Last time I went into our deployment of the HyTrust Appliance (HTA), some configuration considerations, and setting up the appliance for centralized authentication using Active Directory. For this post I will talk a bit about our use of host compliance templates and, my favorite feature, root password vaulting.
Host compliance templates
The HTA’s host compliance templates are configuration guidelines that can be tuned to assess your protected ESX/ESXi hosts and, in some cases, remediate configuration errors that are found. If you’re familiar with Active Directory administration, think group policy for the hypervisor. There is some overlap here with the host profiles provided with higher-end VMware ESX/ESXi licensing, but HyTrust takes it a step further by providing templates based on VMware, PCI, SOX, and CIS recommendations.
I modeled the compliance template for our environment off of the provided “Vmw4-ESXi” template, editing a few parameters and changing some of the options from “Assess” to “Remediate.” Specifically, I added our organization’s ntp servers and internal syslog collection server to the appropriate items in the template. Also, I changed the option “Snaphot all virtual machines” to assess, as none of the other configuration items I was remediating on affected settings that required VM snapshots for rollback.
After running an assessment scan I found that, while most of the hosts were already 100% compliant, a handful of them were only at 86%. Going into the details link on each of those hosts, I was able to see that the hosts were still configured to point to a defunct syslog server. Selecting the offending hosts, I now chose to remediate any problems… and voila! 100% for all hosts in this datacenter.
Root password vaulting
I don’t like using shared passwords (as no sysadmin should), especially for root accounts. Out of the box, this is a necessity for ESX/ESXi, although more recent versions of VMware’s hypervisor can be joined to Active Directory, assuming you have a domain handy (see here and here for good tutorials). With root password vaulting, the HyTrust appliance provides a fairly straightforward method for eliminating the notion of the shared root password from your virtualization hosts.
Once you turn on root password vaulting for an ESX/ESXi host, it updates the root password on that host to something that only the appliance knows. If, for some reason, an administrator needs root access, there is a handy checkout tool for getting a new, randomly generated, root password.
This password is time-bombed, anywhere from 1 to 24 hours, at which point the HTA again randomly generates a new password and changes it on the host.
Before turning this feature on, it is definitely important to understand and practice the retrieval procedure for the case when root access is required on a host and the HTA is unavailable for some reason (network, storage failure, etc.) This procedure is well documented in the HyTrust Configuration Guide and the utility for recovery can be requested from HyTrust Support. A word of warning – part of the information needed for generating a lost root password is in the HTA logs, so I highly recommend sending those to a trusted syslog server with a good retention policy before turning this feature on.
Next time I will tackle the authorization features of the HTA.
All posts in this series:
Implementing the HyTrust Appliance – Part 1 (deployment, configuration considerations)
Implementing the HyTrust Appliance – Part 2 (compliance templates, root password vaulting)
Implementing the HyTrust Appliance – Part 3 (roles, rules, constraints, etc.)