Security Audit – User Access Audit Trail

Posted onAuthorruss oconnorLeave a comment

Here are a couple of diagrams that help clarify the path of account logon and the audit trail. You want the auditor to realize that the trail start is dependent on the origin of the account. But once LDAP/AD has validated the logon, access to vCenter is traceable.

 

Windows domain

This is the best option, nominal domain accounts, password authentication and policy is handled by the domain, and vCenter will indicate logon events.

audit-userValidation - vSphere access

 

SYSTEM-DOMAIN

As login in done directly with a generic account, the audit trail is difficult, to avoid issues do not give these accounts permissions in vCenter, treat them as service accounts and do not use them for regular login. NOTE: default setting is password is reset once a year.

audit-userValidation - sso access

 

Direct access to ESXi host

If your hosts are in domain, then use nominal accounts to logon and lock up the root password and do not use it for logon, configure sudo etc.

If your esxi hosts are not in domain, you might find it easier to not add any nominal accounts, as maintaining the password is a hassle. In a later post I’ll show how you sent up an audit trail when root is used.

audit-userValidation - esxi access

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.