Media Quote
"Compliance Checker is a bit more robust than ConfigCheck as it allows for scanning multiple ESX hosts at once, scans against two different benchmarks and also allows you to print or save the results."
- Eric Siebert

Compliance Checker for VMware ESX User's Guide
Compliance Checker for VMware ESX is a Windows-based utility that enables you to assess the compliance of ESX 3.0 and ESX 3.5 servers against the VMware Security Hardening Guidelines and the Center for Internet Security (CIS) VMware ESX Server 3.x Benchmark. Use Compliance Checker to assess the compliance of up to five ESX servers at a time, after which you can print or save the results of your assessment, or learn more about how to remediate the ESX servers that failed the assessment.
Compliance Checker for VMware ESX uses the SSH protocol to assess up to five remote ESX 3.0 and 3.5 servers at one time. To perform these assessments successfully, you must first meet the following prerequisites.
Windows Workstation
The machine that you are installing Compliance Checker on must have:
- 70 MB of available disk space
- Microsoft .NET 2.0 SP 1 installed
Download .NET Framework here
- Internet Explorer 7.0 or Firefox 2.x installed with the following options set:
- JavaScript enabled
- Security options set to allow active content to run in files on My Computer (Internet Explorer only). See Troubleshoot for more information.
- One of the following supported operating systems:
- Windows XP SP2
- Windows Vista - Business edition SP1
- Windows Server 2003 SP2 - Enterprise edition
- Windows Server 2003 SP2 - Standard edition
In addition to these requirements, you should ensure that the machine you are installing this application on is trusted, all administrators on the machine are trusted, and that you have equipped the machine with the latest patch levels and anti-virus definitions.
ESX Servers
Compliance Checker does not require you to enter root passwords.
You may use one of three methods to configure access from Compliance Checker to your ESX 3.0 and 3.5 servers: sudo, su or standard login. To establish communication with your ESX servers, Compliance Checker will first attempt to use sudo. If it fails to switch to the root account, either because sudo is not configured, or because it is configured to switch to a non-root account, Compliance Checker will then attempt to switch to the root user via su with the (optionally) provided root password. If su succeeds, Compliance Checker will execute as the substitute (root) user. If su fails, or if the root password was not provided, Compliance Checker will execute as the logged-in account.
If you are executing Compliance Checker as the logged-in account, be advised that you may not be able to assess compliance across all rules in both guidelines. Many assessment results may display as "Unknown Status", simply because Compliance Checker was not given the appropriate privileges to verify the necessary data on the specified ESX servers.
Note: Industry best practice recommends that you configure your ESX 3.0 and 3.5 servers with sudo access before running your assessments.
| Access Method |
Description |
How to Configure |
| Sudo |
Sudo, or "do as another user," enables a System Administrator to grant users or groups of users the ability to run commands as root or another user, while providing an audit trail of their activities. |
1. On the ESX host, type "su - root" at the prompt to switch to root.
2. Run /usr/sbin/visudo to edit the sudoers file. visudo checks the file's syntax before saving it, so a typo cannot leave sudo unusable.
3. Add the following line to the end of the file, substituting the desired user ID for 'test_user':
test_user ALL=(ALL) NOPASSWD: ALL
4. Exit visudo.
Be aware that this entry grants 'test_user' unrestricted, passwordless root access on the host. Use a dedicated account for Compliance Checker, protect its password as you would the root password, and remove the entry when the assessments are complete.
|
| Su |
Su, or "substitute user," is a command used to switch to the root account. When sudo is not configured, Compliance Checker tries the (optionally) provided password to switch to root via su. |
If you'd like to exercise this option, fill in the optional root password during configuration of Compliance Checker. See Run an Assessment for more information. |
| Standard Login |
If you are not using sudo or su to configure access from Compliance Checker to your ESX 3.0 and 3.5 servers, then Compliance Checker will use the User ID and Password you provide to access your servers.
If you are using this method, be advised that Compliance Checker may not be able to assess compliance across all the rules in both guidelines. Many assessment results may display as "Unknown Status", simply because Compliance Checker was not given the appropriate privileges to verify the necessary data on the specified ESX servers. |
The account that you are using must be able to log in to the ESX server over SSH. Note that ESX does not allow root to log in directly over SSH by default, so supply a non-root account here.
Configure the User ID and password in the appropriate fields during configuration of Compliance Checker. See Run an Assessment for more information. |
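The following script is an added example and is not part of Compliance Checker or any Configuresoft code. It reproduces the access order described above (sudo first, then su with the optional root password, then the plain login account) and reports which account the checks would actually run as on a host, so you can predict "Unknown Status" results before running an assessment. The host name esx01.example.com, the user name test_user and the passwords are assumptions constructed for the demo; fake_host is a constructed stand-in for an ESX server so that the logic can be exercised offline, and ssh_runner shells out to the OpenSSH client for a real host.

```python
"""Pre-flight privilege probe mirroring Compliance Checker's access order.

Added example, not code from Compliance Checker or Configuresoft. Host names,
user names and passwords are constructed for the demo.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A Runner executes one command on the remote host and returns (exit status, output).
# `stdin` is text fed to the command; `tty` asks for a pseudo-terminal, which su
# needs because it reads the password from the controlling terminal, not a pipe.
Runner = Callable[[str, Optional[str], bool], Tuple[int, str]]


@dataclass
class AccessResult:
    method: str         # "sudo", "su" or "login"
    effective_uid: int  # uid the checks would run as; 0 is root
    note: str


def _uid_from_output(out: str) -> Optional[int]:
    """Last all-digit token in the output; a pty session also echoes the su prompt."""
    tokens = [t for t in out.replace("\r", "\n").split() if t.isdigit()]
    return int(tokens[-1]) if tokens else None


def probe_access(run: Runner, root_password: Optional[str] = None) -> AccessResult:
    """Follow the guide's escalation order and report the effective account."""
    # 1. sudo. -n makes sudo fail at once instead of prompting when NOPASSWD is not
    #    granted. Success with a non-zero uid means sudoers switches to a non-root
    #    target account; the guide says the tool then falls through to su.
    rc, out = run("sudo -n id -u", None, False)
    if rc == 0 and _uid_from_output(out) == 0:
        return AccessResult("sudo", 0, "sudo switches to root; all rules can be assessed")

    # 2. su with the optional root password (needs a pty, see Runner above).
    if root_password:
        rc, out = run("su - root -c 'id -u'", root_password + "\n", True)
        if rc == 0 and _uid_from_output(out) == 0:
            return AccessResult("su", 0, "su to root succeeded; all rules can be assessed")

    # 3. Plain login account, as a last resort.
    rc, out = run("id -u", None, False)
    uid = _uid_from_output(out) if rc == 0 else None
    if uid is None:
        raise RuntimeError("could not run commands as the login account")
    if uid == 0:
        return AccessResult("login", 0, "login account is already root")
    return AccessResult("login", uid,
                        "unprivileged login account; expect Unknown Status for rules that need root")


def ssh_runner(host: str, user: str) -> Runner:
    """Runner backed by the OpenSSH client. Assumes key or agent authentication for
    the SSH login itself; the root password for su is still supplied by probe_access."""
    def run(cmd: str, stdin: Optional[str], tty: bool) -> Tuple[int, str]:
        argv = ["ssh", "-o", "StrictHostKeyChecking=yes"]  # refuse unknown host keys
        if tty:
            argv.append("-tt")  # force a pty so su can read the password we send
        argv += [f"{user}@{host}", cmd]
        proc = subprocess.run(argv, input=stdin, capture_output=True, text=True, timeout=60)
        return proc.returncode, proc.stdout
    return run


def fake_host(sudo_root: bool = False, sudo_other: bool = False,
              root_pw: Optional[str] = None, login_uid: int = 500) -> Runner:
    """Constructed stand-in for an ESX host so the probe can be exercised offline."""
    def run(cmd: str, stdin: Optional[str], tty: bool) -> Tuple[int, str]:
        if cmd.startswith("sudo -n"):
            if sudo_root:
                return 0, "0\n"
            if sudo_other:
                return 0, "1001\n"  # sudoers switches to a non-root target user
            return 1, "sudo: sorry, a password is required to run sudo\n"
        if cmd.startswith("su - root"):
            if not tty:
                return 1, "su: must be run from a terminal\n"
            if root_pw is not None and stdin == root_pw + "\n":
                return 0, "Password: \r\n0\r\n"
            return 1, "Password: \r\nsu: incorrect password\r\n"
        if cmd == "id -u":
            return 0, f"{login_uid}\n"
        return 127, f"{cmd}: command not found\n"
    return run


if __name__ == "__main__":
    # Demo against constructed hosts; substitute ssh_runner("esx01.example.com", "test_user")
    # (a hypothetical host and account) to probe a real server.
    cases = [
        ("sudo NOPASSWD configured", fake_host(sudo_root=True), None),
        ("sudo to non-root, root pw given", fake_host(sudo_other=True, root_pw="s3cret"), "s3cret"),
        ("no sudo, wrong root pw", fake_host(root_pw="s3cret"), "wrong"),
        ("no sudo, no root pw", fake_host(root_pw="s3cret"), None),
    ]
    for label, host, pw in cases:
        r = probe_access(host, pw)
        print(f"{label:34} -> {r.method:5} uid={r.effective_uid}: {r.note}")
```

A result with method "login" and a non-zero uid is the situation the guide warns about: the assessment will run without root privileges and many rules will report Unknown Status. Fix it by adding the sudoers entry from the table above rather than by supplying the root password, so the root password never has to leave the workstation.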
Use the following procedure to install and start Compliance Checker for VMware ESX:
- Download VMWareComplianceChecker.msi to a Windows machine that has Microsoft .NET 2.0 SP1 installed.
Download .NET Framework here
- Double-click VMWareComplianceChecker.msi from its downloaded location to launch the installer. The Setup Wizard appears. Click Next.
- Accept the license agreement, and then click Next.
- Browse to select the location where you want to install Compliance Checker, and then click Next.
- Click Install to begin the installation.
- Click Finish to complete the installation.
- Click Start | All Programs | ComplianceCheckerForVMwareEsx.exe to launch the application.
Before you run an assessment of your ESX Servers, ensure that the account you are using to access those servers has sufficient privileges on each machine. In addition, make sure that the User ID and passwords supplied are valid for those accounts.
To run an assessment:
- Complete the fields within the ESX Servers option area as follows:
- IP Address or Hostname: Enter the IP Address or Hostname of the ESX 3.0 or 3.5 machine that you want to assess.
- User ID and Password: Enter the User ID and password of the account that you are using to access that ESX server. If you are using the same administrative account for all servers that you intend to assess, select the option Use the same User ID and Password for all ESX Servers. When this option is selected, only the first User ID and Password fields are editable. Compliance Checker automatically uses the credentials in these fields to access the remaining ESX servers.
- Root Password (optional): Enter the root password that you want Compliance Checker to use for su access to your ESX servers. This is only necessary if you want to use su to access your servers and have not configured sudo.
- Include in Assessment: Select the Assess box next to each server name to select the ESX servers that you want to assess. Compliance Checker retains the machine and account information between sessions. This enables you to enter machine information once, and then decide each time you launch the application which of those servers that you want to assess during that session.
- Click the optional Verify Connections if you want to verify that Compliance Checker can communicate with and collect data from the ESX servers that you intend to assess. If the verification has failed, an error message will appear describing the failure. See Troubleshoot for information on how to troubleshoot these connections.
- Click Assess Compliance to begin evaluating your ESX servers against the VMware Security Hardening Guidelines and the Center for Internet Security (CIS) VMware ESX Server 3.x Benchmark. Your results will appear in the Compliance Checker Summary screen in a separate web browser window. See View Results for information about this view.
Note: Due to the extent of this collection and the depth of this analysis, assessment could take a few minutes per ESX Server.
Compliance Checker retains the results of your most recent assessment only. To view a summary of these results, click View most recent results. The results from your most recent assessment will appear in the Compliance Checker Summary screen. See View Results for more information about this view.
The Compliance Checker Results screen displays both a Summary and a Detailed view of the guidelines that your ESX servers were assessed against. See the following sections for more information about each view.
Compliance Assessment Summary
The Compliance Assessment Summary view displays the compliance status of your ESX servers against the VMware Security Hardening Guidelines and the CIS VMware ESX Server 3.x Benchmark. Results are grouped into categories by color (see graphic below). Unknown results indicate that Compliance Checker for VMware ESX could not collect the data required to assess compliance for that rule.
- Policy View Summary Bars: The summary bars on the left side of the view display the percentage of the rules across all guidelines that the assessed ESX servers were compliant with. Results are displayed for each guideline, as well as for overall compliance with both guidelines. Use this view to quickly assess your overall compliance with one or both guidelines.
- Machine View Summary Bars: The summary bars on the right side of the view display the names of the assessed servers, and the percentage of the rules in each guideline that each of these individual servers passed. Use this view to quickly determine which ESX servers require immediate remediation.
Compliance Assessment Details
The Compliance Assessment Details view in the lower portion of the screen presents a tabular view of rules that the ESX servers were assessed against, and the pass/fail results of that evaluation. Click the tabs for each guideline to display the rules that your servers were assessed against.
Within this view, you can perform the following actions:
- View the Data: Hover over a test result icon to view the ESX server name.
- Remediate: Click the rule name or test result icon to view more information and remediation procedures on the Configuresoft website. This information opens in a new browser window, and will not erase your other results.
- Print: Click Printable Version from within the Compliance Assessment Summary title bar to print the results of your assessment.
Compliance Assessment Details Icons
The icons that appear within the Details view indicate whether the rule passed, failed, or is unknown because Compliance Checker could not collect enough data to evaluate that rule.
| Definition | Description |
| Passed Check | The machine met the requirements of the listed rule. |
| Failed Check | The machine failed to meet the requirements of the listed rule. |
| Unknown Status | Compliance Checker could not collect enough data to determine a definitive "Passed" or "Failed" result. This is likely because the appropriate privileges were not provided. |
| Machine Not Found | The machine could not be found. |
Refer to the following table for solutions to problems that you may experience while using Compliance Checker. For additional technical questions not described here, contact us at: compliancechecker@configuresoft.com.
| Symptom | Possible Cause | Solution |
| When I click Verify Connections, I receive an error message. | The account you are using does not have access to the ESX servers that you are attempting to assess. | Obtain an account with permission to access these servers. |
| | The User ID that you are using does not exist or is not valid. | Obtain a valid User ID. |
| | The password that you are using is not valid for the User ID. | Obtain the correct password for that User ID. |
| | Network problems are preventing your machine from communicating with the ESX server(s) that you are attempting to assess. | Troubleshoot your network and verify that you have connectivity before attempting another assessment. |
| | The ESX server(s) that you are attempting to connect to do not exist. | Verify that the servers exist on your network prior to attempting another assessment. |
| | You are supplying the root account in the User ID/Password fields, and your ESX servers are configured not to allow root to log in directly over SSH (the ESX default). | If you use sudo, provide a sudo-enabled account in the User ID/Password fields. Otherwise, provide a non-root account in the User ID/Password fields and the root password in the Root Password field, so that Compliance Checker logs in as the non-root account and then switches to root with su. |
| The application will not install on my machine. | Insufficient disk space. | Verify that you have 70 MB of available disk space prior to installing Compliance Checker. |
| The application will not run on my machine. | Required software is not present. | Verify that you have Microsoft .NET 2.0 SP1 installed on your machine prior to installing Compliance Checker. |
| | Browser settings are not configured properly. | Verify that JavaScript is enabled in your web browser.
In Internet Explorer:
- Click Tools | Internet Options.
- Select the Security tab.
- Click Custom Level.
- Under Scripting, select the Enable button for Active Scripting.
- Click OK.
In Firefox:
- Click Tools | Options.
- Select the Content tab.
- Select the Enable JavaScript checkbox.
- Click OK.
|
| | Insufficient disk space. | Verify that you have 70 MB of available disk space prior to installing Compliance Checker. |
| The Summary Results View does not display correctly, or at all. | Required software is not present. | Verify that you are using either Internet Explorer 7 or Firefox 2.x with JavaScript enabled prior to using Compliance Checker. |
| I was able to verify my connections, but when I click Assess Compliance, I get an error message. | Insufficient privileges on your ESX servers. | Verify that you have an administrative account with full permissions on the servers that you are attempting to evaluate, and that you are using a valid User ID and password for that account. |
| My reports are not printing correctly. | Print settings are set incorrectly. | If you are using Internet Explorer:
- Click Tools | Internet Options.
- Select the Advanced tab.
- Under Printing, check the Print background colors and images box.
If you are using Firefox 2.x:
- Click File | Page Setup.
- Select the Format & Options tab.
- Under Options, check the Print Background (colors & images) box.
|
| I am receiving an error message about Internet Explorer restricting the webpage from running scripts or ActiveX controls that could access my computer. | Internet Explorer is not configured to allow the content to run. | Click the error message, and then select the Allow Blocked Content... option. You must select this option each time you run the tool.
Alternatively, make the following configuration change so that you do not have to allow blocked content each time you run the tool:
- Click Tools | Internet Options.
- Select the Advanced tab.
- Under Security, check the option Allow active content to run in files on My Computer.
- Click OK.
|