
Configuration Management

Chapter 7 Configuration Management

This chapter presents the following topics:

Overview ... 98
vCenter host profiles ... 99
vSphere Update Manager ... 101
vCenter Configuration Manager ... 107
Use case 1: Configure a custom compliance standard ... 110
Use case 2: Apply exceptions to compliance templates ... 116
Summary ... 119


Overview

In the Federation Software-Defined Data Center, we applied the recommendations in the vSphere 5.5 Security Hardening Guide and security configuration recommendations from EMC and other vendors. This raises the challenge of how to apply these hardening recommendations and operational configurations consistently across all affected components in the hypervisor and virtualization plane. You also need to confirm that these configurations are in effect and remain so, ensuring adherence with electronic governance, risk, and compliance (eGRC) requirements, in addition to your internal IT or security standards.

Configuration management is a vital element of implementing secure systems consistently and in accordance with your security policies. It comprises a collection of steps focused on establishing a configuration baseline to maintain the integrity of the Federation Software-Defined Data Center and the resources it supports.

Many organizations’ IT and security groups face a significant challenge in gaining visibility into configuration management and compliance in their environments. To address this challenge in the Federation Software-Defined Data Center we use a number of native capabilities, such as:

vCenter host profiles ensure that a configuration set is applied consistently across all ESXi hosts. Host profiles also enable many vSphere Hardening Guidelines to be centrally applied. They provide a means to perform ad-hoc scans for host compliance with a profile and display alerts within the vSphere Web Client.

vSphere Update Manager enables patch management across virtual appliances and ESXi hosts and provides a means to install and update third-party software on ESXi hosts. Organizations can establish a baseline and audit compliance against it.

vCenter Configuration Manager extends the capabilities of vCenter host profiles and vSphere Update Manager to provide inventory and asset management, scheduled configuration and compliance scans, reports, and integration with vCenter Operations Manager. In addition, it enables patch management and configuration management of Windows and Linux guest operating systems and can audit the entire virtualized environment against many industry or regulatory frameworks and standards.


vCenter host profiles

vCenter host profiles ensure that a consistent configuration is applied across all vSphere ESXi hosts when the Federation Software-Defined Data Center is initially deployed and as it is scaled out to meet future capacity requirements. Specifically, host profiles:

• Ensure consistency for compliance

• Reduce the deployment time for new hosts

• Apply the same change to multiple hosts

To apply the same configuration settings to a group of vSphere ESXi hosts, you can create or import a host profile. When you create or import a host profile you must associate it with a reference host; this also allows you to update the profile from that reference host later.

When firmware upgrades or other events happen that require storage, network, or security configuration changes on multiple hosts in a cluster, you can edit the host profile and apply it across the cluster for consistent configuration updates. In addition, you can remove any settings that must be excluded from the host profile check to avoid propagating host configuration values that need to be unique across your environment. Figure 43 shows some of the available parameters that can be configured in a host profile.


When the host profile has been created and configured, it can be attached to one or more vSphere hosts or clusters. Once attached, the host configuration is compared against the host profile and any deviations are reported. For example, Figure 44 shows a non-compliant status for one of the hosts in the cluster.

Figure 44. View of host compliance status with host profile

Additional host profiles, shown in Figure 45, correspond to other clusters in our test environment that have different vDS configurations and demonstrate that you can have multiple host profiles according to your configuration requirements.

compliance status in the vSphere Web Client by selecting the host profile and selecting Monitor, as shown in Figure 45.

Figure 45. Compliance view of the clusters attached to the Resource Pods host profile

When compliance checks return a non-compliant status, a vCenter error event is generated that can be tracked in vCenter Operations Manager. While vCenter Operations Manager is beyond the scope of this security guide, it is discussed in detail in the Federation Software-Defined Data Center: Foundation Solution Guide.

vSphere Update Manager

Organizations that are unable to patch systems effectively and efficiently are susceptible to compromises that are easily preventable. Consider patch management carefully in the context of security, because it is important in establishing and maintaining a solid security baseline. In addition, patch management is a core requirement of various security compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), which requires that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.

To address patch management in the Federation Software-Defined Data Center, VMware vSphere Update Manager (VUM) is used to keep vSphere hosts and virtual appliances up-to-date. VUM automates patch management and eliminates manual tracking and patching of vSphere hosts and virtual appliances.


vSphere Update Manager includes these core features:

• A compliance dashboard to provide visibility into the patch and upgrade status of hosts and virtual appliances for compliance to static or dynamic baselines

• Staging and scheduling of patching for remote sites and scheduled maintenance windows

• Deployment of patches that are downloaded directly from a vendor website, including drivers, Common Information Model (CIM), and other updates from hardware vendors for VMware vSphere hosts

Patching can lead to compatibility errors that require remediation. VUM can eliminate the most common patching problems before they occur, ensuring that the time you save in batch-processing automation is not wasted later in performing rollbacks. Benefits of VUM include:

• Storing snapshots for a user-defined period, so that administrators can roll back the virtual machine if necessary.

• Securely patching offline virtual machines without exposing them to the network, reducing the risk of non-compliant virtual machines.

• Ensuring the most current version of a patch is applied with automatic notification services.

vSphere Update Manager compares the state of vSphere hosts with baselines, and can then stage and patch them to enforce compliance. Figure 46 shows examples of different types of baselines.

As an example, the Critical Host Patches baseline that ships with vSphere Update Manager, as shown in Figure 47, is configured to include any patch of severity Critical from any vendor for any product as its inclusion criteria. This is a good example of a dynamic baseline, where the baseline updates itself as vendors release additional patches that match the criteria. Fixed baselines are for upgrades, and extension baselines are statically defined.

Figure 47. Example of patch inclusion criteria for a vSphere Update Manager baseline

The inclusion criteria are granular; you can include or exclude individual patches, giving you the flexibility to define a custom baseline specific to your environment. In addition, you can include non-VMware extensions, such as EMC PowerPath/VE in a custom baseline, as shown in Figure 48.


Figure 48. EMC PowerPath/VE extension added to vSphere Update Manager custom baseline

This enables you to deploy EMC PowerPath/VE (and any other extensions) to all your ESXi hosts and ensure that consistent revision control is maintained throughout your environment. Baselines can be grouped together and included in a baseline group, as shown in Figure 49.

Figure 49. Components of the baseline group

Baseline groups are useful in applying multiple baselines to virtual appliances, hosts, clusters, or data center objects but especially when you audit compliance, because the compliance status can be viewed across the group of baselines, not individually. The vSphere Update Manager Compliance view in the vSphere Web Client provides a quick overview of your compliance status. An example is shown in Figure 50.


Figure 50. View of compliance state for the Core Pod

In this example, of the hosts in the cluster, 50 percent are out of compliance and the affected baseline group and individual baseline are red-flagged as non-compliant. In addition, the type of update is red-flagged on the affected host. To rectify this situation, click Remediate to start the remediation wizard. From there, the appropriate baseline can be applied to the affected assets, as shown in Figure 51.

Figure 51. Selection view of the vSphere Update Manager Remediation wizard

You can schedule the remediation for a later time and date. This is useful when you are restricted to a maintenance window and combine a scheduled remediation with the staging feature to ensure you meet your maintenance window requirements. As shown in Figure 51, the extension has already been staged.

The remediation wizard also allows for the selection of host remediation options including the virtual machine power state and the disabling of any removable media mounted to virtual machines on the hosts to be remediated. The cluster remediation


Figure 52. Cluster remediation options presented in the Remediation wizard

Selecting the Enable parallel remediation option, as shown in Figure 52, can significantly reduce the time to remediate by running the remediation tasks in parallel on clusters with two or more hosts and according to the resources in demand on the cluster at the time of remediation. It is important to note that when remediating a vSphere cluster with DRS enabled, all workloads remain available throughout the remediation process.


vCenter Configuration Manager

The security status of each cloud system changes dynamically. These changes may be caused by a cloud administrator operation introducing risk into the environment, cloud components that are susceptible to a vulnerability, or an external environment change such as a new attack method. Therefore, it is important to continuously monitor the security status of the Federation Software-Defined Data Center, mitigate or remediate the potential risk, and keep the system compliant to a security baseline. In this solution, we integrated VMware vCenter Configuration Manager (VCM) to build a configuration compliance audit and management system.

VCM provides a unified dashboard for managing configuration compliance. It integrates with vSphere to perform configuration data collection, which enables the vSphere infrastructure and its dependent components to be audited, exceptions to policy flagged, and remediation performed. Preset rules and templates are available that enable you to begin monitoring system compliance to regulatory (Sarbanes-Oxley or SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA), industry (PCI DSS), and Microsoft standards, as shown in Figure 53.

Figure 53. View of the VCM compliance dashboards showing vSphere Hardening compliance

Examples of elements that can be tracked for compliance are:

• Hypervisor configuration through vCenter host profiles

• Hypervisor and virtual appliance patch management through VUM baselines

• Linux and Windows guest OS configuration


Configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines, and regulatory mandates such as:

• Security best practices developed by the Defense Information Systems Agency (DISA STIGs), the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and many more

• Hardening guidelines from VMware and Microsoft

• Regulatory mandates such as SOX, the PCI standard, HIPAA, and FISMA

You can also use VCM to assess compliance with your own internal IT standard to drive best practices in your environment.

The integration between vCenter Operations Manager and VCM includes using the VCM compliance template results to contribute to the Risk badge score in vCenter Operations Manager, as shown in Figure 54.


Figure 55. vC Ops dashboard displaying compliance status summary

vCenter Operations Manager pulls the scores into the formulas used to calculate the Risk badge scores. When you review the standards compliance in vCenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring an object that is non-compliant back into compliance.

Enable operational compliance

Operational compliance views enable you to proactively enforce configuration standards, detect configuration drift early, and automatically remediate violations of IT policies. You can also harden the infrastructure for security and regulatory requirements. Preparing for and responding to an audit is no longer an intimidating and time-consuming process because, with automated reporting, you can pinpoint critical areas with ease. Compliance views are tightly integrated with the operations dashboard for comprehensive visibility into the health, risk, and efficiency of the infrastructure and applications.


Figure 56. Risk dashboard showing compliance status in environment

Use case 1: Configure a custom compliance standard

Compliance rules compare your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you import or create, to determine if the machines meet the standards. The results of the compliance run notify you what machines comply with or are in violation of the standards. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM.

Preset rules and templates are available that enable you to begin monitoring system compliance to any imported regulatory, industry, or vendor standards. You can create and manage rules and rule groups based on Active Directory, virtualization and physical objects and configuration data, or on machine data.

Note: The VCM Compliance Monitor does not query systems directly, but rather it queries the

Create a rule group

To create a rule group:

1. In the VCM console, navigate to Compliance > Virtual Environment Compliance > Rule Groups.

2. Click Add and then provide a name for the new rule, as shown in Figure 57.

Figure 57. VCM custom rule creation view

3. To add compliance rules to the rule group just created, expand the rule group, select Rules, and then click Add in the menu bar, as shown in Figure 58.

Figure 58. Creating a custom compliance rule

4. In this example, to check that vmtools is running in guest virtual machines, enter an appropriate rule name and description.

5. Select vCenter – Guests – Summary, as shown in Figure 59, from the list of Custom


Figure 59. Data type to select for custom compliance rule

6. Select the Conditional rule type to exclude those virtual machines that do not have vmtools installed.

7. On the next screen, click Add to create the “IF” rule criteria. Select Tools Version Status from the list and select the <> (NOT) operator, then click the ellipsis (…) to select the correct state.

8. To exclude virtual machines where vmtools is not installed, click the ellipsis and select ‘guestToolsNotInstalled’.

9. In the THEN panel, click Add to create the THEN rule criteria.

10. Select Tools Running Status from the list and click the ellipsis to choose the correct state.

11. To check that the vmtools are running, click the ellipsis and select ‘guestToolsRunning’, as shown in Figure 60.

12. On the Options screen leave the severity as Moderate and click Finish to exit the wizard.

Note: On the Options screen, you can change the severity according to your requirements.

You can also configure an automatic remediation action by enabling the enforcement checkbox and configuring the appropriate action.

Filtering the results

In this example, to show only those results for guests in the inventory of the two Federation Software-Defined Data Center vCenter servers, add a filter to the rule group but follow the same sequence, as shown in Figure 61.

Figure 61. Creating a custom compliance rule group filter

1. On the Data Type screen select vCenter – Guests – Summary, as shown in Figure 62. Select Basic as the rule type for the filter.

2. On the next screen specify the vCenters to filter by choosing the OR operator as indicated in Figure 62.

Figure 62. Selecting vCenters to filter


Compliance preview results

To test the compliance rule created, select the rule, click Preview, and choose Do not apply machine filters to preview. This produces a list of guests in the vCenter inventories that have vmtools installed but not running. A sample output is shown in Figure 63.

Figure 63. Sample out-of-compliance results for the custom vmtools rule
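To make the semantics of the rule and filter built above concrete (a guest that fails the IF condition is skipped rather than flagged, the rule-group filter decides which guests are assessed at all, and the preview option that does not apply machine filters evaluates every collected guest), here is an added Python model of that evaluation. It is not VCM code or the guide's own; the vCenter names and guest inventory are constructed, and the two status property values are the ones named in the steps above.

```python
"""Added example: evaluates the use case 1 VCM conditional rule
   IF   Tools Version Status <> guestToolsNotInstalled
   THEN Tools Running Status =  guestToolsRunning
over a constructed guest inventory, with and without the rule-group
vCenter filter (vCenter A OR vCenter B)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Guest:
    name: str
    vcenter: str                 # vCenter the guest was collected from
    tools_version_status: str    # e.g. guestToolsCurrent, guestToolsNotInstalled
    tools_running_status: str    # e.g. guestToolsRunning, guestToolsNotRunning


@dataclass(frozen=True)
class ConditionalRule:
    name: str
    condition: Callable[[Guest], bool]    # the IF panel
    requirement: Callable[[Guest], bool]  # the THEN panel
    severity: str = "Moderate"            # default left on the Options screen


VMTOOLS_RUNNING_RULE = ConditionalRule(
    name="vmtools running in guest",
    condition=lambda g: g.tools_version_status != "guestToolsNotInstalled",
    requirement=lambda g: g.tools_running_status == "guestToolsRunning",
)


def vcenter_filter(*vcenters: str) -> Callable[[Guest], bool]:
    """Basic rule-group filter: vCenter == first OR vCenter == second ..."""
    return lambda g: g.vcenter in vcenters


def evaluate(guests: Sequence[Guest], rule: ConditionalRule,
             machine_filter: Optional[Callable[[Guest], bool]] = None
             ) -> Dict[str, List[str]]:
    """Bucket guests as the compliance run would: filtered guests are not
    assessed; guests failing IF are excluded (not applicable); guests meeting
    IF are compliant or non-compliant depending on THEN."""
    results: Dict[str, List[str]] = {"excluded": [], "compliant": [], "non_compliant": []}
    for g in guests:
        if machine_filter is not None and not machine_filter(g):
            continue                                   # outside the rule group's scope
        if not rule.condition(g):
            results["excluded"].append(g.name)         # no tools installed: skip
        elif rule.requirement(g):
            results["compliant"].append(g.name)
        else:
            results["non_compliant"].append(g.name)    # tools installed, not running
    return results


# Constructed inventory: two SDDC vCenters plus an unrelated lab vCenter.
SAMPLE_GUESTS = [
    Guest("web01", "sddc-vc01", "guestToolsCurrent", "guestToolsRunning"),
    Guest("db01", "sddc-vc01", "guestToolsNeedUpgrade", "guestToolsNotRunning"),
    Guest("template01", "sddc-vc02", "guestToolsNotInstalled", "guestToolsNotRunning"),
    Guest("app02", "sddc-vc02", "guestToolsCurrent", "guestToolsNotRunning"),
    Guest("lab-vm", "lab-vc99", "guestToolsCurrent", "guestToolsNotRunning"),
]
SDDC_FILTER = vcenter_filter("sddc-vc01", "sddc-vc02")

if __name__ == "__main__":
    preview = evaluate(SAMPLE_GUESTS, VMTOOLS_RUNNING_RULE)              # "Do not apply machine filters"
    scoped = evaluate(SAMPLE_GUESTS, VMTOOLS_RUNNING_RULE, SDDC_FILTER)  # template/scheduled run
    for label, r in (("preview", preview), ("filtered", scoped)):
        print(f"{label}: {VMTOOLS_RUNNING_RULE.severity} violations -> {r['non_compliant']}")
```

Note that a guest with no tools installed never appears as a violation of this rule; if that state must also be reported, it needs its own rule rather than a change to this one.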

Add custom rule group to new template

A template is a collection of rule groups and can be included in scheduled collections. To add a custom rule group to a custom template:

1. Navigate to Virtual Compliance Templates.

2. Click Add in the menu bar, and then provide a name and description for the template, as shown in Figure 64.

Custom compliance template


Figure 65. Rule groups to choose from in the template creation wizard

4. To run the Custom Compliance Template to verify the configuration, select the Templates folder and click the newly created Custom Compliance Template.

5. Click Run Template. A configuration screen opens. Leave the options at default.

6. Click OK and the compliance run completes. Refresh the UI to see the resulting data rows.

To see a graphical representation of the compliance data results, click the newly created Custom Compliance Template in the navigation side bar. A summary is displayed similar to that shown in Figure 66.


Figure 66. Graphical summary of the Custom Compliance Template results

Use case 2: Apply exceptions to compliance templates

To temporarily or permanently override the specific template results, exceptions are used rather than explicitly resolving non-compliant results. The exceptions are applied against the compliance template results and indicate that a specific result is compliant or non-compliant even though it does not match the requirements of the rules. Examples of where exceptions may be necessary are:

• Avamar image-level backup and restore. Avamar uses the http datastore browser feature in vCenter to back up or restore virtual machines

The template to which you want to apply the exception must already exist. In our example we will create and apply the exception items against the VMware vSphere 5.5 Hardening Jun 2014 - vSphere Controls - No Guests compliance template.

Adding an exception for the datastore http browser

To create the MOB exception:

1. Navigate to Virtual Environment Compliance and select the Exceptions folder.

2. Click Add to start the wizard and provide a suitable name and description for the exception, as shown in Figure 67.

Figure 67. Navigating to the Compliance Exception wizard

3. On the next Templates screen, choose the compliance template to which you

Related documents