ConfigCheck vs. Appliances
By Bob Plankers on Jun 18, 2008 in Featured, Virtualization
So I grabbed a copy of Tripwire’s ConfigCheck for ESX and ran it on one of my test ESX Servers. Sure enough, it found a bunch of defaults that haven’t been changed and made recommendations for each of them.
Now my question is: is ESX 3.5 an appliance or a host OS? Do I actually want to make the recommended changes? Will it mess up something in the future when a patch from VMware assumes something about my environment that isn’t true because I’ve changed it? Exactly how much do I want to go messing around with things like NTP settings when the recommended way to configure NTP is through VirtualCenter?
I look forward to a time when ESX 3i is on par with ESX 3.5, but in the interim do I change things to gain a little security and run the risk of problems later? Is ESX a Linux distribution or is it an appliance?

5 Comment(s)
By Chris Gregors on Jun 18, 2008
The difference between a Linux distribution and an appliance is the sysadmin.
Consider:
A Windows Administrator running ESX considers it an appliance with a gui that happens to have a command line similar to a Linux Distribution.
A Unix Administrator running ESX considers it a Linux Distribution running a type 1 hypervisor that happens to have a cool windows management tool.
Perspective is everything.
By Bob Plankers on Jun 18, 2008
That’s a great way to put it. :-)
By John Troyer on Jun 18, 2008
An appliance can come with many knobs and levers, and the ConfigCheck tool is simply indicating what are the most secure settings for those. These might not be what you want in a simple test/dev or other controlled environment because they might compromise on convenience or manageability, but they would be what you’d want in production.
By Greg on Jun 23, 2008
The advice I’ve received is to treat it as an appliance. Bugfixes are fine to patch; new versions == nuke ’n’ rebuild time.
If you need to make changes, automate and push them across all hosts, and add them to your automated build environment.
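Greg’s advice to automate and track every deviation from the defaults only works if you know exactly which files you changed on purpose, so that after a VMware patch you can tell a reset default from your own drift. What follows is an added example, not code from this post, from Tripwire or from VMware: a minimal POSIX shell baseline-and-drift check for the handful of files you deliberately moved away from the ESX defaults. The managed file list, the paths and the fake host root it builds at the bottom are constructed for the demo; it assumes sha256sum is on the path and is meant to be run against a host’s filesystem root (or a copy pulled from each host) as one step of the automated build Greg describes.

```shell
#!/bin/sh
# Added example, not part of the original post or of Tripwire/VMware tooling.
# Records a baseline of the config files you intentionally changed, then reports
# drift (modified, reverted or missing) so a patch that resets a default is caught
# before it silently undoes your hardening. Assumes sha256sum is available.

# Hypothetical list of files deliberately changed from the shipped defaults,
# given relative to the host root so the same list works on every host.
MANAGED_FILES="etc/ntp.conf etc/ssh/sshd_config"

# file_sum ROOT RELPATH: sha256 of the file, or MISSING if it is not there.
file_sum() {
    if [ -f "$1/$2" ]; then
        sha256sum "$1/$2" | cut -d' ' -f1
    else
        echo MISSING
    fi
}

# baseline_create ROOT BASELINE: write "<sha256> <relpath>" for each managed file.
baseline_create() {
    root=$1; out=$2
    : > "$out"
    for f in $MANAGED_FILES; do
        printf '%s %s\n' "$(file_sum "$root" "$f")" "$f" >> "$out"
    done
}

# baseline_check ROOT BASELINE: print "DRIFT: <relpath>" per changed file,
# return 1 if anything drifted, 0 if the host still matches the baseline.
baseline_check() {
    root=$1; base=$2; rc=0
    while read -r sum f; do
        if [ "$(file_sum "$root" "$f")" != "$sum" ]; then
            echo "DRIFT: $f"
            rc=1
        fi
    done < "$base"
    return $rc
}

# drift_count ROOT BASELINE: number of drifted files, handy for scripting.
drift_count() {
    baseline_check "$1" "$2" | grep -c '^DRIFT:' || true
}

# --- Constructed demo: a fake host root in a temporary directory ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh"
printf 'server ntp.example.internal\n' > "$demo_root/etc/ntp.conf"
printf 'PermitRootLogin no\n' > "$demo_root/etc/ssh/sshd_config"

baseline_create "$demo_root" "$demo_root/baseline.sha256"
baseline_check "$demo_root" "$demo_root/baseline.sha256" && echo "no drift right after baselining"

# Simulate a patch (or a colleague) putting the shipped default back.
printf 'PermitRootLogin yes\n' > "$demo_root/etc/ssh/sshd_config"
baseline_check "$demo_root" "$demo_root/baseline.sha256" || echo "drift found: review before trusting the host"

rm -rf "$demo_root"
```

Run baseline_create once per host after your automated build finishes, store the baseline with the build artifacts, and run baseline_check before and after every VMware patch; a DRIFT line after a patch tells you which of your changes the patch touched, which is exactly the information the original post worries about not having.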
By Derek Crawford on Jul 8, 2008
I wrote an IMHO response to this a couple of weeks ago on our Tripwire Virtualization Security blog: http://www.tripwire.org/?p=53