have not been changed from default.
Description: Various files and utilities are installed with particular file permissions to enable certain functionality without requiring unnecessary privilege levels for the user accessing them.
Risk or Control: Changing permissions from default on these important files can have an effect on the functionality of the ESX host and could potentially cause these commands to not run properly and as such cause a denial of service.
Recommendation Level: DMZ
Condition or steps:
The /usr/sbin/esxcfg-* commands, which are all installed by default with permissions 555.
The log files discussed in the previous section, which all have permissions 600, except for the directory /var/log/vmware/webAccess, which has permissions 755, and the virtual machine log files, which have permissions 644.
Certain system commands that have the SUID bit. These commands are listed here:
http://pubs.vmware.com/vsp40u1/server_config/r_default_setuid_applications.html
For all of these files, the user and group owner should be root.
Console Access

Parameter Element / Description
Code Number: COA01
Name: Prevent tampering at boot time
Description: A grub password can be used to prevent users from booting into single user mode or passing options to the kernel during boot.
Threat: By passing in boot parameters, it might be possible to influence the host so that it behaves improperly, perhaps in a manner that is hard to detect.
Recommendation Level: DMZ
Parameter setting: During the ESX installation, the Advanced option allows you to set a grub password. This can also be set by directly editing /boot/grub.conf. See the chapter "Installing VMware ESX" in the ESX and vCenter Server Installation Guide for more details.
Effect on functionality: Unless the password is entered, the server boots only the kernel with the default options.
Positive evidence: During boot, it should not be possible to change boot parameters without entering the correct password.
Negative evidence: There is no password configured in /boot/grub.conf.
Parameter Element / Description
Code Number: COA02
Name: Require Authentication for Single User Mode
Description: Anyone with physical access can access the service console as root if a password is not set for single user mode access.
Threat: When this recommendation is followed, then if an attacker gains access to the console, they can only log in as an ordinary user and won't necessarily be able to escalate privilege level without additional effort.
Recommendation Level: SSLF
Parameter setting: Add the line
~~:S:wait:/sbin/sulogin
to /etc/inittab
Effect on functionality: If the root password is lost then there will be no way to access the system.
Positive evidence: Check for evidence of the line
~~:S:wait:/sbin/sulogin
in /etc/inittab
If it exists this is a positive test.
Negative evidence: Check for evidence of the line
~~:S:wait:/sbin/sulogin
in /etc/inittab
If it does not exist this is a negative test.
Parameter Element / Description
Code Number: COA03
Name: Ensure root access via SSH is disabled
Description: Because the root user of the service console has almost unlimited capabilities, securing this account is the most important step you can take to secure the ESX host. By default, all insecure protocols, such as FTP, Telnet, and HTTP, are disabled. Remote access via SSH is enabled, but not for the root account. You can copy files remotely to and from the service console using an scp (secure cp) client, such as WinSCP.
Threat: Enabling remote root access over SSH or any other protocol is not recommended, because it opens the system to network-based attack should someone obtain the root password.
Recommendation Level: Enterprise
Parameter setting: The line "PermitRootLogin" in the /etc/sshd_conf should be set to "no".
Effect on functionality: The root user will not be able to log in via SSH.
Positive evidence: If the line "PermitRootLogin no" in the /etc/sshd_conf exists and it does not start with a pound sign (#), this is a positive finding.
Negative evidence: If the line "PermitRootLogin yes" in the /etc/sshd_conf exists, or is prefaced by a pound sign (#), or the "PermitRootLogin" parameter does not exist in the file, this is a negative finding.
Parameter Element / Description
Code Number: COA04
Name: Disallow Direct root Login
Description: You can disallow root access even on the console of the ESX host—that is, when you log in using a screen and keyboard attached to the server itself, or to a remote session attached to the server's console. This approach forces anyone who wants to access the system to first log in using a regular user account, then use sudo or su to perform tasks.
The net effect is that administrators can continue to access the system, but they never have to log in as root. Instead, they use sudo to perform particular tasks or su to perform arbitrary commands.
Threat: When this recommendation is followed, then if an attacker gains access to the console, they can only log in as an ordinary user and won't necessarily be able to escalate privilege level without additional effort.
Recommendation Level: SSLF
Parameter setting: To prevent direct root login on the console, modify the file /etc/securetty to be empty. While logged in as root, enter the following command:
cat /dev/null > /etc/securetty
You should first create a nonprivileged account on the host to enable logins, otherwise you could find yourself locked out of the host. This nonprivileged account should be a local account—that is, one that does not require remote authentication—so that if the network connection to the directory service is lost, access to the host is still possible. You can assure this access by defining a local password for this account, using the passwd command.
Effect on functionality: After you do this, only nonprivileged accounts are allowed to log in at the console. Root login at the console will no longer be possible.
Positive evidence: /etc/securetty is empty.
Negative evidence: /etc/securetty is not empty.
Parameter Element / Description
Code Number: COA05
Name: Limit access to the su command.
Description: Because su is such a powerful command, you should limit access to it. By default, only users that are members of the wheel group in the service console have permission to run su. If a user attempts to run su - to gain root privileges and that user is not a member of the wheel group, the su - attempt fails and the event is logged.
Threat:
Recommendation Level: Enterprise
Parameter setting: Besides controlling who has access to the su command, through the pluggable authentication module (PAM) infrastructure, you can specify what type of authentication is required to successfully execute the command. In the case of the su command, the relevant PAM configuration file is /etc/pam.d/su. To allow only members of the wheel group to execute the su command, and then only after authenticating with a password, find the line beginning with auth required and remove the leading pound sign (#) so it reads:
auth required /lib/security/$ISA/pam_wheel.so use_uid
Effect on functionality: Prevents users that are not in the wheel group from running the su command.
Positive evidence: auth required /lib/security/$ISA/pam_wheel.so use_uid does not have a leading pound sign (#).
Negative evidence: auth required /lib/security/$ISA/pam_wheel.so use_uid has a leading pound sign (#).
The sudo utility should be used to control what privileged commands users can run while logged in to the service console. Among the commands you should regulate are all of the esxcfg-* commands as well as those that configure networking and other hardware on the ESX host. You should decide what set of commands should be available to more junior administrators and what commands you should allow only senior administrators to execute. You can also use sudo to restrict access to the su command. Use the following tips to help you configure sudo:
- Configure local and remote sudo logging (see "Maintain Proper Logging" on page 12).
- Create a special group, such as vi_admins, and allow only members of that group to use sudo.
- Use sudo aliases to determine the authorization scheme, then add and remove users in the alias definitions instead of in the commands specification.
- Be careful to permit only the minimum necessary operations to each user and alias. Permit very few users to run the su command, because su opens a shell that has full root privileges but is not auditable.
- If you have configured authentication using a directory service, sudo uses it by default for its own authentication. This behavior is controlled by the /etc/pam.d/sudo file, on the line for auth. The default setting—service=system-auth—tells sudo to use whatever authentication scheme has been set globally using the esxcfg-auth command.
- Require users to enter their own passwords when performing operations. This is the default setting. Do not require the root password, because this presents a security risk, and do not disable password checking. In sudo the authentication persists for a brief period of time before sudo asks for a password again.
For further information and guidelines for using sudo, see http://www.gratisoft.us/sudo/.
Configuration Element / Description
Code Number: COA06
Name: Configure and use sudo to control administrative access
Description: The sudo utility should be used to control what privileged commands users can run while logged in to the service console.
Risk or Control:
Recommendation Level: Enterprise
Parameters or objects configuration:
Parameters to be configured are in the /etc/sudoers file.
Among the commands you should regulate are all of the esxcfg-* commands as well as those that configure networking and other hardware on the ESX host. You should decide what set of commands should be available to more junior administrators and what commands you should allow only senior administrators to execute. You can also use sudo to restrict access to the su command. Because each situation will be different, each configuration will be different, so no specific guidance can be given here.
Test: Check the configuration in the /etc/sudoers file and ensure that it meets your policy.
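The positive and negative evidence for COA01 through COA05, and the sudo tips that COA06 points to, are all checks on a handful of files. The script below, an added example that is not part of the VMware guide, turns them into one audit that prints PASS/FAIL per element; the single-directory layout and the fixture contents are assumptions so that it runs here against constructed "weak" and "hard" copies rather than a live host. The sudoers check only looks for settings the tips rule out (root-password or no-password operation, su access), since COA06 says the command set itself is site-specific.

```shell
#!/bin/sh
# Added example, not from the VMware guide: audit the COA01-COA06 settings
# and the sudo tips above from copies of the relevant files. The directory
# layout (grub.conf, inittab, sshd_config, securetty, pam_su, sudoers under
# one root) is an assumption so the checks run against constructed fixtures;
# on an ESX host point each check at the path the guide names.

# Each check takes a file path and returns 0 for the guide's positive evidence.
grub_password_set()      { grep -Eq '^[[:space:]]*password([[:space:]]|$)' "$1"; }  # COA01
sulogin_required()       { grep -Fqx '~~:S:wait:/sbin/sulogin' "$1"; }             # COA02
securetty_empty()        { [ ! -s "$1" ]; }                                        # COA04
su_restricted_to_wheel() {                                                         # COA05
    grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so.*use_uid' "$1"
}

# ssh_permit_root_login FILE -> the effective PermitRootLogin value. sshd
# honours the first uncommented occurrence, so that is what is returned;
# empty output means the keyword is absent (a negative finding per COA03).
ssh_permit_root_login() {
    awk '!/^[[:space:]]*#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}
ssh_root_login_disabled() { [ "$(ssh_permit_root_login "$1")" = "no" ]; }       # COA03

# sudoers_follows_tips FILE -> 0 unless the file requires the root password
# (rootpw/targetpw), disables password checking (NOPASSWD, !authenticate)
# or grants /bin/su; each contradicts the sudo tips above.
sudoers_follows_tips() {                                                           # COA06
    ! grep -Eq '^[^#]*(rootpw|targetpw|NOPASSWD|!authenticate)' "$1" &&
    ! grep -Eq '^[^#]*[[:space:]]/bin/su([[:space:]]|,|$)' "$1"
}

# console_access_audit DIR -> one PASS/FAIL line per element; returns the
# number of failed checks, so 0 means every element passed.
console_access_audit() {
    dir=$1; fails=0
    for item in "COA01 grub_password_set grub.conf" \
                "COA02 sulogin_required inittab" \
                "COA03 ssh_root_login_disabled sshd_config" \
                "COA04 securetty_empty securetty" \
                "COA05 su_restricted_to_wheel pam_su" \
                "COA06 sudoers_follows_tips sudoers"; do
        set -- $item
        if "$2" "$dir/$3"; then echo "PASS $1"; else echo "FAIL $1 ($3)"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Constructed fixtures: "weak" is a console whose settings have been
# loosened, "hard" the same files after applying COA01-COA06.
tmp=$(mktemp -d); mkdir -p "$tmp/weak" "$tmp/hard"
printf 'default=0\ntimeout=5\n' > "$tmp/weak/grub.conf"
printf 'default=0\ntimeout=5\npassword --md5 PLACEHOLDER_HASH\n' > "$tmp/hard/grub.conf"
printf 'id:3:initdefault:\n' > "$tmp/weak/inittab"
printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$tmp/hard/inittab"
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/weak/sshd_config"
printf 'PermitRootLogin no\n' > "$tmp/hard/sshd_config"
printf 'console\ntty1\n' > "$tmp/weak/securetty"
: > "$tmp/hard/securetty"
printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$tmp/weak/pam_su"
printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$tmp/hard/pam_su"
printf 'Defaults rootpw\n%%vi_admins ALL=(ALL) NOPASSWD: /usr/sbin/esxcfg-firewall, /bin/su\n' > "$tmp/weak/sudoers"
printf 'Defaults logfile=/var/log/sudo.log\nCmnd_Alias ESXCFG = /usr/sbin/esxcfg-*\n%%vi_admins ALL=(ALL) ESXCFG\n' > "$tmp/hard/sudoers"

console_access_audit "$tmp/weak"; echo "weak: $? failing checks"
console_access_audit "$tmp/hard"; echo "hard: $? failing checks"
```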