
VMware

This page covers how you can use Mondoo to assess VMware vSphere and ESXi hosts for advisories, vulnerabilities, and security misconfigurations.

Mondoo VMware appliance

Mondoo's VMware appliance is a pre-configured standard Linux host that allows you to quickly launch a virtual machine designed to scan your VMware environment. It is built using the following components:

NOTE: Using the Mondoo VMware appliance is not required. You can also spin up your own hardened Linux instance and install and configure the Mondoo Client on it.

Setup Steps

  1. Download the Mondoo OVA image
  2. Import the Mondoo OVA image
  3. Launch the Mondoo OVA image

Launch Appliance using vCenter Web User Interface

  1. Right-click on your Datacenter and select Deploy OVF Template.
  2. Select an OVF template using URL or Local file and click Next.
  3. Select a name and folder where you want to deploy the Mondoo appliance and click Next.
  4. Select any compute resource to run the Mondoo appliance and click Next.
  5. Review the details and click Next.
  6. Select the appropriate storage (e.g. "datastore2") and click Next.
  7. Select the destination network (e.g. "VM Network") and click Next.
  8. Review your complete configuration for the Mondoo appliance and click Next.
  9. Launch the Mondoo appliance.

SSH for Mondoo appliance

The machine is configured with a mondoo user and the password mondoo. After the first login, the user is required to change the password. By default, the hardened machine disables password login over SSH, so add your ssh public keys to /home/mondoo/.ssh/authorized_keys to log in with a key.

NOTE: Instead of writing /home/mondoo/.ssh/authorized_keys manually, you can use cloud-init to set the ssh key during boot.

NOTE: If you are using GitHub, you can quickly fetch your public keys via mkdir -p ~/.ssh && curl -fsSL https://github.com/{youruser}.keys > ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys

Now you can log in with your ssh key and see the following welcome screen:

                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ℒ
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

Mondoo VMware Appliance

mondoo@debian:~$

Configure Mondoo Client on the Appliance

Register the Mondoo Client via:

sudo mondoo register -t <paste token here>

Verify that the Mondoo Client is registered successfully with the Mondoo Platform by running mondoo status:

→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
→ Hostname: debian
→ IP: 192.168.51.139
→ Platform: debian
→ Release: 11.2
→ Time: 2021-12-29T16:16:33Z
→ Version: 5.19.1 (API Version: 5)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status: SERVING
→ API Time: 2021-12-29T16:16:33Z
→ API Version: 5
→ Space: //captain.api.mondoo.app/spaces/relaxed-poincare-384428
→ Client: //agents.api.mondoo.app/spaces/relaxed-poincare-384428/agents/22vUq9U0gN9Uoy2c3UqCaKARSEg
→ Service Account: //agents.api.mondoo.app/spaces/relaxed-poincare-384428/serviceaccounts/22y0WDmHloyEvdJEteV5cEvsQTj
→ client is registered
→ client authenticated successfully

Next, test that the vSphere API is reachable:

# vSphere 6.x
mondoo scan --incognito --policy '//policy.api.mondoo.app/policies/vmware-esxi-6-7-level-1-l1' -t vsphere://user@host --ask-pass --discover host-machines

# vSphere 7.x
mondoo scan --incognito --policy '//policy.api.mondoo.app/policies/vmware-esxi-70-level-1' -t vsphere://user@host --ask-pass --discover host-machines

To activate the policies, go to your space and enable the VMware Platform Vulnerability Policy, CIS VMware ESXi 6.7 Benchmark Level 1 Profile, and CIS VMware ESXi 7.0 Benchmark Level 1 Profile.

Set up Mondoo Inventory

Mondoo is able to leverage an inventory to scan multiple VMware assets at the same time. An inventory is a list of systems with their connection types and accounts.

Mondoo Inventory with embedded secrets

The following inventory.yaml illustrates the configuration for the vCenter connection:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name: vsphere
      connections:
        - backend: vsphere
          host: < ip of the ESXi or vCenter >
          insecure: true
          credentials:
            - type: password
              user: < username >
              password: < password >
          discover:
            targets:
              - host-machines

Store the content in /etc/opt/mondoo/inventory.yml so that the Mondoo service picks up the inventory automatically.

Test that the inventory.yml works:

mondoo@debian:~$ mondoo scan --inventory /etc/opt/mondoo/inventory.yml
→ load inventory inventory=/etc/opt/mondoo/inventory.yml
→ Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ℒ
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=4
→ execute policies
→ synchronize asset found=4
→ establish connection to asset 192.168.51.134 (VMware vCenter Server) (api)
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y2gEXiZrRagoV5cPbVFjj0MSI
...

Restart the service so that the new inventory is loaded:

sudo systemctl restart mondoo

Check that the inventory.yml is loaded:

sudo journalctl -u mondoo.service
-- Journal begins at Wed 2021-12-29 16:03:27 UTC, ends at Wed 2021-12-29 16:39:28 UTC. --
Dec 29 16:38:04 debian systemd[1]: Started Mondoo Service.
Dec 29 16:38:05 debian mondoo[1294]: → load inventory inventory=/etc/opt/mondoo/inventory.yml
Dec 29 16:38:05 debian mondoo[1294]: → Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account>
Dec 29 16:38:05 debian mondoo[1294]: → loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
Dec 29 16:38:06 debian mondoo[1294]: → start mondoo background service

Mondoo Inventory YAML with Linux Keyvault

Configure Mondoo's vault to use the keyring mondoo-client-vault for secrets:

mondoo vault set mondoo-client-vault --type linux-kernel-keyring
→ set new vault configuration name=mondoo-client-vault
→ stored vault configuration successfully

Mondoo stores the vault configuration via the Linux kernel key management facility: it lives in the mondoo-cli-keyring keyring, under the user-vaults key.

keyctl list @u
1 keys in keyring:
326886343: --alswrv 1000 1000 keyring: mondoo-cli-keyring

keyctl show 326886343
Keyring
326886343 --alswrv 1000 1000 keyring: mondoo-cli-keyring
162846258 --alswrv 1000 1000 \_ user: user-vaults

Add a secret for the VMware vSphere API. The payload is a JSON document with the user, the password and the credential type:

keyctl add user 'vcenter' '{ "user": "administrator@vsphere.local", "password": "your_password", "type": "password" }' @u
722033593

Test that the Linux key vault is working:

keyctl list @u
2 keys in keyring:
326886343: --alswrv 1000 1000 keyring: mondoo-cli-keyring
722033593: --alswrv 1000 1000 user: vcenter

keyctl print 722033593
{ "user": "administrator@vsphere.local", "password": "your_password", "type": "password" }
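The keyctl add command above places the password on the command line, where it lands in the shell history and is briefly visible to other local users via ps, and a password containing a double quote or backslash would break the JSON payload. The following functions are an added example, not part of the Mondoo docs: they build the same JSON document with escaping and hand it to keyctl padd on stdin (keyctl padd reads the key payload from standard input). The key name vcenter and the user are the page's own values; passwords are assumed not to contain newlines.

```shell
#!/bin/sh
# Added example, not from the Mondoo docs: store a vSphere credential in the
# user keyring in the JSON shape Mondoo's linux-kernel-keyring vault expects,
# without placing the password on a command line.

# json_escape STRING: escape backslashes and double quotes so STRING can sit
# inside a JSON string literal (passwords must not contain newlines).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# mondoo_secret_json USER PASSWORD: the credential document as a single line,
# in the same layout as the keyctl example on this page.
mondoo_secret_json() {
  printf '{ "user": "%s", "password": "%s", "type": "password" }' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# mondoo_keyring_add NAME USER: read the password from stdin (prompted without
# echo on a terminal, otherwise piped in, e.g. from a mode-0600 file) and add
# the secret as key NAME in the user keyring. Prints the new key serial.
mondoo_keyring_add() {
  name=$1
  user=$2
  if [ -t 0 ]; then
    printf 'Password for %s: ' "$user" >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
  else
    IFS= read -r pw
  fi
  # keyctl padd takes the payload on stdin, keeping it out of argv and ps.
  mondoo_secret_json "$user" "$pw" | keyctl padd user "$name" @u
}

# Usage (interactive, on the appliance):
#   mondoo_keyring_add vcenter administrator@vsphere.local
#   keyctl print "$(keyctl search @u user vcenter)"
```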

Adjust the /etc/opt/mondoo/inventory.yml to use the Linux key vault functionality:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name: vsphere
      connections:
        - backend: vsphere
          host: 192.168.51.134
          insecure: true
          credentials:
            - secret_id: vcenter
          discover:
            targets:
              - host-machines
  vault:
    name: mondoo-client-vault
    type: linux-kernel-keyring
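Both inventory variants on this page share two settings worth reviewing before the file is deployed to /etc/opt/mondoo/inventory.yml: a password embedded directly in credentials (the first variant) and insecure: true, which disables TLS certificate verification against the vSphere API. The following lint script is an added example, not part of the Mondoo docs; it flags those two settings and a file mode that lets group or other users read the file. The sample inventory it writes is constructed here with placeholder values.

```shell
#!/bin/sh
# Added example, not from the Mondoo docs. Checks a Mondoo inventory file for
# the weak settings this page shows and for loose file permissions.

# inventory_lint FILE: print one finding per line; return 1 if any, else 0.
inventory_lint() {
  f=$1
  rc=0
  # Credentials stored inline in the file: prefer secret_id plus a vault.
  if grep -Eq '^[[:space:]]*password:' "$f"; then
    echo "$f: embedded plaintext password; use secret_id with a vault instead"
    rc=1
  fi
  # insecure: true skips TLS certificate verification of the vSphere API.
  if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true' "$f"; then
    echo "$f: insecure: true disables TLS certificate verification"
    rc=1
  fi
  # Group/other permission bits on a file that may hold credentials.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "$f: mode $mode is readable by group/other; chmod 600 it"; rc=1 ;;
  esac
  return $rc
}

# write_sample_inventory FILE: constructed sample mirroring the
# embedded-secrets inventory from this page (placeholder values only).
write_sample_inventory() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Inventory
spec:
  assets:
    - name: vsphere
      connections:
        - backend: vsphere
          host: 192.0.2.10
          insecure: true
          credentials:
            - type: password
              user: administrator@vsphere.local
              password: changeme
EOF
}

# Stand-alone demo: lint the constructed sample (findings are expected).
sample=$(mktemp)
write_sample_inventory "$sample"
chmod 644 "$sample"
inventory_lint "$sample" || echo "inventory needs attention before deployment"
rm -f "$sample"
```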

Scan Virtual Machines via VMware Tools

As a first step, we query the available virtual machines and check which of them have VMware Tools installed.

# open a shell to the vSphere API
mondoo shell -t vsphere://user@host --ask-pass

# alternatively, select the platform id of the vSphere API explicitly
mondoo shell -t vsphere://user@host --ask-pass --platform-id //platformid.api.mondoo.app/runtime/vsphere/instance/ha-host

Within the Mondoo Shell, query the available VMs and their inventory paths:

mondoo> vsphere.datacenters { vms { inventoryPath name } }
vsphere.datacenters: [
  0: {
    vms: [
      0: {
        name: "mondoo-appliance"
        inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
      }
      1: {
        name: "vCenter"
        inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
      }
      2: {
        name: "windows 2022"
        inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
      }
    ]
  }
  1: {
    vms: [
      0: {
        name: "ubuntu-no-guest-tools"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
      }
      1: {
        name: "ubuntu"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
      }
    ]
  }
]

Next, we query all VMs and check whether VMware Tools are installed and running:

mondoo> vsphere.datacenters { vms { name inventoryPath properties["summary"]["guest"]["toolsStatus"] }}
vsphere.datacenters: [
  0: {
    vms: [
      0: {
        name: "mondoo-appliance"
        inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      1: {
        name: "vCenter"
        inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      2: {
        name: "windows 2022"
        inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
        properties[summary][guest][toolsStatus]: "toolsNotRunning"
      }
    ]
  }
  1: {
    vms: [
      0: {
        name: "ubuntu-no-guest-tools"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
        properties[summary][guest][toolsStatus]: "toolsNotInstalled"
      }
      1: {
        name: "ubuntu"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
        properties[summary][guest][toolsStatus]: "toolsNotRunning"
      }
    ]
  }
]

With that information, we can connect to an individual virtual machine whose toolsStatus is toolsOk via VMware Tools:

mondoo scan -t vsphere+vm://user@host --password password --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'

The result looks like the following:

mondoo scan -t vsphere+vm://administrator@vsphere.local@192.168.51.134 --password changeme --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'
→ Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ℒ
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ synchronize asset found=1
→ establish connection to asset mondoo-appliance
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y6EAkCdtKawukAEWGxoTezNGg

█████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 50% mondoo-appliance

Scan vSphere and ESXi via Mondoo Client

Scan vSphere API and ESXi hosts

mondoo scan -t vsphere://root@192.168.51.134 --ask-pass --discover host-machines

NOTE: The --discover host-machines option will automatically discover all ESXi hosts.

Scan vSphere API, ESXi, and VMs

mondoo scan -t vsphere://root@192.168.51.134 --ask-pass --discover all

NOTE: The --discover all option will automatically discover all ESXi hosts and VMs.