In relation to lock-down mode, my understanding is that when hosts are in lockdown mode, you can only really manage the server from within vcenter, where all actions are audited. If you aren't managing a esxi host through vcenter, what other tools are used to manage the host directly?
And is there anyway to tell if an admin managed/accessed a host not through vcenter, and what activities they performed? if so where would such logs be present, and how can you access them?
also how easy is it for an admin to delete audit logs in vcenter? If the main issue in enabling lockdown mode is accountability, and an admin in vcenter could just delete the audit logs, its hard to say esxi lockdown mode provides any other major accountability controls.
what kind of "actions" taken on a host would be of most interest to say security admins - i.e. which kinds of activity and actions should they review from the logs? and are we saying if this is not done from within vcenter there is no easy way of telling.