Pau Lo
asked on
Audit of vcenter and hosts
We have an ambition to create an audit and monitoring system specific to vmware systems to identify
a) unauthorised access
b) data theft
Specific to esxi hosts and vcenter, is there perhaps a "top 10" events/actions that you'd (or perhaps you do) audit, and are there built-in tools within esxi and vcenter to report on these events? I appreciate with IT administration you need a degree of trust, but that's where I see the audit / monitoring system filling the gap to ensure nobody is abusing that trust. I know guests, i.e. guest OS / guest apps, also need considering, but based on how easy you told me it is to just pick up a server from within vcenter or within the host, I'd like to focus on that area.
ASKER CERTIFIED SOLUTION
1. All events when connecting to vCenter are logged. You should NOT allow direct connection to the host, because events are overwritten, unless you set up additional logging. But vCenter access is what should be set up. Access can be controlled better with vCenter; that is what it is designed to do.
2. I think the events displayed are self-evident: a user has deleted a virtual machine; is this misuse?
Adding a floppy drive or USB drive: is this an example of data theft? Although it would track that devices have been added, you would need auditing enabled in the OS to track data copying.
This is outside the vCenter software.
ASKER
How long are events maintained for by default?
Are logins/connections to vcenter logged?
ASKER
>>You should NOT allow direct connection to the host, because events are over written
Via documented policy? Or can you enforce this technically? If so, can you provide details on how.
You can enforce this: do not create any other accounts, document the root account's password, leave it in the safe, and no admin should connect as root unless allowed by policy.
logins to vCenter are recorded.
All events and tasks are recorded and stored in the database.
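One way to turn the events named in the answers above (a VM being deleted, a floppy or USB device being added, logins to vCenter, root logins that policy forbids) into a report, as an added example that is not part of the original thread. It assumes the events have already been exported from vCenter (for instance with PowerCLI's Get-VIEvent or pyVmomi's EventManager.QueryEvents) and flattened into dicts with the field names shown; the event class names and the ipAddress/userName/configSpec.deviceChange fields are real vSphere API names, while the severities, thresholds and the sample events are constructed for the demo.

```python
"""Triage exported vCenter events for unauthorised access and data-theft signals.

Added example; assumes events were exported from vCenter and flattened into
dicts ({"eventType", "userName", "createdTime", "vm", "ipAddress", "configSpec"}).
The sample events at the bottom are constructed, not taken from a real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# vSphere event types worth a line in the audit report (severities are a choice).
WATCHED = {
    "VmRemovedEvent": ("HIGH", "virtual machine removed from inventory"),
    "VmClonedEvent": ("HIGH", "VM cloned: a second copy of its disks now exists"),
    "VmRelocatedEvent": ("MEDIUM", "VM disks moved to another datastore"),
    "PermissionAddedEvent": ("HIGH", "permission granted on an object"),
    "PermissionUpdatedEvent": ("HIGH", "existing permission changed"),
    "RoleAddedEvent": ("MEDIUM", "new role created"),
    "RoleUpdatedEvent": ("MEDIUM", "privileges of a role changed"),
    "NoAccessUserEvent": ("MEDIUM", "login by an account with no permissions"),
}
# Device classes whose addition to a VM gives a path for data to leave the platform.
REMOVABLE_DEVICES = {"VirtualFloppy", "VirtualUSB", "VirtualCdrom"}
# Policy knobs (assumed values; tune to the environment).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
FORBIDDEN_LOGIN_USERS = {"root"}  # per the answer: nobody logs in as root unless policy allows


def _finding(ev, severity, reason):
    return {"severity": severity, "eventType": ev["eventType"],
            "user": ev.get("userName", ""), "vm": ev.get("vm", ""),
            "time": ev["createdTime"], "reason": reason}


def devices_added(ev):
    """Device types added by a VmReconfiguredEvent (configSpec.deviceChange, operation 'add')."""
    spec = ev.get("configSpec") or {}
    return [c["deviceType"] for c in spec.get("deviceChange", [])
            if c.get("operation") == "add"]


def triage(events):
    """Return the findings (list of dicts) for a list of flattened events."""
    findings = []
    failures = defaultdict(list)  # (userName, ipAddress) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["createdTime"]):
        etype = ev["eventType"]
        if etype in WATCHED:
            sev, why = WATCHED[etype]
            findings.append(_finding(ev, sev, why))
        elif etype == "VmReconfiguredEvent":
            hits = [d for d in devices_added(ev) if d in REMOVABLE_DEVICES]
            if hits:
                findings.append(_finding(ev, "HIGH", "removable device added: " + ", ".join(hits)))
        elif etype == "UserLoginSessionEvent":
            if ev.get("userName") in FORBIDDEN_LOGIN_USERS:
                findings.append(_finding(ev, "HIGH", "login with the shared root account"))
        elif etype == "BadUsernameSessionEvent":
            window = failures[(ev.get("userName"), ev.get("ipAddress"))]
            window.append(ev["createdTime"])
            while window and ev["createdTime"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                findings.append(_finding(ev, "HIGH",
                                         f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW} "
                                         f"from {ev.get('ipAddress')}"))
    return findings


# Constructed sample: an admin adds a USB device to a VM, then deletes the VM;
# a root login; a burst of failed logins from an external address.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"eventType": "UserLoginSessionEvent", "userName": "VSPHERE.LOCAL\\jsmith",
     "ipAddress": "10.0.5.20", "createdTime": T0},
    {"eventType": "VmReconfiguredEvent", "userName": "VSPHERE.LOCAL\\jsmith", "vm": "fin-db-01",
     "createdTime": T0 + timedelta(minutes=3),
     "configSpec": {"deviceChange": [{"operation": "add", "deviceType": "VirtualUSB"}]}},
    {"eventType": "VmReconfiguredEvent", "userName": "VSPHERE.LOCAL\\jsmith", "vm": "fin-db-01",
     "createdTime": T0 + timedelta(minutes=4),  # benign: NIC edited, nothing added
     "configSpec": {"deviceChange": [{"operation": "edit", "deviceType": "VirtualVmxnet3"}]}},
    {"eventType": "VmRemovedEvent", "userName": "VSPHERE.LOCAL\\jsmith", "vm": "fin-db-01",
     "createdTime": T0 + timedelta(minutes=30)},
    {"eventType": "UserLoginSessionEvent", "userName": "root", "ipAddress": "10.0.5.77",
     "createdTime": T0 + timedelta(hours=1)},
] + [
    {"eventType": "BadUsernameSessionEvent", "userName": "administrator@vsphere.local",
     "ipAddress": "203.0.113.9", "createdTime": T0 + timedelta(hours=2, seconds=30 * i)}
    for i in range(6)
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['severity']:6} {f['eventType']:26} "
              f"{f['user']:28} {f['vm']:10} {f['reason']}")
```

The export step is the part the thread's answer points at: vCenter keeps tasks and events in its database, so the report is built from that store rather than from the individual hosts, and a "remove" deviceChange or a login that never reached vCenter will simply not appear here.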
ASKER
>>Secondly, all tasks and events are logged in the vCenter database.
1) Does this mean all events logged within vcenter, or by accessing the host directly? I.e. you don't need to use vcenter to access the host.
2) And in terms of "events", are there a top 10 that would indicate potential misuse or data theft that reports could be created on, as some events won't be of interest based on the reasons behind the auditing policy?