How are you going to control logon to the ESXi hosts?
One solution is to join the hosts to the domain and use Active Directory named (nominal) accounts and group assignments to access the ESXi servers. The advantage is that account creation, permissions and policies are managed in the domain and are therefore covered by the existing process for standard users and administrators.
However, the root account will still be needed for superuser permissions, and the auditor will expect you to provide traceability and control for it.
One acceptable solution is to classify root as an emergency account, used only for advanced configuration, troubleshooting and emergency access. Controls are still needed, but password reset policies are normally less stringent than for a standard administrator account.
The diagram below shows how access control and an audit trail could be set up. vCenter alarms can trigger monitoring events that inform the operations and security teams of access; these events are retained in the logs, so you can demonstrate that you have both access control and an audit trail.
When lockdown mode is disabled from within vCenter an alarm is raised, establishing a link between the named account that disabled it and any subsequent root access. A second alarm is configured for SSH access, and a third for direct access to the console.
See the following posts to set lockdown mode and to configure the SSH service to time out after a set period:
/set-and-validate-lock-down-mode-for-multiple-hosts/
/set-ssh-timeout/
Configuring the lockdown disabled alarm
In vSphere select Alarms -> New Alarm
Enter the alarm name "Lockdown mode disabled"
Alarm type: Host
Option: Monitor for specific events
Trigger: Add new -> Host Administrator Access Enabled
Status: Warning
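The same alarm can be created from PowerCLI instead of clicking through the client, which makes it repeatable across vCenters and lets you attach the notification the operations and security teams need. The following is an added example and is not code from the original post. It assumes an existing Connect-VIServer session, that the classic vCenter event type raised when lockdown mode is disabled is HostAdminEnableEvent (the trigger the client lists as "Host Administrator Access Enabled"; check it against your vCenter's event list before relying on it), and a hypothetical recipient mailbox soc@example.com.

```powershell
# Added example (not from the original post): create the "Lockdown mode disabled"
# alarm through the vSphere API and notify by e-mail when it fires.
# Assumptions: Connect-VIServer already run; HostAdminEnableEvent is the event
# raised when lockdown mode is disabled; soc@example.com is a hypothetical mailbox.
$AlarmName = "Lockdown mode disabled"
$Recipient = "soc@example.com"

$alarmMgr   = Get-View AlarmManager
# Define the alarm on the root folder so it applies to every host in the inventory
$rootFolder = (Get-View ServiceInstance).Content.RootFolder

# Idempotent: do not create a duplicate if an alarm of this name already exists
$existingRefs = $alarmMgr.GetAlarm($rootFolder)
if ($existingRefs -and (Get-View $existingRefs | Where-Object { $_.Info.Name -eq $AlarmName })) {
    Write-Host "Alarm '$AlarmName' already exists, nothing to do"
    return
}

# Trigger: the HostAdminEnableEvent on any HostSystem sets the alarm to Warning (yellow)
$expr = New-Object VMware.Vim.EventAlarmExpression
$expr.EventType  = "HostAdminEnableEvent"   # assumption, see lead-in
$expr.ObjectType = "HostSystem"
$expr.Status     = "yellow"

$or = New-Object VMware.Vim.OrAlarmExpression
$or.Expression = @($expr)

$spec = New-Object VMware.Vim.AlarmSpec
$spec.Name        = $AlarmName
$spec.Description = "Raised when lockdown mode is disabled on a host; links the vCenter user to later root access"
$spec.Enabled     = $true
$spec.Expression  = $or
$spec.Setting     = New-Object VMware.Vim.AlarmSetting
$spec.Setting.ReportingFrequency = 0   # report every occurrence
$spec.Setting.ToleranceRange     = 0

# Action: e-mail the security team on the green -> yellow transition
$transition = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
$transition.StartState = "green"
$transition.FinalState = "yellow"
$transition.Repeats    = $false

$email = New-Object VMware.Vim.SendEmailAction
$email.ToList  = $Recipient
$email.CcList  = ""
$email.Subject = "[vCenter] {alarmName} on {targetName}"
$email.Body    = "{eventDescription}"   # vCenter substitutes the event text, including the user

$action = New-Object VMware.Vim.AlarmTriggeringAction
$action.Action          = $email
$action.TransitionSpecs = @($transition)
$action.Green2yellow    = $true
$action.Yellow2red      = $false
$action.Red2yellow      = $false
$action.Yellow2green    = $false
$spec.Action = $action

$alarmRef = $alarmMgr.CreateAlarm($rootFolder, $spec)
Write-Host "Created alarm '$AlarmName' ($($alarmRef.Value))"

# Validation: after disabling lockdown mode on a test host, confirm the event that
# drives the alarm was recorded, with the named account that caused it.
function Get-LockdownDisableEvents {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Hours = 1)
    $vmhost = Get-VMHost -Name $HostName
    Get-VIEvent -Entity $vmhost -Start (Get-Date).AddHours(-$Hours) -MaxSamples 1000 |
        Where-Object { $_ -is [VMware.Vim.HostAdminEnableEvent] } |
        Select-Object CreatedTime, UserName, @{N = 'Host'; E = { $_.Host.Name }}, FullFormattedMessage
}
```

Get-LockdownDisableEvents is the evidence for the auditor: each row ties the time lockdown mode was disabled to the named account that did it, which is the link to any root session that follows.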
Configuring the SSH and shell warning
A simple test of disabling lockdown mode and enabling the SSH service should generate events in vCenter.
Stop the SSH service
Get-Cluster <cluster> | Get-VMHost | ForEach-Object { Stop-VMHostService -HostService ($_ | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }) -Confirm:$false }
Stop the ESXi Shell service
Get-Cluster <cluster> | Get-VMHost | ForEach-Object { Stop-VMHostService -HostService ($_ | Get-VMHostService | Where-Object { $_.Key -eq "TSM" }) -Confirm:$false }
Enable the warning (UserVars.SuppressShellWarning set to 0 ensures vCenter shows the warning on the host whenever SSH or the ESXi Shell is running)
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0 -Confirm:$false
Validate the SSH service state
Get-Cluster <cluster> | Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
Validate the ESXi Shell service state
Get-Cluster <cluster> | Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM" }
Validate the SSH and shell warning
Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.SuppressShellWarning | Format-Table -AutoSize
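The validation commands above each check one setting and leave you to join the results by hand. As an added example (not from the original post), the following PowerCLI functions roll them into one report per host, so the evidence for the auditor is a single table: lockdown mode, whether SSH and the ESXi Shell are running, whether they are set to start at boot (a host that is compliant now but starts SSH on every reboot is not really compliant), and whether the warning is suppressed. A second function remediates the common drift. Both assume a connected vCenter session; <cluster> is the page's placeholder.

```powershell
# Added example (not from the original post): per-host logon-control report and
# baseline remediation for a cluster. Assumes Connect-VIServer has been run.
function Get-HostLogonControlReport {
    param([Parameter(Mandatory = $true)][string]$ClusterName)
    foreach ($vmhost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
        $cfg = $vmhost.ExtensionData.Config
        # vSphere 6.0+ reports LockdownMode (lockdownDisabled/lockdownNormal/lockdownStrict);
        # older hosts only expose the boolean AdminDisabled
        $lockdown = if ($cfg.LockdownMode) { [string]$cfg.LockdownMode }
                    elseif ($cfg.AdminDisabled) { 'lockdownNormal' }
                    else { 'lockdownDisabled' }

        $services = $vmhost | Get-VMHostService
        $ssh      = $services | Where-Object { $_.Key -eq 'TSM-SSH' }
        $shell    = $services | Where-Object { $_.Key -eq 'TSM' }
        $suppress = [int](Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressShellWarning').Value

        # Compliant = lockdown on, neither service running nor starting at boot, warning not suppressed
        $compliant = ($lockdown -ne 'lockdownDisabled') -and
                     (-not $ssh.Running) -and (-not $shell.Running) -and
                     ($ssh.Policy -eq 'off') -and ($shell.Policy -eq 'off') -and
                     ($suppress -eq 0)

        [pscustomobject]@{
            Host              = $vmhost.Name
            LockdownMode      = $lockdown
            SshRunning        = $ssh.Running
            SshPolicy         = $ssh.Policy
            ShellRunning      = $shell.Running
            ShellPolicy       = $shell.Policy
            WarningSuppressed = ($suppress -eq 1)
            Compliant         = $compliant
        }
    }
}

# Remediate the usual drift: stop SSH and the shell, keep them off at boot, unsuppress the warning.
# Lockdown mode is deliberately left alone here; enabling it is covered by the linked post.
function Set-HostLogonControlBaseline {
    param([Parameter(Mandatory = $true)][string]$ClusterName)
    foreach ($vmhost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
        $vmhost | Get-VMHostService | Where-Object { $_.Key -in 'TSM-SSH', 'TSM' } | ForEach-Object {
            if ($_.Running)         { Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null }
            if ($_.Policy -ne 'off') { Set-VMHostService -HostService $_ -Policy Off | Out-Null }
        }
        Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressShellWarning' |
            Where-Object { [int]$_.Value -ne 0 } |
            Set-AdvancedSetting -Value 0 -Confirm:$false | Out-Null
    }
}

# Usage:
# Get-HostLogonControlReport -ClusterName '<cluster>' | Format-Table -AutoSize
# Get-HostLogonControlReport -ClusterName '<cluster>' | Where-Object { -not $_.Compliant }
# Set-HostLogonControlBaseline -ClusterName '<cluster>'
```

Run the report before and after Set-HostLogonControlBaseline and keep both outputs; the pair is the before/after evidence that the control was applied, and the non-compliant filter is what to feed into the ticket when a host drifts.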
How to Create a vCenter Alarm to Monitor for root logins
http://www.virtuallyghetto.com/2011/10/how-to-create-vcenter-alarm-to-monitor.html
https://github.com/lamw/vghetto-scripts