Getting Started with Mondoo and VMware

This page describes how to use Mondoo to assess VMware vSphere and ESXi hosts for advisories, vulnerabilities and security misconfigurations.

Mondoo VMware appliance

Mondoo's VMware appliance is a pre-configured standard Linux host that allows you to quickly launch a virtual machine designed to scan your VMware environment. It is built using the following components:

NOTE: Using the Mondoo VMware appliance is not required. You can also spin up your own hardened Linux instance and install and configure Mondoo Client on it.

Setup Steps

  1. Download the Mondoo OVA image
  2. Import the Mondoo OVA image
  3. Launch the Mondoo OVA image

Launch the appliance using vCenter web UI

  1. Right-click on your Datacenter and select Deploy OVF Template.

Deploy OVF Template

  2. Select an OVF template using URL or Local file and select Next.

Select OVF Template

  3. Select a name and folder where you want to deploy the Mondoo appliance and select Next.

Select folder

  4. Select any compute resource to run the Mondoo appliance and select Next.

  5. Review the details and select Next.

Review details

  6. Select the appropriate storage (e.g. "datastore2") and select Next.

Select Storage

  7. Select the destination network (e.g. "VM Network") and select Next.

Select Network

  8. Review the complete configuration for the Mondoo appliance and select Next.

Ready to complete

  9. Launch the Mondoo appliance.

SSH for Mondoo appliance

The machine is configured with the user mondoo and the password mondoo. After the first login, the user is required to change the password. By default, the hardened machine disables SSH password login, so to log in with a key, add your SSH public keys to /home/mondoo/.ssh/authorized_keys.

NOTE: Instead of writing /home/mondoo/.ssh/authorized_keys manually, you can use cloud-init to install the SSH key during boot.

NOTE: If you use GitHub, you can fetch your public keys with mkdir -p ~/.ssh && curl -fsSL https://github.com/{youruser}.keys > ~/.ssh/authorized_keys (the -f flag makes curl fail on an HTTP error instead of writing an error page into the file).
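As an added example (not code from the Mondoo appliance or its documentation), the following POSIX shell function installs a downloaded keys file the way the note describes, with the checks a hardened host should make: it accepts only lines that look like OpenSSH public keys (so an HTTP error page or a typo in the GitHub user name never ends up in authorized_keys), skips keys that are already present, and sets the directory and file permissions that sshd's StrictModes requires. The function name, its argument layout and the key material in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the Mondoo appliance or its documentation):
# install SSH public keys into authorized_keys, accepting only lines that look
# like OpenSSH public keys, skipping keys already present, and setting the
# permissions sshd insists on. Function name and arguments are this example's own.
#
# Usage: install_authorized_keys KEYS_FILE [SSH_DIR]
#   KEYS_FILE  one public key per line, e.g. saved from
#              curl -fsSL https://github.com/{youruser}.keys
#   SSH_DIR    target directory, defaults to $HOME/.ssh
# Prints the number of keys that were newly added.

install_authorized_keys() {
    keys_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"

    # sshd (StrictModes) refuses keys from a group- or world-writable
    # directory or file, so fix the permissions before writing anything
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        # accept only OpenSSH key types; anything else (an HTML error page,
        # "Not Found", an empty line) is dropped rather than written to the file
        case "$line" in
            "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
            *) continue ;;
        esac
        # key type plus key material; lines without key material are skipped
        key=$(printf '%s\n' "$line" | awk 'NF >= 2 {print $1 " " $2}')
        [ -n "$key" ] || continue
        # compare on type and material only, so the same key with a different
        # comment is still recognised as a duplicate
        if ! grep -qF -- "$key" "$auth_file"; then
            printf '%s\n' "$line" >> "$auth_file"
            added=$((added + 1))
        fi
    done < "$keys_file"
    echo "$added"
}
```

Run it as `install_authorized_keys /tmp/github.keys` after saving the curl output to that file; a second run with the same file reports 0 added keys, which makes it safe to call from a provisioning script on every boot.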

Now you can log in with your SSH key and see the following welcome screen:

                        .-.
: :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

Mondoo VMware Appliance

mondoo@debian:~$

Configure Mondoo Client on the appliance

Register Mondoo Client via:

sudo mondoo register -t <paste token here>

Verify that Mondoo Client is registered successfully with Mondoo Platform by running mondoo status:

→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ Hostname: macbook
→ IP: 172.16.1.146
→ Platform: macos
→ Release: 12.3.1
→ Time: 2022-05-26T15:43:59-07:00
→ Version: 6.0.0 (API Version: 6)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status: SERVING
→ API Time: 2022-05-26T22:44:00Z
→ API Version: 6
→ Space: //captain.api.mondoo.app/spaces/practical-foobar-957532
→ Client: //agents.api.mondoo.app/spaces/practical-foobar-957532/agents/26LiWl4wa4uMYv1MOFbnWkV123
→ Service Account: //agents.api.mondoo.app/spaces/practical-foobar-957532/serviceaccounts/26LiWc11lQThNBRs327HLFUK123
→ client is registered
→ client authenticated successfully

Next, test that the vSphere API is reachable:

# vSphere 6.x
mondoo scan --incognito --policy '//policy.api.mondoo.app/policies/vmware-esxi-6-7-level-1-l1' vsphere user@host --ask-pass --discover host-machines

# vSphere 7.x
mondoo scan --incognito --policy '//policy.api.mondoo.app/policies/vmware-esxi-70-level-1' vsphere user@host --ask-pass --discover host-machines

To activate the policies, go to your space and enable the VMware Platform Vulnerability Policy, CIS VMware ESXi 6.7 Benchmark Level 1 Profile, and CIS VMware ESXi 7.0 Benchmark Level 1 Profile.

Set up Mondoo inventory

Mondoo can use an inventory to scan multiple VMware assets at once. An inventory is a list of systems together with their connection types and credentials.

Mondoo inventory with embedded secrets

The following inventory.yaml illustrates the configuration for the vCenter connection. Note that insecure: true skips verification of the vCenter TLS certificate; keep it only for a lab vCenter with a self-signed certificate:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name: vsphere
      connections:
        - backend: vsphere
          host: <ip of the ESXi or vCenter>
          insecure: true
          credentials:
            - type: password
              user: <username>
              password: <password>
          discover:
            targets:
              - host-machines
      annotations:
        Owner: Mondoo

Store the content in /etc/opt/mondoo/inventory.yml so that the Mondoo service picks up the inventory automatically.

Test that the inventory.yml works:

mondoo@debian:~$ mondoo scan --inventory-file /etc/opt/mondoo/inventory.yml
→ load inventory inventory=/etc/opt/mondoo/inventory.yml
→ Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
.-.
: :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=4
→ execute policies
→ synchronize asset found=4
→ establish connection to asset 192.168.51.134 (VMware vCenter Server) (api)
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y2gEXiZrRagoV5cPbVFjj0MSI
...

Restart the service so that the new inventory is loaded:

sudo systemctl restart mondoo

Check that the inventory.yml is loaded:

sudo journalctl -u mondoo.service
-- Journal begins at Wed 2021-12-29 16:03:27 UTC, ends at Wed 2021-12-29 16:39:28 UTC. --
Dec 29 16:38:04 debian systemd[1]: Started Mondoo Service.
Dec 29 16:38:05 debian mondoo[1294]: → load inventory inventory=/etc/opt/mondoo/inventory.yml
Dec 29 16:38:05 debian mondoo[1294]: → Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account>
Dec 29 16:38:05 debian mondoo[1294]: → loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
Dec 29 16:38:06 debian mondoo[1294]: → start mondoo background service

Mondoo inventory YAML with Linux Keyvault

Configure a Mondoo vault named mondoo-client-vault that stores secrets in the Linux kernel keyring:

mondoo vault set mondoo-client-vault --type linux-kernel-keyring
set new vault configuration name=mondoo-client-vault
→ stored vault configuration successfully

Mondoo stores the vault configuration via Linux kernel key management: it lives in the mondoo-cli-keyring keyring, under the user-vaults key.

keyctl list @u
1 keys in keyring:
326886343: --alswrv 1000 1000 keyring: mondoo-cli-keyring

keyctl show 326886343
Keyring
326886343 --alswrv 1000 1000 keyring: mondoo-cli-keyring
162846258 --alswrv 1000 1000 \_ user: user-vaults

Add a secret for the VMware vSphere API. Kernel keyrings are held in memory only, so the secret has to be added again after a reboot, and any process running as this user can read it back (as keyctl print below shows):

keyctl add user 'vcenter' '{ "user": "administrator@vsphere.local", "password": "your_password", "type": "password" }' @u
722033593

Test that the Linux key vault is working:

keyctl list @u
2 keys in keyring:
326886343: --alswrv 1000 1000 keyring: mondoo-cli-keyring
722033593: --alswrv 1000 1000 user: vcenter

keyctl print 722033593
{ "user": "administrator@vsphere.local", "password": "your_password", "type": "password" }

Adjust the /etc/opt/mondoo/inventory.yml to use the Linux key vault functionality:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name: vsphere
      connections:
        - backend: vsphere
          host: 192.168.51.134
          insecure: true
          credentials:
            - secret_id: vcenter
          discover:
            targets:
              - host-machines
  vault:
    name: mondoo-client-vault
    type: linux-kernel-keyring

Scan virtual machines (VMs) using VMware Tools

As a first step, we query which virtual machines have VMware Tools installed.

# open a Mondoo shell against the vSphere API
mondoo shell vsphere user@host --ask-pass

# alternatively, select the API asset explicitly via its platform id
mondoo shell vsphere user@host --ask-pass --platform-id //platformid.api.mondoo.app/runtime/vsphere/instance/ha-host

Within the Mondoo shell, query the available VMs and their inventory path:

mondoo> vsphere.datacenters { vms { inventoryPath name  } }
vsphere.datacenters: [..
0: {
vms: [
0: {
name: "mondoo-appliance"
inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
}
1: {
name: "vCenter"
inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
}
2: {
name: "windows 2022"
inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
}
]
}
1: {
vms: [
0: {
name: "ubuntu-no-guest-tools"
inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
}
1: {
name: "ubuntu"
inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
}
]
}
]

Next, we query all VMs and check whether VMware Tools are installed and running:

mondoo> vsphere.datacenters { vms { name inventoryPath properties["summary"]["guest"]["toolsStatus"] }}
vsphere.datacenters: [..
0: {
vms: [
0: {
name: "mondoo-appliance"
inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
properties[summary][guest][toolsStatus]: "toolsOk"
}
1: {
name: "vCenter"
inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
properties[summary][guest][toolsStatus]: "toolsOk"
}
2: {
name: "windows 2022"
inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
properties[summary][guest][toolsStatus]: "toolsNotRunning"
}
]
}
1: {
vms: [
0: {
name: "ubuntu-no-guest-tools"
inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
properties[summary][guest][toolsStatus]: "toolsNotInstalled"
}
1: {
name: "ubuntu"
inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu"
properties[summary][guest][toolsStatus]: "toolsNotRunning"
}
]
}
]

With that information, we can connect to an individual virtual machine via VMware Tools:

mondoo scan vsphere vm user@host --password password --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'

The result looks like the following:

mondoo scan vsphere vm administrator@vsphere.local@192.168.51.134 --password changeme --insecure --option 'inventoryPath=/Mondoo Datacenter 2/vm/mondoo-appliance' --option guestUser=mondoo --option guestPassword='changeme'
→ Mondoo 5.19.1 (Space: "//captain.api.mondoo.app/spaces/relaxed-poincare-384428", Service Account: "22y0WDmHloyEvdJEteV5cEvsQTj", Managed Client: "22vUq9U0gN9Uoy2c3UqCaKARSEg")
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source --config
.-.
: :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ synchronize asset found=1
→ establish connection to asset mondoo-appliance
→ established connection
→ run policies for asset asset=//assets.api.mondoo.app/spaces/relaxed-poincare-384428/assets/22y6EAkCdtKawukAEWGxoTezNGg

█████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 50% mondoo-appliance
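The mondoo shell output above is plain text, so the VMs that can actually be reached through VMware Tools (toolsStatus "toolsOk") can be extracted with awk and fed into the scan command from the previous step, skipping the ones where a guest scan would only fail at connection time. The following script is an added example, not part of Mondoo or its documentation; the sample output is a constructed copy of the page's query result, and the function names and the VCENTER_PASSWORD, GUEST_PASSWORD and VSPHERE_SCAN_OPTS environment variables are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of Mondoo or its documentation): select the VMs with
# working VMware Tools from the query output and scan each of them.

# sample_query_output: constructed copy of the toolsStatus query result shown above
sample_query_output() {
    cat <<'EOF'
vsphere.datacenters: [..
  0: {
    vms: [
      0: {
        name: "mondoo-appliance"
        inventoryPath: "/Mondoo Datacenter 2/vm/mondoo-appliance"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      1: {
        name: "vCenter"
        inventoryPath: "/Mondoo Datacenter 2/vm/vCenter"
        properties[summary][guest][toolsStatus]: "toolsOk"
      }
      2: {
        name: "windows 2022"
        inventoryPath: "/Mondoo Datacenter 2/vm/windows 2022"
        properties[summary][guest][toolsStatus]: "toolsNotRunning"
      }
    ]
  }
  1: {
    vms: [
      0: {
        name: "ubuntu-no-guest-tools"
        inventoryPath: "/Mondoo Datacenter 1/vm/ubuntu-no-guest-tools"
        properties[summary][guest][toolsStatus]: "toolsNotInstalled"
      }
    ]
  }
]
EOF
}

# vms_with_tools_ok FILE: print one inventoryPath per line for every VM whose
# toolsStatus is "toolsOk". The output lists inventoryPath before toolsStatus
# for each VM, so the last path seen belongs to the status line being read.
vms_with_tools_ok() {
    awk '
        /inventoryPath:/ {
            sub(/^ *inventoryPath: *"/, "")
            sub(/" *$/, "")
            path = $0
        }
        /toolsStatus/ && /"toolsOk"/ { print path }
    ' "$1"
}

# scan_vms_via_tools VCENTER_TARGET GUEST_USER FILE: run the guest-tools scan
# from the page for every eligible VM. VCENTER_TARGET is user@host as on the
# page. Passwords are taken from the environment instead of being typed into the
# command; VSPHERE_SCAN_OPTS carries extra flags such as --insecure for a vCenter
# with a self-signed certificate (word splitting of that variable is intended).
scan_vms_via_tools() {
    vms_with_tools_ok "$3" | while IFS= read -r path; do
        # inventoryPath is passed as a single argument, so paths with spaces
        # ("/Mondoo Datacenter 2/vm/windows 2022") stay intact
        mondoo scan vsphere vm "$1" --password "$VCENTER_PASSWORD" $VSPHERE_SCAN_OPTS \
            --option "inventoryPath=$path" \
            --option "guestUser=$2" \
            --option "guestPassword=$GUEST_PASSWORD"
    done
}
```

Save the real query output to a file first (for example by redirecting the mondoo shell session) and run `scan_vms_via_tools administrator@vsphere.local@192.168.51.134 mondoo /tmp/vms.txt`. Note that, exactly as with the page's own invocation, the guest password still appears in the process list for the duration of each scan because Mondoo takes it as an --option.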

Scan vSphere and ESXi via Mondoo Client

Scan vSphere API and ESXi hosts

mondoo scan vsphere root@192.168.51.134 --ask-pass --discover host-machines

NOTE: The --discover host-machines option will automatically discover all ESXi hosts.

Scan vSphere API, ESXi and VMs

mondoo scan vsphere root@192.168.51.134 --ask-pass --discover all

NOTE: The --discover all option will automatically discover all ESXi hosts and VMs.