For this blog post I am using a Pre-GA version of vROPs 7.0 with the vSphere Security Configuration Guide standards however the key concepts are the same for 6.x and 7.x.
Security Compliance has been around in vROPs for some time however it is often overlooked. Sometimes I think customers would rather live with their heads buried in the sand than address it, but this stuff is really important and vROPs does a really good job of identifying key issues within an environment.
The compliance overview dashboards are located under the “Troubleshooting” section of the “Home” page. No compliance is enabled by default as you can see from the screenshot below (note that version 7 has more security standards available than 6.x).
At its core, Security Compliance in vROPs is the addition of symptoms and alert definitions keyed to the various standards that you as an administrator are trying to be compliant with. Some are provided by management packs whilst the vSphere Security Configuration Guide standards are already baked into the product (they still need enabling though!).
Turning on Compliance
In this example we are going to turn on the vSphere Security Configuration Guide standards. The “Enable” button on the compliance page does nothing to enable the standards. It simply takes you to the tab that you can use to enable it.
There are 2 ways to turn on the compliance checking depending on how your environment is configured. The first is to edit the vSphere solution adapter and enable the hardening alerts within the monitoring goals. This turns on a selection of hardening alerts within the vSphere Default Security Policy and therefore will likely affect (dependent on environment configuration) all vCenter systems, hosts and virtual machines.
The second method is to edit individual security policies within your environment so that you can have different configurations applied to different environments. Both methods involve editing security policies so this is where we will go to next. In our example we have chosen to apply the setting in the monitoring goals so our default policy now has some alerts enabled. The update has created an updated version of the default vSphere policy.
The compliance alerts can seen by editing the latest version and going to the “Alert/Sympton Definitions” section and filtering on “security”.
The vSphere Security Configuration Guide comes with 7 alert definitions with a different definition for each type of object that is covered by the guide. As we applied compliance using the monitoring goals, several of the alert definitions for security are enabled.
If we had not used the monitoring goals to apply compliance checking and instead wanted to apply checking on a per environment basis then each policy for a relevant environment could have been edited and the appropriate definitions enabled.
Using the monitoring goals to apply compliance checking also automatically applies 1 of 3 risk profile policies for virtual machines (risk profile 1). This is the most strict policy and measures machines against the highest number of symptoms. We generally describe the risk profiles as:
Risk Profile 1: guidelines that only be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc.
Risk Profile 2: guidelines that should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc.
Risk Profile 3: guidelines that should be implemented in all environments
The risk profiles are NOT additive, that is if you enable one you must disable the other 2.
Viewing Compliance Alerts
Compliance alerts are just like any other vROPs alert so they are visible on the object that the alert has been triggered on. Since enabling the alert definitions one of the machines in this environment has been flagged with a compliance issue. As such the “Risk” status has been updated as shown below.
The same alert is also seen from the “Alerts” tab.
Using the “Compliance” setting on the home screen, we can see all the alerts for compliance that are currently triggered and get an overview of which key areas the alerts have been triggered in.
Clicking on any of the triggered alerts will provide a summary of why the alert has been tripped and give you the information that you need to rectify it. What it will not do (at this time) is allow you to drive the rectification from vROPs. This would be a nice future enhancement!
What About Everything Else?
The other security standards (i.e. PCI) need to be installed from management packs available from the VMware Solution Exchange (requires Advanced or Enterprise vROPs license).
Here I have installed the PCI pack (please check compatibility with vROPs versions before installing). There is nothing to be configured within the management pack once it has been installed.
The management pack adds a new set of symptoms and alert definitions which can be enabled as per the vSphere Security Guide alerts/definitions (note that enabling the alert definitions will automatically enable any required symptom definitions).
Now when we return to the “Compliance” settings on the “Home” screen our “PCI Security Standards” is enabled and the compliance details can be viewed.
For more info on policies, alerts and symptom definitions check out: