Monday, June 11, 2012

vSphere Security - Hardening a VM

VMware provides a nice guide to describe the configuration items you can modify to further lock down your vSphere Host/VM/Network/vCenter.   I like the effort and attention VMware has given to security in all of their products.  They have clearly stood up to the challenge and responded to the fears about "Cloud Security."

Security lock down or hardening comes in three different sizes if you will.  Small, Medium and Large.  That's one way to think about security levels.  The other way to look at it is small is the least amount of hardening. Medium is a moderate level of lock down.  Large is the maximum level of lock down. Security hardening will break the application.  Much effort is needed to find a balance between the security engineer and the application administrator. 

It's important to note you still need to apply hardening to the operating system used for your virtual machine (like Windows, Linux, etc.) and the application (like Oracle, Apache, etc.).  I know, it never ends!  Not to mention every time you patch ANY of these software components you need to rescan and possibly reapply hardening tasks as needed.  Unless, of course, you are using Security Content Automation Protocol (SCAP), (and its components like Extensible Configuration Checklist Description Format - XCCDF or Open Vulnerability Assessment Language - OVAL) via XML or some machine-readable automated procedure to ensure your software configuration is always in compliance.  Let's put it this way. If you are NOT using SCAP or some equivalent then you SHOULD BE.  Having to repeat the tedious task of locking your systems down should never happen in this day and age.  It may take some time to set up something like SCAP across an enterprise but it's worth it. 

Here's the idea.  A script will surely follow.

Observe the current state of the parameter in question.  Then decided to modify it or accept the default configuration.

Parameter:  vmci0.unrestricted=FALSE
Setting: FALSE by default
Action:  Take the default
Threat:  The virtual machine can be exposed to others within the same system as long as there is at least one program connected to the VMCI socket interface.

Most of the virtual machine parameters changes take place in the vmx file.  Other areas where you might make security changes can exist in BIOS (CPU, HBA, etc.) at the ESXi level, Network, Storage and in vCenter.

I'll update this blog when my script has been tested and works for ESXi v5.0. Here it is:

# Power Shell Script
#
# john.lear@oombasecurity.com
# June 2012
#
# Description:  This script applies ALL recommended security settings
# in the vmx file for each virtual machine. Written for ESXi v5.0 virtual
# machines. This is script falls into the Large category for applying
# security hardening (out of the small, medium and large categories).
#
# Caution: These changes WILL BREAK SOMETHING. You must thoroughly test
# the application after making these changes.
#
#

# Set the array of parameters
# sorted in alpha order
# Options omitted:
# vmsafe.agentAddress    not present, or site-specific
# vmsafe.agentPort    not present, or site-specific
# ethernetn.filtern.name = filtername    undefined unless using dvfilter

$SecurityOptions = @{
    "floppyX.present"="false";
    "ideX:Y.present"="false";
    "isolation.bios.bbs.disable"="true";
    "isolation.device.connectable.disable"="true";
    "isolation.device.edit.disable"="true";
    "isolation.monitor.control.disable"="true";
    "isolation.tools.autoInstall.disable"="true";
    "isolation.tools.copy.disable"="true";
    "isolation.tools.paste.disable"="true";
    "isolation.tools.diskShrink.disable"="true";
    "isolation.tools.diskWiper.disable"="true";
    "isolation.tools.getCreds.disable"="true";
    "isolation.tools.ghi.autologon.disable"="true";
    "isolation.tools.ghi.launchmenu.change"="true";
    "isolation.tools.hgfsServerSet.disable"="true";
    "isolation.tools.memSchedFakeSampleStats.disable"="true";
    "isolation.tools.connectable.disable"="true";
    "isolation.tools.setGUIOptions.Enable"="false";
    "isolation.tools.unity.push.update.disable"="true";
    "log.keepOld"="10";
    "log.rotateSize"="100000";
    "parallelX.present"="false";
    "RemoteDisplay.maxConnections"="1";
    "scsiX:Y.mode"="nonpersistent";
    "serialX.present"="false";
    "tools.guestlib.enableHostInfo"="false";
    "tools.setInfo.sizeLimit"="1048576";
    "usb.present"="false";
    "vmci0.unrestricted"="false";
    "vmsafe.enable"="false"
}

# Add/Delete/Modify the options array above as needed
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec

# Call the GetEnumerator firt then apply each setting
Foreach ($Option in $ExtraOptions.GetEnumerator()) {
    $OptionValue = New-Object VMware.Vim.optionvalue
    $OptionValue.Key = $Option.Key
    $OptionValue.Value = $Option.Value
    $vmConfigSpec.extraconfig += $OptionValue
}

# Apply to all VMs NOT including templates
$VMs = Get-View -ViewType VirtualMachine -Property Name -Filter @{"Config.Template"="false"}

# Apply to all VMs INCLUDING templates
#$VMs = Get-View -ViewType VirtualMachine -Property Name

# For each VM apply security
foreach($vm in $vms){
    $vm.ReconfigVM_Task($vmConfigSpec)
}



Automation is the key to managing security hardening for any security program.  Without automation you'll find yourself repeating these steps.  Hardening is a critical part of the overall system security program.  Locking down a single system requires input and a lot of teamwork from your security, network, application and storage admins. 




Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)