Security Audit – esxi logon

How are are you going to control logon to the esxi hosts?

One solution is to add hosts to the domain, and then use active directory nominal accounts and groups assignments to access the esxi servers. The advantage of this is that account creation, permissions and policies are set in the domain and will be covered by the process for standard users and administrators.

Sec-audit-userValidation - esxi in domain

However the root account will still be needed with superuser permissions, the auditor will expect you to provide traceability and control for the root account.

One acceptable solution is classify root as an emergency account, used only for advanced configuration, troubleshooting and emergency access. Controls are still needed but password reset policies are normally less stringent than a standard administrator account.

The diagram below shows how access control and an audit trail could be set up, vCenter alerts can trigger monitoring events, informing operations and security teams of access, these events will be available in the logs so you can demonstrate you have access control and an audit trail.

Sec-audit-userValidation alerts

When lockdown mode is disabled from within vCenter and an alarm is flagged establishing a link between a nominal and root access, another alarm is configured for ssh access, and yet another for direct access to the console.

See the following to set lockdown mode and configure the ssh service to time out after a set period of time


Configuration lockdown disabled alarm

In vSphere select alarms -> new alarm

Enter alarm name “Lockdown mode disabled”

Alarm type: Host

Option: Monitor for Specific Events

Trigger: Add new -> Host Administrator Access Enabled

Status: Warning


Configuration ssh and shell warning*

A simple test of disabling lockdown mode and enabling the ssh service should generate events in the vCenter

Stop ssh service state

Get-cluster <cluster>| Get-VMhost | Foreach {Stop-VMHostService -HostService ($_ | Get-VMHostService | Where {$_.Key -eq “TSM-SSH”})}


Stop shell service state

Get-cluster <cluster> | Get-VMhost | Foreach {Stop-VMHostService -HostService ($_ | Get-VMHostService | Where {$_.Key -eq “TSM”})}


Configure the alarm

Get-AdvancedSetting -Entity (Get-cluster <cluster> | Get-VMhost) -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0


Validation ssh service state

Get-cluster <cluster>| Get-VMhost | Get-VMHostService | Where {$_.Key -eq “TSM-SSH”}


Validation shell service state

Get-cluster <cluster>-A | Get-VMhost | Get-VMHostService | Where {$_.Key -eq “TSM”}


Validation ssh and shell warning

Get-AdvancedSetting -Entity (Get-cluster <cluster> | Get-VMhost) -Name UserVars.SuppressShellWarning | ft -autosize


How to Create a vCenter Alarm to Monitor for root logins



Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.