IC L04 How To Protect vSphere with CSP
Course Description: Securing your virtual environment using CSP 5.2.9
At the end of this lab, you should be able to:
Understand the different components of vSphere to protect
Understand the CSP vSphere prevention policies
Understand the CSP vSphere detection policies
Understand how to deploy the policies
Understand how CSP can be used to help meet the VMware Hardening Guidelines
Notes:
Username for the Windows box is admin, password Symc4now!
Username for the CSP collector node is root, password Symc4now!
Username for the ESXi server is root, password Symc4now!
Username for CSP login is symadmin, password Symc4now!
LAB AGENDA
Lab Exercise 1: Understanding CSP vSphere Prevention Policies
Topic 1:
CSP provides prevention policies that lock down the vSphere
components, preventing unauthorized changes to configurations
and binaries and unauthorized access to the SSL certificates.
10 min
Lab Exercise 2: Protecting SSL Certificates
Topic 2:
The prevention policy out of the box protects the SSL certificates
from being tampered with or accessed by anyone who is not
authorized or by any application other than vSphere.
15 min
Lab Exercise 3: Protecting vCenter Configurations
Topic 3:
The prevention policy out of the box protects the vCenter
configuration files and logs from being tampered with by anyone
that is not authorized.
15 min
Lab Exercise 4: Monitoring configurations, host and log files on ESXi host
Topic 3:
CSP RFS monitors for changes and parses for critical events
occurring at the host level. It monitors esx.conf and VMX files
for changes, and monitors log files for errors.
15 min
Lab Exercise 5: Monitoring vCenter Server
Topic 3:
CSP provides a policy called vSphere Application Detection
Policy; this policy is used to monitor binaries, SSL certificates,
configuration files and logs on the vCenter server.
15 min
Lab Exercise 6: Monitoring vCenter Server System
Topic 3:
CSP provides a policy called vSphere Windows Baseline Policy;
this policy is used to monitor activity on the vCenter system.
This policy monitors user and system activity and
monitors critical OS files and registry keys for changes.
30 min
Lab Exercise 7: vSphere Reporting
Topic 3:
CSP provides out-of-the-box queries to report on events
generated by the vSphere policies.
15 min
Lab Exercise 1: Understanding CSP vSphere Prevention Policies
Topic 1:
CSP provides prevention policies that lock down the vSphere
components, preventing unauthorized changes to configurations
and binaries and unauthorized access to the SSL certificates.
10 min
Go to the Policy tab, right-click on the out-of-the-box VSphere Protection Policy and click Edit Policy.
Click on My Custom Programs under Policy Settings, then click on Vsphere lists and Controls > ReadME > General and become familiar with what the prevention policy can do. This policy can be deployed on the vCenter Server, vCenter Client, vSphere client tools systems and the vCenter database server.
Lab Exercise 2: Protecting SSL Certificates
Topic 1:
The prevention policy out of the box protects the SSL certificates from being tampered with or accessed by anyone who is not authorized or by any application other than vSphere.
15 min
The prevention policy out of the box protects the SSL certificates from being tampered with or accessed by anyone who is not authorized or by any application other than vSphere. This protects the certificates from being stolen and used to decrypt traffic.
To protect the SSL certificates
In the CSP management console, click Policies, then click Prevention.
In the Workspace pane, select VSphere Protection Policy, then right-click it and click Apply.
Apply the policy to the vCenter Server.
Log in to the vCenter Server using username admin, password Symc4now!
Try to access one of the files under C:\ProgramData\VMware\VMware Virtual Center\SSL
Try to copy one of the files to the desktop.
In the CSP management console, click Monitor View and choose Monitor Types > Prevention, and look for events that indicate that someone tried to access the SSL certificates.
CSP protects confidential data from falling into the wrong hands. CSP can be used to lock down any resource on the system from tampering or theft.
Lab Exercise 3: Protecting vCenter Configurations
Topic 1:
The prevention policy out of the box protects the vCenter configuration files and logs from being tampered with by anyone that is not authorized.
15 min
The prevention policy out of the box protects the vCenter configuration files and logs from being tampered with by anyone that is not authorized.
To protect the vCenter configuration files and logs
Log in to the vCenter Server using username admin, password Symc4now!
Try to make changes to C:\ProgramData\VMware\VMware Virtual Center\vpxd.cfg
In the CSP management console, click Monitor View and choose Monitor Types > Prevention, and look for events that indicate that someone tried to modify vpxd.cfg.
CSP locks down configuration files, preventing any sort of drift on the system, even by someone who has Admin rights.
Lab Exercise 4: Monitoring configurations, host and log files on ESXi host
Topic 1:
The CSP RFS tool uses vCLI running on a collector node to
synchronize critical configuration, host and log files down to the
collector node, where it monitors them for changes and parses them for critical
events. The tool also configures Syslog on the ESXi host
to forward critical events to the agent for parsing and logging.
30 min
To set up file integrity monitoring and Syslog collection
In the management console, click Policies.
Then click Detection.
Go to the vSphere ESXi Detection Policy and read the General Information by
clicking on About to become familiar with the policy.
Click on vSphere ESXi Detection Policy and go to the Global Policy Settings.
Expand this and set the ESXi Host and VMware File Polling Interval to 3 min.
This option controls the interval at which the CSP agent checks the files for
changes.
Expand each one of the sections to become more familiar with the policy:
o ESXi Host File Integrity Monitor
o Virtual Machine Configuration Monitor
o ESXi Login Activity and Access Monitor
o ESXi Log Monitoring
Click Apply and OK.
Right-click on the policy and choose Apply > Policy > Linux, and choose the
CSP Collector Node system.
Choose Take the new option settings.
To verify the policy has been deployed, go to the Assets tab > Linux, click on the
CSP Collector Node system and click on Policies in the lower screen.
To generate some events, go to the ESXi VM and press F2; log in with username root
and password Symc4now!
Press F2 again and go to Troubleshooting Options.
Toggle Disable ESXi Shell to disable it and then re-enable it.
Toggle Disable SSH to disable it and then re-enable it.
Wait a few minutes.
Click on the Monitors tab and under Monitor Types click on Detection; make sure
you are on the Detection View.
You should see some Syslog and File Watch events coming in; it might take a few minutes
before you start seeing File Watch events.
Scroll through the events.
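As an added example of the two checks this exercise deploys (it is not the CSP RFS tool or any code from the lab), the Python below hashes a set of synchronised files against a baseline on each polling pass and parses forwarded syslog lines for the ESXi Shell and SSH toggles performed above. All file contents, the paths under /vmfs, the hostname and the log messages are constructed; in particular the wording of the Hostd messages is an assumption, so the SERVICE_RE pattern should be adjusted to whatever the real hosts forward.

```python
"""Added example, not the CSP RFS tool: the two checks Lab Exercise 4
describes, written out in plain Python. A baseline of the files synchronised
to the collector node is hashed and re-checked at each polling interval, and
forwarded syslog lines are parsed for ESXi Shell and SSH being enabled or
disabled. The file contents and log lines below are constructed samples,
written to look like ESXi output rather than copied from a host."""
import hashlib
import re
from typing import Dict, List, Tuple

# Snapshot as the collector would hold it after the first sync (constructed).
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/vmware/esx.conf": b'/adv/Misc/HostName = "esxi01"\n/adv/UserVars/ESXiShellTimeOut = "0"\n',
    "/vmfs/volumes/ds1/vm1/vm1.vmx": b'displayName = "vm1"\nnumvcpus = "2"\n',
}

# Snapshot after the next polling interval: esx.conf edited, a second VM appeared (constructed).
LATER_FILES: Dict[str, bytes] = {
    "/etc/vmware/esx.conf": b'/adv/Misc/HostName = "esxi01"\n/adv/UserVars/ESXiShellTimeOut = "600"\n',
    "/vmfs/volumes/ds1/vm1/vm1.vmx": b'displayName = "vm1"\nnumvcpus = "2"\n',
    "/vmfs/volumes/ds1/vm2/vm2.vmx": b'displayName = "vm2"\nnumvcpus = "1"\n',
}

# Constructed syslog lines: four service toggles plus one unrelated vmkernel message.
SAMPLE_SYSLOG: List[str] = [
    "2012-07-03T10:15:02Z esxi01 Hostd: ESXi Shell has been disabled",
    "2012-07-03T10:15:40Z esxi01 Hostd: ESXi Shell has been enabled",
    "2012-07-03T10:16:11Z esxi01 Hostd: SSH has been disabled",
    "2012-07-03T10:16:50Z esxi01 Hostd: SSH has been enabled",
    "2012-07-03T10:17:00Z esxi01 vmkernel: cpu0:2048)NMP: nmp_ThrottleLogForDevice: Cmd 0x2a failed",
]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every synchronised file; later polling passes are compared against this."""
    return {path: digest(content) for path, content in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """One polling pass: report (path, change) for anything modified, deleted or created."""
    events = []
    for path, expected in baseline.items():
        if path not in current:
            events.append((path, "deleted"))
        elif digest(current[path]) != expected:
            events.append((path, "modified"))
    for path in current:
        if path not in baseline:
            events.append((path, "created"))
    return sorted(events)


# "<timestamp> <host> <process>: <message>", the shape of lines a host forwards over syslog.
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")
# The service name followed, somewhere later in the message, by its new state (assumed wording).
SERVICE_RE = re.compile(r"\b(?P<service>ESXi Shell|SSH)\b.*?\b(?P<state>enabled|disabled)\b", re.IGNORECASE)


def parse_service_toggles(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, service, state) for every ESXi Shell / SSH enable or disable message."""
    found = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        s = SERVICE_RE.search(m.group("msg"))
        if s:
            found.append((m.group("host"), s.group("service"), s.group("state").lower()))
    return found


if __name__ == "__main__":
    baseline = take_baseline(BASELINE_FILES)
    for path, change in check_integrity(baseline, LATER_FILES):   # runs once per polling interval
        print(f"File Watch: {change:8} {path}")
    for host, service, state in parse_service_toggles(SAMPLE_SYSLOG):
        print(f"Syslog: {host} {service} {state}")
```

Running it prints one File Watch event for the edited esx.conf, one for the new vm2.vmx, and four Syslog events matching the shell and SSH toggles; the polling interval set to 3 min in the policy corresponds to how often check_integrity would be called against a fresh sync.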
Lab Exercise 5: Monitoring vCenter Server
Topic 1:
CSP provides a policy called vSphere Application Detection
Policy; this policy is used to monitor binaries, SSL certificates,
configuration files and logs on the vCenter server.
30 min
To monitor vCenter Server
In the management console, click Policies.
Then click Detection.
Go to the vSphere Application Detection Policy, right-click it to edit the policy,
then read the ReadMe to become familiar with the policy.
Press OK, then right-click the policy and click Apply.
Apply > Policies > VCenter, click Next and choose Take the new option settings.
Verify the policies have been deployed.
Go to the Assets tab > Prevention, right-click on vCenter and edit the policy.
Click on My Custom Programs, then edit the VSphere Trusted Users List.
Edit the Reference list of items, add admin to the list and click OK.
Press the green refresh arrow until the flag disappears on the vCenter icon.
Go to the vSphere vCenter Server VM
Login using username:admin password:Symc4now!
Go to the directory that contains the SSL certificates for vCenter
C:\ProgramData\VMware\VMware Virtual Center\SSL.
Click on the rui security certificate. Because admin is a trusted user, the certificate
should open
Go to the Monitor tab>Monitors Type>Detection to view events generated by the
policy.
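The behaviour exercised in Lab Exercises 2 and 3 (access to the SSL directory and writes to vpxd.cfg denied even to a local administrator) and relaxed in this exercise by the VSphere Trusted Users List can be pictured as a small rule engine. The Python below is an added illustration, not CSP's policy engine or any code from the lab; the rule names, the process names (vpxd.exe, explorer.exe, notepad.exe), the file name rui.crt and the precedence of the application allowlist before the trusted user list are all assumptions, while the directory and vpxd.cfg paths are the ones the lab uses.

```python
"""Added example, not CSP's own policy engine: a small model of how an
application-centric prevention policy decides file access, in the way Lab
Exercises 2 and 3 exercise it and the VSphere Trusted Users List edit in
Lab Exercise 5 relaxes it. The paths are the lab's; rule names, users,
process names and the precedence order are constructed assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set

VCENTER_DIR = r"C:\ProgramData\VMware\VMware Virtual Center"


@dataclass
class ResourceRule:
    """One protected resource: the programs that may use it and the actions blocked for everyone else."""
    name: str
    pattern: str                 # fnmatch pattern over the full path (compared case-insensitively)
    allowed_programs: Set[str]   # processes that legitimately use the resource
    blocked_actions: Set[str]    # subset of {"read", "write", "delete"}


@dataclass
class PreventionPolicy:
    rules: List[ResourceRule]
    trusted_users: Set[str] = field(default_factory=set)   # plays the role of the VSphere Trusted Users List
    events: List[Dict[str, str]] = field(default_factory=list)

    def decide(self, user: str, program: str, path: str, action: str) -> bool:
        """Return True if the access is allowed; a denial also records a prevention event."""
        for rule in self.rules:
            if not fnmatchcase(path.lower(), rule.pattern.lower()):
                continue
            if action not in rule.blocked_actions:
                return True
            # Assumed precedence: the application allowlist first, then the trusted user list.
            if program.lower() in {p.lower() for p in rule.allowed_programs}:
                return True
            if user.lower() in {u.lower() for u in self.trusted_users}:
                return True
            # Everyone else is denied, local Administrators included; the event is what Monitor View shows.
            self.events.append({"rule": rule.name, "user": user, "process": program,
                                "file": path, "action": action, "disposition": "denied"})
            return False
        return True  # not a protected resource


def lab_policy() -> PreventionPolicy:
    """Constructed rules covering the two resources the labs touch."""
    return PreventionPolicy(rules=[
        ResourceRule("vSphere SSL certificates", VCENTER_DIR + r"\SSL\*",
                     allowed_programs={"vpxd.exe"}, blocked_actions={"read", "write", "delete"}),
        ResourceRule("vCenter configuration", VCENTER_DIR + r"\vpxd.cfg",
                     allowed_programs={"vpxd.exe"}, blocked_actions={"write", "delete"}),
    ])


def walkthrough() -> List[bool]:
    """Replays the lab steps; returns the allow/deny outcome of each access in order."""
    policy = lab_policy()
    cert = VCENTER_DIR + r"\SSL\rui.crt"     # constructed file name under the lab's SSL directory
    cfg = VCENTER_DIR + r"\vpxd.cfg"
    results = [
        policy.decide("admin", "explorer.exe", cert, "read"),    # Lab 2: admin opens a certificate -> denied
        policy.decide("SYSTEM", "vpxd.exe", cert, "read"),       # the vCenter service itself -> allowed
        policy.decide("admin", "notepad.exe", cfg, "write"),     # Lab 3: admin edits vpxd.cfg -> denied
        policy.decide("admin", "notepad.exe", cfg, "read"),      # reading the config is not blocked
    ]
    policy.trusted_users.add("admin")                            # Lab 5: add admin to the trusted users list
    results.append(policy.decide("admin", "explorer.exe", cert, "read"))  # now allowed
    return results


if __name__ == "__main__":
    for outcome in walkthrough():
        print("allowed" if outcome else "denied")
```

Running the script prints denied, allowed, denied, allowed, allowed, which mirrors the lab: the same admin account that was blocked in Lab Exercise 2 can open the certificate once it is on the trusted list, and the recorded events correspond to what Monitor Types > Prevention showed.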
To search for specific events, use the Search Events function; to find events
specific to vCenter, type its name in the Source Machine field.
Go to the Monitor tab > Real-time Monitors and click on New Monitor.
Monitor Name: vCenter
Click on the Filter Rules tab.
Create a new filter rule.
Create the filter to show only vCenter events:
Choose Hostname > Equals > vCenter
Click Add and click OK.
Click OK again.
Click on the newly created vCenter monitor to view only events from vCenter.
Lab Exercise 6: Monitoring vCenter Server System
Topic 1:
CSP provides a policy called vSphere Windows Baseline Policy;
this policy is used to monitor activity on the vCenter system.
This policy monitors user and system activity and
monitors critical OS files and registry keys for changes.
30 min
To monitor the vCenter Server System
In the management console, click Policies.
Then click Detection.
Go to the vSphere Windows Baseline Policy, right-click it to edit the policy,
then read the General section to become familiar with the policy.
Expand each subsection of the policy to become familiar with the options that can
be set.
Press OK.
Right-click and Apply > Policies > VCenter, click Next and choose Take the new
option settings.
Log in to the vCenter server as username admin, password Symc4now!
o Launch Computer Management
Create a new user.
Assign the user to the Administrators group.
Go to the user properties and check Account is disabled.
o Perform another task, like clearing the security log.
o Perform other administrative tasks.
Go to the Monitor tab > Monitor Types > Detection to view events generated by the
policy.
To search for specific events, use the Search Events function; to find events
specific to vCenter, type its name in the Source Machine field.
Go to the Monitor tab > Real-time Monitors and click on New Monitor.
Monitor Name: vCenter
Click on the Filter Rules tab.
Create a new filter rule.
Create the filter to show only vCenter events:
Choose Hostname > Equals > vCenter
Click Add and click OK.
Click OK again.
Click on the newly created vCenter monitor to view only events from vCenter.
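The user activity generated in this exercise (an account created, put in the Administrators group, disabled, then the security log cleared) is exactly the kind of sequence a baseline policy should correlate rather than report as four unrelated events. The Python below is an added illustration of that detection logic, not the vSphere Windows Baseline Policy or any code from the lab. The event records are constructed and their field names are simplified; the event IDs are the standard Windows Security log IDs for those actions, and the ten-minute correlation window is an assumption.

```python
"""Added example, not the CSP vSphere Windows Baseline Policy itself: detection
logic over Windows Security events of the kind Lab Exercise 6 generates on the
vCenter system (an account created, added to Administrators, disabled, then the
security log cleared). The records are constructed; the event IDs are the
standard Windows Security IDs for those actions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

USER_CREATED = 4720           # A user account was created
USER_DISABLED = 4725          # A user account was disabled
ADDED_TO_LOCAL_GROUP = 4732   # A member was added to a security-enabled local group
AUDIT_LOG_CLEARED = 1102      # The audit log was cleared
LOGON = 4624                  # An account was successfully logged on

# Constructed records; field names are simplified from the Security log's EventData.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": LOGON, "time": "2012-07-03T14:01:30", "subject": "admin", "target": "admin"},
    {"id": USER_CREATED, "time": "2012-07-03T14:02:10", "subject": "admin", "target": "svc-backup"},
    {"id": ADDED_TO_LOCAL_GROUP, "time": "2012-07-03T14:02:35", "subject": "admin",
     "target": "svc-backup", "group": "Administrators"},
    {"id": USER_DISABLED, "time": "2012-07-03T14:03:01", "subject": "admin", "target": "svc-backup"},
    {"id": AUDIT_LOG_CLEARED, "time": "2012-07-03T14:05:44", "subject": "admin"},
]

Finding = Tuple[str, int, str]   # (severity, event id, message)


def analyze(events: List[Dict[str, object]], window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Walk the events in time order and raise findings, correlating on the target account."""
    findings: List[Finding] = []
    created_at: Dict[str, datetime] = {}   # accounts created in this batch and when
    admins: set = set()                    # accounts seen being added to Administrators
    for e in sorted(events, key=lambda r: str(r["time"])):
        t = datetime.fromisoformat(str(e["time"]))
        eid, who, target = e["id"], str(e["subject"]), str(e.get("target", ""))
        if eid == USER_CREATED:
            created_at[target] = t
            findings.append(("info", USER_CREATED, f"account {target} created by {who}"))
        elif eid == ADDED_TO_LOCAL_GROUP and e.get("group") == "Administrators":
            admins.add(target)
            # A brand-new account made an administrator within the window is the strongest signal.
            fresh = target in created_at and t - created_at[target] <= window
            msg = f"{target} added to Administrators by {who}" + (" minutes after creation" if fresh else "")
            findings.append(("critical" if fresh else "warning", ADDED_TO_LOCAL_GROUP, msg))
        elif eid == USER_DISABLED:
            if target in admins:
                # Disabled but still privileged: a dormant admin account that can be re-enabled later.
                findings.append(("warning", USER_DISABLED,
                                 f"{target} disabled by {who} but still in Administrators (dormant privileged account)"))
            else:
                findings.append(("info", USER_DISABLED, f"account {target} disabled by {who}"))
        elif eid == AUDIT_LOG_CLEARED:
            findings.append(("critical", AUDIT_LOG_CLEARED, f"security log cleared by {who}"))
    return findings


if __name__ == "__main__":
    for severity, event_id, message in analyze(SAMPLE_EVENTS):
        print(f"{severity:8} {event_id}  {message}")
```

Run against the constructed batch it reports the creation as informational, the group change as critical because it followed the creation within the window, the disable as a warning because the account stays in Administrators, and the log clearing as critical; the logon event generates nothing. The same steps performed in the lab appear in Monitor Types > Detection as the policy's own events.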
Lab Exercise 7: vSphere Reporting
Topic 1:
CSP provides out-of-the-box queries to report on events
generated by the vSphere policies.
15 min
CSP provides out-of-the-box queries to report on events generated by the vSphere policies.
To access these queries
In the management console, click Reports.
Go to Queries > Symantec > 5.2.9 2012 July 03 r1 vSphere and expand the folder.
Expand each subsection to become familiar with the queries.
Right-click and choose Run Query, or double-click on the query to execute it.
To create a report
In the management console, click Reports.
Go to Reports > Symantec > 5.2.9 2012 Jul 03 r1 vSphere, right-click on the
reports folder and create a new report.
Choose a layout and give the report a name.
Click on Insert Query and browse to the location of the vSphere queries.
Choose the query you want and click Insert.