The main point of a security audit is not to try and strangle the auditor, he is just doing his job, although you might think he is there to make your life impossible. I have put together a collection of posts, so you need not fear the dreaded visit of the men in dark suits…
Explain on day one that there are multiple logon sources… this is really important as he will go away and request evidence from the domain and windows admins about user creation and deletion, password policy etc.
Here are a couple of diagrams that help clarify the path of account logon and the audit trail. You want the auditor to realize that the trail start is dependent on the origin of the account.
So once you have established the source of accounts isn’t vCenter, then it needs to be made clear permissions are not directly assigned to users or groups. Make sure you understand this.
Justifying generic accounts is going to be an issue in any audit, before you walk into the room, have a list of all the “principles”, that is users or groups. You will be expected to explain each one.
As vCenter access is a entry control point, failure to produce logon events will be a major failure in the audit.
How are are you going to control and track logon to the esx hosts, even if you add hosts to the domain, you will still need to demonstrate an audit trail for root access.
Security auditors will consider ssh access a vulnerability. This can be mitigated by setting timeout value.
Auditors are now asking that this is set on hosts, this shows how to set large numbers of hosts to lockdown and validate the setting quickly
Unless all the hosts are set to use a valid time source your audit logs aren’t going to impress the auditors.
Where and for how long are you saving esx logs
Decide on a log retention strategy
Set the values with PowerCLI
Disclaimer: This series of posts should not be taken as a complete and comprehensive set of security policies, rather its purpose is of identifying areas that security auditors frequently investigate, and how to quickly implement hardening through powerCLI scripts or other means.