Assess VMware vSphere Security with cnspec
Secure and enforce policy for VMware vSphere and ESXi hosts
Rely on cnspec to ensure your VMware vSphere environment follows recommended security and operational best practices, such as verifying ESXi host hardening, checking NTP configuration, validating virtual machine settings, and assessing network switch security.
Prerequisites
To test your vSphere environment with cnspec, you must have:
- cnspec installed on your workstation
- Network access to a vCenter Server or standalone ESXi host
- A user account with at least read-only permissions
Give cnspec access to your vSphere environment
To scan vSphere, cnspec connects to the vCenter Server or ESXi host API using a username and password. The connection string format is USER@DOMAIN@HOST.
Create a read-only user (recommended)
For security, create a dedicated read-only user in vCenter rather than using an administrator account:
- In the vSphere Client, select Administration > Roles and clone the Read-only role.
- Edit the cloned role to add Global > Settings permission.
- Under Administration > Users and Groups, create a new user (for example, mondoo-read).
- Under Administration > Global Permissions, assign the read-only role to the new user with Propagate to children enabled.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass
If cnspec connects successfully and shows a prompt, you're ready to scan.
Scan vSphere
To scan your vCenter and its managed hosts:
cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass
To automatically discover and scan all ESXi hosts and VMs:
cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass --discover auto
To discover and scan everything, including VMs:
cnspec scan vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass --discover all
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure the SLP service is disabled on ESXi hosts
✕ Fail: Ensure NTP is configured on ESXi hosts
✓ Pass: Ensure default self-signed certificate for ESXi communication is not used
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
To assess your vSphere environment against Mondoo's security recommendations, enable the Mondoo VMware vSphere Security policy. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
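As an added illustration (not a policy from this page or from Mondoo), the following custom policy bundle packages the shell checks shown on this page so they run together with --policy-bundle instead of one at a time. The bundle layout follows cnspec's policy bundle format; the asset.platform filter value, the .length array property used in the NTP check, and the author name are assumptions or placeholders.

```yaml
# Constructed example bundle; not Mondoo's own vSphere policy.
policies:
  - uid: example-vsphere-hardening
    name: Example vSphere Hardening Checks
    version: 1.0.0
    authors:
      - name: Example Author   # placeholder
    groups:
      - title: ESXi host configuration
        # Assumed platform identifier for ESXi hosts; confirm it with
        # `asset.platform` in a cnspec shell before relying on the filter.
        filters: asset.platform == "vmware-esxi"
        checks:
          - uid: esxi-slp-not-running
          - uid: esxi-ntp-configured
          - uid: esxi-vib-acceptance-level
queries:
  - uid: esxi-slp-not-running
    title: Ensure the SLP service is not running on ESXi hosts
    impact: 80
    mql: vsphere.host.services.none(key == "slpd" && running == true)
  - uid: esxi-ntp-configured
    title: Ensure NTP is configured on ESXi hosts
    impact: 60
    # Assumed: MQL arrays expose .length; the check fails when no server is set.
    mql: vsphere.host.ntp.server.length > 0
  - uid: esxi-vib-acceptance-level
    title: Ensure the ESXi host VIB acceptance level is VMwareCertified
    impact: 70
    mql: vsphere.host.acceptanceLevel == "VMwareCertified"
```

Save the bundle as, for example, vsphere-hardening.mql.yaml and add --policy-bundle vsphere-hardening.mql.yaml to the scan command above; each query appears in the output as a pass or fail line like the ones shown.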
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your vSphere environment:
cnspec shell vsphere mondoo-read@vsphere.local@VCENTER_IP --ask-pass
Below are some example checks you can run from the shell.
Ensure the SLP service is not running on ESXi hosts
cnspec> vsphere.host.services.none(key == "slpd" && running == true)
[ok] value: true
List all datacenters
cnspec> vsphere.datacenters { name }
vsphere.datacenters: [
0: {
name: "dc-01"
}
]
Check ESXi host NTP configuration
cnspec> vsphere.host.ntp { server }
vsphere.host.ntp: {
server: ["0.pool.ntp.org", "1.pool.ntp.org"]
}
List installed VIBs on an ESXi host
cnspec> vsphere.host.packages { name acceptanceLevel }
vsphere.host.packages: [
0: {
name: "esx-base"
acceptanceLevel: "VMwareCertified"
}
1: {
name: "esx-update"
acceptanceLevel: "VMwareCertified"
}
]
Check VIB acceptance level on ESXi hosts
cnspec> vsphere.host.acceptanceLevel == "VMwareCertified"
[ok] value: true
List vSphere licenses
cnspec> vsphere.licenses { name total used }
vsphere.licenses: [
0: {
name: "VMware vSphere 8 Enterprise Plus"
total: 16
used: 8
}
]
Learn more
- To learn about all the vSphere resources and properties you can query, read the Mondoo vSphere Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.