
INF-SEC1840 – ESXi Hardening Guide and Security Practices

The ESXi Hardening Guide started in the 2.x days. It was originally a best-practices document on security. In 4.x, VMware started breaking it into categories of information, and it has improved over the years. Feedback on the 4.x guide was that it was presented as a PDF, offered limited ways to resolve and mitigate the listed risks, and was not usable in a programmatic format.

The new format in 5.0 is a spreadsheet guide categorized by component and sub-component. The spreadsheet now includes techniques to implement and apply these recommendations. See http://vmware.com/go/securityguides for more information.

Automating these solutions and suggestions is the next obvious step in addressing the security concerns. That is where the SCAP standard from NIST comes in, which allows security audit and validation. The standard supports a checklist-style approach to validation and defines how the checklist is set up. XCCDF is the primary XML rule-based system for validation around testing and assessment. XCCDF sets up the checklist, and OVAL then designates a fixtext area, which can be programmatic or just manual steps. Together, these two provide a standardized approach to building and using security information and validation.

OVAL is the Open Vulnerability Assessment Language. Today there are over 13,500 definitions, covering different versions of all OS platforms. It is open and community driven, with a significant amount of information being created every day. The standard links with CVE to show vulnerability scoring, which is more timely and updated reasonably quickly.
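
To make the checklist idea concrete, here is an added example (not from the session or from VMware's guide) that reads an XCCDF 1.1 benchmark fragment, pulls out each rule's fixtext and OVAL definition references, and lists the rules that can only be assessed manually. The benchmark content, rule ids, file name and OVAL ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF}

# Constructed benchmark fragment: rule ids, titles and OVAL ids are made up.
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" id="example-hypervisor-benchmark">
  <Rule id="rule-disable-remote-shell" severity="high">
    <title>Disable the remote shell service</title>
    <fixtext>Stop the service and set its startup policy to manual.</fixtext>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example.test:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-review-admin-accounts" severity="medium">
    <title>Review local administrator accounts</title>
    <fixtext>Compare the local account list with the approved list.</fixtext>
  </Rule>
</Benchmark>"""


def load_rules(xml_text):
    """Return one dict per XCCDF Rule: id, severity, title, fixtext, OVAL refs."""
    # For benchmark files from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        oval_refs = [
            ref.get("name")
            for check in rule.findall("x:check", NS)
            if check.get("system") == OVAL_SYSTEM
            for ref in check.findall("x:check-content-ref", NS)
        ]
        rules.append({
            "id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
            "fixtext": rule.findtext("x:fixtext", default="", namespaces=NS).strip(),
            "oval": oval_refs,
        })
    return rules


def manual_only(rules):
    """Rules without an OVAL reference have no automated check to run."""
    return [r["id"] for r in rules if not r["oval"]]
```

Calling `manual_only(load_rules(SAMPLE))` gives the rules an auditor still has to verify by hand; everything else can be handed to an OVAL-capable scanner.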