
Secure VMware vSphere with cnspec

Scan a VMware vSphere environment against security and compliance best practices with cnspec.

Scan your VMware vSphere environment to find security risks before they become incidents. cnspec evaluates ESXi host hardening, NTP configuration, virtual machine settings, network switch security, and dozens of other vSphere controls.

Prerequisites

To scan vSphere with cnspec, you must have:

Authenticate

cnspec connects to vCenter Server or an ESXi host using a username and password. The connection string has the form USER@DOMAIN@HOST, where DOMAIN is the identity source of the account (for example, vsphere.local for a built-in vCenter SSO account) and HOST is the address of the vCenter Server or ESXi host.

For least-privilege access, create a dedicated read-only user in vCenter rather than using an administrator account:

  1. In the vSphere Client, select Administration > Roles and clone the Read-only role.
  2. Edit the cloned role to add the Global > Settings permission.
  3. Under Administration > Users and Groups, create a new user (for example, mondoo-read).
  4. Under Administration > Global Permissions, assign the cloned role to the new user with Propagate to children enabled.

Verify with a quick vSphere check

Confirm that cnspec can reach your vSphere environment by opening a cnspec shell:

cnspec shell vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass

If cnspec connects and shows a prompt, you're ready to scan.

Scan vSphere

To scan vCenter and its managed hosts:

cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass

To automatically discover and scan ESXi hosts (and skip VMs):

cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass --discover auto

To discover and scan everything, including VMs:

cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass --discover all

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure the SLP service is disabled on ESXi hosts
✕ Fail:  Ensure NTP is configured on ESXi hosts
✓ Pass:  Ensure default self-signed certificate for ESXi communication is not used

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

To assess your vSphere environment against Mondoo's security recommendations, enable the Mondoo VMware vSphere Security policy. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass

Count hosts and VMs per datacenter

cnspec> vsphere.datacenters { name hosts.length vms.length }

List clusters and their hosts

cnspec> vsphere.datacenter.clusters { name hosts { name } }

List VMs and their advanced settings

cnspec> vsphere.datacenter.vms { name advancedSettings }

List ESXi services and their status

cnspec> vsphere.host.services { key label running policy }

Example security checks

Ensure the SLP service is not running on ESXi hosts

cnspec> vsphere.host.services.none(key == "slpd" && running == true)
[ok] value: true

Check ESXi host NTP configuration

cnspec> vsphere.host.ntp { server }
vsphere.host.ntp: {
  server: ["0.pool.ntp.org", "1.pool.ntp.org"]
}

List installed VIBs on an ESXi host

cnspec> vsphere.host.packages { name acceptanceLevel }
vsphere.host.packages: [
  0: {
    name: "esx-base"
    acceptanceLevel: "VMwareCertified"
  }
  1: {
    name: "esx-update"
    acceptanceLevel: "VMwareCertified"
  }
]

Check VIB acceptance level on ESXi hosts

cnspec> vsphere.host.acceptanceLevel == "VMwareCertified"
[ok] value: true

List vSphere licenses

cnspec> vsphere.licenses { name total used }
vsphere.licenses: [
  0: {
    name: "VMware vSphere 8 Enterprise Plus"
    total: 16
    used: 8
  }
]
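The interactive checks above, together with the --policy-bundle option mentioned under Understand scan output, can be combined into a custom policy bundle that cnspec evaluates on every scan. The bundle below is an added example written for this page; it is not one of Mondoo's published policies. The MQL for the SLP, NTP, acceptance-level and VIB checks is taken from the queries shown above (the NTP and VIB checks turn the listing queries into pass/fail conditions). The file name, policy uid, impact values and the asset filter platform id are assumptions chosen for illustration; confirm the platform id your asset reports with `asset.platform` in a cnspec shell before relying on the filter.

```yaml
# vsphere-esxi-baseline.mql.yaml (assumed file name)
# Added example for this page; not a Mondoo-published policy.
policies:
  - uid: vsphere-esxi-baseline          # assumed uid
    name: ESXi host baseline (example)
    version: 1.0.0
    authors:
      - name: Example author            # placeholder
    groups:
      - title: ESXi host hardening
        # Assumed platform id for ESXi host assets; verify with `asset.platform`.
        filters: asset.platform == "vmware-esxi"
        checks:
          - uid: esxi-slp-not-running
            title: Ensure the SLP service is not running on ESXi hosts
            impact: 70
            # Same query as the interactive check above.
            mql: vsphere.host.services.none(key == "slpd" && running == true)
            docs:
              desc: The OpenSLP daemon (slpd) opens a network listener that is not needed for normal host operation.
              remediation: Stop and disable the slpd service on the host, or restrict access to it with the ESXi firewall.

          - uid: esxi-ntp-configured
            title: Ensure NTP is configured on ESXi hosts
            impact: 60
            # The listing query above shows ntp.server; require at least one entry.
            mql: vsphere.host.ntp.server.length > 0
            docs:
              desc: Hosts without NTP servers drift, which breaks log correlation and certificate validation.
              remediation: Configure at least one trusted NTP server and start the ntpd service on the host.

          - uid: esxi-acceptance-level
            title: Ensure the image profile acceptance level is VMwareCertified
            impact: 50
            # Same query as the interactive check above.
            mql: vsphere.host.acceptanceLevel == "VMwareCertified"
            docs:
              desc: A lower acceptance level allows unsigned or community VIBs to be installed.
              remediation: Raise the host acceptance level and remove VIBs that do not meet it.

          - uid: esxi-vib-acceptance-level
            title: Ensure no installed VIB is CommunitySupported
            impact: 50
            # Built from the packages listing above; every VIB must meet a supported level.
            mql: vsphere.host.packages.all(acceptanceLevel != "CommunitySupported")
            docs:
              desc: CommunitySupported VIBs are not signed by VMware or a partner and are not tested against the release.
              remediation: Remove the VIB or replace it with a VMwareCertified, VMwareAccepted or PartnerSupported build.
```

Run `cnspec bundle lint vsphere-esxi-baseline.mql.yaml` first to catch schema errors, then scan with `cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass --discover auto --policy-bundle vsphere-esxi-baseline.mql.yaml`. Because the group filter targets ESXi host assets, the checks apply to the discovered hosts; if your environment reports a different platform id, the group is skipped rather than failed, which is why verifying the id in the shell matters.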

Learn more
