A. Mikkelsen

VMware ESX scripts, commands, tools and other nice to know things that will make your virtualization days easier!!!!

Browsing Posts in Security

In April VMware released their hardening guide for vSphere 4.1 (http://communities.vmware.com/docs/DOC-15413), and now they have also released a free tool to check your vSphere installations against their hardening guidelines.

The tool is called “VMware Compliance Checker for vSphere” – http://www.vmware.com/products/datacenter-virtualization/vsphere-compliance-checker/overview.html

Yesterday we upgraded one of our vSphere Clusters to 4.1 – it went smoothly 🙂

But today the users reported that they weren’t able to use cut & paste between the guest and their computer using the vSphere Client (Console).

After a quick google we found that VMware has tightened the vSphere security by disabling this feature. See VMware KB 1026437.

If you need the cut & paste functionality you can enable it again on the guest or host level.

For a single VM:

  • Using the vSphere Client, log on to your vCenter server.
  • Power off the VM.
  • Edit the VM’s settings.
  • Navigate to Options > Advanced > General.
  • Click Configuration Parameters.
  • Add the following rows, using Add Row (name – value):
    isolation.tools.copy.disable – false
    isolation.tools.paste.disable – false

  • Click OK twice to close the dialogs and save the changes.
  • Power on the VM.

For all VMs on an ESX/ESXi host:

This must be done on all hosts, so you don’t lose the functionality when the VM is migrated to another host.

  • Open an SSH session to the host, e.g. using PuTTY.
  • Open /etc/vmware/config in your favorite editor.
  • Add these lines to the file:

    isolation.tools.copy.disable="FALSE"
    isolation.tools.paste.disable="FALSE"

  • Save and close the config file. Cut & Paste will work after a VM powers on, reboots or resumes.
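
A check to go with the steps above, as an added example that is not part of the original post or of VMware's tooling: it reports, for each config file given (a host's /etc/vmware/config or a VM's .vmx), whether the two isolation keys have been set back to false, so you can list where the 4.1 default was reversed. The function names, the case-insensitive matching and the "any line that sets false counts" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): report whether the
# copy/paste isolation keys from the steps above are set in a config file.

# key_state FILE KEY -> prints "enabled", "disabled" or "unset".
# "enabled" means at least one line sets KEY to false, i.e. the hardening
# default was reversed. Assumption: keys and values compare case-insensitively.
key_state() {
    awk -v want="$2" '
        BEGIN { state = "unset"; want = tolower(want) }
        /^[ \t]*#/ { next }                     # skip comments and "#!" header
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)                # keys contain no blanks
            sub(/^[ \t]*"?/, "", v)             # strip leading blank and quote
            sub(/"?[ \t\r]*$/, "", v)           # strip trailing quote, blank, CR
            if (tolower(k) != want) next
            if (tolower(v) == "false") state = "enabled"
            else if (state == "unset") state = "disabled"
        }
        END { print state }
    ' "$1"
}

# audit_clipboard FILE... -> one "file key state" line per key;
# returns 1 if any file re-enables copy or paste, else 0.
audit_clipboard() {
    rc=0
    for f in "$@"; do
        for k in isolation.tools.copy.disable isolation.tools.paste.disable; do
            s=$(key_state "$f" "$k")
            printf '%s %s %s\n' "$f" "$k" "$s"
            if [ "$s" = enabled ]; then rc=1; fi
        done
    done
    return $rc
}

# Constructed sample: a host config with copy re-enabled and paste still off.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'isolation.tools.copy.disable = "FALSE"' \
    'isolation.tools.paste.disable="TRUE"' > "$sample"
audit_clipboard "$sample" || echo "clipboard isolation relaxed in $sample"
rm -f "$sample"
```

On a host, pass /etc/vmware/config and the .vmx files of the VMs you care about as arguments to audit_clipboard; a non-zero return means at least one of them has copy or paste re-enabled.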

VMware has released their hardening guide for vSphere 4.0.

There are more than 100 guidelines to choose from, divided between:

  • Introduction
  • Virtual Machines
  • Host (both ESXi and ESX)
  • vNetwork
  • vCenter
  • Console OS (for ESX only)

http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html

Have you ever needed to document how secure your ESX servers are?

If the answer is yes, then take a look at these free tools (Compliance Checkers) from ConfigureSoft.com.
http://www.configuresoft.com/compliance-checker.aspx

If the answer is no, I would suggest you take a look at the tools anyway……

Compliance Checker for VMware ESX checks the compliance of VMware ESX hosts against VMware hardening guidelines and Center for Internet Security (CIS) benchmarks.

Compliance Checker for PCI DSS checks the compliance of servers and desktops against PCI DSS v1.2 requirements as specified by PCI Security Standards Council.

Have you ever needed to verify the security or hardened state of your ESX hosts?

If yes, then these tools from ConfigureSoft.com or TripWire.com will help you make the process easier.
If no, take a look at the tools anyway – it’s always nice to know if your “babies” are safe ;-).

http://www.configuresoft.com/compliance-checker.aspx
Compliance Checker for VMware ESX checks the compliance of VMware ESX hosts against VMware hardening guidelines and Center for Internet Security (CIS) benchmarks.

Compliance Checker for PCI DSS checks the compliance of servers and desktops against PCI DSS v1.2 requirements as specified by PCI Security Standards Council.

TripWire ConfigCheck

http://tripwire.com/configcheck/download.cfm
Read a great how-to:
http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1344980,00.html

Today I came across an article from techtarget.com about securing and auditing VMs and ESX hosts.

There are a few free tools that can help you audit your host servers: Tripwire’s ConfigCheck and Configuresoft’s Compliance Checker for ESX, both of which are lite versions of each company’s enterprise-level product.

Read the full article here.

TripWire is here….

Came across this cool free tool to check your ESX 3.5 environment security against the VMware hardening guide.

——————————–
Tripwire® ConfigCheck™ is a free utility that rapidly assesses the security of VMware ESX 3.5 hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. Developed by Tripwire in cooperation with VMware, Tripwire ConfigCheck ensures ESX environments are properly configured—offering…… (Read More)
——————————–

I’m really looking forward to seeing what else they can come up with 🙂

Frane Borozan has created an automated script based on VMware Converter to take a physical server and make a fresh replica of it on VMware Server.

It is worth a look.
http://www.p2vbackup.com

vRanger script

At work we use vRanger to take DR snapshots of all our VMs (more than 370).

We decided that we would only snapshot drive 0 and use a TSM client to back up the data in each VM, and that the snapshots were only to be taken outside working hours.
These choices gave us some problems when running vRanger because we couldn’t schedule the snapshots from vRanger.

The solution was to make our own script that would handle the logic and just use vRanger to do the actual snapshotting.
We created a VBS script to hold the logic.
1. Create a log file.
2. Delete snapshots from the day before (due to lack of storage space on the server).
3. Call the .cmd file that holds the information on which VMs to snapshot (based on weekday, one file for each day).
4. Start TSM (send the VMs’ snapshots to tape).
5. Send a status mail.

We then created 7 .cmd files (one for each weekday) in which we add a line for each VM to snapshot that day.
(You have to use the vRanger GUI to choose which drives to snapshot – changed from 3.17 -> 3.20)

I know this solution isn’t very dynamic, but it works.

I’m in the process of upgrading the script so that it dynamically creates a list of which VMs to snapshot based on a custom field in VC.
Furthermore, I also want to create a script to update the vRanger database with which drives to snapshot based on a custom field in VC.

I will upload the updated script as soon as it is done.
You can download the current script here.

If you are looking for Security White Papers for VMware products take a closer look at
http://www.vmware.com/security/
