Is your VMware vSphere environment secure?

Karim Habouch
3 min read · Nov 15, 2022


Assess your vSphere configuration in less than 10 minutes!

When was the last time you checked whether your ESXi hosts are properly patched, or whether unauthorized kernel modules are lurking in your infrastructure?

If you are like most organizations, you probably don’t know.

VMware vSphere is a complex environment, and it is hard to keep track of all its security settings and configurations. That is why this article walks through how you can assess whether your vSphere environment is secure in less than 10 minutes.

CIS Benchmarks

But first, let’s go through what the CIS Benchmarks are. The Center for Internet Security (CIS) is a non-profit organization that provides security benchmarks for various technologies. The benchmarks are a set of best practices that are designed to help organizations secure their infrastructure.

The CIS Benchmarks for VMware vSphere are a set of 96 configuration recommendations that are designed to help you secure your vSphere environment. The benchmarks are divided into 8 categories:

1. Install: Recommendations for base ESXi installation.

2. Communication: Recommendations related to ESXi communications.

3. Logging: Recommendations related to ESXi's logging capabilities.

4. Access: Recommendations related to ESXi's access management.

5. Console: Recommendations related to ESXi's consoles.

6. Storage: Recommendations related to ESXi disk and other storage-related settings.

7. vNetwork: Recommendations related to configuring vNetwork.

8. Virtual Machines: Recommendations for settings related to guest virtual machines.

You need to go through each of these categories and verify that the recommendations are implemented, or use the tool discussed later in this article to automate the process.

Automated test with cis-vsphere 🦍

cis-vsphere is a tool that helps you check whether your vSphere environment is compliant with the CIS Benchmarks. It is a simple tool that you can run against your vCenter Server or ESXi host. It will then scan your environment and report any non-compliant settings.

The tool is written in PowerShell and is available on GitHub.

To run the tests, follow these steps:

1. Clone the repository and navigate to the folder:

git clone https://github.com/karimhabush/cis-vsphere.git
cd cis-vsphere

2. Install VMware PowerCLI:

Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force

3. Run the script:

.\src\cis-vsphere.ps1

4. Enter the vCenter Server or ESXi host IP address and credentials when prompted.

Once connected, the tool scans your environment and reports any non-compliant settings. The results should look something like this:

cis-vsphere test results — example
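To show what one of these checks looks like under the hood, here is an added PowerCLI example (not code from the cis-vsphere script) that spot-checks the two items raised in the introduction: the ESXi build level and the signing status of loaded kernel modules. It assumes VMware.PowerCLI is installed and that $ExpectedBuild is a placeholder you replace with the build number of your approved patch level.

```powershell
# Added example, not the cis-vsphere script: spot-check ESXi build level and
# kernel module signing with PowerCLI. Assumes VMware.PowerCLI is installed.
param(
    [Parameter(Mandatory)] [string] $Server,        # vCenter Server or ESXi host
    [Parameter(Mandatory)] [string] $ExpectedBuild  # placeholder: your approved ESXi build number
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $Server -Credential (Get-Credential)

$findings = foreach ($vmhost in Get-VMHost) {
    # 1. Patch level: flag any host whose build differs from the approved build.
    if ($vmhost.Build -ne $ExpectedBuild) {
        [pscustomobject]@{
            VMHost = $vmhost.Name
            Check  = 'Patch level'
            Detail = "Build $($vmhost.Build) (ESXi $($vmhost.Version)), expected $ExpectedBuild"
        }
    }

    # 2. Kernel modules: list every loaded module whose signature status is not
    #    a VMware signature, so unsigned or third-party modules stand out for review.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $loaded = $esxcli.system.module.list.Invoke() | Where-Object { $_.IsLoaded -eq 'true' }
    foreach ($module in $loaded) {
        $info = $esxcli.system.module.get.Invoke(@{ module = $module.Name })
        if ($info.SignedStatus -notlike 'VMware*') {
            [pscustomobject]@{
                VMHost = $vmhost.Name
                Check  = 'Kernel module signing'
                Detail = "$($module.Name): $($info.SignedStatus)"
            }
        }
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false

if ($findings) { $findings | Format-Table -AutoSize } else { 'No findings.' }
```

Each finding names the host, the check, and the observed value, which is the same shape of output you would expect from a full benchmark run.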

You’ve reached the end of this article. I hope you found it useful. If you have any questions or comments, please feel free to reach out to me on LinkedIn or Twitter.
