Tom Kemp's Centrify Blog
Auditing VMware ESX with DirectAudit and Hardening the VMware Infrastructure with the Centrify Suite
Thursday, June 25, 2009
This is the last in a series of blog posts on securing VMware environments. In this blog post I will discuss how you can audit interactive administrative access to VMware ESX with DirectAudit and how you can, in general, harden your VMware Infrastructure with the Centrify Suite. In past posts I discussed our enhanced support for securing heterogeneous virtualization platforms, how DirectControl provides significantly greater Active Directory integration capability than what comes out-of-the-box from VMware, and how DirectAuthorize complements vCenter Server by providing additional ways to manage roles and privileges in a VMware ESX environment.
As was the case for my last two blog posts, thanks to David McNeely, our Director of Product Management, for helping me out on this series of blog posts.
Auditing Interactive Administrative Access Using DirectAudit
ESX servers are typically one of the most crucial components in a virtualized infrastructure, and hence should be protected from security intrusion in the IT environment. Thus, all administrative access and activities on an ESX server should be logged and tracked. Centrify DirectAudit complements DirectControl by providing detailed and non-intrusive recording of UNIX and Linux user sessions, which gives auditors and security officers ad-hoc search and reporting capabilities. By using DirectAudit, the auditor now has an audit trail of which users accessed what systems, what commands they executed, and what changes they made to key files and data. To limit the amount of output, an administrator or auditor can further restrict the session auditing to a specific user or a specific shell.
When deployed in an ESX environment, DirectAudit strengthens your regulatory compliance reporting and helps you spot suspicious activity and detect deviances from standard usage patterns. It is made up of four primary components to provide detailed activity logging with centralized and correlated event reporting across all audited systems. The primary components are:
- DirectAudit Agent - to be installed on a system to be audited, such as the ESX Service Console or Guest Linux Virtual Machine.
- DirectAudit Collector Service - which runs on a Windows system on the network to receive audit logs and store the events in the Repository.
- DirectAudit Repository - which is based on Microsoft SQL Server and stores all audit information.
- DirectAudit Console - provides the auditor an interface to browse, search and replay any of the captured audit sessions.
Given the superuser privileges that are typically associated with administrator access to the VMware Service Console, VMware Infrastructure Management Assistant or VMware Studio, the DirectAudit agent should be installed on all of these VMware systems to ensure that the auditor has visibility into administrative access to all VMware management interfaces. The combination of DirectAudit on these Service Consoles and the audit logging that VMware provides within vCenter should provide the auditor complete visibility for all administrative operations across the Virtual Infrastructure.
Hardening the VMware Infrastructure with Centrify Suite
VMware provides guidance on how to harden your Virtual Infrastructure leveraging security best practices. These recommendations are designed to reduce risk and to increase security for all VMware components: the Virtual Machines, Service Console, ESX Server and Virtual Center. For further reading, the VMware Best Practices document on Security Hardening can be found at http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf.
As I discussed in this series of blog posts, Centrify provides solutions to secure an ESX server and its Service Console by centralizing identity and access management within Active Directory as well as auditing user activity. Centrify also provides additional controls via Group Policy to centrally manage a wide range of security settings for the operating system and many of the services that run on the hosts. Group Policy is a powerful security configuration management solution that was designed to scale to support configuration management of tens to hundreds of thousands of systems. Since many of the hardening procedures involve properly configuring the Virtual Infrastructure host, Group Policy plays an important role in enforcing security configuration policies. These policies are automatically applied once the computer has joined Active Directory, and they are periodically refreshed to ensure compliance with the policy. This automated policy enforcement greatly simplifies the provisioning of a new VMware server or Guest Virtual Machine, ensuring that the system has been properly configured for the desired security level.
Security Hardening of the Service Console and VIMA
While there are many recommendations throughout the Security Hardening document, we will highlight those settings that the Centrify Suite can centrally control to secure the VMware Service Console and Infrastructure Management Assistant.
- Use VI Client and vCenter to administer the hosts instead of the Service Console. DirectControl and DirectAuthorize provide controls to ensure that only the appropriate administrators are granted the right to log in to the Service Console. The administrator must be enabled through DirectControl for access to the Zone that the ESX host or VIMA system has joined. DirectAuthorize is also used to grant the appropriate rights to login interfaces, such as SSH, and to grant the rights to execute privileged commands. If these requirements are not met, the administrator will not be allowed to use the Service Console; however, the VI Client and vCenter system will continue to allow administration if administrative rights are granted within vCenter.
- Use a directory service for authentication. DirectControl establishes Active Directory as the authoritative directory service for all user accounts, granting login permissions for Active Directory users to the Service Console or VIMA system.
- Strictly control root privileges. The first challenge is to control the root account password to ensure that only a few upper-level administrators know the password. DirectControl can be configured to ensure that the root account password is centrally controlled by linking the local root account to a special account in Active Directory; this account's password will be required to su or log in to the root account. Additionally, DirectAuthorize defines roles and rights to grant administrators the specific privileges that are required to perform their duties, thus eliminating the need for administrators to know or access the root account directly.
- Limit access to su. DirectAuthorize controls all PAM calls to authenticate users, such as any user trying to su to any other account. Users who need to use the su command must be granted permissions to execute su. Additionally, Group Policy can be used to either update or push an appropriately configured /etc/pam.d/su file to control who can use this command.
- Use sudo. DirectControl provides a Group Policy to centrally manage the contents of the sudoers file, thus controlling who can execute specific commands with privilege. DirectControl should be used to map the root account to an Active Directory account, which locks down the root account and forces the usage of sudo. Additionally, DirectAuthorize provides enhanced privilege management so that privilege grants can be fine-tuned as needed. The primary benefits of DirectAuthorize over sudo are that privilege grants are linked to a single, centrally administered Active Directory user account, and dynamic policy distribution ensures current policies are applied to a Zone of computers or a single computer. Additionally, privilege grants can also be time bounded to specific start and end dates or to specific days and times during the week.
- Maintain proper logging. DirectControl can use Group Policy to push consistent configuration files, such as syslog.conf, to each system. DirectControl already provides many Group Policies to configure its own logging as well as the logging for DirectAuthorize. The VMware best practices call out a few specific requirements to ensure proper logging, such as:
  - Ensure accurate time-keeping. DirectControl is configured by default to establish time synchronization with the Active Directory domain controllers to ensure that Kerberos operates properly. This requirement ensures that all log files can be correlated based on an accurate representation of time.
  - Control growth of log files. DirectControl has a Group Policy to control log file growth for its own logs. Additionally, Group Policy can push a centrally defined syslog configuration file to the system which defines this setting.
  - Use remote syslog logging. Group Policy can be used to push the syslog.conf file where this setting would be defined.
  - Display different log-level messages on different screens. Group Policy can be used to push the syslog.conf file where this setting would be defined.
  - Use local and remote sudo logging. Group Policy can be used to add the entries to the sudoers file to properly set up sudo logging. Additionally, DirectAuthorize has its own set of logs, which can also be directed to remote syslog servers through an appropriately configured syslog.conf file.
- Secure SNMP configuration. Group Policy can be used to push an appropriately configured SNMP configuration file, snmpd.conf.
While several of these security settings are addressed with the features and functions provided by DirectControl and DirectAuthorize, many of these settings are centrally controlled by Group Policy, which DirectControl enforces on the ESX server as well as other UNIX or Linux guest virtual machines. Group Policy is a powerful way to ensure that these settings are enforced at the moment the ESX host has been joined to Active Directory, not to mention it is periodically refreshed based on the policy defined.
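Whether the pushed files actually landed on a host is something an auditor will want to verify independently of the policy engine. The following read-only check, added here as an example and not part of Centrify's or VMware's own tooling, tests a Service Console file tree against the su, sudo and syslog items above; the exact directives it looks for (a remote "@host" syslog target, a console target such as /dev/tty12, sudoers logfile/syslog Defaults, pam_wheel in /etc/pam.d/su) and the sample files it builds are assumptions standing in for your own baseline.

```shell
#!/bin/sh
# Added example (not Centrify's or VMware's code): read-only compliance check for the
# Service Console logging and su settings. Directives and paths are assumptions;
# adjust them to your hardening baseline. Usage: sh check_sc.sh [root_dir]

# Does syslog.conf forward at least one selector to a remote host (action starts with '@')?
has_remote_syslog() {
    grep -Eq '^[^#]+[[:space:]]+@[A-Za-z0-9.-]+' "$1/etc/syslog.conf"
}

# Are some messages also written to a separate virtual console (e.g. /dev/tty12)?
has_console_logging() {
    grep -Eq '^[^#]+[[:space:]]+/dev/tty[0-9]+' "$1/etc/syslog.conf"
}

# Does sudoers enable both a local log file and syslog logging?
has_sudo_logging() {
    grep -Eq '^Defaults[[:space:]]+.*logfile=' "$1/etc/sudoers" &&
    grep -Eq '^Defaults[[:space:]]+.*syslog=' "$1/etc/sudoers"
}

# Is su restricted to members of an admin group through pam_wheel?
has_su_restriction() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_wheel\.so' "$1/etc/pam.d/su"
}

# Build a constructed sample tree (assumed content) so the checks can run offline.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d"
    printf '%s\n' '*.info;mail.none;authpriv.none  /var/log/messages' \
        'authpriv.*  /var/log/secure' \
        '*.*  @loghost.example.internal' \
        'kern.*  /dev/tty12' > "$d/etc/syslog.conf"
    printf '%s\n' 'Defaults logfile=/var/log/sudo.log' 'Defaults syslog=auth' \
        '%esxadmins ALL=(root) /usr/sbin/esxcfg-firewall' > "$d/etc/sudoers"
    printf '%s\n' '#%PAM-1.0' 'auth  required  /lib/security/pam_wheel.so use_uid' \
        'auth  include  system-auth' > "$d/etc/pam.d/su"
    echo "$d"
}

# Run every check against a tree; one PASS/FAIL line per item, non-zero exit on any FAIL.
check_all() {
    rc=0
    for f in has_remote_syslog has_console_logging has_sudo_logging has_su_restriction; do
        if "$f" "$1"; then echo "PASS $f"; else echo "FAIL $f"; rc=1; fi
    done
    return $rc
}
```

Run it with the root directory omitted to check a live host, or point it at a copied /etc tree collected during an audit.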
Summary: Benefits of the Centrify Suite for Virtualized Environments
The Centrify Suite features outlined in this series of blog posts translate directly into tangible benefits for administrators. Some of these benefits for administrators and IT managers include:
- True centralized control for authentication, authorization and administration of ESX Server users and systems.
- Cost savings through easy-to-use installation, configuration and management, and provisioning / de-provisioning of ESX user accounts.
- Automated installation and setup, which means fewer mistakes, less downtime, reduced risk and faster time-to-market.
- Better security through centralized control of ESX Server assets and multi-level controls for user access and permissions.
- Enforcement of consistent security and configuration policies across banks of ESX servers through the DirectControl Group Policy engine.
- Ability to leverage existing Active Directory investments in infrastructure, tools, processes and skills.
- Centralized services and high availability of systems through off-line, cached login support.
- Less time spent setting and resetting user passwords on ESX servers. Users simply use their Active Directory username and password.
- Logging of system access and recording of user activities by DirectAudit, which reduces security exposure as companies strive to meet the requirements of new regulations and policies designed to protect systems, data, corporate information and customer information.
For more information on how Centrify can help secure VMware environments, you can check out these additional resources: