Posted on 21-Sep-2020
Understanding CSP vSphere Prevention Policies (vox.veritas.com/legacyfs/online/veritasdata/IC L04.pdf)

IC L04 How To Protect vSphere with CSP

Course Description: Securing your virtual environment using CSP 5.2.9

At the end of this lab, you should be able to:

Understand the different components of vSphere to protect

Understand the CSP vSphere prevention policies

Understand the CSP vSphere detection policies

Understand how to deploy the policies

How CSP can be used to help meet the VMware Hardening Guidelines

Notes:

Username for the Windows box is admin, password Symc4now!

Username for the CSP collector node is root, password Symc4now!

Username for the ESXi server is root, password Symc4now!

Username for the CSP login is symadmin, password Symc4now!

LAB AGENDA

Lab Exercise 1: Understanding CSP vSphere Prevention Policies
Topic 1: CSP provides prevention policies that lock down the vSphere components, preventing unauthorized changes to configurations and binaries and unauthorized access to the SSL certificates.
10 min

Lab Exercise 2: Protecting SSL Certificates
Topic 2: The prevention policy out of the box protects the SSL certificates from being tampered with or accessed by anyone who is not authorized or by any application other than vSphere.
15 min

Lab Exercise 3: Protecting vCenter Configurations
Topic 3: The prevention policy out of the box protects the vCenter configuration files and logs from being tampered with by anyone who is not authorized.
15 min

Lab Exercise 4: Monitoring configurations, host and log files on ESXi host
Topic 3:


CSP RFS monitors for changes and parses for critical events occurring at the host level. It monitors the ESX.conf and VMXD files for changes and also monitors log files for errors.
15 min

Lab Exercise 5: Monitoring vCenter Server
Topic 3: CSP provides a policy called vSphere Application Detection Policy; this policy is used to monitor binaries, SSL certificates, configuration files and logs on the vCenter server.
15 min

Lab Exercise 6: Monitoring vCenter Server System
Topic 3: CSP provides a policy called vSphere Windows Baseline Policy; this policy is used to monitor activity on the vCenter system. It monitors user and system activity as well as critical OS files and registry keys for changes.
30 min

Lab Exercise 7: vSphere Reporting
Topic 3: CSP provides out-of-the-box queries to report on events generated by the vSphere policies.
15 min


Lab Exercise 1: Understanding CSP vSphere Prevention Policies
Topic 1: CSP provides prevention policies that lock down the vSphere components, preventing unauthorized changes to configurations and binaries and unauthorized access to the SSL certificates.
10 min

Go to the Policy tab, right-click on the out-of-the-box VSphere Protection Policy and click Edit Policy.
Click on My Custom Programs under Policy Settings, then click on Vsphere lists and Controls > ReadME > General and become familiar with what the prevention policy can do.
This policy can be deployed on the vCenter Server, the vCenter Client, vSphere client tools systems and the vCenter database server.


Lab Exercise 2: Protecting SSL Certificates
Topic 1: The prevention policy out of the box protects the SSL certificates from being tampered with or accessed by anyone who is not authorized or by any application other than vSphere.
15 min

The prevention policy out of the box protects the SSL certificates from being tampered with or accessed by anyone who is not authorized or by any application other than vSphere. This protects the certificates from being stolen and used to decrypt traffic.

To protect the SSL certificates:
In the CSP management console, click Policies, then click Prevention.
In the Workspace pane, select VSphere Protection Policy, then right-click and hit Apply.
Apply the policy to the vCenter Server.
Log in to the vCenter Server using username Admin, password Symc4now!
Try to access one of the files under C:\ProgramData\VMware\VMware Virtual Center\SSL.
Try to copy one of the files to the desktop.
In the CSP management console, click Monitor View, choose Monitor Types > Prevention and look for events that indicate that someone tried to access the SSL certificates.
CSP protects confidential data from falling into the wrong hands. CSP can be used to lock down any resource on the system against tampering or theft.


Lab Exercise 3: Protecting vCenter Configurations
Topic 1: The prevention policy out of the box protects the vCenter configuration files and logs from being tampered with by anyone who is not authorized.
15 min

The prevention policy out of the box protects the vCenter configuration files and logs from being tampered with by anyone who is not authorized.

To protect the vCenter configuration files and logs:
Log in to the vCenter Server using username Admin, password Symc4now!
Try to make changes to C:\ProgramData\VMware\VMware Virtual Center\vpxd.cfg.
In the CSP management console, click Monitor View, choose Monitor Types > Prevention and look for events that indicate that someone tried to modify vpxd.cfg.
CSP locks down configuration files, preventing any drift on the system, even by someone who has Admin rights.


Lab Exercise 4: Monitoring configurations, host and log files on ESXi host
Topic 1: The CSP RFS tool uses vCLI running on a collector node to synchronize critical configuration, host and log files down to the collector node, where it monitors them for changes and parses them for critical events. The tool also configures Syslog on the ESXi host to forward critical events to the agent for parsing and logging.
30 min

To set up file integrity monitoring and Syslog collection:
In the management console, click Policies, then click Detection.
Go to the vSphere ESXi Detection Policy and read the General Information by clicking on About to become familiar with the policy.
Click on vSphere ESXi Detection Policy and go to the Global Policy Settings; expand this and set the ESXi Host and VMware File Polling Interval to 3 min. This option controls the interval at which the CSP agent checks the files for changes.
Expand each one of the sections to become more familiar with the policy:
o ESXi Host File Integrity Monitor


o Virtual Machine Configuration Monitor
o ESXi Login Activity and Access Monitor
o ESXi Log Monitoring
Click Apply and OK.
Right-click on the policy and choose Apply > Policy > Linux, then choose the CSP Collector Node system.
Choose Take the new option settings.
To verify the policy has been deployed, go to the Assets tab > Linux, click on the CSP Collector Node system and click on Policies in the lower screen.
To generate some events, go to the ESXi VM, press F2 and log in with username root and password Symc4now!
Press F2 again and go to Troubleshooting Options.
Toggle Disable ESXi Shell to disable it and then re-enable it.
Toggle Disable SSH to disable it and then re-enable it.
Wait a few minutes.


Click on the Monitors tab and under Monitor Types click on Detection; make sure you are on the Detection View.
You should see some Syslog and File Watch events coming in; it might take a few minutes before you start seeing File Watch events.
Scroll through the events.
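The following is an added example, not the CSP RFS tool and not code from the lab, showing the two mechanisms this exercise exercises: a polling file-integrity monitor that baselines a synchronized copy of the host files and turns differences into File Watch style events, and a parser for forwarded syslog lines that keeps the ESXi Shell and SSH state changes you trigger from the Troubleshooting Options menu. It assumes the critical files have already been synchronized to a local directory (the lab attributes that step to vCLI on the collector node); the file contents, the host name esxi01 and the syslog message wording are constructed for the example, and the polling interval is the 3 minutes the lab configures.

```python
"""Polling file-integrity monitor plus ESXi syslog parsing, in the spirit of the
vSphere ESXi Detection Policy in Lab 4. Added example, not the CSP RFS tool.
It assumes the critical files have already been synchronized to a directory on
the collector node and covers only the part the polling interval controls:
take a baseline of hashes, rescan on a timer, and turn differences into
File Watch style events. File contents and syslog lines are constructed.
"""
import hashlib
import re
import tempfile
import time
from pathlib import Path

POLL_INTERVAL_S = 3 * 60  # the lab sets the polling interval to 3 min

# Constructed stand-ins for the files the lab says are watched (esx.conf, VM config).
SAMPLE_FILES = {
    "etc/vmware/esx.conf": '/adv/UserVars/ESXiShellTimeOut = "600"\n',
    "vmfs/volumes/datastore1/vm1/vm1.vmx": 'displayName = "vm1"\n',
}

# Constructed syslog lines in the shape of host messages forwarded from the ESXi host.
SYSLOG_SAMPLE = [
    "2020-09-21T10:00:01Z esxi01 Hostd: ESXi Shell has been disabled",
    "2020-09-21T10:00:05Z esxi01 Hostd: SSH has been enabled",
    "2020-09-21T10:00:07Z esxi01 Hostd: Task Completed : haTask-ha-host-update",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
TOGGLE_RE = re.compile(r"(ESXi Shell|SSH) has been (enabled|disabled)")


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(old, new):
    """Turn baseline/current differences into File Watch style events."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append({"type": "FileWatch", "action": "created", "path": rel})
        elif rel not in new:
            events.append({"type": "FileWatch", "action": "deleted", "path": rel})
        elif old[rel] != new[rel]:
            events.append({"type": "FileWatch", "action": "modified", "path": rel,
                           "old_sha256": old[rel][:12], "new_sha256": new[rel][:12]})
    return events


def poll(root, baseline, cycles, interval_s=POLL_INTERVAL_S):
    """Rescan root every interval_s seconds for `cycles` rounds.
    Returns (events, latest_baseline); the baseline moves forward after each
    rescan so a change is reported once, not on every poll."""
    events = []
    for _ in range(cycles):
        time.sleep(interval_s)
        current = snapshot(root)
        events.extend(diff_snapshots(baseline, current))
        baseline = current
    return events, baseline


def syslog_toggle_events(lines):
    """Parse forwarded syslog lines and keep only ESXi Shell / SSH state changes,
    the activity the lab generates from the DCUI Troubleshooting Options."""
    found = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        t = TOGGLE_RE.search(m.group("msg"))
        if t:
            found.append({"type": "Syslog", "hostname": m.group("host"),
                          "service": t.group(1), "state": t.group(2)})
    return found


def demo():
    """Baseline, simulate drift on the synchronized copy, poll once (no sleep)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, text in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)
        # Drift between two polls: esx.conf edited, vm1 removed, vm2 registered.
        (root / "etc/vmware/esx.conf").write_text('/adv/UserVars/ESXiShellTimeOut = "0"\n')
        (root / "vmfs/volumes/datastore1/vm1/vm1.vmx").unlink()
        (root / "vmfs/volumes/datastore1/vm2").mkdir()
        (root / "vmfs/volumes/datastore1/vm2/vm2.vmx").write_text('displayName = "vm2"\n')
        file_events, _ = poll(root, baseline, cycles=1, interval_s=0)
    return file_events + syslog_toggle_events(SYSLOG_SAMPLE)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The baseline is advanced after every rescan, which is why a change shows up once rather than on every poll, and why the lab notes that File Watch events lag a few minutes behind the Syslog events: nothing is reported until the next polling interval elapses.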


Lab Exercise 5: Monitoring vCenter Server
Topic 1: CSP provides a policy called vSphere Application Detection Policy; this policy is used to monitor binaries, SSL certificates, configuration files and logs on the vCenter server.
30 min

To monitor vCenter Server:
In the management console, click Policies, then click Detection.
Go to the vSphere Application Detection Policy, right-click to edit the policy, then read the ReadMe to become familiar with the policy.
Press OK, then right-click on the policy and hit Apply.
Apply > Policies > VCenter, hit Next and choose Take the new option settings.
Verify the policies have been deployed.


Go to the Asset tab > Prevention, right-click on vCenter and edit the policy.
Click on My Custom Programs and edit the VSphere Trusted Users List.
Edit the Reference list of items, add admin to the list and click OK.
Press the green refresh arrow until the flag disappears on the vCenter icon.
Go to the vSphere vCenter Server VM.
Log in using username: admin, password: Symc4now!
Go to the directory that contains the SSL certificates for vCenter: C:\ProgramData\VMware\VMware Virtual Center\SSL.
Click on the rui security certificate. Because admin is a trusted user, the certificate should open.
Go to the Monitor tab > Monitors Type > Detection to view events generated by the policy.
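The following is an added example, not CSP's own policy engine and not code from the lab, modelling how a prevention policy with a Trusted Users list decides an access request. It replays the steps from Lab 2 (admin blocked from copying a certificate), Lab 3 (a write to vpxd.cfg blocked) and this step of Lab 5 (admin added to the VSphere Trusted Users List, after which the rui certificate opens). The rule shape (protected directory plus blocked operations), the host name vCenter, the program names explorer.exe, notepad.exe and vpxd.exe, and the file name rui.crt are assumptions for the example; only the directories and vpxd.cfg come from the lab.

```python
"""Model of the vSphere prevention policy behaviour seen in Lab 2, 3 and 5.

Added example, not CSP's own code. It assumes a simplified policy shape:
protected directories with the operations they block, a Trusted Users list
and a trusted-programs list (the vSphere services). Access that is not by a
trusted user or trusted program is denied and produces a prevention event of
the kind the Monitor View shows. Host name, program names and rui.crt are
constructed for the example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

VCENTER_ROOT = PureWindowsPath(r"C:\ProgramData\VMware\VMware Virtual Center")
SSL_DIR = VCENTER_ROOT / "SSL"


@dataclass
class PreventionPolicy:
    # (directory, operations blocked for callers that are not trusted)
    protected: list
    trusted_users: set = field(default_factory=set)
    trusted_programs: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def is_protected(self, path, op):
        """True when path sits under a protected directory that blocks op."""
        p = PureWindowsPath(path)
        for prefix, ops in self.protected:
            if op in ops and prefix in p.parents:
                return True
        return False

    def check(self, host, user, program, path, op):
        """Return 'allow' or 'deny'; a denial is recorded as a prevention event."""
        if not self.is_protected(path, op):
            return "allow"
        # Windows account and image names compare case-insensitively.
        if user.lower() in {u.lower() for u in self.trusted_users}:
            return "allow"
        if program.lower() in {p.lower() for p in self.trusted_programs}:
            return "allow"
        self.events.append({
            "type": "Prevention", "hostname": host, "user": user,
            "process": program, "operation": op, "path": str(path),
        })
        return "deny"


def lab_policy():
    """Policy as the lab describes it: the SSL directory blocks read and write
    for anyone but vSphere; the configuration directory blocks tampering (writes)."""
    return PreventionPolicy(
        protected=[(SSL_DIR, {"read", "write"}), (VCENTER_ROOT, {"write"})],
        trusted_programs={"vpxd.exe"},  # constructed stand-in for the vCenter service
    )


def run_lab_scenario():
    """Replay the lab steps; returns ([(step, decision)], prevention_events)."""
    pol = lab_policy()
    rui = SSL_DIR / "rui.crt"
    cfg = VCENTER_ROOT / "vpxd.cfg"
    out = []
    # Lab 2: admin is not yet trusted, so copying a certificate to the desktop is blocked.
    out.append(("lab2 admin copies rui.crt",
                pol.check("vCenter", "Admin", "explorer.exe", rui, "read")))
    # vCenter itself keeps working: the service reads its own key material.
    out.append(("vpxd reads rui.crt",
                pol.check("vCenter", "SYSTEM", "vpxd.exe", rui, "read")))
    # Lab 3: editing vpxd.cfg is a write into the protected configuration directory.
    out.append(("lab3 admin edits vpxd.cfg",
                pol.check("vCenter", "Admin", "notepad.exe", cfg, "write")))
    # Reading a configuration file is not blocked by this policy.
    out.append(("admin reads vpxd.cfg",
                pol.check("vCenter", "Admin", "notepad.exe", cfg, "read")))
    # Lab 5: admin is added to the VSphere Trusted Users List, so the certificate opens.
    pol.trusted_users.add("admin")
    out.append(("lab5 trusted admin opens rui.crt",
                pol.check("vCenter", "Admin", "explorer.exe", rui, "read")))
    return out, pol.events


if __name__ == "__main__":
    decisions, events = run_lab_scenario()
    for step, decision in decisions:
        print(f"{decision:5s}  {step}")
    print(f"{len(events)} prevention event(s) would appear under Monitor Types > Prevention")
```

Note what the Trusted Users list changes and what it does not: adding admin lifts the block for that account everywhere the policy applies, so the same edit that makes the certificate open in this exercise would also let that account modify vpxd.cfg, which is why the list should stay short.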


To search for specific events, use the search events function; to search for events specific to vCenter, type the name in the Source Machine field.
Go to the Monitor tab > Real-time Monitors and click on New Monitor.
Monitor Name: vCenter
Click on the Filter Rules tab.
Create a new filter rule.
Create the filter to show only vCenter events: choose Hostname > Equals > vCenter.
Click Add and click OK.
Click OK again.
Click on the newly created vCenter monitor to view only events from vCenter.


Lab Exercise 6: Monitoring vCenter Server System
Topic 1: CSP provides a policy called vSphere Windows Baseline Policy; this policy is used to monitor activity on the vCenter system. It monitors user and system activity as well as critical OS files and registry keys for changes.
30 min

To monitor the vCenter Server system:
In the management console, click Policies, then click Detection.
Go to the vSphere Windows Baseline Policy, right-click to edit the policy, then read the General section to become familiar with the policy.
Expand each subsection of the policy to become familiar with the options that can be set.
Press OK.
Right-click and Apply > Policies > VCenter, hit Next and choose Take the new option settings.
Log in to the vCenter server as username: admin, password: Symc4now!
o Launch Computer Management
Create a new user
Assign the user to the Administrators group
Go to the user properties and check Account is disabled
o Perform another task, like clearing the Security log
o Perform other administrative tasks
Go to the Monitor tab > Monitors Type > Detection to view events generated by the policy.


To search for specific events, use the search events function; to search for events specific to vCenter, type the name in the Source Machine field.
Go to the Monitor tab > Real-time Monitors and click on New Monitor.
Monitor Name: vCenter
Click on the Filter Rules tab.
Create a new filter rule.
Create the filter to show only vCenter events: choose Hostname > Equals > vCenter.
Click Add and click OK.
Click OK again.
Click on the newly created vCenter monitor to view only events from vCenter.


Lab Exercise 7: vSphere Reporting
Topic 1: CSP provides out-of-the-box queries to report on events generated by the vSphere policies.
15 min

CSP provides out-of-the-box queries to report on events generated by the vSphere policies.

To access these queries:
In the management console, click Reports.
Go to Queries > Symantec > 5.2.9 2012 July 03 r1 vSphere and expand the folder.
Expand each subsection to become familiar with the queries.
Right-click and choose Run Query, or double-click on the query to execute it.

To create a report:
In the management console, click Reports.
Go to Reports > Symantec > 5.2.9 2012 Jul 03 r1 vSphere, right-click on the reports folder and create a new report.
Choose a layout and give the report a name.
Click on Insert Query and browse to the location of the vSphere queries.
Choose the query you want and click Insert.