Assess VMware Cloud Director Security with cnspec
Secure and enforce policy for VMware Cloud Director environments
Rely on cnspec to ensure your VMware Cloud Director (VCD) environment follows recommended security and operational best practices, such as verifying organization settings, checking LDAP configuration, validating VDC quotas, and assessing role-based access controls.
Prerequisites
To test your VCD environment with cnspec, you must have:
- cnspec installed on your workstation
- Network access to a VMware Cloud Director instance
- A user account with at least read-only permissions (system administrator or organization administrator)
Give cnspec access to your VCD environment
To scan VCD, cnspec connects to the Cloud Director API using a username, organization domain, and host. The connection string format is USER@DOMAIN@HOST.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell vcd admin@system@VCD_HOST --ask-pass
To connect as an organization administrator instead of a system administrator:
cnspec shell vcd orgadmin@ORG_NAME@VCD_HOST --ask-pass
If cnspec connects successfully and shows a prompt, you're ready to scan.
Scan VCD
To scan your VCD environment:
cnspec scan vcd admin@system@VCD_HOST --ask-pass
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure all organizations have LDAP configured
✕ Fail: Ensure unused organizations are disabled
✓ Pass: Ensure VDC network quotas are set
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
You can also create your own policies or specify a particular policy bundle with --policy-bundle.
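The checks on this page can be bundled into a single policy file and passed to cnspec with --policy-bundle. The following bundle is an added example, not from the original page or the Mondoo project; the policy and query uids, the name and the impact values are constructed, and the LDAP query assumes that comparing the hostname field with an empty string is a valid MQL expression (the other two queries are the page's own shell examples).

```yaml
# Added example policy bundle (not the page's or the Mondoo project's own).
# uids, name, authors and impact values are constructed placeholders.
policies:
  - uid: example-vcd-baseline
    name: Example VMware Cloud Director baseline
    version: 1.0.0
    authors:
      - name: Example author
    groups:
      - title: Organization and VDC hygiene
        checks:
          - uid: vcd-orgs-enabled
          - uid: vcd-org-ldap-configured
          - uid: vcd-vdc-network-quota-set
queries:
  - uid: vcd-orgs-enabled
    title: Ensure all organizations are enabled
    impact: 60
    # Same query as the shell example on this page.
    mql: vcd.organizations.all( isEnabled == true )
  - uid: vcd-org-ldap-configured
    title: Ensure the organization has an LDAP hostname configured
    impact: 80
    # Assumption: the hostname field compares against "" when unset.
    mql: vcd.organization.ldapConfiguration.hostname != ""
  - uid: vcd-vdc-network-quota-set
    title: Ensure VDC network quotas are set
    impact: 40
    # Same query as the shell example on this page.
    mql: vcd.organization.vdcs.all( networkQuota > 0 )
```

Save the bundle as, for example, vcd-baseline.mql.yaml and run it with cnspec scan vcd admin@system@VCD_HOST --ask-pass --policy-bundle vcd-baseline.mql.yaml; failing checks then appear in the scan summary under this policy's name.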
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your VCD environment:
cnspec shell vcd admin@system@VCD_HOST --ask-pass
Below are some example checks you can run from the shell.
List all organizations
cnspec> vcd.organizations { name fullName isEnabled }
vcd.organizations: [
0: {
name: "production"
fullName: "Production Organization"
isEnabled: true
}
1: {
name: "staging"
fullName: "Staging Organization"
isEnabled: true
}
]
Ensure all organizations are enabled
cnspec> vcd.organizations.all( isEnabled == true )
[ok] value: true
Check organization LDAP configuration
cnspec> vcd.organization.ldapConfiguration
vcd.organization.ldapConfiguration: {
hostname: "ldap.lunalectric.com"
port: 636
}
List VDCs and their quotas
cnspec> vcd.organization.vdcs { name vmQuota networkQuota isEnabled }
vcd.organization.vdcs: [
0: {
name: "prod-vdc-01"
vmQuota: 100
networkQuota: 20
isEnabled: true
}
]
Ensure VDC network quotas are set
cnspec> vcd.organization.vdcs.all( networkQuota > 0 )
[ok] value: true
List roles in an organization
cnspec> vcd.organization.roles { name }
vcd.organization.roles: [
0: {
name: "Organization Administrator"
}
1: {
name: "Catalog Author"
}
2: {
name: "vApp Author"
}
]
List connected vCenter server instances
cnspec> vcd.serverInstances { name }
vcd.serverInstances: [
0: {
name: "vcenter-01.lunalectric.com"
}
]
Learn more
- To learn about all the VCD resources and properties you can query, read the Mondoo VMware Cloud Director Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.