Symantec™ Enterprise Security Manager Modules for ESX and ESXi server User Guide

Release 2.0 for Symantec ESM 9.0.x and 10.0, for ESX and ESXi servers with support for reporting on vCenter server
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 2.0

Legal Notice

Copyright © 2010 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
http://www.symantec.com
Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our web site at the following URL:
www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following informationavailable:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL:
www.symantec.com/business/services/
Select your country or language from the site index.
Contents

Technical Support ... 4

Chapter 1  Introducing Symantec ESM Modules for ESX, ESXi, & vCenter servers ... 9
    About the Symantec ESM Modules for ESX, ESXi, & vCenter servers ... 9
    Where you can get more information ... 10
    Templates ... 10

Chapter 2  Installing Symantec ESM Modules for ESX, ESXi, & vCenter servers ... 13
    Before you install ... 13
    Minimum account privileges ... 14
    System requirements ... 15
    Disk space requirements ... 16
    Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server ... 16
    Silently installing the ESM modules for ESX server ... 20
    Silently configuring the ESM modules for ESX, ESXi, vCenter server ... 20
    Configuring the ESM modules for ESX, ESXi, vCenter server ... 21
        About types of configuration ... 22

Chapter 3  ESM Modules for ESX and ESXi servers ... 25
    ESX Configurations ... 25
        About reporting through the vCenter server ... 26
        Guest installed ... 26
        Guest status ... 27
        Copy disabled ... 27
        Paste disabled ... 28
        Setinfo messages disabled ... 29
        Guest time synchronization ... 30
        Guest connection control ... 30
        Host time synchronization ... 31
        Guest logging ... 31
        VMware Tools logging ... 32
        Guest log rotate size ... 32
        Guest old log keeping ... 33
        Set GUI Options disabled ... 33
        Host config option parameters ... 34
        NX/XD flag exposed to guest ... 35
    ESX Network ... 36
        About reporting through the vCenter server ... 36
        iSCSI enabled ... 36
        iSCSI CHAP authentication ... 37
        MAC address changes ... 37
        Forged transmission ... 38
        Promiscuous mode ... 39
        Service console firewall ... 39
        Port groups in VLAN ... 40
        SNMP traps setting ... 40
    ESX Patches ... 41
        About reporting through the vCenter server ... 42
        Patch templates ... 42
        Superseded ... 43
        Disable patch module ... 43
        Patch results summary ... 44
        Installed Patches ... 44
        ESXi updates ... 45
    ESX System ... 45
        About reporting through the vCenter server ... 45
        GRUB OS level password ... 46
        Boot loader password ... 46
        Root file system fill up ... 46
        Roles and privileges ... 47
        SU PAM Authentication ... 47
        ESX log auditing ... 48
        Execute on vCenter ... 48
        Lockdown mode ... 48
        Local accounts only ... 49
        Shell access ... 49
        Maintenance mode ... 49
        List users and groups ... 50
Chapter 1  Introducing Symantec ESM Modules for ESX, ESXi, & vCenter servers

This chapter includes the following topics:
■ About the Symantec ESM Modules for ESX, ESXi, & vCenter servers
■ Where you can get more information
■ Templates
About the Symantec ESM Modules for ESX, ESXi, & vCenter servers

The Symantec ESM modules for ESX, ESXi, & vCenter servers include the following four modules:
■ ESX Configuration
■ ESX Network
■ ESX Patches
■ ESX System
The ESX modules help to protect your ESX and ESXi servers from known security vulnerabilities by reporting the differences between the preferred and the actual settings on these servers.

ESX versions 3.0.2, 3.0.3, 3.5, 4.0, and 4.1 (see Table 2-1) support host-based reporting. For network-based reporting, the ESX modules must be installed on an ESM agent computer that runs Red Hat Enterprise Linux. You can then configure the ESX, ESXi, and vCenter servers that you want to report on.
Where you can get more information

For more information about Symantec ESM modules and Security Updates, see the latest versions of the Symantec Enterprise Security Administrator's Guide and the Symantec ESM Security Update User Guide.

For more information on Symantec Enterprise Security Manager (ESM), Symantec ESM Security Updates, and Symantec ESM support for database products, see the Symantec Security Response Web site.
Templates

Several of the documented modules use templates to store ESX and ESXi server parameters and object settings. Differences between the current settings and the template values are reported when the modules run.

Table 1-1 shows the modules and checks that use template files in Symantec ESM Modules for ESX, ESXi, & vCenter servers.

Table 1-1  Template names

Module             | Check name                    | Template name                | Predefined template
-------------------|-------------------------------|------------------------------|--------------------
ESX Configurations | Host config option parameters | ESX Configuration Parameters | esxdefaultconf.cox
ESX Patches        | Patch templates               | esxpatch.elx                 | esxpatch.elx
ESX Patches        | ESXi updates                  | ESXi Patch                   | esxipatch.ilx
ESX Network        | Port groups in VLAN           | ESX Port group in VLAN       | none
ESX System         | ESX log auditing              | ESX log audit                | none

Table 1-2 shows the modules and checks that use sample template files.

Table 1-2  Sample template names

Module      | Check name          | Sample template
------------|---------------------|-----------------------
ESX Network | Port groups in VLAN | esxgrpvlan_sample.lan
ESX System  | ESX log auditing    | esxlogaudit_sample.evt

Note: The sample templates are for reference only. You can use the sample templates to create customized templates so that the check reports on the values that you specify in the template.
Chapter 2  Installing Symantec ESM Modules for ESX, ESXi, & vCenter servers

This chapter includes the following topics:
■ Before you install
■ Minimum account privileges
■ System requirements
■ Disk space requirements
■ Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server
■ Silently installing the ESM modules for ESX server
■ Silently configuring the ESM modules for ESX, ESXi, vCenter server
■ Configuring the ESM modules for ESX, ESXi, vCenter server
Before you install

When an ESX server is installed, the default firewall setting blocks incoming and outgoing ports. To establish communication between the ESM manager and the ESM agent that is installed on the ESX server, open ports 5600 and 5601 before you install the ESM agent on the ESX server.

To install the modules, you need the following:

CD-ROM access: At least one computer on your network must have a CD-ROM drive.

Account privileges: You must have access to an account with superuser privileges on each computer where you plan to install the modules.

Connection to the manager: Verify that the Symantec ESM enterprise console can connect to the Symantec ESM manager.

Agent and manager: The Symantec ESM agent must be running and registered to at least one Symantec ESM manager.
Minimum account privileges

You can use the following minimum account privileges for installation and reporting:

■ Minimum privileges to install the ESM ESX Modules
You must have superuser privileges (for example, root) to install the ESM ESX Modules on an ESX host and on Red Hat Enterprise Linux.

■ Minimum account privileges for reporting on vCenter, ESX, and ESXi 3.5 or later
You must configure the ESM ESX modules with the ESX, ESXi, or vCenter server so that an ESM policy with the ESX modules and the appropriate checks selected can be executed on the configured servers. During configuration, you must provide the server details, such as the server name or IP address, and the name of a user account that has the appropriate privileges or permissions on that server. This user account is used as the logon account to connect to the respective ESX, ESXi, or vCenter server. The configuration details are provided when you run the esxsetup binary. The minimum permission required for the configured user account is a role that has the Global.Diagnostic privilege assigned to it (for example, a precreated user with such a role).
For more information on how to run esxsetup, see "Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server" on page 16.

Note: While you configure the server with domain\user, you must enclose the value in single quotes, as 'domain\user'.
Warning: If you use less than the recommended privileges for the accounts that the ESX Application module uses for reporting, then a few checks may not function correctly. This could also result in intentional or unintentional blocking of the module's ability to report on the conditions that you need to know exist.
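The least-privilege requirement above (a role that carries the Global.Diagnostic privilege, and no more than the reporting account needs) can be verified before you run esxsetup. The following is an added example, not code from the Symantec guide or product: it audits the logon account's role against that minimum and flags every privilege beyond it. The role and permission records are constructed samples shaped like vSphere's AuthorizationManager objects; the privilege id Global.Diagnostics is the vSphere name of the privilege the guide cites; the live_audit() lookup assumes pyVmomi, which the guide does not mention, and is not exercised offline.

```python
# Added example (not from the Symantec guide): audit the vCenter/ESX logon
# account that the ESM ESX modules use against the least privilege the guide
# requires. Role and permission records are constructed samples shaped like
# the vSphere AuthorizationManager objects; live_audit() assumes pyVmomi.

REQUIRED_PRIVILEGES = {"Global.Diagnostics"}   # vSphere id of Global.Diagnostic
# Every vSphere role carries these three; they do not count as excess.
BASELINE_PRIVILEGES = {"System.Anonymous", "System.View", "System.Read"}

# Constructed sample: roleId -> (name, privilege ids), as roleList exposes them.
SAMPLE_ROLES = {
    -1: ("Admin", ["System.Anonymous", "System.View", "System.Read",
                   "Global.Diagnostics", "Host.Config.Firmware",
                   "VirtualMachine.Interact.PowerOff"]),
    101: ("ESM-Diagnostics", ["System.Anonymous", "System.View",
                              "System.Read", "Global.Diagnostics"]),
    102: ("ReadOnly", ["System.Anonymous", "System.View", "System.Read"]),
}

# Constructed sample: entries as RetrieveAllPermissions() returns them.
SAMPLE_PERMISSIONS = [
    {"principal": "CORP\\esmreader", "roleId": 101, "entity": "Datacenters", "propagate": True},
    {"principal": "CORP\\esmlegacy", "roleId": -1, "entity": "Datacenters", "propagate": True},
    {"principal": "CORP\\auditor", "roleId": 102, "entity": "Datacenters", "propagate": True},
]


def audit_role(privileges):
    """Compare one role's privilege ids with the minimum the ESM modules need.

    Returns (ok, missing, excess): ok is True when Global.Diagnostics is
    present; excess lists privileges the reporting account does not need.
    """
    privs = set(privileges)
    missing = sorted(REQUIRED_PRIVILEGES - privs)
    excess = sorted(privs - REQUIRED_PRIVILEGES - BASELINE_PRIVILEGES)
    return (not missing, missing, excess)


def audit_principal(principal, permissions, roles):
    """Audit every permission granted to one logon account.

    Principal names are compared case-insensitively (Windows domain names
    are). An empty result means the account holds no permission at all and
    cannot serve as the esxsetup logon account.
    """
    findings = []
    for perm in permissions:
        if perm["principal"].lower() != principal.lower():
            continue
        role_name, privileges = roles.get(perm["roleId"], ("<unknown role>", []))
        ok, missing, excess = audit_role(privileges)
        findings.append({"entity": perm["entity"], "role": role_name,
                         "ok": ok, "missing": missing, "excess": excess})
    return findings


def live_audit(host, user, password, principal):
    """Same audit against a real vCenter (assumes pyVmomi; not run offline)."""
    from pyVim.connect import SmartConnect, Disconnect  # assumption: pyVmomi installed
    si = SmartConnect(host=host, user=user, pwd=password)
    try:
        am = si.content.authorizationManager
        roles = {r.roleId: (r.name, list(r.privilege)) for r in am.roleList}
        permissions = [{"principal": p.principal, "roleId": p.roleId,
                        "entity": str(p.entity), "propagate": p.propagate}
                       for p in am.RetrieveAllPermissions()]
    finally:
        Disconnect(si)
    return audit_principal(principal, permissions, roles)


if __name__ == "__main__":
    for account in ("CORP\\esmreader", "CORP\\esmlegacy", "CORP\\auditor"):
        for f in audit_principal(account, SAMPLE_PERMISSIONS, SAMPLE_ROLES):
            verdict = "OK" if f["ok"] else "MISSING " + ",".join(f["missing"])
            print(f"{account:16} {f['role']:16} {verdict:28} excess={f['excess']}")
```

Run against the samples, CORP\esmreader passes cleanly, CORP\auditor is rejected because its read-only role lacks Global.Diagnostics, and CORP\esmlegacy passes but is reported with two excess privileges: that is the account the Warning above is about, since a compromise of the module's stored credential would then carry host-configuration and power-off rights it never needed.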
System requirements

Table 2-1 lists the supported ESX server versions for host-based reporting.

Note: As per Symantec's End of Life product support policy, the ESM Modules for ESX servers are only supported on ESX version 3.0.2 until August 2010.

Table 2-1  Supported ESX server versions for host-based reporting

Architecture | Supported ESX versions
-------------|-----------------------------
x86, x86_64  | 3.0.2, 3.0.3, 3.5, 4.0, 4.1

Note: Host-based reporting works only on the ESX server.

Table 2-2 lists the supported ESX, ESXi, and vCenter server versions and operating systems for network-based reporting.

Table 2-2  Supported ESX, ESXi, and vCenter server versions and operating systems for network-based reporting

Supported operating system           | Supported OS versions | Architecture | Supported ESX versions
-------------------------------------|-----------------------|--------------|-------------------------------------------------------------
Red Hat Enterprise Linux ES (32-bit) | 5.1, 5.2, 5.3, 5.4    | x86          | 3.5, 3.5i, 4.0, 4.0i, 4.1, 4.1i; vCenter server update 4.0.x
Red Hat Enterprise Linux ES (64-bit) | 5.1, 5.2, 5.3, 5.4    | x64          | 3.5, 3.5i, 4.0, 4.0i, 4.1, 4.1i; vCenter server update 4.0.x

Note: vCenter server update 4, installed on the Windows 2003 (x86, x64) and 2008 (x86, x64) platforms, supports network-based reporting.

Disk space requirements

Table 2-3 lists the free disk space that you require to install the ESM modules for ESX server.

Table 2-3  Disk space requirements

Supported operating system                      | Architecture | Disk space
------------------------------------------------|--------------|-----------
ESX 3.0.2, 3.0.3, 3.5, 4.0, 4.1                 | x86, x86_64  | 170 MB
Red Hat Enterprise Linux ES (32-bit and 64-bit) | x86, x64     | 170 MB
Installing and configuring the ESM Modules for ESX, ESXi, and vCenter server

You can use esmesx.tpi to install the ESX module on the ESM agent computer.

The installation program does the following:

■ Extracts and installs the module executables, the configuration (.m) files, and the template files.
■ Registers the .m and the template files by using the ESM agent's registration program.

Note: If you have already registered the .m files during a module installation on an agent that is installed on the same platform, then you do not have to re-register the .m files.

■ Launches esxsetup for configuration.
To install the ESM modules for ESX, ESXi, vCenter server

1 From the product disc, run esmesx.tpi.
You can also download esmesx.tpi from the Security Response Web site and copy it to the desired location.

Note: You can use the LiveUpdate feature if you want to upgrade the existing ESX module version to the latest version. For more information on LiveUpdate, refer to the Symantec Enterprise Security Manager Installation Guide.

2 Choose one of the following options:
Option 1: Display the contents of the package.
Option 2: Install the module.

3 The "Do you wish to register the template or .m files?" message appears. Do one of the following:
■ Type Y if the files are not registered with the manager.
■ Type N if the files have already been registered.
See "To configure the ESX, ESXi, vCenter servers on the ESM agent computers" on page 18.
See "To configure for the ESX, ESXi, vCenter by using generic credentials" on page 19.

Note: You must register the template and the .m files once for the agents that use the same manager on the same operating system.

4 Enter the ESM manager that the agent is registered to.
Usually, it is the name of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM manager. The default port is 5600.

9 Enter the name of the agent as it is currently registered to the ESM manager.
Usually, it is the name of the computer that the agent is installed on. Then do one of the following:
■ Type Y; the agent continues with the registration to the ESM manager.
■ Type N; the setup prompts you to re-enter the details of the new manager.
When the extraction is complete, you are prompted to add configuration records to enable ESM security checking for your ESX server.

10 The "Continue and add configuration records to enable ESM security checking for your servers? [yes]" message appears. Do one of the following:
■ Type Y to configure the ESX module on the agent computer.
■ Type N; the program installation continues without configuration.
To configure the ESX, ESXi, vCenter servers on the ESM agent computers

1 To add a configuration record for the server, do the following:
■ Enter the server name or IP.
■ Enter an option to choose the connection mode. It can be either HTTP or https.
■ Press Enter to select the default port, or enter a custom port.

2 Enter the logon account for the server.
See "Minimum account privileges" on page 14.

3 Enter the password for the logon account.

4 Re-type the password for confirmation.

5 The "Do you want to specify a server certificate for client authentication? [yes]" message appears. Do one of the following:
■ Type Y if you want to specify a server certificate for client authentication. You must enter the complete path of the certificate file, which must exist on your ESM agent computer. You can download the certificate file from the ESX, ESXi, or vCenter server.
■ Type N if you do not want to specify a server certificate for client authentication. Without the certificate, client authentication is not used (see the -C option in Table 2-5).

6 The "Do you want to validate the connection before saving the configuration record? [yes]" message appears.
■ Type Y if you want to validate the connection. If the validation is not successful, the installation program reports an error message and the record is not saved.
■ Type N if you do not want to validate the connection.

7 The "Would you like to add another ESX server to configuration record?" message appears.
■ Type Y if you want to add another server.
■ Type N if you want to end the installation program.

To configure for the ESX, ESXi, vCenter by using generic credentials

1 The "Do you want this record to be configured to use generic credentials? [no]" message appears. Do one of the following:
■ Type Y if you want the record to be configured to use generic credentials. The installation program displays a warning message to configure the generic credentials if you have not yet configured them.
■ Type N if you do not want the record to be configured to use generic credentials.

2 The "Do you want to specify a server certificate for client authentication? [yes]" message appears. Do one of the following:
■ Type Y if you want to specify a server certificate for client authentication. You must enter the complete path of the certificate file, which must exist on your ESM agent computer.
■ Type N if you do not want to specify a server certificate for client authentication.

3 The "Do you want to validate the connection before saving the configuration record? [yes]" message appears.
■ Type Y if you want to validate the connection. If the validation is not successful, the installation program reports an error message and the record is not saved.
■ Type N if you do not want to validate the connection.

4 The "Would you like to add another ESX server to configuration record?" message appears.
■ Type Y to add another server record.
■ If you type N, the configuration exits and the setup continues with the installation program. After you have created the configuration records for each ESX server, the program lists all of the configuration records.
Silently installing the ESM modules for ESX server

You can use esmesx.tpi to install the ESM ESX module silently.

Table 2-4 lists the command line options for silently installing the ESM modules on ESX server.

Table 2-4  Options to silently install the ESM modules on ESX server

Option | Description
-------|------------
-h     | Display Help.
-d     | Display the description and contents of this tune-up/third-party package.
-i     | Install this tune-up/third-party package.
-f     | Force an installation of the package.
-U     | Specify the ESM user name.
-e     | Skip the configuration during installation.
-P     | Specify the ESM user's password.
-p     | Specify the TCP port to use.
-m     | Specify the ESM manager name.
-t     | Connect to the ESM manager by using TCP.
-g     | Specify the ESM agent name to use for re-registration.
-K     | Do not prompt for nor do the re-registration of the agents.
-L     | Specify the application name.
-N     | Do not update the report content file on the manager.
-Y     | Update the report content file on the manager.

A password given with -P is part of the command line, so it is visible to other local users in the process list and may be recorded in the shell history; where that matters, use the interactive installation instead.
Silently configuring the ESM modules for ESX, ESXi, vCenter server
You can use the esxsetup to silently configure the ESM modules for the server. You can find the esxsetup at /esm/bin/<OS architecture>/esxsetup.
Table 2-5 lists the options for silently configuring the ESM modules for the server.
Table 2-5 Options to silently configure the ESM modules for ESX, ESXi, vCenter server
Option   Description
-S       Specify the server host name or IP.
-M       Specify the connection mode [HTTP or https].
-p       Specify the port where the HTTP or https is configured, or the connection mode will use the default ports.
-sv      Skip connection validation.
-g       If you specify this option, then the generic credentials are used to log on to the respective server.
-L       Specify the authorized logon account.
-P       Provide the password for the specified logon account.
-C       Specify the name and the path of the certificate file for client authentication. Without this certificate, client authentication will not be used.
For example,
./esxsetup -S server -M mode [-p port] [-sv] {-g | -L login -P password} [-C certpath]
Note: If you do not specify any option, then ./esxsetup runs with the -h option.
Configuring the ESM modules for ESX, ESXi, vCenter server
You can use the esxsetup to configure the ESM modules for the server. You can find the esxsetup at /esm/bin/<OS architecture>/esxsetup.
Configuration is the method by which the Application module saves information about the servers it has to report on.
Table 2-6 lists the options to configure the ESM modules interactively.
Table 2-6 Options to configure the ESM modules for ESX, ESXi, vCenter server interactively
Option   Description
-h       Display Help.
-c       Create configuration records for the servers that should be scanned. Note: This option overwrites the existing configuration file.
-l       List all the configured servers.
-a       Add new configuration records for the servers that should be scanned.
-m       Modify the existing configuration records of the server.
-G       Add the configuration record for the generic credentials.
-rg      Remove the generic credential information.
-gif     Specify the file name that contains the encrypted generic credentials.
-gof     Specify the file name where you save the encrypted generic credentials.
For example,
./esxsetup : [-h | -c | -l | -a | -m | -G | -rg | -gif gen_cred_file | -gof gen_cred_file]
About types of configuration
This section gives information on the ESM agents that you can configure by adding the ESX/ESXi/vCenter server to the ESX configuration file of ESM.
You are not required to configure the ESX or ESXi servers with the ESM ESX Application Modules if they are managed by a vCenter server, provided that this vCenter server is configured with the ESM ESX Application Modules.
Table 2-7 lists the types of configuration.
Table 2-7 Types of configuration
Agent OS                                 Version              Support for host-based reporting   Support for network-based reporting
Red Hat Enterprise Linux (x86 and x64)   5.1, 5.2, 5.3, 5.4   No                                 Yes (Configuration required) **
ESX                                      3.0.2, 3.0.3         Yes (No configuration required)    No
ESX                                      3.5, 4.0, 4.1        Yes (Configuration required)       Yes (Configuration required)
Note: ** Symantec recommends this approach.
Chapter 3
ESM Modules for ESX and ESXi servers
This chapter includes the following topics:
■ ESX Configurations
■ ESX Network
■ ESX Patches
■ ESX System
ESX Configurations
The ESX Configurations module reports the configuration information of the ESX and ESXi servers and the guest operating systems. Symantec recommends that you ensure the server configurations and the guests comply with your security policies.
The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later, along with their Managed Object Browser (MOB) paths, are provided for the individual checks.
Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which does not reflect the current values.
About reporting through the vCenter server
In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.
Guest installed
This check reports a list of guests that are installed and their configuration path if the name list is blank. If you specify a disallowed directory name in the name list, then it reports the guests that are installed under the specified directory.
The check refers to the following properties:
■ config.datastoreUrl: Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > config > datastoreUrl to view the property.
■ summary.config: Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > summary > config > vmPathName to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-1 lists the messages for this check.
Table 3-1 Guest installed check messages
Message name        Title                  Severity
STKU_INSTLGUEST     Guest installed        Green (0)
STKU_DISALLOWDIR    Disallowed directory   Yellow (2)
Guest status
This check reports on the state and heartbeats of all the guests. The state can be powered OFF, powered ON, or suspended, and the heartbeats can be Gray, Green, Yellow, or Red. On ESX 3.0.2, the heartbeats can be alive or dead.
To determine the guest status, the check refers to the runtime.powerState property.
Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > runtime > powerState to view the property.
To determine the heartbeat status, the check refers to the summary.quickStats.guestHeartbeatStatus property.
Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > summary > quickStats > guestHeartbeatStatus to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-2 lists the messages for this check.
Table 3-2 Guest status check messages
Message name        Title          Severity
STKU_GUESTSTATUS    Guest status   Green (0)
Copy disabled
This check verifies if the copying operation is disabled for the guest.
The properties and conditions that the check verifies for reporting are as follows:
■ Both the isolation.tools.copy.disable property and the isolation.tools.copy.enable property are not defined.
■ Either the isolation.tools.copy.disable property is set to false or the isolation.tools.copy.enable property is set to true.
■ Both the isolation.tools.copy.disable property and the isolation.tools.copy.enable property are set to false.
■ Both the isolation.tools.copy.disable property and the isolation.tools.copy.enable property are set to true.
Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.
Use the Managed Object Browser (MOB) to view the isolation.tools.copy.enable and isolation.tools.copy.disable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-3 lists the messages for this check.
Table 3-3 Copy disabled check messages
Message name   Title          Severity
STKU_COPY      Copy enabled   Yellow (2)
Paste disabled
This check verifies if the pasting operation is disabled for the guest.
The properties and conditions that the check verifies for reporting are as follows:
■ Both the isolation.tools.paste.disable and isolation.tools.paste.enable properties are not defined.
■ Either the isolation.tools.paste.disable property is set to false or the isolation.tools.paste.enable property is set to true.
■ Both the isolation.tools.paste.disable property and the isolation.tools.paste.enable property are set to false.
■ Both the isolation.tools.paste.disable property and the isolation.tools.paste.enable property are set to true.
Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.
Use the Managed Object Browser (MOB) to view the isolation.tools.paste.disable and isolation.tools.paste.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-4 lists the messages for this check.
Table 3-4 Paste disabled check messages
Message name   Title           Severity
STKU_PASTE     Paste enabled   Yellow (2)
Setinfo messages disabled
This check verifies if Setinfo messages are disabled for the guest.
The properties and conditions that the check verifies for reporting are as follows:
■ Both the isolation.tools.setinfo.disable and isolation.tools.setinfo.enable properties are not defined.
■ Either the isolation.tools.setinfo.disable property is set to false or the isolation.tools.setinfo.enable property is set to true.
■ Both the isolation.tools.setinfo.disable property and the isolation.tools.setinfo.enable property are set to false.
■ Both the isolation.tools.setinfo.disable property and the isolation.tools.setinfo.enable property are set to true.
Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.
Use the Managed Object Browser (MOB) to view the isolation.tools.setinfo.disable and isolation.tools.setinfo.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-5 lists the messages for this check.
Table 3-5 Setinfo messages disabled check messages
Message name   Title             Severity
STKU_SETINFO   Setinfo enabled   Yellow (2)
Guest time synchronization
This check verifies if time synchronization is enabled between the guest and the ESX server.
The check verifies if the config.tools.syncTimeWithHost property is set to false.
Use the Managed Object Browser (MOB) to view the config.tools.syncTimeWithHost property of the respective virtual machine. You can navigate through [VirtualMachine] > config > tools > syncTimeWithHost to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-6 lists the messages for this check.
Table 3-6 Guest time synchronization check messages
Message name    Title                         Severity
STKU_TIMESYNC   Guest time not synchronized   Yellow (2)
Guest connection control
This check reports the name of the devices that can be connected or disconnected by the guest.
To determine the set of virtual devices that are present on the guest OS, the check refers to the config.hardware.device property.
Use the Managed Object Browser (MOB) to view the property of the respective virtual machines. You can navigate through [VirtualMachine] > config > hardware > device to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-7 lists the messages for this check.
Table 3-7 Guest connection control check messages
Message name         Title                      Severity
STKU_GUESTCONNCTRL   Guest connection control   Yellow (2)
Host time synchronization
This check verifies if the ntpd service is running on the host system. On ESX 3.0.2 and ESX 3.0.3, this check also reports if the time difference between the host and the time server exceeds the specified limit (in seconds). For the check to calculate the time difference, you must specify the time server IP address and the time offset as IP:Offset. For example, 10.218.145.95:0.000005.
The check refers to the config.service.service["ntpd"] property to validate the presence and status of the ntpd service.
Use the Managed Object Browser (MOB) to view the config.service.service["ntpd"] property of the respective host system. You can navigate through [HostSystem] > config > service to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-8 lists the messages for this check.
Table 3-8 Host time synchronization check messages
Message name          Title              Severity
STKU_NTPDSTOPPED      ntpd not running   Yellow (2)
STKU_OFFSETEXCEEDED   Offset exceeded    Yellow (2)
Guest logging
This check verifies if the Guest logging is disabled.
The check verifies if the config.flags.enableLogging property is set to true.
Use the Managed Object Browser (MOB) to view the config.flags.enableLogging property of the respective virtual machine. You can navigate through [VirtualMachine] > config > flags > enableLogging to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-9 lists the messages for this check.
Table 3-9 Guest logging check messages
Message name        Title           Severity
STKU_GUESTLOGGING   Guest logging   Yellow (2)
VMware Tools logging
This check verifies if the VMware Tools logging is disabled.
The properties and conditions that the check verifies for reporting are as follows:
■ Both the isolation.tools.log.disable and isolation.tools.log.enable properties are not defined.
■ Either the isolation.tools.log.disable property is set to false or the isolation.tools.log.enable property is set to true.
■ Both the isolation.tools.log.disable property and the isolation.tools.log.enable property are set to false.
■ Both the isolation.tools.log.disable property and the isolation.tools.log.enable property are set to true.
Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.
Use the Managed Object Browser (MOB) to view the isolation.tools.log.disable and isolation.tools.log.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-10 lists the messages for this check.
Table 3-10 VMware Tools logging check messages
Message name          Title                  Severity
STKU_VMTOOLSLOGGING   VMware Tools logging   Yellow (2)
Guest log rotate size
This check verifies whether the log rotate size is not greater than the value that you specify in the Maximum size in KB text box.
To determine the log rotate size, the check refers to the config.extraConfig["log.rotateSize"] property.
Use the Managed Object Browser (MOB) to view the config.extraConfig["log.rotateSize"] property of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-11 lists the messages for this check.
Table 3-11 Guest log rotate size check messages
Message name         Title                   Severity
STKU_LOGROTATESIZE   Guest log rotate size   Yellow (2)
Guest old log keeping
This check verifies whether the number of old log files that are kept is not greater than the value that you specify in the Number of log files to keep text box.
To determine the number of old log files that are kept, the check refers to the config.extraConfig["log.keepOld"] property.
Use the Managed Object Browser (MOB) to view the config.extraConfig["log.keepOld"] property of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-12 lists the messages for this check.
Table 3-12 Guest old log keeping check messages
Message name         Title                   Severity
STKU_OLDLOGKEEPING   Guest old log keeping   Yellow (2)
Set GUI Options disabled
This check verifies if the Set GUI Options is disabled for the guest.
The properties and conditions that the check verifies for reporting are as follows:
■ Both the isolation.tools.setGUIOptions.disable and isolation.tools.setGUIOptions.enable properties are not defined.
■ Either the isolation.tools.setGUIOptions.disable property is set to false or the isolation.tools.setGUIOptions.enable property is set to true.
■ Both the isolation.tools.setGUIOptions.disable property and the isolation.tools.setGUIOptions.enable property are set to false.
■ Both the isolation.tools.setGUIOptions.disable property and the isolation.tools.setGUIOptions.enable property are set to true.
Note: The check has been modified to report a different message if it does not find any of the properties configured. If you have applied any suppression in the Information field, then the message reappears with the new information.
Use the Managed Object Browser (MOB) to view the isolation.tools.setGUIOptions.disable and isolation.tools.setGUIOptions.enable properties of the respective virtual machine. You can navigate through [VirtualMachine] > config > extraConfig to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-13 lists the messages for this check.
Table 3-13 Set GUI Options disabled check messages
Message name   Title                     Severity
STKU_SETGUI    Set GUI Options enabled   Yellow (2)
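The isolation.tools.<feature>.disable/.enable conditions listed for the Copy, Paste, Setinfo, VMware Tools logging and Set GUI Options checks, applied over a constructed extraConfig map, as an added example (not Symantec's code; the dict layout standing in for the extraConfig OptionValue list and the state labels are mine):

```python
"""Added example, not Symantec's code: apply the isolation.tools.<feature>
.disable/.enable conditions that the Copy, Paste, Setinfo, VMware Tools logging
and Set GUI Options checks list, over a constructed extraConfig map.
Assumed layout: extraConfig is a dict of option key -> string value, standing in
for the OptionValue list under [VirtualMachine] > config > extraConfig."""

# Feature suffix -> message name from Tables 3-3, 3-4, 3-5, 3-10 and 3-13.
FEATURE_MESSAGES = {
    "copy": "STKU_COPY",
    "paste": "STKU_PASTE",
    "setinfo": "STKU_SETINFO",
    "log": "STKU_VMTOOLSLOGGING",
    "setGUIOptions": "STKU_SETGUI",
}


def as_bool(value):
    """Interpret an extraConfig value ("TRUE"/"FALSE", any case); None = not defined."""
    if value is None:
        return None
    return str(value).strip().lower() in ("true", "1")


def evaluate_isolation(extra_config, feature):
    """Return "not_configured", "enabled" or "compliant" for one feature.

    The four listed conditions are applied literally. Condition 1 is the
    separate "not configured" message the note describes; conditions 3 and 4
    (both false, both true) are already covered by condition 2 (disable false
    or enable true), so one test expresses all three.
    """
    disable = as_bool(extra_config.get(f"isolation.tools.{feature}.disable"))
    enable = as_bool(extra_config.get(f"isolation.tools.{feature}.enable"))
    if disable is None and enable is None:
        return "not_configured"
    if disable is False or enable is True:
        return "enabled"
    # Remaining states: disable TRUE with enable FALSE/undefined (the intended
    # hardened state), and disable undefined with enable FALSE, which none of
    # the four listed conditions report even though nothing disables the feature.
    return "compliant"


def scan_guest(vm_name, extra_config):
    """Return (vm_name, feature, message_name, state) for each non-compliant feature."""
    findings = []
    for feature, message in FEATURE_MESSAGES.items():
        state = evaluate_isolation(extra_config, feature)
        if state != "compliant":
            findings.append((vm_name, feature, message, state))
    return findings


# Constructed sample: copy hardened, paste contradictory, setinfo explicitly
# enabled, VMware Tools logging left unconfigured, Set GUI Options both false.
SAMPLE_EXTRA_CONFIG = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.paste.enable": "TRUE",
    "isolation.tools.setinfo.disable": "FALSE",
    "isolation.tools.setGUIOptions.disable": "FALSE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}

if __name__ == "__main__":
    for vm, feature, message, state in scan_guest("guest-01", SAMPLE_EXTRA_CONFIG):
        print(f"{message}: {vm} isolation.tools.{feature} is {state}")
```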
Host config option parameters
This check reports the unauthorized values for the configuration parameters that are specified in the enabled ESX/ESXi Host Configuration Parameters template. This check is not supported on ESX 3.0.2 and ESX 3.0.3 servers.
Table 3-14 lists the messages for this check.
Table 3-14 Host config option parameters messages
Message name                       Title                                                 Severity
ESM_ESX_CONFIG_OPT_GREEN_LEVEL     Unauthorized configuration parameter (Green level)    Green (0)
ESM_ESX_CONFIG_OPT_YELLOW_LEVEL    Unauthorized configuration parameter (Yellow level)   Yellow (2)
ESM_ESX_CONFIG_OPT_RED_LEVEL       Unauthorized configuration parameter (Red level)      Red (4)
ESM_ESX_CONFIG_OPT_NOT_FOUND       Configuration parameter not found                     Yellow (2)
ESM_ESX_CONFIG_OPT_NOT_SUPPORTED   Unsupported configuration parameter                   Green (0)
For more information on the template, see Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.
NX/XD flag exposed to guest
This check verifies if the NX flag is exposed to the guest OS.
The check verifies the CPUID identification mask structures. The check assesses the CPUID identification mask whose level is set to -2147483647 (hex value 0x80000001). The check reports a violation message if the structure does not have the 20th bit of the edx register (the NX bit) set to the value '1' or 'H'. The check does not report any violation message if it finds the cpuFeatureMask property not set. By default, the NX/XD flag is exposed to the guest OS.
Use the Managed Object Browser (MOB) to view the cpuFeatureMask property for the virtual machine. You can navigate through [VirtualMachine] > config > cpuFeatureMask to view the property.
Note: [VirtualMachine] is the Managed Object Reference to a virtual machine.
Table 3-15 lists the messages for this check.
Table 3-15 NX/XD flag exposed to guest messages
Message name                     Title                                   Severity
ESM_ESX_NX_XD_FLAD_NOT_EXPOSED   NX/XD flag hidden from guest OS         Yellow (2)
ESM_ESX_NX_XD_FLAD_EMPTY_VAL     NX/XD flag set to implicit empty value  Green (0)
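The NX/XD evaluation above worked through over a constructed cpuFeatureMask, as an added example (not Symantec's code). It assumes the mask entry layout and the 32-character, most-significant-bit-first edx mask format of a .vmx cpuid.80000001.edx line, that the bit in question is EDX bit 20 counted from bit 0, and that the Green message's "implicit empty value" is the default '-' mask character:

```python
"""Added example, not Symantec's code: reproduce the NX/XD flag check over a
constructed cpuFeatureMask. Assumed representation (not from the guide): each
entry is {"level": int, "edx": str}, where the edx mask is 32 characters, most
significant bit first, with optional ':' separators as in a .vmx
cpuid.80000001.edx = "----:----:----:----:----:----:----:----" line."""

NX_LEVEL_SIGNED = -2147483647   # the level value as the MOB displays it
NX_LEVEL = 0x80000001           # the same CPUID leaf as an unsigned number
NX_BIT = 20                     # EDX bit 20 of leaf 0x80000001 is the NX/XD bit
EXPOSED_VALUES = ("1", "H")     # mask characters the check accepts as "exposed"

# Outcome -> message name from Table 3-15 (None: the check reports nothing).
MESSAGES = {
    "exposed": None,
    "not_set": None,
    "hidden": "ESM_ESX_NX_XD_FLAD_NOT_EXPOSED",
    "implicit_empty": "ESM_ESX_NX_XD_FLAD_EMPTY_VAL",
}


def to_signed32(value):
    """Convert an unsigned 32-bit CPUID leaf number to the signed form the MOB shows."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def mask_bit(mask, bit):
    """Return the mask character for `bit` (0 = least significant) of a 32-bit mask."""
    chars = mask.replace(":", "")
    if len(chars) != 32:
        raise ValueError(f"expected 32 mask characters, got {len(chars)}: {mask!r}")
    return chars[31 - bit]


def nx_flag_status(cpu_feature_mask):
    """Classify one virtual machine's cpuFeatureMask.

    Returns "not_set" when the property is absent or holds no 0x80000001 entry
    (no violation, as the guide states), "exposed" when bit 20 is '1' or 'H',
    "implicit_empty" when the bit is left at the default '-' (assumed to be the
    "implicit empty value" of the Green message), and "hidden" otherwise.
    """
    for entry in cpu_feature_mask or []:
        if entry.get("level") != NX_LEVEL_SIGNED:
            continue
        edx = entry.get("edx") or ""
        if not edx.strip():
            return "implicit_empty"          # leaf listed but no EDX mask at all
        value = mask_bit(edx, NX_BIT)
        if value in EXPOSED_VALUES:
            return "exposed"
        return "implicit_empty" if value == "-" else "hidden"
    return "not_set"


def nx_flag_message(cpu_feature_mask):
    """Return the Table 3-15 message name the check would raise, or None."""
    return MESSAGES[nx_flag_status(cpu_feature_mask)]


# Constructed sample masks: bit 20 is the 12th mask character from the left.
VM_EXPOSED = [{"level": NX_LEVEL_SIGNED, "edx": "----:----:---H:----:----:----:----:----"}]
VM_HIDDEN = [{"level": NX_LEVEL_SIGNED, "edx": "----:----:---0:----:----:----:----:----"}]
VM_DEFAULT = [{"level": NX_LEVEL_SIGNED, "edx": "----:----:----:----:----:----:----:----"}]
VM_OTHER_LEAF = [{"level": 1, "edx": "----:----:----:----:----:----:----:----"}]

if __name__ == "__main__":
    assert to_signed32(NX_LEVEL) == NX_LEVEL_SIGNED
    for name, vm in (("exposed", VM_EXPOSED), ("hidden", VM_HIDDEN),
                     ("default", VM_DEFAULT), ("other leaf", VM_OTHER_LEAF)):
        print(f"{name:>10}: {nx_flag_status(vm)} -> {nx_flag_message(vm)}")
```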
ESX Network
The ESX Network module reports information about the network configuration of the ESX and ESXi servers. It lets you verify if these servers are compliant with your security standards.
The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later, along with their Managed Object Browser (MOB) paths, are provided for the individual checks.
Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which does not reflect the current values.
About reporting through the vCenter server
In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.
iSCSI enabled
This check verifies if iSCSI is enabled on the host system.
To determine if iSCSI is enabled on the host system, the check refers to the config.storageDevice.softwareInternetScsiEnabled property.
Use the Managed Object Browser (MOB) to view the config.storageDevice.softwareInternetScsiEnabled property for the host system. You can navigate through [HostSystem] > config > storageDevice > softwareInternetScsiEnabled to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-16 lists the messages for this check.
Table 3-16 iSCSI enabled check messages
Message name         Title            Severity
STKU_ISCSIDISABLED   iSCSI disabled   Yellow (2)
iSCSI CHAP authentication
This check verifies that if iSCSI is enabled on the host system, then iSCSI CHAP authentication should also be enabled.
To determine if iSCSI CHAP authentication is enabled on the host system, the check refers to the hostBusAdapter["key-vim.host.InternetScsiHba-*"] and chapAuthEnabled properties of the host system.
Use the Managed Object Browser (MOB) to view the authenticationProperties and chapAuthEnabled properties of the respective iSCSI storage device on the host system. You can navigate through [HostSystem] > config > storageDevice > hostBusAdapter["key-vim.host.InternetScsiHba-*"] > authenticationProperties > chapAuthEnabled to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-17 lists the messages for this check.
Table 3-17 iSCSI CHAP authentication check messages
Message name             Title                 Severity
STKU_ISCSICHAPDISABLED   iSCSI CHAP disabled   Yellow (2)
STKU_ISCSIDISABLED       iSCSI disabled        Yellow (2)
MAC address changes
This check verifies if the MAC address changes policy is not set to Accept.
The check verifies that for every vSwitch and every port group the security policy for MAC address changes is not set to Accept.
To determine the policy for MAC address changes, the check refers to the following properties:
■ config.network.portgroup[ ].computedPolicy.security.macChanges
■ config.network.vswitch[ ].computedPolicy.security.macChanges
Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[ ] > computedPolicy > security > macChanges and [HostSystem] > config > network > vswitch[ ] > spec > policy > security > macChanges to view the properties.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-18 lists the messages for this check.
Table 3-18 MAC address changes check messages
Message name         Title                          Severity
STKU_MACADDRCHANGS   MAC address changes accepted   Yellow (2)
Forged transmission
This check verifies if the Forged transmission policy is not set to Accept.
The check verifies that for every vSwitch and every port group the security policy for Forged transmission is not set to Accept.
To determine the policy for Forged transmission, the check refers to the following properties:
■ config.network.portgroup[ ].computedPolicy.security.forgedTransmits
■ config.network.vswitch[ ].computedPolicy.security.forgedTransmits
Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[ ] > computedPolicy > security > forgedTransmits and [HostSystem] > config > network > vswitch[ ] > spec > policy > security > forgedTransmits to view the properties.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-19 lists the messages for this check.
Table 3-19 Forged transmission check messages
Message name       Title                          Severity
STKU_FORGEDTRANS   Forged transmission accepted   Yellow (2)
Promiscuous mode
This check verifies if the Promiscuous mode policy is not set to Accept.
The check verifies that for every vSwitch and every port group the security policy for Promiscuous mode is not set to Accept.
To determine the policy for Promiscuous mode, the check refers to the following properties:
■ config.network.portgroup[ ].computedPolicy.security.allowPromiscuous
■ config.network.vswitch[ ].computedPolicy.security.allowPromiscuous
Use the Managed Object Browser (MOB) to navigate through [HostSystem] > config > network > HostPortGroup[ ] > computedPolicy > security > allowPromiscuous and [HostSystem] > config > network > vswitch[ ] > spec > policy > security > allowPromiscuous to view the properties.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-20 lists the messages for this check.
Table 3-20 Promiscuous mode check messages
Message name       Title                       Severity
STKU_PROMISCUOUS   Promiscuous mode accepted   Yellow (2)
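The per-vSwitch and per-port-group evaluation that the MAC address changes, Forged transmission and Promiscuous mode checks describe, run over a constructed host network configuration, as an added example (not Symantec's code; the nested dict layout mirrors the MOB paths above, and True stands for the Accept setting):

```python
"""Added example, not Symantec's code: evaluate the MAC address changes, Forged
transmission and Promiscuous mode checks over a constructed host network
configuration laid out like the MOB paths (config.network.vswitch[].spec.policy
and config.network.portgroup[].computedPolicy). True means Accept."""

# Security policy field -> (message name, title) from Tables 3-18 to 3-20.
POLICY_CHECKS = {
    "macChanges": ("STKU_MACADDRCHANGS", "MAC address changes accepted"),
    "forgedTransmits": ("STKU_FORGEDTRANS", "Forged transmission accepted"),
    "allowPromiscuous": ("STKU_PROMISCUOUS", "Promiscuous mode accepted"),
}


def security_policy(obj, *path):
    """Walk a nested dict along `path` and return the security policy dict (or {})."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
        if obj is None:
            return {}
    return obj


def evaluate_network(host_config):
    """Return one finding per (object, field) whose policy is Accept (True).

    Each finding is (kind, name, field, message_name). vSwitches are read from
    spec.policy.security; port groups from computedPolicy.security, which is the
    effective policy after inheriting from or overriding the vSwitch. An absent
    field is treated as "not Accept": only an explicit True is a violation.
    """
    findings = []
    network = host_config.get("config", {}).get("network", {})
    for vswitch in network.get("vswitch", []):
        policy = security_policy(vswitch, "spec", "policy", "security")
        for field, (message, _title) in POLICY_CHECKS.items():
            if policy.get(field) is True:
                findings.append(("vswitch", vswitch["name"], field, message))
    for portgroup in network.get("portgroup", []):
        policy = security_policy(portgroup, "computedPolicy", "security")
        for field, (message, _title) in POLICY_CHECKS.items():
            if policy.get(field) is True:
                findings.append(("portgroup", portgroup["spec"]["name"], field, message))
    return findings


# Constructed sample host: vSwitch0 accepts MAC changes and forged transmits;
# "Management Network" overrides everything to Reject; "VM Network" inherits
# the vSwitch policy and additionally accepts promiscuous mode.
SAMPLE_HOST = {
    "config": {
        "network": {
            "vswitch": [
                {"name": "vSwitch0", "spec": {"policy": {"security": {
                    "allowPromiscuous": False, "macChanges": True, "forgedTransmits": True}}}},
            ],
            "portgroup": [
                {"spec": {"name": "Management Network", "vswitchName": "vSwitch0"},
                 "computedPolicy": {"security": {
                     "allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}}},
                {"spec": {"name": "VM Network", "vswitchName": "vSwitch0"},
                 "computedPolicy": {"security": {
                     "allowPromiscuous": True, "macChanges": True, "forgedTransmits": True}}},
            ],
        }
    }
}

if __name__ == "__main__":
    for kind, name, field, message in evaluate_network(SAMPLE_HOST):
        print(f"{message}: {kind} {name!r} has {field} set to Accept")
```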
Service console firewall
This check verifies the service console firewall security level. This check reports only on the ESX hosts.
The security levels are as follows:
■ HIGH - By default, the incoming and the outgoing ports are blocked.
■ MEDIUM - Incoming ports are blocked, but outgoing ports are not blocked by default, or vice versa.
■ LOW - By default, the incoming and the outgoing ports are not blocked.
The check verifies if the config.firewall.defaultPolicy property is set to true.
Use the Managed Object Browser (MOB) to view the config.firewall.defaultPolicy property of the respective host system. You can navigate through [HostSystem] > config > firewall > defaultPolicy to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-21 lists the messages for this check.
Table 3-21 Service console firewall messages
Message name             Title                      Severity
STKU_SVCCONSFIREWALL_G   Service console firewall   Green (0)
STKU_SVCCONSFIREWALL_Y   Service console firewall   Yellow (2)
STKU_SVCCONSFIREWALL_R   Service console firewall   Red (4)
Port groups in VLAN
This check verifies if the port groups are in the same VLAN ID as you specify in the template.
The check verifies that for every port group that is found on the host system and whose entry exists in the template, the VLAN ID or the vSwitch name or both that you specify in the template should match.
Use the Managed Object Browser (MOB) to view the config.network.vswitch property of the respective host system. You can navigate through [HostSystem] > config > network > vswitch to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-22 lists the messages for this check.
Table 3-22 Port groups in VLAN messages
Message name            Title                   Severity
STKU_PORTGROUPSINVLAN   Port groups in VLAN     Yellow (2)
STKU_NOTEMPLATEFILE     No template specified   Red (4)
See “Templates” on page 10.
SNMP traps setting
If you specify zero in the SNMP service disabled/enabled text box, then the check verifies whether the SNMP traps setting is disabled. If you specify a value that is greater than zero, then the check verifies that if SNMP is in use, then either at least one trap destination must be configured or the trap destinations are acceptable, or both. Use the name list to provide the list of acceptable trap destinations in either of the following formats:
■ hostname@port/community
■ hostname/community
■ hostname
This check does not report through vCenter servers.
For more information on the issue, see Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.
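A parser for the three trap destination formats above and the two conditions the check applies, run over constructed values, as an added example (not Symantec's code). The matching rule (a name-list entry that omits the port or the community accepts any port or community on that host) is my reading of the partial formats, not something the guide states:

```python
"""Added example, not Symantec's code: parse the three trap destination formats
the SNMP traps setting check accepts and apply its two conditions over
constructed values. The matching rule (a name-list entry that omits the port or
the community accepts any port or community on that host) is my reading of the
partial formats, not something the guide states."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrapDestination:
    hostname: str
    port: Optional[int] = None
    community: Optional[str] = None


def parse_destination(text: str) -> TrapDestination:
    """Parse hostname@port/community, hostname/community or hostname."""
    host_part, _, community = text.strip().partition("/")
    hostname, _, port = host_part.partition("@")
    if not hostname:
        raise ValueError(f"missing hostname in {text!r}")
    if port and not port.isdigit():
        raise ValueError(f"non-numeric port in {text!r}")
    return TrapDestination(hostname.lower(), int(port) if port else None, community or None)


def is_acceptable(configured: TrapDestination, acceptable: List[TrapDestination]) -> bool:
    """True if some name-list entry matches on every field that entry specifies."""
    for entry in acceptable:
        if entry.hostname != configured.hostname:
            continue
        if entry.port is not None and entry.port != configured.port:
            continue
        if entry.community is not None and entry.community != configured.community:
            continue
        return True
    return False


def evaluate_snmp(threshold: int, snmp_enabled: bool,
                  configured_targets: List[str], name_list: List[str]) -> List[str]:
    """Return the Table 3-23 message names the check would raise.

    threshold is the value typed in the "SNMP service disabled/enabled" text box;
    configured_targets are the host's trap targets written in the same three
    formats (constructed here; on a real host they come from the SNMP agent config).
    """
    if threshold == 0:
        return ["ESM_ESX_SNMP_NOT_DISABLED"] if snmp_enabled else []
    if not snmp_enabled:
        return []
    if not configured_targets:
        return ["ESM_ESX_SNMP_DEST_NOT_SET"]
    acceptable = [parse_destination(entry) for entry in name_list]
    messages = []
    for target in configured_targets:
        if acceptable and not is_acceptable(parse_destination(target), acceptable):
            messages.append("ESM_ESX_UNAUTHORISED_TRAP_DEST")
    return messages


# Constructed sample: two trap targets, one of them not on the acceptable list.
SAMPLE_TARGETS = ["nms.example.net@162/public", "rogue.example.net/public"]
SAMPLE_NAME_LIST = ["nms.example.net"]

if __name__ == "__main__":
    print(evaluate_snmp(0, True, SAMPLE_TARGETS, SAMPLE_NAME_LIST))
    print(evaluate_snmp(1, True, SAMPLE_TARGETS, SAMPLE_NAME_LIST))
```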
Table 3-23 lists the messages for this check.
Table 3-23 SNMP traps setting messages
Message name                     Title                                  Severity
ESM_ESX_SNMP_NOT_DISABLED        SNMP service is enabled                Red (4)
ESM_ESX_SNMP_DEST_NOT_SET        SNMP trap destination not configured   Red (4)
ESM_ESX_UNAUTHORISED_TRAP_DEST   Unauthorized SNMP trap destination     Red (4)
ESX Patches
The ESX Patches module reports non-compliance with the patch information contained in the ESX Patches (esxpatch.elx) and ESXi Patch (esxpatch.ilx) templates. The information includes patch ID, patch release date, revision, and description. You can use the name list to specify the template files that are to be included for the check. You must verify that all current patches are installed on your ESX and ESXi servers. The ESX Patches template includes ESX patches that have been released on or before June 25, 2010.
This module runs in the host-based mode on ESX server versions 3.0.2, 3.0.3, 3.5.x, and 4.0.x. For the module to report correctly on ESX 3.5.x and 4.0.x, you must have the latest version of the esxupdate utility that supports the -a option installed on the host system. The -a option lists the latest patches that are found on the host.
The -a option is specific to ESX server 4.0. The -a option reports the patches that are up to date or obsolete, because our template cannot distinguish between them. However, not all versions of ESX 4.0 support this option, so you must ensure that the installed esxupdate utility is the latest version that comes with the -a option.
The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later, along with their Managed Object Browser (MOB) paths, are provided for the individual checks.
Note: While processing the vCenter server, modules skip the host systems that are in a disconnected state. This happens because queries from the vCenter server to disconnected host systems retrieve old data instead of live data, which does not reflect the current values.
About reporting through the vCenter server
In order to report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. This information can be reported by the ESX Application module only when the respective host is directly configured in the ESX configuration file of ESM.
Patch templates
This check lets you enable or disable the template files that the ESX Patches module uses to check agent systems.
Table 3-24 lists the messages for this check.
Table 3-24 Patch templates messages
Severity    Title                                     Message name
Red (4)     No applicable template files specified    ESM_NO_TEMPLATE_SPECIFIED
Green (0)   Patch not installed                       STKU_PATCHNOTINS0
Yellow (2)  Patch not installed                       STKU_PATCHNOTINS1
Yellow (2)  Patch not installed                       STKU_PATCHNOTINS2
Red (4)     Patch not installed                       STKU_PATCHNOTINS3
Red (4)     Patch, Superseded patch not installed     STKU_PATCHNOTINS4
Green (0)   Forbidden patch found                     ESM_FORBIDDEN_PATCH_0
Yellow (2)  Forbidden patch found                     ESM_FORBIDDEN_PATCH_1
Yellow (2)  Forbidden patch found                     ESM_FORBIDDEN_PATCH_2
Red (4)     Forbidden patch found                     ESM_FORBIDDEN_PATCH_3
Yellow (2)  Patch not available                       STKU_PATCHNOTAVAIL2
Red (4)     Patch not available                       STKU_PATCHNOTAVAIL3
Yellow (2)  Patch not available                       STKU_PATCHNOTAVAIL4
Red (4)     Patch not available                       STKU_PATCHNOTAVAIL5
Superseded
This check reports a patch and its superseding patches if neither the patch nor any of its superseding patches is installed on the host system.
Table 3-25 lists the messages for this check.
Table 3-25 Superseded messages
Severity    Title                                 Message name
Yellow (2)  Superseded patch not installed        ESM_SUPERSEDED_PATCH_NOT_INSTALLED
Yellow (2)  Optional patch supersedes nothing     ESM_OPTIONAL_PATCH_NO_SUPERSEDE
Disable patch module
When you select this check, no checks in the ESX Patches module are executed and the module reports the message "No problems found". Enable this check to save time if you recently ran the ESX Patches module.
In the ESX Patches module there are a few dotted checks that are selected by default and cannot be disabled. When you run the ESX Patches module without selecting any checks, the dotted checks, which are template based, compare the list of installed patches on the host with the values that you specify in the template. If you disable the template, an error message is reported. To avoid this situation, you can use the Disable patch module check.
Table 3-26 lists the messages for this check.
Table 3-26 Disable patch module message
Severity    Title                   Message name
Green (0)   Disable patch module    X
Patch results summary
This check, when enabled, lists the following:
Total number of available patches: Includes the patches that apply to this operating system, architecture, and ESX server version.
Checked patches: Includes the patches that apply and have not been skipped. Patches can be skipped due to an unsatisfied sublist condition or when they apply to an application that is not installed.
Missing patches: Includes the patches that were supposed to be installed on the system, but are not present.
Forbidden patches: Includes the patches that are present, but are not allowed.
Table 3-27 lists the messages for this check.
Table 3-27 Patch results summary messages
Severity    Title                    Message name
Green (0)   Patch results summary    ESM_PATCH_SUMMARY
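The comparison that the Patch templates, Superseded and Patch results summary checks describe above, as an added example that is not Symantec's code: it takes a constructed template (required, superseding and forbidden patches, plus an application condition that causes a patch to be skipped) and a host's installed patch list, and produces the message names and summary counters listed in the tables. The TemplatePatch record and the placeholder patch IDs are assumptions for the example; they do not reproduce the esxpatch.elx format.

```python
from dataclasses import dataclass

@dataclass
class TemplatePatch:  # one row of a constructed patch template (not the esxpatch.elx format)
    patch_id: str
    severity: int             # 0-3: selects STKU_PATCHNOTINS<n> / ESM_FORBIDDEN_PATCH_<n>
    supersedes: tuple = ()    # older patch IDs that this patch replaces
    forbidden: bool = False   # the patch must not be present on the host
    requires_app: str = None  # the patch is skipped unless this application is installed

def superseders_of(template):
    """Map each patch ID to the IDs of all patches that supersede it, transitively."""
    direct = {}
    for p in template:
        for old in p.supersedes:
            direct.setdefault(old, set()).add(p.patch_id)
    def closure(pid, seen=frozenset()):
        out = set(direct.get(pid, ()))
        for q in out - seen:
            out |= closure(q, seen | out)
        return out
    return {pid: closure(pid) for pid in direct}

def check_patches(template, installed, installed_apps=()):
    """Compare one host's installed patches with the template; return (messages, summary)."""
    installed, apps = set(installed), set(installed_apps)
    newer = superseders_of(template)
    messages, summary = [], {"total": len(template), "checked": 0, "missing": 0, "forbidden": 0}
    for p in template:
        if p.requires_app and p.requires_app not in apps:
            continue                                # skipped, so not counted as checked
        summary["checked"] += 1
        present = p.patch_id in installed
        if p.forbidden and present:
            summary["forbidden"] += 1
            messages.append(("ESM_FORBIDDEN_PATCH_%d" % p.severity, p.patch_id))
        elif not p.forbidden and not present and not (newer.get(p.patch_id, set()) & installed):
            summary["missing"] += 1                 # neither the patch nor any superseder present
            code = "STKU_PATCHNOTINS4" if newer.get(p.patch_id) else "STKU_PATCHNOTINS%d" % p.severity
            messages.append((code, p.patch_id))
    messages.append(("ESM_PATCH_SUMMARY", dict(summary)))
    return messages, summary

# Constructed sample input; the patch IDs are placeholders, not real ESX patch names.
TP = TemplatePatch
TEMPLATE = [TP("P1", 3), TP("P2", 2, supersedes=("P1",)), TP("P3", 3, supersedes=("P2",)),
            TP("P4", 1), TP("P5", 2), TP("P6", 2, supersedes=("P5",)),
            TP("P7", 2, requires_app="vmware-tools"), TP("P8", 3, forbidden=True)]
INSTALLED = {"P3", "P8"}        # P3 covers P1 and P2 by supersession; P8 is forbidden
MESSAGES, SUMMARY = check_patches(TEMPLATE, INSTALLED)
```

With the sample data, P1 and P2 raise nothing because P3 supersedes both, P5 is reported as STKU_PATCHNOTINS4 because neither it nor P6 is present, and P7 is skipped rather than counted as missing.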
Installed Patches
This check lets you view all the installed patches that ESM checks.
Table 3-28 lists the messages for this check.
Table 3-28 Installed Patches messages
Severity    Title                Message name
Green (0)   Installed patches    ESM_INSTALLED_PATCH
ESXi updates
Enable this check to select the appropriate template to verify whether the ESXi host system is patched with the latest patch updates.
Table 3-29 lists the messages for this check.
Table 3-29 ESXi updates messages
Severity    Title                                     Message name
Red (0)     No applicable template files specified    ESM_NO_TEMPLATE_SPECIFIED
Red (4)     ESXi patch not installed                  ESM_ESXI_PATCH_NOT_INSTALLED
Green (0)   Patch installed                           ESM_INSTALLED_PATCH
For more information on the template, see the Symantec™ Enterprise Security Manager Modules for ESX and ESXi server Release Notes.
ESX System
The ESX System module reports information about the ESX and ESXi servers' access configuration, server logs, and available storage space.
The properties that the ESM ESX modules refer to for ESX and ESXi 3.5 or later, along with their Managed Object Browser (MOB) paths, are provided for the individual checks.
Note: While processing the vCenter server, the modules skip the host systems that are in a disconnected state, because queries from the vCenter server to disconnected host systems retrieve stale data instead of live data, so the reported values would be incorrect.
About reporting through the vCenter server
To report through the vCenter server, you must first register the ESX and ESXi servers with it. You can configure the vCenter server with the application module in the same way you configure the ESX or ESXi servers. When you run the ESX Application module on the agent where the vCenter server is configured, the module fetches the information of the hosts that are registered with the vCenter server. Certain information from the ESX/ESXi hosts, such as local users, is not available at the vCenter server. The ESX Application module can report this information only when the respective host is directly configured in the ESX configuration file of ESM.
GRUB OS level password
This check verifies whether the GRUB boot loader password is enabled on the host system for every operating system that is present in the GRUB boot menu. This check operates only in the host-based mode.
Table 3-30 lists the messages for this check.
Table 3-30 GRUB OS level password messages
Severity    Title                     Message name
Yellow (2)  GRUB OS level password    STKU_BOOTPASSWORD_GRUB_OSLEVEL
Boot loader password
This check verifies whether the GRUB boot loader password is enabled on the host system. This check operates only in the host-based mode.
Table 3-31 lists the messages for this check.
Table 3-31 Boot loader password messages
Severity    Title                   Message name
Yellow (2)  Boot loader password    STKU_BOOTPASSWORD
Root file system fill up
This check reports the percentage of available disk space in every disk partition only if the value that you specify is zero.
If you specify a value greater than zero in the Used% text box, the check reports the disk partitions whose used space exceeds the percentage that you specify. This check operates only in the host-based mode.
Table 3-32 lists the messages for this check.
Table 3-32 Root file system fill up messages
Severity    Title             Message name
Green (0)   Disk free         STKU_DISKFREE
Red (4)     Low disk space    STKU_DISKSPACELOW
Roles and privileges
This check reports the roles and privileges that are granted to a user or a group. Use the name list to include or exclude the users. This check does not report through the vCenter servers.
Use the Managed Object Browser (MOB) to view the list of roles and privileges. You can use the managed object reference to Authorization Manager and invoke its RetrieveAllPermissions method with appropriate values. You can navigate through authorizationManager > Permission[] > RetrieveAllPermissions to view the property.
Table 3-33 lists the messages for this check.
Table 3-33 Roles and privileges messages
Severity    Title                     Message name
Green (0)   Roles and privileges      STKU_ROLESANDPRIV
Green (0)   Role assigned to user     STKU_USERWITHROLE
Green (0)   Role assigned to group    STKU_GROUPWITHROLE
Green (0)   User defined role         STKU_USERDEFINEDROLE
SU PAM Authentication
This check reports whether non-wheel group members have 'su' access. It also reports whether the wheel group members are trusted implicitly, without passwords. This check operates only in the host-based mode.
Table 3-34 lists the messages for this check.
Table 3-34 SU PAM Authentication messages
Severity    Title                    Message name
Yellow (2)  SU PAM Authentication    STKU_PAMAUTH
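The two conditions this check reports, evaluated over the auth stack of a pam.d/su file, as an added example that is not Symantec's code. It assumes the host restricts su with the standard pam_wheel.so module: a required or requisite pam_wheel.so line denies non-wheel users, and the trust option lets wheel members succeed without a password; the sample files are constructed and the [bracketed] control syntax is not handled.

```python
def audit_su_pam(pam_su_text):
    """Evaluate the 'auth' lines of a pam.d/su file and return findings shaped like
    the SU PAM Authentication check: (message name, reason)."""
    restricts_to_wheel = False   # a required/requisite pam_wheel.so line denies non-wheel users
    trusts_wheel = False         # a pam_wheel.so line with 'trust' skips the password for wheel
    for raw in pam_su_text.splitlines():
        parts = raw.split("#", 1)[0].split()         # drop comments and blank lines
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module, args = parts[1], parts[2], set(parts[3:])
        # Assumption: plain control words only; '[success=1 ...]' forms are not parsed here.
        if not module.endswith("pam_wheel.so") or "deny" in args:
            continue                                  # 'deny' inverts the module; not modelled
        if "trust" in args:
            trusts_wheel = True
        if control in ("required", "requisite"):
            restricts_to_wheel = True
    findings = []
    if not restricts_to_wheel:
        findings.append(("STKU_PAMAUTH", "non-wheel group members can use su"))
    if trusts_wheel:
        findings.append(("STKU_PAMAUTH", "wheel group members are trusted without a password"))
    return findings

# Constructed sample files (not copied from any ESX host).
HARDENED_SU = """\
auth    sufficient  pam_rootok.so
auth    required    pam_wheel.so use_uid
auth    include     system-auth
"""
PERMISSIVE_SU = """\
auth    sufficient  pam_rootok.so
#auth   required    pam_wheel.so use_uid
auth    include     system-auth
"""
TRUSTING_SU = """\
auth    sufficient  pam_rootok.so
auth    sufficient  pam_wheel.so trust use_uid
auth    include     system-auth
"""
```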
ESX log auditing
This check audits the ESX log files and reports the matches that it finds based on the values that you specify in the template. If you select the Execute on vCenter check along with the ESX log auditing check, the ESX log auditing check also retrieves individual log files for the host systems that are registered with the vCenter server. However, this may affect the performance of the checks.
You can use the managed object reference to Diagnostic Manager and invoke its BrowseDiagnosticLog method with appropriate values. You can navigate through diagnosticManager > DiagnosticManagerLogHeader BrowseDiagnosticLog to view the property.
Table 3-35 lists the messages for this check.
Table 3-35 ESX log auditing messages
Severity    Title                    Message name
Yellow (2)  ESX log auditing         STKU_LOGAUDIT_Y
Green (0)   ESX log auditing         STKU_LOGAUDIT_G
Red (4)     ESX log auditing         STKU_LOGAUDIT_R
Red (4)     No template specified    STKU_NOTEMPLATE
See “Templates” on page 10.
Execute on vCenter
Enable this check to execute the supported checks on the vCenter server. This check may increase the turnaround time of the policy execution.
Lockdown mode
This check verifies whether lockdown mode is enabled for an ESXi host system. This check operates only on the vCenter server: it reports on the ESXi server's lockdown mode property when the module is connected through the vCenter server.
The check verifies if the config.adminDisabled property is set to true.
Use the Managed Object Browser (MOB) to view the config.adminDisabled property of the respective host system. You can navigate through [HostSystem] > config > adminDisabled to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-36 lists the messages for this check.
Table 3-36 Lockdown mode messages
Severity    Title                        Message name
Red (4)     Lockdown mode not enabled    STKU_ESX_HOST_LOCKDOWN_MODE
Local accounts only
This check works only with the Shell access check. This check filters out the NIS and LDAP users that the Shell access check reports when it runs in the host-based mode. This check is supported only on ESX 3.0.2 or 3.0.3 servers.
Shell access
This check reports whether the option "Grant shell access to this user" is set for the user. Use the name list to include or exclude the users. This check also reports on the NIS and LDAP users that are configured on the host. In the network-based mode the check reports only on the local accounts that are present in the /etc/passwd file. When this check is run in the host-based mode along with the Local accounts only check, the Shell access check reports only on the local accounts that are listed in the /etc/passwd file. This check does not report through vCenter servers.
See “Local accounts only” on page 49.
You can use the managed object reference to User Directory and invoke its RetrieveUserGroups method with appropriate values. You can navigate through userDirectory > UserSearchResult[] > RetrieveUserGroups to view the property.
Table 3-37 lists the messages for this check.
Table 3-37 Shell access messages
Severity    Title           Message name
Yellow (2)  Shell access    STKU_SHELLACCESS
Maintenance mode
This check verifies whether maintenance mode is disabled.
The check verifies if the runtime.inMaintenanceMode property is set to false. This check is not supported on ESX 3.0.2 and ESX 3.0.3 servers.
Use the Managed Object Browser (MOB) to view the runtime.inMaintenanceMode property of the respective host system. You can navigate through [HostSystem] > runtime > inMaintenanceMode to view the property.
Note: [HostSystem] is the Managed Object Reference to a host system.
Table 3-38 lists the messages for this check.
Table 3-38 Maintenance mode messages
Severity    Title                          Message name
Yellow (2)  Maintenance mode is enabled    STKU_ESX_HOST_MAINTENANCE_MODE
List users and groups
This check reports all the local users and groups that are present on the host. Use the name list to include or exclude the users and the groups for the check to report on. This check does not report through the vCenter servers.
Use the Managed Object Browser (MOB) to view the list of users and groups. You can use the managed object reference to User Directory and invoke its RetrieveUserGroups method with appropriate values.
Table 3-39 lists the messages for this check.
Table 3-39 List users and groups messages
Severity    Title          Message name
Green (0)   Local user     STKU_ESX_LOCAL_USER
Yellow (2)  Local group    STKU_ESX_LOCAL_GROUP