Symantec standards based on VMware hardening guidelines cover only a subset of the security recommendations.

Article ID: 181689

Products

Control Compliance Suite Exchange

Issue/Introduction

Resolution

This HOWTO is about the two new VMware standards introduced in SCU 2013-3. 

  • VMware Hardening Guidelines ESXi 5.1 via vCenter
  • VMware Hardening Guidelines for vCenter Servers

When these standards are compared with the official VMware Hardening Guide, the Symantec standards cover only a subset of the security recommendations in the guide.

Symantec CCS can include only the “Parameter” type checks from the latest hardening guidelines in its VMware standards. The other check types, “Configuration” and “Operational”, are not part of the standard assessment because they are procedural or site-dependent in nature.

The VUM, SSO, Web Client and VCSA sections of the official VMware Hardening Guide contain no Parameter type checks, so they are not included in the Symantec standard.

Some key pointers to be aware of with these standards:

The following table lists the Hardening Guideline items whose Control Type is ‘Parameter’ but which are ‘not scorable’ by logic and are therefore not implemented.

Type | Item ID | Comments
--- | --- | ---
VM | verify-network-filter | Not scorable: enforcement of the hardening parameter depends on whether the VM is supposed to be protected by a product that uses the dvfilter API. Incorrect enforcement can negatively impact the functionality of tools that use the VMsafe API.
VM | verify-vmsafe-cpumem-agentaddress | Not scorable: enforcement of the hardening parameter depends on whether the VM is being protected by a VMsafe CPU/memory product. Incorrect enforcement can negatively impact the functionality of tools that use the VMsafe API.
VM | verify-vmsafe-cpumem-agentport | Not scorable: enforcement of the hardening parameter depends on whether the VM is being protected by a VMsafe CPU/memory product. Incorrect enforcement can negatively impact the functionality of tools that use the VMsafe API.
VM | verify-vmsafe-cpumem-enable | Not scorable: enforcement of the hardening parameter depends on whether the VM is being protected by a VMsafe CPU/memory product. Incorrect enforcement can negatively impact the functionality of tools that use the VMsafe API.
ESXi | enable-host-profiles | Not scorable: the appropriate Host Profile may vary.
ESXi | enable-remote-dump | Not scorable: the log server depends on the site. An assessment should ideally verify the validity of the log server, which is a procedural aspect.
ESXi | set-dcui-access | Not scorable: the list of highly trusted users varies from site to site. This needs a procedural check or audit.
ESXi | verify-acceptance-level-accepted | One of the 3 optional checks (the VIB acceptance level setting is chosen case by case and is site-dependent).
ESXi | verify-acceptance-level-certified | One of the 3 optional checks (the VIB acceptance level setting is chosen case by case and is site-dependent).
ESXi | verify-acceptance-level-supported | One of the 3 optional checks (the VIB acceptance level setting is chosen case by case and is site-dependent).
ESXi | verify-dvfilter-bind | Not scorable: depends on whether a dvfilter-based network security appliance is in use.
vCenterServer | restrict-datastore-web | Not scorable: user authorization varies from site to site. This needs a procedural check or audit.
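To show why the four VM items above cannot be scored from the VM's settings alone, the following added example (not Symantec CCS code) evaluates them only once a site profile states whether VMsafe and dvfilter products are actually in use; the VM advanced-setting keys are assumed from the VMware 5.1 hardening guide, and the sample settings and site profile are constructed.

```python
"""Site-context-aware evaluation of the 'not scorable' VM items.

Assumed advanced-setting keys: vmsafe.enable, vmsafe.agentAddress,
vmsafe.agentPort and ethernetN.filterM.name (VMware 5.1 hardening guide).
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_SCORABLE = "not scorable"  # site profile does not say whether the product is used


def _filter_keys(settings):
    # Keys of the form ethernetN.filterM.name bind a dvfilter to a vNIC.
    return [k for k in settings
            if k.startswith("ethernet") and ".filter" in k and k.endswith(".name")]


def _score(expected, present):
    # A setting is compliant when its presence matches the site's declared usage.
    return Result.PASS if present == expected else Result.FAIL


def evaluate_vm(settings, site):
    """settings: VM advanced settings as a dict of string values.
    site: dict with optional booleans 'uses_vmsafe' and 'uses_dvfilter'.
    Returns {guideline item id: Result}."""
    results = {}
    uses_dvfilter = site.get("uses_dvfilter")
    if uses_dvfilter is None:
        results["verify-network-filter"] = Result.NOT_SCORABLE
    else:
        results["verify-network-filter"] = _score(uses_dvfilter, bool(_filter_keys(settings)))

    uses_vmsafe = site.get("uses_vmsafe")
    vmsafe_items = {
        "verify-vmsafe-cpumem-enable": settings.get("vmsafe.enable", "").lower() == "true",
        "verify-vmsafe-cpumem-agentaddress": bool(settings.get("vmsafe.agentAddress")),
        "verify-vmsafe-cpumem-agentport": bool(settings.get("vmsafe.agentPort")),
    }
    for item, present in vmsafe_items.items():
        results[item] = Result.NOT_SCORABLE if uses_vmsafe is None else _score(uses_vmsafe, present)
    return results


# Constructed sample: a VM with VMsafe settings but no site profile at all.
SAMPLE_VM = {"vmsafe.enable": "TRUE", "vmsafe.agentAddress": "192.0.2.10", "vmsafe.agentPort": "1234"}
if __name__ == "__main__":
    for item, result in evaluate_vm(SAMPLE_VM, {}).items():
        print(f"{item}: {result.value}")
```

Without a site profile every item comes back as not scorable, which is the situation the table describes; with one, the same VM settings score pass or fail depending on the declared usage.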

1. Configuration and operational checks are site-specific or procedural in nature. Many of the recommendations in the VMware hardening guidelines call for appropriate user permissions or an appropriate usage pattern, without giving an absolute recommendation.

   E.g.: “Disable unnecessary VM functions” – only the customer can determine what is unnecessary.

   E.g.: “Use templates to deploy VMs whenever possible.” – this is too generic to harden or to turn into a clear recommendation.

2. To cover configuration and operational checks, one could use Symantec™ Control Compliance Suite Assessment Manager.

3. Some checks in the standard cover two or more guideline items, so the counts may not match exactly.

Customers who are concerned about the change in VMware’s position should contact VMware support to determine best practices for securing their VMware environments based on the change from CIS Benchmarks to the VMware Hardening Guidelines.