Free Tool for Checking ESX Security
Security company Tripwire has released a limited, but very useful, utility
for checking the security of VMware's ESX hypervisor. Best of all, it's free.
The tool, ConfigCheck, looks for vulnerabilities in ESX, the kind that generally occur through misconfiguration of a server. The svelte, 11 MB download makes it easy to set up and try. After running the program, it compares data with VMware's published security guidelines and alerts admins if there's a problem.
ConfigCheck was developed in concert with VMware, and runs on Windows. In a press release, Raghu Raghuram, vice president, products and solutions for VMware, described the challenges virtualization administrators face with security:
"Two of the most important security issues customers should focus on are misconfiguration and patching. With VMware Update Manager which we introduced earlier this year, we have simplified the management of our customers' Virtual Infrastructure by automating the deployment of patches and updates. Tripwire ConfigCheck now adds to that capability by providing customers with a tool to proactively compare their VMware configurations with proven, hardening guidelines developed using best practices from the most business-critical VMware Infrastructure deployments."
A test results in one of three outcomes: "Passed", "Failed" or "Unavailable". Passed means that it meets the VMware guidelines for hardening the server. Failed, of course, means the opposite. Unavailable means that the test couldn't be completed for some reason.
Being free means there are also limitations to what it can do. For instance, only ESX 3.5 can be tested; you're out of luck if you have an earlier version, although Tripwire indicates on its Web site that it will be adding more versions in the future. Also, nothing beyond ESX can be tested -- no VMs, guest OSes, applications or other parts of the infrastructure. You'll need to get Tripwire Enterprise for that.
Tripwire says that it will be supporting ESXi, the embedded hypervisor, in a future release. If you've used ConfigCheck, or are going to, please let me know your experiences.
Posted by Keith Ward on 06/11/2008 at 12:48 PM