Security Audit – vCenter logs retention and extract

As vCenter access is an entry control point, failing to produce logon events will be a major finding in the audit. vSphere vCenter should be configured to retain logs for at least 90 days, or longer depending on your stated policy. If you have a sizeable environment you probably want to limit the size of …

Security Audit – Generic accounts have to be explained

Justifying generic accounts is going to be an issue in any audit. Before you walk into the room, have a list of all the “principals”, that is, users or groups. You will be expected to explain each one, and will typically be asked to search the logon events to see whether they were used. Some of the …

Security Audit – vCenter user roles, and assigned permissions

So once you have established that the source of accounts isn’t vCenter, it needs to be made clear that permissions are not directly assigned to users or groups. Make sure you understand this: vCenter uses Roles, and permissions are assigned to the role, not the user. Roles and assignment can …

Security Audit – User Access Audit Trail

Here are a couple of diagrams that help clarify the path of an account logon and the audit trail. You want the auditor to realize that the start of the trail depends on the origin of the account, but once LDAP/AD has validated the logon, access to vCenter is traceable. Windows domain: This is the best …

Surviving a security audit

The main point of a security audit is not to try and strangle the auditor; he is just doing his job, although you might think he is there to make your life impossible. I have put together a collection of posts; the configuration settings are all publicly available, mainly from VMware’s Hardening Guide, so there …

Security Audit – Sources of vCenter accounts

Explain on day one that there are multiple logon sources… this is really important, as he will go away and request evidence from the domain and Windows admins about user creation and deletion, password policy, etc… Simply put, there are no users created in vCenter; they all originate somewhere else. Even SYSTEM-DOMAIN accounts are not created in …