Aka vSphere Hardening – Part 6
In Part 4 of this series, we ended with the collection of Data from our vCenter Server.
Before we continue, I will point to a few issues I have encountered while working with vCM.
First, while opening one of the Dashboards (Console -> Dashboards -> Select dashboard), the following error message was received: “An error has occurred performing an SRS security request. You must use Internet Explorer with the Run as administrator option to view dashboard reports when working locally on the Collector.”
VMware has multiple Knowledge Base articles discussing this error. The one that solved the problem in my case was KB “SSRS authentication must be configured in two-tier and three-tier installation environments that use Basic authentication (2000082)”. Also note, I run a one-tier installation!
But that was not all…
Now that the Dashboards came alive, one of their best features, the drill-down functionality, did not work. IE sometimes showed the “Only secure content is displayed” message. This issue was resolved by adjusting one of many IE settings. In IE, go to “Internet Options”, open the “Security” tab, click “Custom level…” and make sure that “Display mixed content” is set to “Enable”.
This series about the vCenter Configuration Manager (vCM) started with a reason: to explore the compliance capabilities of vCM. So let’s continue.
As you can see in the menu, a complete section has been dedicated to enforcing Compliance.
But before we can take off, another task awaits. Compliance does not query an individual VM, but compares the data gathered during a Collection with compliance templates. Those compliance templates contain the rules that are set in regulations like Sarbanes-Oxley and HIPAA, or in Hardening and Best Practices guides.
First we need to download and import the templates. VMware provides predefined templates that you can download from the Center for Policy and Compliance. Once downloaded, templates can be modified to your needs.
The Content Wizard Tool comes with the installation of the Collector.
- Make sure that the server has Internet access and start this tool (All Programs > VMware vCenter Configuration Manager > Tools > Content Wizard Tool).
- Select Get Updates from the Internet and click Next.
- After the updates are identified, click Next.
- Select the update(s) to install and click Install.
- The installation takes some time; do not interrupt it.
- When the import process is finished, review the Event Log Results to verify a successful download and click Close.
When we take a closer look in the Compliance section, under the “Virtual Environment Compliance” section, the structure of the templates becomes clear. The elements are: Templates, Rule Groups, Rules, Filters and Exceptions.
- Templates consist of one or more Rule Groups.
- Rule Groups: A rule group comprises rules and filters.
- Rules: The rules define the optimal configuration standards (the actual check).
- Filters: The filters limit the machines on which the template runs to only the machines that meet the filter criteria. If filters are not defined, the rules are run against all machines in the machine group based on the data types against which the rules run.
- Exceptions: The exceptions are optional permanent or temporary exceptions to the template results. The defined exception indicates that a specific result is compliant or noncompliant, even though it does not match the requirements of the rules.
And finally an example of a Filter.
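The template structure described above (rule groups, rules, filters, exceptions), modeled in Python as an added example; it is not part of the original post and not vCM's own code or API. The class names, VM names and sample values are hypothetical, and the data-type scoping mentioned under Filters is left out for brevity.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

@dataclass
class Rule:                      # the actual check against collected data
    name: str
    check: Callable[[dict], bool]

@dataclass
class RuleGroup:                 # rules plus an optional filter
    rules: list
    machine_filter: Optional[Callable[[dict], bool]] = None  # None: all machines

@dataclass
class RuleException:             # overrides a result, permanently or until a date
    machine: str
    rule: str
    compliant: bool
    expires: Optional[date] = None

def run_template(rule_groups, machines, exceptions=(), today=None):
    """Compare collected records with a template; return {(machine, rule): status}."""
    today = today or date.today()
    active = {(e.machine, e.rule): e.compliant for e in exceptions
              if e.expires is None or e.expires >= today}
    results = {}
    for group in rule_groups:
        for m in machines:
            if group.machine_filter and not group.machine_filter(m):
                continue         # filtered out: rule is not run, no result row
            for rule in group.rules:
                key = (m["name"], rule.name)
                ok = active.get(key, rule.check(m))   # exception wins over the check
                results[key] = "Compliant" if ok else "Non-Compliant"
    return results

# Constructed sample collection (hypothetical VMs and values).
MACHINES = [
    {"name": "web01", "powered_on": True, "settings": {"isolation.tools.copy.disable": "true"}},
    {"name": "db01", "powered_on": True, "settings": {"isolation.tools.copy.disable": "false"}},
    {"name": "app01", "powered_on": True, "settings": {}},
    {"name": "old01", "powered_on": False, "settings": {}},
]
COPY_RULE = Rule("copy-disabled",
                 lambda m: m["settings"].get("isolation.tools.copy.disable") == "true")
TEMPLATE = [RuleGroup([COPY_RULE], machine_filter=lambda m: m["powered_on"])]
EXCEPTIONS = [RuleException("db01", "copy-disabled", True, expires=date(2030, 1, 1))]
```

Note that an active exception hides a real misconfiguration (db01 here) until it expires, so temporary exceptions with an expiry date keep the deviation visible over time.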
In another post, we will analyze the anatomy of a rule in more detail. For now let’s see how to apply a Template.
Select a Template and choose “Run Template”.
Next, you will be prompted to select options for the run. Depending on the kind of template, one of the options is the ability to enforce (or not) noncompliant results.
The progress is shown and when the run has completed successfully, the results are presented in an overview.
For a closer look at the results, press the “View Data Grid” button.
The second column shows the Status; the green sign means “Compliant”. To get a quick overview of the compliant and non-compliant results, drag the second column (header is not labeled) to the line that says: “Column Grouping”.
The Red exclamation mark in the Red circle means the status is Non-Compliant, Non Enforceable.
Reading the table this way is a bit hard. Resizing the column headers is not possible; another option is to select a row, right-click and select “View row cells”.
This view is much more comfortable. It is also possible to browse through the rows by using the arrow keys.
After installing VCM, doing the initial configuration, collecting data from our virtual environment, importing and running templates, we have come to the point that we have some compliance data available. In the next episodes we will explore the options to resolve non-compliant objects and ways to make sure that our environment stays compliant.
As always, I thank you for reading and I welcome your comments.
This post is the sixth part in a series about vSphere hardening. See also:
Part 1 vSphere Hardening, Introduction
Part 2 vSphere Hardening, Available Tools
Part 3 vCenter Configuration Manager – Installation
Part 4 vCenter Configuration Manager – Configuration
Part 5 vCenter Configuration Manager – The Videos
Part 6 vCenter Configuration Manager – First Run