Pau Lo
esxi direct access and lockdown mode
In relation to lockdown mode, my understanding is that when hosts are in lockdown mode, you can only really manage the server from within vCenter, where all actions are audited. If you aren't managing an ESXi host through vCenter, what other tools are used to manage the host directly?
And is there any way to tell if an admin managed/accessed a host not through vCenter, and what activities they performed? If so, where would such logs be present, and how can you access them?
Also, how easy is it for an admin to delete audit logs in vCenter? If the main issue in enabling lockdown mode is accountability, and an admin in vCenter could just delete the audit logs, it's hard to say ESXi lockdown mode provides any other major accountability controls.
What kind of "actions" taken on a host would be of most interest to, say, security admins, i.e. which kinds of activity and actions should they review from the logs? And are we saying that if this is not done from within vCenter there is no easy way of telling?
ASKER
>if a user has the root account
But you can't delete the audit logs from within vCenter itself?
And also, what kind of "actions" taken on a host would be of most interest to, say, security admins, i.e. which kinds of activity and actions should they review from the logs? And are we saying that if this is not done from within vCenter there is no easy way of telling?
I suspect from what you are saying that if you directly accessed an ESXi host via, for example, PowerCLI, the activity is not audited?
Who has logged in and from where, e.g. which IP address,
and date and times.
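The answer above points at exactly the three things the host records on its own: who logged in, from which address, and when. The following is an added example, not code from the original thread or from VMware, that pulls those facts out of the host's local logs and separates direct access from vCenter's own sessions. It assumes the log formats of /var/log/auth.log (sshd logins), /var/log/shell.log (commands typed in the ESXi Shell or over SSH) and /var/log/hostd.log (API logins to the host agent), that vCenter authenticates to the host as the service account vpxuser so that any other user logging in to hostd is a direct connection (for instance PowerCLI pointed at the host rather than at vCenter), and uses an illustrative watchlist of sensitive commands that is my own, not a VMware list. The sample log lines are constructed.

```python
"""Find ESXi management activity that bypassed vCenter, from the host's own logs.

Assumed log formats (ESXi 6.x/7.x style; sample lines below are constructed):
  /var/log/auth.log   - SSH logins accepted by sshd
  /var/log/shell.log  - commands run in the ESXi Shell / over SSH
  /var/log/hostd.log  - API logins to hostd ("User X@IP logged in as CLIENT")
vCenter talks to hostd as 'vpxuser'; every other hostd login, and every
SSH or shell session, is someone managing the host directly.
"""
import re
from collections import defaultdict

VCENTER_USER = "vpxuser"

# Illustrative watchlist (an assumption, not a VMware list): commands that touch
# the logs themselves, log forwarding, local accounts, or remote shell access.
SENSITIVE = re.compile(
    r"/var/log|esxcli system syslog|/Syslog/|esxcli system account|passwd|"
    r"vim-cmd hostsvc/(enable|disable)_(ssh|esx_shell)|"
    r"esxcli system settings advanced set",
    re.IGNORECASE,
)

SSH_LOGIN = re.compile(
    r"^(?P<ts>\S+) .*sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
SHELL_CMD = re.compile(
    r"^(?P<ts>\S+) .*?shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
HOSTD_LOGIN = re.compile(
    r"^(?P<ts>\S+) .*User (?P<user>[^@\s]+)@(?P<ip>[\d.]+) logged in as (?P<client>.+?)\s*$"
)


def parse(line):
    """Return one event dict for a login or shell command line, else None."""
    m = SSH_LOGIN.match(line)
    if m:
        return {"ts": m["ts"], "kind": "ssh_login", "user": m["user"],
                "src": m["ip"], "detail": "sshd"}
    m = SHELL_CMD.match(line)
    if m:
        return {"ts": m["ts"], "kind": "shell_cmd", "user": m["user"],
                "src": None, "detail": m["cmd"]}
    m = HOSTD_LOGIN.match(line)
    if m:
        return {"ts": m["ts"], "kind": "api_login", "user": m["user"],
                "src": m["ip"], "detail": m["client"]}
    return None


def direct_access(lines):
    """All events that did not come through vCenter (vpxuser API logins are skipped)."""
    events = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "api_login" and ev["user"] == VCENTER_USER:
            continue  # vCenter's own session with the host: expected traffic
        ev["sensitive"] = ev["kind"] == "shell_cmd" and bool(SENSITIVE.search(ev["detail"]))
        events.append(ev)
    return events


def report(lines):
    """Per-user summary: source addresses, login timestamps, sensitive commands."""
    summary = defaultdict(lambda: {"sources": set(), "logins": [], "sensitive_cmds": []})
    for ev in direct_access(lines):
        entry = summary[ev["user"]]
        if ev["kind"] in ("ssh_login", "api_login"):
            entry["sources"].add(ev["src"])
            entry["logins"].append(ev["ts"])
        elif ev["sensitive"]:
            entry["sensitive_cmds"].append((ev["ts"], ev["detail"]))
    return dict(summary)


# Constructed sample lines in the assumed formats of the three host logs.
SAMPLE_LOGS = [
    # hostd.log: vCenter's own session, expected and not flagged
    "2023-05-01T09:50:02Z Hostd: info hostd[2098500] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 118 : User vpxuser@192.0.2.10 logged in as VMware-client/7.0.3",
    # hostd.log: an admin pointing PowerCLI straight at the host, bypassing vCenter
    "2023-05-01T10:01:40Z Hostd: info hostd[2098500] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 119 : User root@192.0.2.15 logged in as PowerCLI/13.0.0",
    # auth.log: SSH login as root from the same workstation
    "2023-05-01T10:02:11Z In(14) sshd[2098765]: Accepted keyboard-interactive/pam for root "
    "from 192.0.2.15 port 53422 ssh2",
    # shell.log: commands typed in that SSH session
    "2023-05-01T10:02:30Z shell[2098770]: [root]: esxcli network ip interface ipv4 get",
    "2023-05-01T10:03:05Z shell[2098770]: [root]: esxcli system syslog config set --loghost=''",
    "2023-05-01T10:03:20Z shell[2098770]: [root]: rm -f /var/log/shell.log",
]

if __name__ == "__main__":
    for user, entry in report(SAMPLE_LOGS).items():
        print(user, sorted(entry["sources"]), entry["logins"])
        for ts, cmd in entry["sensitive_cmds"]:
            print("  REVIEW", ts, cmd)
```

The last two sample commands are the point of the asker's concern: a root shell can turn off log forwarding and delete the very log that recorded it, so this kind of review only holds up if the host ships its logs to a remote syslog target (the Syslog.global.logHost setting) before an admin gets the chance to clear them locally.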
ASKER
Can the host's audit logs be deleted from within vCenter itself?
Is activity performed outside vCenter logged at all on the server? If it is, what is the problem, and what is the major benefit of enforcing all management through vCenter?
Are there any valid tasks that need to be performed outside of vCenter? If so, can examples be provided?
You would have to log in as a root account on the server.
You can restrict access using vCenter Server, and audit more effectively.
Troubleshooting often requires access to the console.