Book: Mastering VMware® Infrastructure 3

Auditing and Monitoring Important Files

Several files on an ESX Server reveal a great deal about the server and how it was configured. With VI3, the VI Client has made tracking an ESX Server's configuration much easier, but in many cases you will still want to audit and monitor certain files directly from the Service Console, because they are stored on the ESX Server itself.

Why do you need to audit these files on a regular basis? For starters, good security on any server begins with knowing how the server is configured. If the configuration has changed without the administrator's knowledge, any security-related decision based on the assumed configuration could be flawed. Worse, if the change is significant, your virtual machines could suffer, or someone who does not have your best interests in mind could sabotage your hosting platform. Because an ESX Server hosts many virtual machines, that person won't take down one server; they'll take down many.

The files covered in this section describe how the server is configured and, ultimately, which services it is set up to provide. VMware provides a tool that makes collecting these files easy: you can use either the VI Client or the Service Console command vm-support. This command is usually used to troubleshoot problems with an ESX Server, but it serves equally well to audit and monitor the same server.

vm-support as Documentation

One way to document changes to the ESX Server's configuration is to run vm-support every time a change is made. All changes can then be tracked over time and compared against known-good setups. In a security audit, the output of this command is vital for complying with regulatory guidelines for server documentation. Running vm-support at least once a month also captures log files and other critical files for archival purposes.

Let's look at what you can collect using the Service Console. You must be logged in as root to run vm-support. Figure 12.34 shows the vm-support command being run and the resulting file. As a good practice, use the /tmp directory as the temporary location for the support files.


Figure 12.34 After running the vm-support command, check to see the end result.

After the .tgz file has been created, copy it to an archive location, preferably on another server, or extract it in the current directory.

Perform the following steps to run the vm-support command and extract the files into a temporary directory:

1. Log into the Service Console as root.

2. Switch to the /tmp directory.

3. Run the vm-support command as shown in Figures 12.35 and 12.36.


Figure 12.35 The vm-support command collects diagnostic data about the server configuration.


Figure 12.36 Running the vm-support command

4. Extract the resulting .tgz file as shown in Figure 12.37.


Figure 12.37 Extracting the .tgz file for analysis

This method captures many files, but one of particular importance for auditing is /etc/vmware/esx.conf. Any change to the overall configuration of the ESX Server is recorded in this file, and its timestamp shows when it was last changed, as Figure 12.38 shows.


Figure 12.38 Auditing esx.conf is very important.

In this case, the file has a timestamp of September 17, 06:49 a.m. If we compare this captured copy with the current file, the timestamps should match if there has been no scheduled maintenance on the server since the capture. But in Figure 12.39, we see that the timestamp on the file has changed: the live file has a timestamp of September 17, 07:35 a.m. Note that a matching timestamp is not proof that the file is unchanged; anyone with root access can reset a file's modification time with touch, so the content comparison that follows is the check to rely on.


Figure 12.39 Comparing a live file to one captured with vm-support

Since the timestamps do not match, how can we compare the file captured by vm-support with the current version? The Linux diff command compares two files and shows exactly what has changed, as Figure 12.40 shows.


Figure 12.40 After auditing esx.conf, we saw it had changed. Using diff, we can easily see what was changed.

Someone has changed the firewall to allow a VNC server to run on the ESX Server's Service Console. Just as often you will discover changes to the network configuration, storage, or services, together with the firewall changes made to let their traffic in or out. The techniques we've discussed give you an easy way to monitor and audit changes to files on the ESX Server. Scripting these steps is not difficult and makes the process faster still, especially if you have dozens of ESX Servers to audit. Keep the archived copies on a separate host: if an attacker has root on the ESX Server, they can alter both the live file and any baseline stored locally.
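The numbered steps above (log in as root, switch to /tmp, run vm-support, extract the .tgz) and the diff comparison of esx.conf can be combined into one Service Console shell script. The following is an added example, not code from the book or from VMware. It assumes that vm-support writes its tarball into the current directory with a name matching esx-*.tgz and that the tarball unpacks to a tree containing etc/vmware/esx.conf; /var/lib/esx-audit is a hypothetical archive location, best made an NFS mount from another server. The comparison decides by file content rather than by timestamp, so a reset modification time does not hide a change, and the firewall filter pulls out the kind of change the book found.

```sh
#!/bin/sh
# Added example, not from the book: archive a vm-support capture and diff the
# captured /etc/vmware/esx.conf against the live copy.
#
# Assumptions (not stated on the page): vm-support writes its tarball into the
# current directory with a name matching esx-*.tgz, and the tarball unpacks to
# a directory tree that contains etc/vmware/esx.conf. ARCHIVE_ROOT is a
# hypothetical archive path; point it at a mount from another server.

ARCHIVE_ROOT=${ARCHIVE_ROOT:-/var/lib/esx-audit}
LIVE_CONF=${LIVE_CONF:-/etc/vmware/esx.conf}

# compare_conf BASELINE LIVE
# Shows both timestamps, then a unified diff. Content, not mtime, decides the
# result: returns 0 if the files are identical, 1 if they differ.
compare_conf() {
    baseline=$1
    live=$2
    echo "baseline: $(ls -l "$baseline")"
    echo "live:     $(ls -l "$live")"
    if diff -u "$baseline" "$live"; then
        echo "esx.conf unchanged since baseline"
        return 0
    fi
    echo "esx.conf CHANGED since baseline (see diff above)"
    return 1
}

# changed_firewall_lines BASELINE LIVE
# Prints only the added/removed lines that mention the firewall, the kind of
# change the book found (a VNC server allowed through the Service Console firewall).
changed_firewall_lines() {
    diff "$1" "$2" | grep -E '^[<>].*firewall' || true
}

# latest_baseline
# Prints the path of the newest archived esx.conf, or nothing if none exists.
latest_baseline() {
    ls -t "$ARCHIVE_ROOT"/*/esx.conf 2>/dev/null | head -n 1
}

# collect_baseline
# Runs vm-support in /tmp (as the book's steps do), moves the tarball into a
# timestamped archive directory, unpacks it, and keeps a copy of esx.conf with
# a SHA-1 so the archive itself can be verified later. Prints the path of the
# archived esx.conf.
collect_baseline() {
    dest="$ARCHIVE_ROOT/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest/extracted" || return 1
    ( cd /tmp && vm-support ) || return 1
    tgz=$(ls -t /tmp/esx-*.tgz 2>/dev/null | head -n 1)   # naming is an assumption
    [ -n "$tgz" ] || { echo "no esx-*.tgz found in /tmp" >&2; return 1; }
    mv "$tgz" "$dest/" || return 1
    tar -xzf "$dest/$(basename "$tgz")" -C "$dest/extracted" || return 1
    conf=$(find "$dest/extracted" -path '*/etc/vmware/esx.conf' | head -n 1)
    [ -n "$conf" ] || { echo "esx.conf not found in capture" >&2; return 1; }
    cp "$conf" "$dest/esx.conf" || return 1
    sha1sum "$dest/esx.conf" > "$dest/esx.conf.sha1"
    echo "$dest/esx.conf"
}

# Driver: only meaningful on an ESX host, run as root. First compare the live
# file against the previous capture, then take a fresh capture for next time.
if command -v vm-support >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    prev=$(latest_baseline)
    if [ -n "$prev" ]; then
        compare_conf "$prev" "$LIVE_CONF"
        changed_firewall_lines "$prev" "$LIVE_CONF"
    else
        echo "no previous baseline under $ARCHIVE_ROOT; capturing the first one"
    fi
    collect_baseline
fi
```

Run it from cron on each ESX Server after every scheduled change window and once a month regardless; the driver does nothing on a host without vm-support, so the comparison functions can be exercised against two saved copies of esx.conf on any Linux box.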
