security audit survival guide

The main point of a security audit is not to try and strangle the auditor; he is just doing his job, although you might think he is there to make your life impossible. I have put together a collection of posts, so you need not fear the dreaded visit of the men in dark suits…

Sources of vCenter accounts

Explain on day one that there are multiple logon sources… this is really important, as he will go away and request evidence from the domain and Windows admins about user creation and deletion, password policy, etc.

User Access Audit Trail

Here are a couple of diagrams that help clarify the path of account logon and the audit trail. You want the auditor to realize that where the trail starts depends on the origin of the account.

vCenter user roles, and assigned permissions

So once you have established that the source of accounts isn’t vCenter, it needs to be made clear that permissions are not directly assigned to users or groups. Make sure you understand this.

Generic accounts have to be explained

Justifying generic accounts is going to be an issue in any audit. Before you walk into the room, have a list of all the “principals”, that is, users or groups. You will be expected to explain each one.

vCenter logs retention and extract

As vCenter access is an entry control point, failure to produce logon events will be a major failure in the audit.

esxi logon

How are you going to control and track logon to the ESX hosts? Even if you add hosts to the domain, you will still need to demonstrate an audit trail for root access.

Set ssh timeouts

Security auditors will consider ssh access a vulnerability. This can be mitigated by setting a timeout value.

Set lockdown on hosts

Auditors are now asking that this is set on hosts. This post shows how to set large numbers of hosts to lockdown and validate the setting quickly.

Set a valid time source

Unless all the hosts are set to use a valid time source your audit logs aren’t going to impress the auditors.

Persistent logging Overview

Where, and for how long, are you saving ESX logs?

ESX log retention

Decide on a log retention strategy.

ESX log retention configuration

Set the values with PowerCLI.

Disclaimer: This series of posts should not be taken as a complete and comprehensive set of security policies; rather, its purpose is to identify areas that security auditors frequently investigate, and to show how to quickly implement hardening through PowerCLI scripts or other means.
