The main point of a security audit is not to try and strangle the auditor, he is just doing his job, although you might think he is there to make your life impossible. I have put together a collection of posts, so you need not fear the dreaded visit of the men in dark suits…
Sources of vCenter accounts
Explain on day one that there are multiple logon sources… this is really important as he will go away and request evidence from the domain and windows admins about user creation and deletion, password policy etc.
User Access Audit Trail
Here are a couple of diagrams that help clarify the path of account logon and the audit trail. You want the auditor to realize that the trail start is dependent on the origin of the account.
vCenter user roles, and assigned permissions
So once you have established the source of accounts isn’t vCenter, then it needs to be made clear permissions are not directly assigned to users or groups. Make sure you understand this.
Generic accounts have to be explained
Justifying generic accounts is going to be an issue in any audit, before you walk into the room, have a list of all the “principles”, that is users or groups. You will be expected to explain each one.
vCenter logs retention and extract
As vCenter access is a entry control point, failure to produce logon events will be a major failure in the audit.
esxi logon
How are are you going to control and track logon to the esx hosts, even if you add hosts to the domain, you will still need to demonstrate an audit trail for root access.
Set ssh timeouts
Security auditors will consider ssh access a vulnerability. This can be mitigated by setting timeout value.
Set lockdown on hosts
Auditors are now asking that this is set on hosts, this shows how to set large numbers of hosts to lockdown and validate the setting quickly
Set a valid time source
Unless all the hosts are set to use a valid time source your audit logs aren’t going to impress the auditors.
Persistent logging Overview
Where and for how long are you saving esx logs
ESX log retention
Decide on a log retention strategy
ESX log retention configuration
Set the values with PowerCLI
Disclaimer: This series of posts should not be taken as a complete and comprehensive set of security policies, rather its purpose is of identifying areas that security auditors frequently investigate, and how to quickly implement hardening through powerCLI scripts or other means.