Self Driving Operations - vSphere Security Guide - Virtual Machines - vRO MP 3.0

Description
This package is the evolution of the previous release of this package. In this release we leverage the new abilities offered by the vRO MP 3.0.

This package covers the following vSphere Security Guide recommendations and STIG findings:

vRealize Operations SymptomDefinition                                     STIG Finding

SymptomDefinition-VMWARE-AutoLogonNotDisabled                            V-1145
Description: Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. Automatic logon with administrator privileges would give full access to an unauthorized individual.

SymptomDefinition-VMWARE-ConsoleCopyDisabled                             V-64043        
Description: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

SymptomDefinition-VMWARE-ConsoleDragDropNotDisabled               V-64041        
Description: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

SymptomDefinition-VMWARE-ConsolePasteNotDisabled                      V-64045        
Description: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.

SymptomDefinition-VMWARE-ConsoleVNCAccessNotDisabled           V-64105        
Description: The VM console enables you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. This console is also available via the Virtual Network Computing (VNC) protocol and should be disabled.

SymptomDefinition-VMWARE-HGFSServerSetNotDisabled                 V-64053        
Description: Setting isolation.tools.hgfsServerSet.disable to true disables registration of the guest's HGFS server with the host. APIs that use HGFS to transfer files to and from the guest operating system, such as some VIX commands, will not function. An attacker could potentially use this to transfer files inside the guest OS.

SymptomDefinition-VMWARE-MemsFssNotDisabled                           V-64063        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.

SymptomDefinition-VMWARE-NoncompliantMaxVMXSize                 V-64109        
Description: The configuration file containing these name-value pairs is limited to a size of 1MB. If not limited, VMware tools in the guest OS are capable of sending a large and continuous data stream to the host. This 1MB capacity should be sufficient for most cases, but this value can change if necessary. The value can be increased if large amounts of custom information are being stored in the configuration file. The default limit is 1MB.

SymptomDefinition-VMWARE-ProtocolhandlerNotDisabled              V-64065     
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.

SymptomDefinition-VMWARE-ShellactionNotDisabled                      V-64067        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.

SymptomDefinition-VMWARE-ShrinkVDiskNotDisabled                    V-64047        
Description: Shrinking a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to shrink is available to non-administrative users operating within the VM's guest OS.

SymptomDefinition-VMWARE-ShrinkVirtualDiskNotDisabled            V-64049        
Description: Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes (that is, users and processes without root or administrator privileges) within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VM's guest OS.

SymptomDefinition-VMWARE-ToporequestNotDisabled                   V-64069        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-TrayiconNotDisabled                          V-64073        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-UnauthorizedConnectDisconnectDevice    V-64111        
Description: In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can:
1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
3. Modify settings on a device

SymptomDefinition-VMWARE-UnauthorizedDeviceModification      V-64113        
Description: In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with nonadministrator privileges in a virtual machine can:
1. Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
2. Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
3. Modify settings on a device

SymptomDefinition-VMWARE-Unity-InterlockNotDisabled               V-64077        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-UnityNotDisabled                               V-64075        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-UnityPushNotDisabled                      V-64079        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-Unity-TaskbarNotDisabled                V-64081        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-Unity-UnityactiveNotDisabled           V-64083        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-Unity-WindowcontentsNotDisabled  V-64085        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-VersiongetNotDisabled                      V-64087        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.  

SymptomDefinition-VMWARE-VersionsetNotDisabled                      V-64089        
Description: Some virtual machine advanced settings parameters do not apply on vSphere because VMware virtual machines work on both vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest can affect the host.      

SymptomDefinition-VMWARE-VGAOnlyModeNotEnabled                                 
Description: Disable all but VGA mode on specific virtual machines

SymptomDefinition-VMWARE-VMConsoleGuiRP123                        V-64043        
Description: Copy and paste operations are disabled by default; however, by explicitly disabling this feature it will enable audit controls to check that this setting is correct. Copy, paste, drag and drop, or GUI copy/paste operations between the guest OS and the remote console could provide the means for an attacker to compromise the VM.  

SymptomDefinition-VMWARE-VMDisableNonEssential3DFeatures                       
Description: Disable 3D features on Server and desktop virtual machines     

SymptomDefinition-VMWARE-VMObtainInfoFromHost                   V-64115        
Description: If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.   

Before executing any of these workflow(s), make sure you have read the description of each setting for any potential service interruption that some of these settings may require.

All workflow(s) are executed on a single virtual machine object.

Before performing a modification, the current value of the setting is validated; the setting is applied only if it is missing or differs from the required value.
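The "validate first, apply only if required" logic described above, as an added example written in plain JavaScript in the style of a vRO scriptable task (it is not the package's own code). It compares a VM's extraConfig against the desired values for a subset of the findings listed above and returns only the keys that need changing. The advanced-setting key names and values are the well-known vSphere settings for those findings and are an assumption of this example; reading vm.config.extraConfig and calling reconfigure are left to the surrounding workflow.

```javascript
// Desired advanced settings for a subset of the findings above, keyed by STIG ID.
// Assumed mapping (well-known vSphere keys); verify against your guide version.
var DESIRED = {
  "V-64043": { key: "isolation.tools.copy.disable",          value: "true" },
  "V-64045": { key: "isolation.tools.paste.disable",         value: "true" },
  "V-64041": { key: "isolation.tools.dnd.disable",           value: "true" },
  "V-64105": { key: "RemoteDisplay.vnc.enabled",             value: "false" },
  "V-64053": { key: "isolation.tools.hgfsServerSet.disable", value: "true" },
  "V-64109": { key: "tools.setInfo.sizeLimit",               value: "1048576" },
  "V-64115": { key: "tools.guestlib.enableHostInfo",         value: "false" }
};

// extraConfig values are loosely typed strings ("TRUE", " true ", true); compare
// them case-insensitively so an already-correct setting is not "fixed" needlessly.
function norm(v) { return String(v).trim().toLowerCase(); }

// extraConfig: array of {key, value} pairs as exposed by vm.config.extraConfig.
// An absent key counts as a finding: the STIG wants the value set explicitly.
// Returns the drift list and the OptionValue-style list to hand to reconfigure.
function auditVm(extraConfig, desired) {
  var current = {}, drift = [], changes = [];
  for (var i = 0; i < extraConfig.length; i++) current[extraConfig[i].key] = extraConfig[i].value;
  var ids = Object.keys(desired);
  for (var j = 0; j < ids.length; j++) {
    var want = desired[ids[j]], have = current[want.key];
    if (have === undefined || norm(have) !== norm(want.value)) {
      drift.push({ finding: ids[j], key: want.key, have: have === undefined ? null : String(have), want: want.value });
      changes.push({ key: want.key, value: want.value });
    }
  }
  return { compliant: changes.length === 0, drift: drift, changes: changes };
}

// Simulates what the reconfigure task leaves behind: existing keys overwritten,
// missing keys appended. Returns a new array; the input is not modified.
function applyChanges(extraConfig, changes) {
  var merged = extraConfig.map(function (ov) { return { key: ov.key, value: ov.value }; });
  for (var c = 0; c < changes.length; c++) {
    var hit = false;
    for (var k = 0; k < merged.length; k++) {
      if (merged[k].key === changes[c].key) { merged[k].value = changes[c].value; hit = true; }
    }
    if (!hit) merged.push({ key: changes[c].key, value: changes[c].value });
  }
  return merged;
}

// Constructed sample extraConfig: two drifted values and one missing key.
var SAMPLE_EXTRA_CONFIG = [
  { key: "isolation.tools.copy.disable",          value: "TRUE" },   // compliant (case differs)
  { key: "isolation.tools.paste.disable",         value: "true" },
  { key: "isolation.tools.dnd.disable",           value: "false" },  // drift
  { key: "RemoteDisplay.vnc.enabled",             value: "true" },   // drift
  { key: "isolation.tools.hgfsServerSet.disable", value: "true" },
  { key: "tools.setInfo.sizeLimit",               value: "1048576" }
  // tools.guestlib.enableHostInfo is absent and must be set explicitly
];

var audit = auditVm(SAMPLE_EXTRA_CONFIG, DESIRED);  // audit.changes lists the 3 keys to fix
```

In vRO, pass vm.config.extraConfig to auditVm() and build the reconfigure spec from changes only when compliant is false, so a compliant VM is never reconfigured.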

Requirements
VMware vRealize Operations Management Pack for vRealize Orchestrator 3.0 installed and configured

supported version of vRealize Orchestrator
supported version of vRealize Operations Manager
supported version of vSphere

Environment
This is the test environment that was used to validate the vRealize Orchestrator workflow(s):

vRealize Operations Manager 7.5
vRealize Orchestrator 7.6
vCenter Server 6.7 U2
ESXi 6.5 - 6.7

Setup Instructions
Import vRealize Orchestrator package
Modify the following elements in the Configuration Elements tab

Custom > Configuration > vRealize Operations Manager

username         - user name with API rights in vRealize Operations Manager
password          - password for the user
restHostURL     - URL for the vRealize Operations Manager API https://[IP|FQDN]/suite-api

Map the workflow as per documentation

To take full advantage of this integration, perform the following actions

Create new recommendations and map the newly created action to them

Example
Fix the Virtual Machine Security Configuration Guide rule violations according to the recommendations available in the vSphere Security Configuration Guide.

Edit the "Virtual Machine is violating Risk Profile 1 in VMware vSphere Security Configuration Guide for vSphere version [VC Version]" alert and replace its recommendation with the one created previously.
* Please note: in the "Virtual Machine is violating Risk Profile 1 in VMware vSphere Security Configuration Guide for vSphere version 6.7" alert you will need to replace the symptom "VM.Enable-VGA-Only-Mode Configure system security parameters - Disable all but VGA mode on specific virtual machines" with "RP 1,2,3 - VM.Enable-VGA-Only-Mode - VGA only mode is not enabled (5.5/6.5 Security Configuration Guide)".

Although the workflows included in this sample have been tested on the environment above, they should also work on earlier supported versions.

If you have any comments, issues or requests, please let me know!

Update (05-21-2019)

Fix error handling for action getConfigurationElementAttribute

Update (12-03-2019)

As pointed out by Lesley Kimmel, the package was missing the alert definition configuration elements; they have been added back into the package.



Comments (3)


RobGoodworth 3 months ago
Thanks, I appreciate the work you have put into this. I'll try it out and provide you feedback.
RobGoodworth 2 months ago
Hi crenaudtam, I'm having issues getting this to work. I'm using the same environment as you but using ESXi 6.7 U3. I think I've mapped the workflow properly. vROps creates an alert based on the vSphere security guide for 6.7 for a VM; when I open the alert, I see the action to run your vCO workflow, I click "run now", and it eventually fails. In vRO I see it ran the first workflow "STIG - VM - Virtual Machine Advanced Settings"; however, in the workflow log (debug) it shows "Unable to find configuration setting and /or value, please validate Configuration Element symptom definition, skipping reconfigure task". Where is this Configuration Element? Have I mapped it to the wrong alert/action? This is very different to the way vRO MP workflows are configured for the hosts, which works. Any help will be greatly appreciated.
ljkimmel99 13 days ago
Mr. @crenaudtam, could you explain your architectural approach on this? For the most part you seem to be creating a workflow for each individual control. Each workflow contains static attributes for the key and value which are then passed to a common workflow that validates and applies the setting. It seems to me that you could use a configuration element to store all of the key-value pairs, retrieve the element and values in a scriptable task, and then use a foreach workflow element (tied to the common workflow) to apply each value. Did you consider that approach? If not, can you share your reasoning? Good work, though. I'm definitely using the main workflow and associated functions.