(Added "Vmkernel Log Analysis")
(Added "Build Notes")
{{TOC limit|3}}
= Build Notes =
== Security Hardening ==
=== Service Console ===
==== Disk Partitions ====
Suggested partition sizing for the Service Console on local disk, to prevent the root partition being filled with user data:
 part /boot --fstype ext3 --size 1024 --ondisk=sda --asprimary
 part / --fstype ext3 --size 5120 --ondisk=sda --asprimary
 part swap --size 2048 --ondisk=sda --asprimary
 part /var --fstype ext3 --size 5120 --ondisk=sda
 part /tmp --fstype ext3 --size 5120 --ondisk=sda
 part /home --fstype ext3 --size 2048 --ondisk=sda
 part None --fstype vmkcore --size 100 --ondisk=sda
==== Local Accounts ====
===== Password Policy =====
No password policy is implemented by default. If AD integration is not in use, it is sensible to apply a policy on the ESX host using the PAMQC (pam_passwdqc) module. It is not particularly elegant.
===== Active Directory Integration =====
Because Service Console authentication is Unix-based, it cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users by matching the account name in the local passwd file against Active Directory, with appropriate support from SFU (Services For Unix).
See [http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/ Scott Lowe's blog] for further information.
===== Sudo =====
It is possible to limit the elevated privileges that a user can gain by using sudo. This is most appropriate where there is a large number of admins. However, in such an environment there is likely to be a large number of ESX hosts, and managing the sudo config on every ESX host is a headache.
Example of a possible sudo config (<code>/etc/sudoers</code>):
 ...
 # Defaults specification
 Defaults logfile=/var/log/sudolog
 # User privilege specification
 root ALL=(ALL) ALL
 User_Alias VI_JR_ADMINS=esxoper, esxoper2
 User_Alias VI_ADMINS=esxadmin
 Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
 Cmnd_Alias REBOOT=/usr/sbin/reboot
 Cmnd_Alias KILL=/usr/bin/kill
 Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock
 VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
 VI_ADMINS ALL=(ALL) ALL
 ...
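With many ESX hosts each carrying a sudoers file like the one above, the useful check is to resolve the aliases and see what each real user can actually run, so that any non-root account that ends up with a full <code>(ALL) ALL</code> grant is reviewed. The script below is an added example, not part of the original page or of any VMware tooling; the embedded sudoers text is constructed to mirror the excerpt above, and the alias-resolution logic covers only the <code>User_Alias</code>, <code>Cmnd_Alias</code> and plain privilege-rule forms shown there.

```python
import re
# Constructed sample mirroring the page's /etc/sudoers excerpt.
SAMPLE_SUDOERS = """\
# Defaults specification
Defaults logfile=/var/log/sudolog
# User privilege specification
root ALL=(ALL) ALL
User_Alias VI_JR_ADMINS=esxoper, esxoper2
User_Alias VI_ADMINS=esxadmin
Cmnd_Alias STOP=/usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/poweroff
Cmnd_Alias REBOOT=/usr/sbin/reboot
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias NTP=/usr/sbin/ntpdate, /sbin/hwclock
VI_JR_ADMINS ALL=STOP, REBOOT, KILL, NTP
VI_ADMINS ALL=(ALL) ALL
"""
# Privilege rule: user_or_alias  host=(runas) cmdspec ; the (runas) part is optional.
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\((\S+)\)\s*)?(.+)$")

def parse_sudoers(text):
    """Collect User_Alias and Cmnd_Alias tables plus privilege rules; skip comments/Defaults."""
    users, cmnds, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            target = users if kind == "User_Alias" else cmnds
            target[name.strip()] = [m.strip() for m in members.split(",")]
        elif (m := RULE_RE.match(line)):
            rules.append((m.group(1), m.group(2) or "root", m.group(3)))
    return users, cmnds, rules

def effective_commands(text):
    """Map each real user to the commands it may run, with aliases expanded."""
    users, cmnds, rules = parse_sudoers(text)
    result = {}
    for who, _runas, spec in rules:
        expanded = set()
        for item in (s.strip() for s in spec.split(",")):
            expanded.update(cmnds.get(item, [item]))   # unknown name = literal path or ALL
        for user in users.get(who, [who]):             # alias -> members, else a real user
            result.setdefault(user, set()).update(expanded)
    return result

def full_root_users(text):
    """Users whose grant resolves to ALL; each should be justified against least privilege."""
    return sorted(u for u, c in effective_commands(text).items() if "ALL" in c)
```

Run it against the real <code>/etc/sudoers</code> on each host (read with root privileges) and diff the per-user command sets between hosts to spot drift.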
= Procedures =
== Password Complexity Override ==
In order to be able to change a user (or root) password to one that breaches password complexity checking

# Results can be found in <code>\emcgrab\outputs</code> folder
= Troubleshooting =
== Vmkernel Log Analysis ==
=== Storage Monitor Log Entries ===