Virtualization Adapted Adapting Business Processes for Virtual Infrastrcuture (and vice-versa)


List of log files VMware vSphere ESX Classic version 4

Filed under: virtualization — Tags: , , , , , , , , — iben @ 11:02
The following log files contain information that needs to be track on a VMware vSphere ESX 4 Classic Host to be in compliance with many security standards and best practices such as CIS Benchmark, PCI-DSS, SOX section 404, HIPPA, CPNI, COSO, ISO 20001, COBIT, and so on.
You can use syslog or splunk lightweight forwarders for this purpose.














Table with Explanation of files to log for VMware vSphere ESX Classic version 4






 Records activities related to the virtual machines and ESX

VMkernel warnings


Records activities with the virtual machines

VMkernel summary


Used to determine uptime and availability statistics for ESX; comma separated

VMkernel summary human readable


Used to determine uptime and availability statistics for ESX; human‐readable summary

ESX host agent log


Contains information on the agent that manages and configures the ESX host and its virtual machines

vCenter agent



Contains information on the agent that communicates with vCenter

Web access

Log all the files in the directory /var/log/vmware/webAccess/*.log
client.log, proxy.log, unitTest.log, viewhelper.log, objectMonitor.log, timer.log, updateThread.log

Records information on Web-based access to ESX
(service vmware-webAccess start on ESX host to enable this)

Authentication log


Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd.

Service Console


Contain all general log messages used to troubleshoot virtual machines or ESX

Virtual machines

The same directory as the affected virtual machine’s configuration files; named vmware.log and vmware‐*.log



Contain Virtual Machine Power Events, system crashes, Tools status and activity, Time Sync, Virtual Hardware changes, VMotion Migrations, Machine Clones,

Table  – List of ESX Host Files to Log




Number of ports to use for standard and distributed virtual switches

VMware just updated their KB: Reserved or overhead ports for virtual switches ( and we’ve run into this issue a number of times since upgrading to vSphere ESX 4. These new high memory hardware architectures allow an unprecedented number of virtual machine guests to be consolidated on a single ESX host.

By default a vswitch may not have enough ports to support the consolidation ratio your equipment can support. New ESX hosts can have 256 GB of RAM with 4 hex core processors and easily support 100 or more virtual machines. These virtual machines might have 1, 2, or more vNICs configured and each would need a port on the vswitch. One might imagine the need for 500 to 1000 ports needed per esx host. Why not just make it 2000 so we don’t have to worry about it later on?

Once you run out of vswitch ports you cannot power on any more vms on that host and even get errors about unplugged network cable.  Increasing the vSwitch port allocation seems easy enough, vmotion all workload off the host, put it in maintenance mode, change the vswitch config, reboot. Some system administrators run into this issue and decide to make the number of ports allocated to the vswitch really high to prevent this from ever being an issue. This can cause problems though.

There’s a limit of how many vswitch ports in total an ESX host has to hand out to it’s various vswitches. In addition, if security is a concern, you may start running firewall virtual appliances like vShield Zones or Catbird. WAN Accerators and Performance Monitoring tools like AppSpeed also require additional vSwitches to be created. Ports used on these vSwitches all take away from the total bucket of available ports.

Once 4096 ports are allocated to existing vSwitches you will not be able to add additional hosts to a vNetwork Distributed Switch either.

We also have the following Security Recommendation:

Only allocate vswitch ports to virtual machines on demand and as needed.

This will make it difficult if not impossible to “plug” a VM into the wrong network by accident. Testing for this can be done manually through the vSphere Client. If there are no ports available on a vSwitch then this is a positive test.

1. While connected to the vCenter Server Navigate to Home – Inventory – Networking in the vSphere Client and click on the vDS in question.
2. Click on the Ports Tab
3. If all of the ports in the list have a VM associated with it in the “connected”column then this is a positive test.

Deployment scenarios where a very large number of uplinks are teamed together on a single virtual switch might significantly impact the number of  ports on that virtual switch available for virtual machine use, and the overall size of the virtual switch might need to be adjusted accordingly.
The current port utilization data for virtual switches can be reviewed by using the esxcfg-vswitch –list command.
The current overhead utilization on a given virtual switch can be calculated by subtracting the Used Ports value for all PortGroups from the Used Ports value for that virtual switch.

Recommendation: Use VNDS vNetwork distributed Switches for all Virtual Machine traffic and limit the number of ports assigned to each standard vSwitch used for vmkernel and service console.

Standard vSwitch Procedure:

Note: A server reboot is required to apply the following configuration change.  Migrate the virtual machines off the ESX host to prevent any downtime.   On the vswitch there is an option to specify the number of ports the vswitch supports.  

To view this setting:

  1. Click the Configuration tab of the ESX host in the Virtual Infrastructure Client (VI Client).
  2. Click Networking.
  3. Click Properties.

  4. Click on vSwitch.
  5. Click Edit.

  6. On the General tab select the number of ports you want and click OK.


  • Reboot the ESX host for changes to take effect.
  • Reference Links


    vSphere Network Connections and Ports

    Filed under: virtualization — Tags: , , , , — iben @ 11:57
    esx network ports

    esx network ports

    The amazing Dudley Smith, from VMware’s Technical Account Manager team has release a larger version of his vSphere Network Connections and Ports for ESX diagram and an accompanying excel spreadsheet listing all the TCP/IP ports for various communication purposes.

    Get them directly from the VMware blog site here:


    HyTrust Appliance 2.0 Released

    Filed under: virtualization — Tags: , , , , , — iben @ 09:32

    HyTrust Appliance 2.0 is available. Building on the successes of 2009, which included our initial product launch and numerous awards, we’re happy to see the streak continue into 2010 by delivering a major new release that will empower enterprises to capitalize on the wave of datacenter virtualization and accelerate efforts to virtualize tier-one applications. The features available in HyTrust Appliance 2.0 deliver true enterprise-class policy management and access control capabilities to virtual infrastructure. New features include the following:

    * Root Password Vault: Locks down privileged host accounts and provides passwords for temporary use to enable time-limited privileged account access. Root accounts on hypervisors are extremely powerful and, as a consequence, can create a significant liability if not kept out of the wrong hands. With the aid of Root Password Vault, all root account access is attributable to an individual and every action is logged, providing far greater visibility and accountability.
    * Federated Deployment: Secure distributed system architecture allows for automated replication of policies and templates across multiple HyTrust Appliances as well as geographic boundaries. For larger enterprises with multiple datacenters and collocation facilities, Federated Deployment of HyTrust Appliances ensures consistency of controls across the entire infrastructure.
    * Virtual Infrastructure Search: Enables quick and easy accessibility to all virtual infrastructure objects, policies, and logs within HyTrust Appliance.
    * Remote API: Interface to remotely access and automate the administration of the HyTrust Appliance. Provides the greater scalability demanded by large, enterprise-wide deployments of virtualization.
    * Object Policy Labels: Creates a policy categorization structure, similar to “Web 2.0 tagging” for virtual infrastructure objects, which enables better organization and tighter, more consistent controls. Object Policy Labels enable access, network segment, and zoning policies, which allows administrators to dictate which virtual machines are allowed to connect to which network segments or hosts via RuleSets and Constraints.
    * Router-Mode: a deployment option where all VMware management traffic is forced to flow through the HyTrust Appliance. HyTrust Appliance acts as a router for the “protected” management subnet and ESX/ESXi hosts and vCenter Server use HyTrust Appliance as their default gateway. This adds yet another flexible deployment option to the other existing options, ensuring the HyTrust Appliance will easily adapt to any enterprise architecture.

    Along with the new capabilities delivered in 2.0, we’d like to introduce you to the new editions of HyTrust Appliance:

    * Community Edition is a free version of the product that supports up to three hosts.
    * Standard Edition supports an unlimited number of hosts and offers more flexible deployment options.
    * Enterprise Edition supports an unlimited number of hosts, offers more flexible deployment options, supports federation of multiple HyTrust Appliances, enables privileged account management via Root Password Vault, allows two-factor authentication, and offers a remote API for additional management flexibility.

    You can download the Community Edition of HyTrust Appliance at


    VMware ESX Patch Updates and Release Levels

    Filed under: virtualization — Tags: , , , , , , , — iben @ 11:11

    VMware makes periodic updates to the ESXi Installable version you can download. This page was created to help track and locate those.

    VMware Infrastructure Client
    VMware Infrastructure Client

    Use these numbers to determine when a system was patched last and to make sure the VMware Infrastructure Client is the right one.

    Best Practice:

    ESXi: Run the VMware Infrastructure Update tool from a windows management station with the VMware Infrastructure Client every month.

    ESX: Use vCenter Update Manager to scan and remediate ESX hosts when new security patches are available.

    How to Check the Version Numbers:

    1. Download the VMware Infrastructure Client from the Web User Interface.
      For example: https://ESX-HOST-IP-ADDRESS/client/VMware-viclient.exe
    2. Start the VMware Infrastructure Client
    3. Click the Help Menu
    4. Select “About”
    5. Note the Version and Build for both the Client and Server.
    6. Compare to list below to ensure they are at same release.
    7. If you update the Server you should connect to the Web User Interface and download the latest VMware Infrastructure Client.

    Latest Install ISO is VMware ESXi 3.5 Installable Update 4 Build Number: 153875
    Released: (2009.03.20)

    ESXe350-200907401-O-SG – PATCH Build 176894 (2009.05.28) – VIC 147633 – Tools 176894 <– Latest Patch

    ESXe350-200906401-O-BG – PATCH Build 169697 (2009.05.28) – VIC 147633 – Tools 169697

    ESXe350-200905401-O-BG – PATCH Build 163429 (2009.05.28) – VIC 147633 – Tools 158874
    ESXe350-200904401-O-SG – PATCH Build 158874 (2009.04.29) – VIC 147633 – Tools 158874
    ESXe350-200904201-O-SG – PATCH Build 158869 (2009.04.10) – VIC 147633 –
    ESXe350-200903201-O-UG – UPDATE Build 153875 (2009.03.30) – VIC 147633 <– Update 4
    ESXe350-200903411-O-BG – PATCH Build 153840 (2009.03.20) – VIC 119801
    ESXe350-200901401-O-SG – PATCH Build 143129 (2009.01.30) – VIC 143129
    ESXe350-200811401-O-SG – PATCH Build 130755 (2009.12.02) – VIC 119801
    ESXe350-200810401-O-UG – UPDATE Build 123629 (2008.11.17) – VIC 119801 Update 3

    The typical way to apply patches to ESXi hosts is through the VMware Update Manager. For details, see the VMware Update Manager Administration Guide.

    ESXi hosts can also be updated by downloading the most recent “O” (offline) patch bundle from and installing the bundle using VMware Infrastructure Update or by using the vihostupdate command through the Remote Command Line Interface (RCLI). For details, see the ESX Server 3i Configuration Guide and the ESX Server 3i Embedded Setup Guide (Chapter 10, Maintaining ESX Server 3i and the VI Client) or the ESX Server 3i Installable Setup Guide (Chapter 11, Maintaining ESX Server 3i and the VI Client).

    Note: ESXi hosts do not reboot automatically when you patch with the offline bundle.



    Free AntiVirus Tools for Windows

    Filed under: virtualization — Tags: , , — iben @ 13:36

    There are some good free AntiVirus tools you can use to scan and protect your Microsoft Windows based computers.

    Are there others you use? Let me know your feedback on these.


    Netapp Security Best Practices

    Filed under: virtualization — Tags: , , — iben @ 09:58

    Roles and RBAC on NetApp filers – or



    VMware Security Compliance Tools

    Filed under: virtualization — Tags: , , , , , , , , , — iben @ 10:37
    This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
    Tools – page 1
    Documents – page 2



    • Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from These CP&C Compliance Toolkits include:
    • VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
    • FISMA Compliance Toolkit for Virtual Computing
    • GLBA Compliance Toolkit for Virtual Computing
    • HIPAA Compliance Toolkit for Virtual Computing
    • Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
    • DISA STIG Compliance Toolkit for Virtual Computing


    HyTrust Appliance –

    • The HyTrust™ Appliance offers IT managers and administrators of virtual
      infrastructure a centralized, single point of control and visibility for:
    • configuration management
    • compliance auditing
    • access management
    • best practices
    • process workflow
    • security controls



    • ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
    • ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
      • Ensure recommended ESX configurations
      • Discover possible vulnerabilities
      • Deploy virtualization safely and securely
      • Increase security posture of the entire enterprise
      • Reduce configuration drift


    • VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
    • Features:
    • Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
    • Pre-defined policies based on industry best practices (VMware security hardening guide)
    • Policies can be customized for your environment
    • Provides full visibility and monitoring of your ESX hosts and Virtual machines
    • Dashboard – Provides a graphical overview of VM’s and Security Posture
    • Reporting
    • Remediation guidance



    Cracking Cisco Passwords with John the Ripper

    Filed under: Uncategorized — Tags: , , , , — iben @ 19:12

    InfoSec Survival Guide: Cracking Cisco Passwords with John

    John the Ripper

    John the Ripper 1.7.2 for G4 PowerPC, G5 PowerPC and Intel Macs (Universal Binary) (released 11/30/07)

    Download the pre-patched (for OS X salted SHA1 hashes too) pre-compiled version of John the Ripper here:

    Unzip the archive.

    Open Terminal.

    Drag the file “john” from the folder “run” from within the unzipped “john-1.7.2-macosx-universal” folder to the Terminal window and let go.

    Type a space.

    Drag the text file containing your hash ( student:078D486A55E9922772C7F6F46113038E4800D6EDF4D31720 ) to the Terminal window and let go.

    Click back in the Terminal window and press the return key.
    Loaded 1 password hash (Salt SHA1 [salt-sha1])
    barlow (student)

    « Newer PostsOlder Posts »

    Powered by WordPress