ESXi direct access and lockdown mode

In relation to lockdown mode, my understanding is that when hosts are in lockdown mode, you can only really manage the server from within vCenter, where all actions are audited. If you aren't managing an ESXi host through vCenter, what other tools are used to manage the host directly?

And is there any way to tell if an admin managed/accessed a host not through vCenter, and what activities they performed? If so, where would such logs be present, and how can you access them?

Also, how easy is it for an admin to delete audit logs in vCenter? If the main issue in enabling lockdown mode is accountability, and an admin in vCenter could just delete the audit logs, it's hard to say ESXi lockdown mode provides any other major accountability controls.

What kind of "actions" taken on a host would be of most interest to, say, security admins, i.e. which kinds of activity and actions should they review from the logs? And are we saying that if this is not done from within vCenter there is no easy way of telling?
pma111Asked:
pma111 (Author) commented:
And finally, is there any reason you would need to manage an ESXi host outside of vCenter? If so, can you provide examples, and if there is, what compensating controls can be put in place for such activity outside of vCenter?
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
SSH, if SSH is enabled.

PowerCLI, vCLI, vMA all have access to ESXi and vCenter if you have the correct access permissions.

If a user has the root account, they could log in and remove all the logs, no different to a Windows Server.

All the logs are stored in \var\logs, on the server.
0
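
An added example, not part of the original thread: a PowerCLI check, run against vCenter, that reports for each host whether lockdown mode is off and whether the SSH or ESXi Shell services mentioned above are running. It assumes PowerCLI is installed and `Connect-VIServer` has already been run; the function name `Get-EsxiDirectAccessReport` and the `NeedsReview` rule are illustrative assumptions.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer session.
function Get-EsxiDirectAccessReport {
    [CmdletBinding()]
    param(
        # Hosts to check; defaults to every host visible in the current session.
        [Parameter(ValueFromPipeline = $true)]
        $VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in $VMHost) {
            # Host configuration as exposed by the vSphere API object.
            $cfg = $h.ExtensionData.Config
            if ($null -eq $cfg) {
                # Disconnected or unresponsive hosts return no configuration.
                $lockdown = 'unknown'
            } elseif ($null -ne $cfg.LockdownMode) {
                # lockdownDisabled, lockdownNormal or lockdownStrict.
                $lockdown = [string]$cfg.LockdownMode
            } elseif ($cfg.AdminDisabled) {
                # Older hosts expose only a boolean lockdown flag.
                $lockdown = 'lockdownNormal'
            } else {
                $lockdown = 'lockdownDisabled'
            }

            # TSM-SSH is the SSH service, TSM is the local ESXi Shell.
            $svc   = Get-VMHostService -VMHost $h -ErrorAction SilentlyContinue
            $ssh   = $svc | Where-Object { $_.Key -eq 'TSM-SSH' }
            $shell = $svc | Where-Object { $_.Key -eq 'TSM' }

            [pscustomobject]@{
                Host         = $h.Name
                State        = [string]$h.ConnectionState
                LockdownMode = $lockdown
                SshRunning   = [bool]$ssh.Running
                SshPolicy    = [string]$ssh.Policy
                ShellRunning = [bool]$shell.Running
                # Illustrative rule: flag any host that can be managed directly.
                NeedsReview  = ($lockdown -notin 'lockdownNormal', 'lockdownStrict') -or
                               [bool]$ssh.Running -or [bool]$shell.Running
            }
        }
    }
}

# List only the hosts that still allow direct management.
Get-EsxiDirectAccessReport | Where-Object NeedsReview | Format-Table -AutoSize
```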

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111 (Author) commented:
> if a user has the root account

But you can't delete the audit logs from within vCenter itself?

And also, what kind of "actions" taken on a host would be of most interest to, say, security admins, i.e. which kinds of activity and actions should they review from the logs? And are we saying that if this is not done from within vCenter there is no easy way of telling?

I suspect from what you are saying that, say, if you directly accessed an ESXi host via, for example, PowerCLI, the activity is not audited?
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Who has logged in and from where, e.g. which IP address.

And dates and times.
0
pma111 (Author) commented:
Can the host's audit logs be deleted from within vCenter itself?

Is activity performed outside vCenter logged at all on the server? If it is, what is the problem, and the major benefit, of enforcing all management through vCenter?

Are there any valid tasks that need to be performed outside of vCenter? If so, can examples be provided?
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
> can the hosts audit logs be deleted from within vcenter itself?

You would have to log in as a root account on the server.

You can restrict access using vCenter Server, and audit more effectively.

Troubleshooting often requires access to the console.
0