So I grabbed a copy of Tripwire’s ConfigCheck for ESX and ran it on one of my test ESX Servers. Sure enough, it found a bunch of defaults that haven’t been changed, and has made recommendations.
Now my question is: is ESX 3.5 an appliance or a host OS? Do I actually want to make the recommended changes? Will it mess up something in the future when a patch from VMware assumes something about my environment that isn’t true because I’ve changed it? Exactly how much do I want to go messing around with things like NTP settings when the recommended way to configure NTP is through VirtualCenter?
I look forward to a time when ESX 3i is on par with ESX 3.5, but in the interim do I change things to gain a little security and run the risk of problems later? Is ESX a Linux distribution or is it an appliance?
The difference between a Linux distribution and an appliance is the sysadmin.
Consider:
A Windows Administrator running ESX considers it an appliance with a GUI that happens to have a command line similar to a Linux Distribution.
A Unix Administrator running ESX considers it a Linux Distribution running a type 1 hypervisor that happens to have a cool Windows management tool.
Perspective is everything.
That’s a great way to put it. 🙂
An appliance can come with many knobs and levers, and the ConfigCheck tool is simply indicating what are the most secure settings for those. These might not be what you want in a simple test/dev or other controlled environment because they might compromise on convenience or manageability, but they would be what you’d want in production.
The advice I’ve received is to treat it as an appliance. Bugfixes are fine to patch; new versions == nuke’n’rebuild time.
If you need to make changes, automate and push them across all hosts, and add them to your automated build environment.
I wrote an IMHO response to this a couple of weeks ago on our Tripwire Virtualization Security blog: http://www.tripwire.org/?p=53