Formerly known as the Hardening Guide, the Security Configuration Guide (SCG) provides a set of guidelines aimed at helping you secure your environment. The guide comes in the form of an Excel spreadsheet and offers 3 levels of security settings called Risk Profiles, ranging from 1 (ultra-sensitive environment – 3 digits agencies) to 3 (everyone should implement them).

You can find the guide here. Once you download the guide, have a look at the different guidelines and define a Risk Profile to comply with. You may have to have a chat with your security officer. You can then look for the guidelines that don’t apply to your environment. For instance, you may not care that your ESXi host is not in AD and disregard this guideline when establishing compliance.
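The scoping step described above, as an added example that is not part of the original article or of VMware's tooling: keep the guidelines tagged with the chosen Risk Profile, drop the ones you decided to disregard, and check objects against what remains. The CSV layout, the `EX-` guideline IDs, the Risk Profile assignments, the `ad_joined` flag and the inventory are constructed for illustration; take the real values from the spreadsheet.

```python
import csv
import io

# Constructed sample data: column names, guideline IDs (EX-...) and Risk
# Profile assignments are assumptions, not copied from the VMware spreadsheet.
SAMPLE_SCG_CSV = '''guideline_id,object,setting,desired,risk_profiles
EX-VM-01,VM,isolation.tools.copy.disable,true,"1,2,3"
EX-VM-02,VM,isolation.tools.paste.disable,true,"1,2,3"
EX-VM-03,VM,RemoteDisplay.maxConnections,1,"1,2"
EX-VM-04,VM,isolation.tools.diskShrink.disable,true,"1"
EX-ESX-01,ESXi,ad_joined,true,"1,2,3"
'''

# Constructed inventory; "ad_joined" is a hypothetical flag standing in for
# the "host is joined to AD" guideline mentioned in the text.
SAMPLE_INVENTORY = {
    "vm-app01": {"type": "VM", "settings": {
        "isolation.tools.copy.disable": "true",
        "RemoteDisplay.maxConnections": "2"}},
    "esx01": {"type": "ESXi", "settings": {"ad_joined": "false"}},
}

def in_scope(csv_text, risk_profile, excluded_ids=()):
    """Guidelines tagged with the chosen Risk Profile, minus agreed exclusions."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if str(risk_profile) in r["risk_profiles"].split(",")
            and r["guideline_id"] not in excluded_ids]

def violations(guidelines, inventory):
    """Return (object name, guideline id, actual value) for each unmet guideline."""
    found = []
    for name, obj in inventory.items():
        for g in guidelines:
            if g["object"] != obj["type"]:
                continue
            # An absent setting is reported as a violation (assumption of this example).
            actual = obj["settings"].get(g["setting"])
            if actual is None or str(actual).lower() != g["desired"].lower():
                found.append((name, g["guideline_id"], actual))
    return found

if __name__ == "__main__":
    scope = in_scope(SAMPLE_SCG_CSV, risk_profile=2, excluded_ids={"EX-ESX-01"})
    for name, gid, actual in violations(scope, SAMPLE_INVENTORY):
        print(f"{name}: {gid} violated (actual value: {actual})")
```
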

When you have defined the list of all the guidelines your environment must comply with, you need to verify what settings are configured in your environment. This is where vROps 6.7 comes in handy. The Security Compliance dashboard helps you monitor the level of security compliance of your environment. A great addition for you and your IT manager.

Enable SCG compliance

  1. First, log in to vROps as an administrator and browse to Home > Troubleshoot > vSphere Compliance.
  2. Click on Enable to enable the Security Configuration Guide.
  3. Now we need to add it to the monitoring goals. Go to Administration > Solutions > select VMware vSphere > click the icon to edit its properties.
  4. Click on Define Monitoring Goals.
  5. Check Yes under Enable vSphere Hardening Guide Alerts and click Save.

Configure and tune the monitoring of SCG compliance

Now that the monitoring of the hardening guide is enabled, we are going to configure it to fit our needs by choosing a Risk Profile for VMs and disabling the checks that we don’t want to monitor (as discussed in the introduction).

  6. Go to Administration > Policies > Active Policies. Take note of which policy is currently being used. In my case, it is the one from “11:54:07 AM”. It was created when we defined the monitoring goal.
  7. Click on Policy Library, select the active policy and click the edit button.
  8. Click on Alert / Symptoms Definitions, type “Security Configuration” in the filter field and press Enter.
  9. Only the SCG alerts are displayed. Select a Risk Profile for virtual machines by setting the more restrictive alerts to the state Local (disabled) and leaving the less restrictive ones set to Inherit. In the example below I chose Risk Profile 2.
  10. You can now see the vSphere Security Compliance dashboard. It takes a few minutes to refresh after making changes, so be patient. From here you can see how compliant you are and the different levels of risk where a guideline is violated, based on the Symptom metrics.
  11. At the bottom of the dashboard, expand the view next to Today to display the alerts per object. Let’s click on the alert of a host for the purpose of the example.
  12. We now see the Security Guide alerts. Out of these alerts, there may be a few that you don’t want to monitor. For instance, I don’t want to monitor Non-Compliant DCUI service startup policy because it was a part of the 5.5 hardening guide and disappeared in later versions. You may also simply not want to monitor a given guideline because your internal security policies don’t require you to do it.
  13. To disable it, we need to remove the Symptom from the Alert Definition of the ESXi SCG. Go to Alerts > Alert Definition > select the ESXi SCG alert and click the Clone button to save the default one.
  14. Prepend Original – to its name and click Save.
  15. Now select the ESXi SCG alert again (not the clone) and click the Edit button.
  16. Click on Name and Description > find the Symptoms you want to remove, click the cross icon on the right, then click Save. Apply the same method to the Virtual machine Risk Profile alerts (11 to 16).
  17. Go back to Alert / Symptoms Definition > type Original in the filter field > disable them all and click Save. You can see in the screenshot below that I also edited the alert definitions of virtual machine Risk Profiles 1 and 2.
  18. After a few moments, when the changes have been taken into account, you can display the Security Compliance dashboard again; it will only show the violated guidelines that you care about.
  19. In my case, I have a few VM settings to add on my virtual machines for them to be compliant.


The dashboard dedicated to the Security Configuration Guide is a really useful addition to an administrator’s tool belt, especially in a sensitive environment. It makes it a lot easier to report to higher-ups on the compliance of the environment to defined security guidelines and to quickly detect what is not compliant.
