I previously created a VMware vRealize Log Insight security operations center (SOC), which has been updated to support vSphere 6.5 U1. This release, with the SecureESX teaser, has been released on GitHub already. SecureESX has a bit of history behind it and has always been about auditing ESX and vSphere for security issues.
When SecureESX was first created, back in the days of ESX 2.x, there were no hardening guides that were any good. Specifically, there were no guides from VMware. There was a DISA STIG and a CIS Security guide. Soon afterward, VMware started to publish its own guide. The reason was simple. The DISA STIG and CIS guides were Linux-based, and as of ESX v3, Linux was not part of the equation any more.
This tool started as a shell script, migrated to Perl and then to PowerShell, and eventually to where it is now, a combination of vSphere Perl SDK and shell scripting. At one point, the tool used its own audit files as well, which combined VMware’s, CISecurity’s, and DISA’s audits into one file. However, this approach proved unworkable. So, the name stuck. SecureESX is really about vSphere: not ESX specifically, but VMs and ESXi at this time.
The approach used today is to take the raw guide from VMware, parse it, convert it and, using SCAP, gather audit data per Figure 1: SecureESX Workflow.
The long and short of this workflow is that by using standard processes, I can leverage the existing and accepted Security Content Automation Protocol (SCAP) tools, which require data in the eXtensible Configuration Checklist Description Format (XCCDF). These are extremely well known and are the format of the DISA STIG.
Now, with the latest vSphere Security Configuration Guide from VMware, the DISA STIG IDs for each audit element are listed within the guide. This means that we can use these IDs instead of the ones provided by VMware, which are subject to change. The DISA STIG ones are not subject to change between versions of the Security Guide.
First we use the SecureESX SOC add-on to show the current state of our vSphere environment according to the Security Guide published by VMware. Since the hardening guide contains multiple profiles (each more secure than the previous one) we can see how those profiles are impacted by the current state of the vSphere environment.
We can also view status by DISA STIG id: in this case, the failed DISA STIG ESXi Host and VM elements.
To get more detail, we would go to interactive views of the failed host or VM dashboards. Inside here, we can find out exactly which rules have failed.
By using the DISA STIG IDs, the VMware Security Guide takes on new meaning and new use cases, and it becomes the master guide for all of vSphere.
The SecureESX Addon to the Security Operations Center improves visibility and adds into the log analysis tool VMware vRealize Log Insight more visibility. We now can add data that has real import and impact into our environment: data you just cannot get from the logs. You can only get it from doing an audit!
Now, when your security team says to implement the security guide, you can run through the SecureESX Audit and ask them which profile they wish to implement. You can show the differences, the passes, and the failures.
As vSphere is upgraded, you will also see the changes within the security guide, the actual elements that were impacted and the corrective actions that needs to be repeated to have a secure vSphere environment. On top of that, it audits against the DISA STIG!