2 Replies. Latest reply: Oct 14, 2014 1:39 PM by Mehul

Auditing VMware vCenter/vSphere Compliance with Nessus

Mehul

Today we released a new compliance check plugin in the Nessus feed, which allows users to audit VMware vCenter/vSphere installs via the VMware SOAP API. This post provides details about the plugin and helps users understand its capabilities.


Background:

Nessus has had the ability to perform compliance audits against VMware ESX for quite some time now. However, those checks used SSH credentials to log into the VMware platform and perform the audit. SSH is disabled by default on newer versions of ESX/ESXi, so that approach was not ideal for auditing VMware vCenter/vSphere installs. Tenable has now implemented new checks using the VMware SOAP API (which existing plugins already use to pull information about VMware systems). Tenable has developed support for both the ESXi API (the interface available free of charge to manage virtual machines (VMs) on ESX/ESXi) and the vCenter API (an add-on product available from VMware at some cost to manage one or more ESX/ESXi servers).

 

Scan Requirements:

- Admin credentials for VMware vCenter or ESXi.
- Audit policy for VMware vCenter/vSphere Compliance Checks (the .audit can be downloaded from here or here).
- Plugin ID #64455 (VMware vCenter/vSphere Compliance Checks).

 

Setting up the scan:

- Create a new policy.
- Enter vCenter and/or vSphere credentials (screenshots: vcenter.png and/or soap.png).
- Enable plugin #64455 (screenshot: Untitled.png).
- Apply the .audit policy (screenshot: pref.png).
- Save the policy and run the scan.


Supported Versions:

ESXi 4.x, 5.x and vCenter 4.x, 5.x

 

VMware vSphere/vCenter .audit syntax

The VMware vSphere/vCenter audits support three types of checks:

- AUDIT_VM: audits VM settings.
- AUDIT_ESX: audits ESX/ESXi server settings.
- AUDIT_VCENTER: audits vCenter server settings.

 

Sample Result:

[Screenshots: results.png, pass.png, fail.png]

 

List of supported keywords:

type:

This keyword describes the type of check that is being performed by a given item in an audit file. VMware audits can be performed with the following three types of .audit checks:

- AUDIT_VM
- AUDIT_ESX
- AUDIT_VCENTER

e.g.

type: AUDIT_VM
type: AUDIT_ESX
type: AUDIT_VCENTER

 

description:

This keyword gives a brief description of the check that is being performed. The description field must be unique: no two checks may share the same description, because SecurityCenter uses this field to auto-generate a plugin ID number for the check.

e.g.

description: "Disconnect unauthorized devices - 'floppyX.present = false'"

 

info:

This keyword allows users to add a more detailed description of the check that is being performed. Multiple info fields are allowed, with no preset limit. The info content should be enclosed in double quotes.

e.g.

info: "Make sure floppy drive is not attached"

 

regex:

This keyword selects the configuration items that match a regular expression.

e.g.

regex: "floppy([Xx]|[0-9]+)\\.present :"

If a check has the 'regex' keyword set but neither 'expect' nor 'not_expect', the check simply reports all lines matching the regex.


Compliance Testing Keywords

The compliance of a check is determined by comparing the output of the check against either the 'expect' or the 'not_expect' keyword. A check may contain only one compliance testing keyword: either 'expect' or 'not_expect', never both.

 

expect:

This keyword audits the config item matched by the 'regex' keyword; if 'regex' is not used, it looks for the 'expect' string in the entire config.

The check passes as long as the config line found by 'regex' matches the 'expect' string or, where 'regex' is not set, if the 'expect' string is found in the config.

e.g.

regex: "floppy([Xx]|[0-9]+)\\.present :"
expect: "floppy([Xx]|[0-9]+)\\.present : false"

or

expect: "floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the 'expect' keyword ensures that the floppy drive is not present.

 

not_expect:

This keyword searches for configuration items that should not be in the configuration.

It acts as the opposite of 'expect'. The check passes as long as the config line found by 'regex' does not match the 'not_expect' string or, if the 'regex' keyword is not set, as long as the 'not_expect' string is not found in the config.

e.g.

regex: "floppy([Xx]|[0-9]+)\\.present :"
not_expect: "floppy([Xx]|[0-9]+)\\.present : false"

or

not_expect: "floppy([Xx]|[0-9]+)\\.present : false"

In the above cases, the 'not_expect' keyword ensures that the floppy drive is present.
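To make the pass/fail rules concrete, here is an added Python model of the regex/expect/not_expect semantics described above. It is illustrative code written for this page, not the plugin's own logic; the VM names and config lines are constructed, and how a 'regex' that selects several lines is judged is an assumption noted in a comment.

```python
import re

# Constructed sample config lines (one list per VM); not real plugin output.
SAMPLE_VMS = {
    "Test VM 1 Audit": ["floppy0.present : false", "vmsafe.enable : false"],
    "Test VM 2": ["floppy0.present : true", "ethernet0.present : true"],
    "Test VM Audit": ["floppyX.present : false"],
}

# In a .audit file the escaped dot is written "\\."; as a Python raw string it is "\.".
FLOPPY_ABSENT = {
    "type": "AUDIT_VM",
    "description": "Disconnect unauthorized devices - floppy (constructed check)",
    "regex": r"floppy([Xx]|[0-9]+)\.present :",
    "expect": r"floppy([Xx]|[0-9]+)\.present : false",
}


def evaluate(check, config_lines):
    """Apply the post's expect/not_expect rules to one VM's config lines.

    Returns (status, lines): status is "PASSED"/"FAILED", or "INFO" for a
    regex-only check; lines are the config lines selected by 'regex'
    (or the whole config when 'regex' is absent).
    """
    regex, expect, not_expect = (check.get(k) for k in ("regex", "expect", "not_expect"))
    if expect and not_expect:
        raise ValueError("a check may carry either 'expect' or 'not_expect', not both")
    lines = [l for l in config_lines if re.search(regex, l)] if regex else list(config_lines)
    if not expect and not not_expect:
        return "INFO", lines                 # regex only: just report the matches
    hits = [l for l in lines if re.search(expect or not_expect, l)]
    if expect:
        # Assumption: with 'regex', at least one line must be selected and every
        # selected line must match 'expect'; without 'regex', any match passes.
        ok = bool(hits) and (not regex or len(hits) == len(lines))
    else:
        ok = not hits                        # not_expect: pass when nothing matches
    return ("PASSED" if ok else "FAILED"), lines


def run_check(check, vms):
    """Evaluate one check against every VM and return {vm_name: status}."""
    return {name: evaluate(check, cfg)[0] for name, cfg in vms.items()}


if __name__ == "__main__":
    for name, status in run_check(FLOPPY_ABSENT, SAMPLE_VMS).items():
        print(f"{status}: {name}")
```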

 

Additional Notes:

- If a check passes, this plugin reports all the VMs/ESXi hosts that matched the policy.
- The .audit supplied by Tenable reports both the VM name and the IP of the target. However, note that the IP address of a VM is not available unless VMware Tools is installed. If VMware Tools is not installed, we report toolsNotInstalled instead of the IP. If VMware Tools is installed but the VM is suspended, we report toolsOk. Here is how the reports will show up:

Test VM 2, poweredOff (toolsNotInstalled) - vmsafe.enable : NOT found
Test VM Audit (172.26.23.123) - vmsafe.enable : NOT found
Test VM 1 Audit (toolsOk) - vmsafe.enable : NOT found

 

- Both ESX/ESXi and vCenter can be scanned with the same policy, but note that vCenter checks run against ESX/ESXi hosts will be skipped (screenshot: skipped.png).

 

- SC is not supported, and will be supported in v4.7. I know it looks fine in the UI, but it's not supported by the backend.

 

- vSphere and ESXi are one and the same with respect to these plugins. vSphere is the product name, and ESXi is the name of the OS. Kind of what iOS is to iPhone.

 

- If scanning vCenter, customers should use the "VMware vCenter SOAP API Settings" preference tab, and for vSphere/ESXi the "VMware SOAP API Settings" tab.
- Customers can scan either vCenter or vSphere/ESXi or both at the same time from the GUI. But if scanning vCenter only, provide only vCenter credentials in "VMware vCenter SOAP API Settings". If you are scanning only vSphere/ESXi, then provide credentials only under "VMware SOAP API Settings".

 

- Verify the credentials are correct by trying to log in with them to the target's Managed Object Browser (MOB):

https://vcenter_ip/mob
or
https://vsphere_ip/mob

 

- The scans can also be run from the command line.

  For vCenter:

  /opt/bin/nessus/nasl -Xt vcenter_ip vmware_compliance_check.nbin

  For vSphere/ESXi:

  /opt/bin/nessus/nasl -Xt vsphere_ip vmware_compliance_check.nbin -k vmw.kb

  where vmw.kb contains just this line:

  1234 3 Transports/TCP/443=5

 

- If the SSL certificate is not signed by a known CA, make sure the 'Verify SSL certificate' is unchecked in "VMware vCenter SOAP API Settings", and "Ignore SSL certificate" is checked in "VMware SOAP API Settings".

 

- If nothing works, try rebuilding the plugins (nessus-service -R), create a new policy and try again.

 

That wraps up today's discussion on the VMware vCenter/vSphere Compliance checks. If you have questions or comments, please feel free to open a support ticket with Tenable's support team.


-Mehul