Secure VMware with Mondoo

This page describes how to use Mondoo to assess VMware vSphere and ESXi hosts for advisories, vulnerabilities, and security misconfigurations.

Create a read-only user for Mondoo in vCenter

For Mondoo to scan assets, it requires read-only user access to the vCenter. To provide this, you must first create a new, read-only role. Then you create a new user and assign it the role you created.

1. On the vSphere Client main menu, select Administration and then select Roles.

2. Select the Read-only role and then select CLONE.

3. Type the name Mondoo read-only role and select OK.

   

4. In the list of roles, select the Mondoo read-only role you just created and select EDIT.

5. In the left-side list, select Global, and in the right-side list, check Settings. Then select SAVE.

   

6. On the Administration menu, select Users and Groups.

7. Under Users, select the Domain vsphere.local, and select ADD.

8. Type the name mondoo-read and assign it a password, then select ADD.

   

9. On the Administration menu, select Global Permissions and select ADD.

10. Assign the new role to the new user:

a. Select the user you created, mondoo-read.

b. Select the role you created, Mondoo Read-only role.

c. Check Propagate to children.

d. Select OK.

Mondoo VMware appliance

Mondoo's VMware appliance is a pre-configured standard Linux host that allows you to quickly launch a virtual machine designed to scan your VMware environment using cnspec. It is built using these components:

• Debian 12
• dev-sec.io's Ansible os and ssh role
• VMware tools
• Cloud-Init and cloud-init-vmware-guestinfo
• cnspec
• cnquery

info

It is not required to use the Mondoo VMware appliance. Instead, you can provision your own hardened Linux instance and install and configure cnspec to scan your VMware infrastructure.

Setup

1. Download the Mondoo OVA image.
2. Import the Mondoo OVA image.
3. Launch the Mondoo OVA image.

Launch the appliance using the vCenter web UI

1. Right-click on your Datacenter and select Deploy OVF Template.

2. Select an OVF template using URL or Local file and select Next.

3. Select a name and folder where you want to deploy the Mondoo appliance and select Next.

4. Select any compute resource to run the Mondoo appliance and select Next.

5. Review the details and select Next.

6. Select the appropriate storage (such as datastore2) and select Next.

7. Select destination network (such as VM Network) and select Next.

8. Review your complete configuration for the Mondoo appliance and select Next.

9. Launch the Mondoo appliance.

SSH for Mondoo appliance

The virtual machine is configured with a mondoo user and mondoo password. After the first login, you must change the password.

By default, the hardened machine disables password login. To configure the authorized_keys, add your ssh public keys to /home/mondoo/.ssh/authorized_keys.

note

Instead of setting /home/mondoo/.ssh/authorized_keys manually, you can configure Cloud-Init to configure the ssh key when during boot time.

tip

If you are using GitHub, you can quickly fetch your public keys with this command: mkdir ~/.ssh && curl https://github.com/{youruser}.keys > .ssh/authorized_keys

When you log in using your ssh key, you see this welcome screen:

                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--.  .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

Mondoo VMware Appliance

mondoo@debian:~$

Enable SSH password authentication

If you can't copy the SSH key using the curl command, you can allow SSH password authentication during deployment.

1. After the SSH public keys are deployed, enable SSH password authentication by modifying these lines in /etc/ssh/sshd_config:

AuthenticationMethods password
PasswordAuthentication yes

2. Restart the sshd service using systemctl restart sshd.service.

3. Log in with your user name and password.

Configure a static IP address (optional)

If you choose, you can configure a static IP address (using a root user shell).

1. In the editor of your choice, open the /etc/network/interfaces file and rewrite the block that defines your primary network interface. For example, this block adds the static IP 192.168.1.100 to the interface ens32 in a Class C private network with the network gateway and the name server both housed at 192.168.1.1:

# The primary network interface
auto ens32
iface ens32 inet static
address 192.168.1.100
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1 8.8.8.8

2. Make sure to comment out these lines in the file /etc/network/interfaces.d/50-cloud-init:

#auto lo
#iface lo inet loopback

#auto ens32
#iface ens32 inet dhcp

3. Create the file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following content:

network: {config: disabled}

4. Make sure to set the correct name server(s) in the file /etc/resolv.conf:

nameserver 192.168.1.1
nameserver 192.168.1.2

5. Now restart the networking service:

systemctl restart networking

note

If the static IP you chose is different then the current IP address of the VM, you will lose the current shell connection to the Mondoo Appliance and need to reconnect to the new, static IP address.

Configure cnspec

Mondoo's cross-platform scanning engine, cnspec, assesses your VMware. To return results to Mondoo for monitoring, reporting, and measuring improvements, you must register cnspec with Mondoo Platform.

1. Enter this command:

sudo cnspec login -t <paste token here> --config /etc/opt/mondoo/mondoo.yml

2. Verify that cnspec is registered successfully with Mondoo Platform by running cnspec status:

→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
→ Hostname:     debian
→ IP:           192.168.51.139
→ Platform:     debian
→ Release:      11.2
→ Time:         2022-05-26T15:43:59-07:00
→ Version:      6.0.0 (API Version: 6)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status:   SERVING
→ API Time:     2022-05-26T22:44:00Z
→ API Version:  6
→ Space:        //captain.api.mondoo.app/spaces/relaxed-poincare-384428
→ Client:       //agents.api.mondoo.app/spaces/relaxed-poincare-384428/agents/22vUq9U0gN9Uoy2c3UqCaKARSEg
→ Service Account:      //agents.api.mondoo.app/spaces/relaxed-poincare-384428/serviceaccounts/22y0WDmHloyEvdJEteV5cEvsQTj
→ client is registered
→ client authenticated successfully

3. Test that cnspec can reach the vSphere API. The command below runs the two default Mondoo policies:
   • The Platform End-of-Life Policy
   • The Platform Vulnerability Policy

As their names suggest, they scan the vSphere and determine if it has reached its end-of-life and if there are any known vulnerabilities.

Use the --incognito switch to disable sending the results to the Mondoo Console.

# vSphere 6.x / 7.x
cnspec scan vsphere user@host --ask-pass

4. Activate the policies against which Mondoo assesses your VMware.

To learn more, read Manage Policies.

A good place to start scanning is the VMware vSphere ESXi Security Baseline by Mondoo policy.

5. Now, with the policy of your choice activated, scan again:

cnspec scan vsphere user@host --ask-pass

Since we did not pass the --incognito switch, the command output will also include a link to the Mondoo Console, where you can review the scan results.

Set up cnspec inventory

cnspec is able to leverage an inventory to scan multiple VMware assets at the same time. An inventory is a list of systems with their connection types and accounts.

cnspec inventory with embedded secrets

This inventory.yml illustrates the configuration for the vCenter connection:

apiVersion: v1
kind: Inventory
metadata:
  name: cnspec-inventory
  labels:
    environment: production
spec:
  assets:
    - name:
      connections:
        - type: vsphere
          host: < ip of the ESXi or vCenter >
          insecure: true
          credentials:
            - type: password
              user: < username >
              password: < password >
          discover:
            targets:
              - host-machines

Using a user account with root privileges, store the content in /etc/opt/mondoo/inventory.yml to ensure that cnspec picks up the inventory automatically.

Test that the inventory.yml is working:

mondoo@debian:~$ sudo cnspec scan --inventory-file /etc/opt/mondoo/inventory.yml
→ load inventory inventory=/etc/opt/mondoo/inventory.yml
→ cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=4
→ execute policies
→ synchronize asset found=4
→ establish connection to asset 192.168.51.134 (VMware vCenter Server) (api)
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y2gEXiZrRagoV5cPbVFjj0MSI
...

Restart the service, so that the new inventory is loaded:

sudo systemctl restart cnspec

Check if the inventory.yml is loaded:

sudo journalctl -u cnspec.service

-- Journal begins at Wed 2021-12-29 16:03:27 UTC, ends at Wed 2021-12-29 16:39:28 UTC. --
Dec 29 16:38:04 debian systemd[1]: Started cnspec Service.
Dec 29 16:38:05 debian cnspec[1294]: → load inventory inventory=/etc/opt/mondoo/inventory.yml
Dec 29 16:38:05 debian cnspec[1294]: → cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account>
Dec 29 16:38:05 debian cnspec[1294]: → loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
Dec 29 16:38:06 debian cnspec[1294]: → start cnspec background service

Enable the service so that after the VM restarts, the service starts automatically:

sudo systemctl enable cnspec

cnspec inventory YAML with encrypted file vault

Configure cnspec's vault to use the encrypted file vault. Execute the following commands as mondoo user (not as root user). Run the following command to create the vault configuration:

cnspec vault configure mondoo-client-vault --type encrypted-file --option=password='changeme' --option path='/etc/opt/mondoo/vault.enc'
→ add the following vault configuration to your inventory file
spec:
  vault:
    name: mondoo-client-vault
    options:
      password: changeme
      path: /etc/opt/mondoo/vault.enc
    type: encrypted-file

Adjust the /etc/opt/mondoo/inventory.yml with the proposed configuration to use the encrypted file vault functionality:

apiVersion: v1
kind: Inventory
metadata:
  name: cnspec-inventory
  labels:
    environment: production
spec:
  assets:
    - name:
      connections:
        - type: vsphere
          host: 192.168.51.134
          insecure: true
          credentials:
            - secret_id: vcenter
          discover:
            targets:
              - host-machines
  vault:
    name: mondoo-client-vault
    options:
      password: changeme
      path: /etc/opt/mondoo/vault.enc
    type: encrypted-file

To store the vSphere login credentials into the encrypted file vault, execute the following command:

cnspec vault add-secret vcenter '{   "type": "password",   "user": "chris@vsphere.local",   "password": "password" }' --inventory-file /etc/opt/mondoo/inventory.yml

Now, you can scan the vSphere using the encrypted file vault:

# Note that you need to run this as root user, as the vault is stored in /etc/opt/mondoo/vault.enc
sudo cnspec scan --inventory-file /etc/opt/mondoo/inventory.yml

Once you have verified that the encrypted file vault is working, you can restart the cnspec service:

systemctl restart cnspec

Scan virtual machines using VMware tools

As the first step, we query for available virtual machines that have VMware Tools configured.

# open the shell to the vsphere api
cnspec shell vsphere user@host --ask-pass

# select the platform id for api
cnspec shell vsphere user@host --ask-pass --platform-id /platformid.api.mondoo.app/runtime/vsphere/instance/ha-host

Within the cnspec shell query the available VMs and their inventory Path.

cnspec> vsphere.datacenters { vms { inventoryPath name  } }
vsphere.datacenters: [..
  0: {
    vms: [
      0: {
        name: "mondoo-appliance"
        inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
      }
      1: {
        name: "vCenter"
        inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
      }
      2: {
        name: "windows 2022"
        inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
      }
    ]
  }
  1: {
    vms: [
      0: {
        name: "ubuntu-no-guest-tools"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
      }
      1: {
        name: "ubuntu"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
      }
    ]
  }
]

Next, we query for all VMs and get check if the VMware Guest Tools are installed:

cnspec> vsphere.datacenters { vms { name inventoryPath properties["summary"]["guest"]["toolsStatus"] }}
vsphere.datacenters: [..
  0: {
    vms: [
      0: {
        name: "mondoo-appliance"
        inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      1: {
        name: "vCenter"
        inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      2: {
        name: "windows 2022"
        inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
        properties[summary][guest][toolsStatus]: "toolsNotRunning"
      }
    ]
  }
  1: {
    vms: [
      0: {
        name: "ubuntu-no-guest-tools"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
        properties[summary][guest][toolsStatus]: "toolsNotInstalled"
      }
      1: {
        name: "ubuntu"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
        properties[summary][guest][toolsStatus]: "toolsNotRunning"
      }
    ]
  }
]

With that information, we can connect to an individual virtual machine via VMware Tools:

cnspec scan vsphere vm user@host --password password --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'

The result would look like this:

cnspec scan vsphere vm mondoo-read@vsphere.local@192.168.51.134 --password changeme --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'
→ cnspec 7.15.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ synchronize asset found=1
→ establish connection to asset mondoo-appliance
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y6EAkCdtKawukAEWGxoTezNGg

█████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  50% mondoo-appliance

Scan vSphere and ESXi using cnspec

Scan vSphere API, ESXi, and VMs

cnspec scan vsphere mondoo-read@vsphere.local@192.168.51.134 --ask-pass --discover auto

info

The --discover auto option will automatically discover all ESXi hosts and the vCenter.

Scan vSphere API, ESXi, and VMs

cnspec scan vsphere mondoo-read@vsphere.local@192.168.51.134 --ask-pass --discover all

info

The --discover all option automatically discovers all ESXi hosts and VMs.