
Secure VMware Cloud Director with cnspec

Scan a VMware Cloud Director environment against security and compliance best practices with cnspec.

Scan your VMware Cloud Director (VCD) environment to find security risks before they become incidents. cnspec evaluates organization settings, LDAP configuration, virtual datacenter (VDC) quotas, role-based access controls, and more.

Prerequisites

To scan VCD with cnspec, you must have:

  • cnspec installed on your workstation
  • Network access to a VMware Cloud Director instance
  • A VCD user account that can read the objects you want to assess. A system administrator account sees every organization in the provider; an organization administrator account sees only its own organization. Read access is enough; cnspec never changes anything in VCD.

Authenticate

cnspec connects to the Cloud Director API using a username, the organization the user belongs to, and the host. The connection string format is USER@DOMAIN@HOST, where DOMAIN is `system` for provider (system administrator) accounts and the organization name for organization-scoped accounts. Pass --ask-pass so the password is prompted for interactively rather than left in shell history.

Verify with a quick VCD check

Confirm that cnspec can reach your VCD environment by opening a cnspec shell:

cnspec shell vcd admin@system@VCD_HOST --ask-pass

To connect as an organization administrator instead of a system administrator:

cnspec shell vcd orgadmin@ORG_NAME@VCD_HOST --ask-pass

If cnspec connects and shows a prompt, you're ready to scan.

Scan VCD

To scan your VCD environment:

cnspec scan vcd admin@system@VCD_HOST --ask-pass

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure all organizations have LDAP configured
✕ Fail:  Ensure unused organizations are disabled
✓ Pass:  Ensure VDC network quotas are set

At the end of the output, cnspec shows an overall score from 0 to 100. A score of 100 means every check passed; the more checks that fail, and the higher their impact, the lower the score. Failed checks include remediation guidance to help you fix issues.

You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell vcd admin@system@VCD_HOST --ask-pass

List all organizations

cnspec> vcd.organizations { name fullName isEnabled }
vcd.organizations: [
  0: {
    name: "production"
    fullName: "Production Organization"
    isEnabled: true
  }
  1: {
    name: "staging"
    fullName: "Staging Organization"
    isEnabled: true
  }
]

Example security checks

Check whether every organization is enabled

cnspec> vcd.organizations.all( isEnabled == true )
[ok] value: true

A result of true means no organization is currently disabled. That is an inventory fact rather than a security property: organizations that are still enabled but no longer in use should be disabled (this is what the "Ensure unused organizations are disabled" check in the scan output tests), so compare the enabled list against your records.

Check organization LDAP configuration

cnspec> vcd.organization.ldapConfiguration
vcd.organization.ldapConfiguration: {
  hostname: "ldap.lunalectric.com"
  port: 636
}

List VDCs and their quotas

cnspec> vcd.organization.vdcs { name vmQuota networkQuota isEnabled }
vcd.organization.vdcs: [
  0: {
    name: "prod-vdc-01"
    vmQuota: 100
    networkQuota: 20
    isEnabled: true
  }
]

Ensure VDC network quotas are set

cnspec> vcd.organization.vdcs.all( networkQuota > 0 )
[ok] value: true

In Cloud Director a quota of 0 means unlimited, so this check flags VDCs whose tenants can create networks without any cap. The same comparison against vmQuota finds VDCs with no limit on virtual machines.

List roles in an organization

cnspec> vcd.organization.roles { name }
vcd.organization.roles: [
  0: {
    name: "Organization Administrator"
  }
  1: {
    name: "Catalog Author"
  }
  2: {
    name: "vApp Author"
  }
]

List connected vCenter server instances

cnspec> vcd.serverInstances { name }
vcd.serverInstances: [
  0: {
    name: "vcenter-01.lunalectric.com"
  }
]
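The interactive checks above can be packaged into a policy bundle and run with the --policy-bundle flag described earlier, so the same tests run on every scan with an impact score and remediation text attached. The bundle below is an added example, not part of the original page and not a policy published by Mondoo; the check uids, titles, impact values, the port-636 test and the nested-query form of the VDC checks are assumptions built on the resource fields shown on this page (organizations, ldapConfiguration.hostname/port, vdcs.networkQuota/vmQuota).

```yaml
# vcd-hardening.mql.yaml
# Added example bundle (not Mondoo's published VCD policy).
# Lint:  cnspec bundle lint vcd-hardening.mql.yaml
# Run:   cnspec scan vcd admin@system@VCD_HOST --ask-pass --policy-bundle vcd-hardening.mql.yaml
policies:
  - uid: vcd-hardening-example
    name: VMware Cloud Director hardening (example)
    version: 1.0.0
    groups:
      # No platform filter is set, so the checks run against whatever asset
      # the scan targets; here that is the VCD instance named on the command line.
      - title: Organizations
        checks:
          - uid: vcd-org-ldap-hostname
            title: Ensure all organizations have LDAP configured
            impact: 60
            mql: |
              vcd.organizations.all( ldapConfiguration.hostname != "" )
            docs:
              desc: |
                Organizations without a directory integration fall back to local
                VCD accounts, which bypass central joiner/leaver and MFA controls.
              remediation: |
                Configure LDAP for each organization, or for the system
                organization with inheritance enabled.
          - uid: vcd-org-ldap-port
            title: Ensure organization LDAP uses the LDAPS port
            impact: 80
            # Assumption: port 636 stands in for "TLS in use". This page shows no
            # TLS flag in ldapConfiguration, so the port is used as a proxy.
            mql: |
              vcd.organizations.all( ldapConfiguration.port == 636 )
            docs:
              desc: |
                LDAP on port 389 without STARTTLS sends bind credentials in clear text.
              remediation: |
                Point each organization's LDAP settings at the directory's LDAPS
                endpoint on port 636.
      - title: Virtual datacenters
        checks:
          - uid: vcd-vdc-network-quota
            title: Ensure VDC network quotas are set
            impact: 40
            # In Cloud Director a quota of 0 means unlimited.
            mql: |
              vcd.organizations.all( vdcs.all( networkQuota > 0 ) )
          - uid: vcd-vdc-vm-quota
            title: Ensure VDC VM quotas are set
            impact: 40
            mql: |
              vcd.organizations.all( vdcs.all( vmQuota > 0 ) )
```

Lint the file before scanning so a schema mistake shows up as a lint error rather than as checks that silently never run. The impact values are illustrative; set them to match how your organization ranks these findings. The "unused organizations are disabled" check from the scan output is deliberately absent, because "unused" needs an inventory that MQL alone cannot see.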
