Friday, August 15, 2008
Monday, June 23, 2008
ESX Ramcheck
Just found this over at xtravirt
A built in alternative to Memtest86 for ESX3
Instead of Memtest86 you also have the option of running 'ramcheck' which is a background memory tester built into ESX3. To start it, log into the ESX Service Console as root (or su / sudo) and run:
service ramcheck start
Check the link for more details....
A built in alternative to Memtest86 for ESX3
Instead of Memtest86 you also have the option of running 'ramcheck' which is a background memory tester built into ESX3. To start it, log into the ESX Service Console as root (or su / sudo) and run:
service ramcheck start
Check the link for more details....
Tuesday, June 10, 2008
Windows Server 2008
Am I the only person on the planet to have missed this? I remember the good old days where I waited with baited breath for the release date. Heck Windows 95 was released on my birthday for heaven's sake.... But I guess Longhorn Server was delayed soooooo much that I dont even care any more. I saw this post:
Windows Server 2008
And then go check at the M$ site and sure enough.... Win2k8 (boy that was weird) is out there.
So now I begin to download/install this new version as a VM so I dont loose my edge... But a part of me wonders.... Is it me that is loosing the edge or is is M$??? With all the new rage being going to Apple and the Mac (along with my unreasonable urge to by a Macbook Pro), is M$ loosing the edge?
Windows Server 2008
And then go check at the M$ site and sure enough.... Win2k8 (boy that was weird) is out there.
So now I begin to download/install this new version as a VM so I dont loose my edge... But a part of me wonders.... Is it me that is loosing the edge or is is M$??? With all the new rage being going to Apple and the Mac (along with my unreasonable urge to by a Macbook Pro), is M$ loosing the edge?
Wednesday, June 4, 2008
TMR-bt8ip Bluetooth iPod adapter

I got this little guy this weekend and I must say I am completely supprized. It works awesome with my Motorola S9 headset. Being new to the whole BT audio deal it freaked me out when the first phone call came in while listening to music. The iPod paused and I started hearing the ring alert in my left ear. :D
The best thing is now I have no wires at all so the appearance of "geek factor" is reduced...
DISA releases official ESX Security Technical Implementation Guide
ESX Server STIG Version 1, Release 1.0
Seems harmless enough on the first pass but if you read carefully you will see the following finding:
(ESX0010: CAT II) The IAO/SA will configure the ESX Server in accordance with the UNIX STIG and Checklist. This is not applicable to ESX Server 3i. The following open findings will NOT be applicable when running the UNIX SRR against the ESX Server service console:
What this means is that on top of all the configuration changes you have to make within VirtualCenter (configuring virtual switches, etc.) you have to make sure the host can pass the UNIX STIG.
UNIX STIG V5R1
Unix has been around a loooooong time and as such the STIG for Unix is freaking HUGE. There is already a Security Readiness Review Evaluation Script for Unix which will have to be run on each ESX host at a DOD facility.
Fortunately, a colleague and I have already been working on a shell script to help lock down ESX so that it can pass the UNIX SRR. While I am sure it is not full proof in protecting agains hackers it will at least bring the host to a level of security to gain approval from the FSO to be allowed to connect to the network.
If you are interested, there is a thread in the VMTN that talks about the script here.
ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review
Seems harmless enough on the first pass but if you read carefully you will see the following finding:
(ESX0010: CAT II) The IAO/SA will configure the ESX Server in accordance with the UNIX STIG and Checklist. This is not applicable to ESX Server 3i. The following open findings will NOT be applicable when running the UNIX SRR against the ESX Server service console:
What this means is that on top of all the configuration changes you have to make within VirtualCenter (configuring virtual switches, etc.) you have to make sure the host can pass the UNIX STIG.
UNIX STIG V5R1
Unix has been around a loooooong time and as such the STIG for Unix is freaking HUGE. There is already a Security Readiness Review Evaluation Script for Unix which will have to be run on each ESX host at a DOD facility.
Fortunately, a colleague and I have already been working on a shell script to help lock down ESX so that it can pass the UNIX SRR. While I am sure it is not full proof in protecting agains hackers it will at least bring the host to a level of security to gain approval from the FSO to be allowed to connect to the network.
If you are interested, there is a thread in the VMTN that talks about the script here.
ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review
Tuesday, May 13, 2008
Check this out
A friend of mine has a Home Engineering site where he sells his services as an engineer. Do me a favor and just click over and check it out. :)
MyHomeEngineer
MyHomeEngineer
Sunday, May 11, 2008
Script to allow ESX to pass a DISA Security Readiness Review
Just created a post on the VMTN but wanted to point it out here.
Script to allow ESX to pass a DISA Security Readiness Review
A co-worker and I have been hammering on this document for a few months and we are now to the point where we need other ESX admins to take a look at it. This might be a bit aggressive of a security lockdown for a commercial site but if you are wanting your ESX server to be as secure as possible... This would help quite a bit.
Hop over to the VMTN and take a read if you are interested. If you see something that can/needs to change post it either on the VMTN or here and I will take a look at it.
Decided to copy the text here as well. If you want to download the script though, go to the VMTN and take a look at it.
Background: taken from the DISA website: http://iase.disa.mil/stigs/index.html
In a DOD facility all systems must pass the Security Technical Implementation Guide (STIGs) for the host operating system. The STIG is the configuration standard for DOD IA and IA-enabled devices/systems.
A Security Checklist http://iase.disa.mil/stigs/checklist/index.html (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.
Security Readiness Review Scripts (SRRs) http://iase.disa.mil/stigs/SRR/index.html test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk.
The problem:
As of this writing there is no “official” VMware ESX STIG but it has been determined that since the ESX service console is *nix based it must conform to the latest Unix STIG.
The current Unix STIG is located here: http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
The current Unix SRR is located here: http://iase.disa.mil/stigs/SRR/unix.html
When reviewing the results of the SRR, not all open issues are valid as the DISA SRR was written for UNIX, LINUX, and AIX. The ESX’s console operating system is based on the Linux Redhat Enterprise 4.5 version, but only contains a subset of the entire operating system and has been customized with specific functionality for interfacing the ESX kernel.
The solution:
Running the SRR will result in an open findings report. After remediating the open issues the SRR is re-run. The goal is to have as few open issues and to document the remaining items as either false findings or open issues with notes as to when they will be closed (patches from VMware) or why they need to be left open.
An example of an open issue is:
==========PDI=IAVA1115 Result========================
PDI Number: IAVA1115
Finding Category: CAT II
Reference: IAVA 2007-T-0042
Description: Sun JRE Web Start Multiple Remote
Vulnerabilities.
Status: Open – *will be fixed in a patch from VMware due
in June.*
For example:
IAVA1115: IAVA 2007-T-0042 - Sun JRE Web Start Multiple
Remote Vulnerabilities.
Outdated
/usr/lib/vmware/webAccess/java/jre1.5.0_12/bin/java, JAVA version 1.5.0.12
found on esx.philhome.dyndns.org.
Upgrade to JAVA version 1.5.0.13 on esx.philhome.dyndns.org.
=========================================================
An example of a false finding that will remain is:
==========PDI=IAVA0360 Result========================
PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open – *This is a documented false finding as the
vulnerabilities were fixed but the version number was not updated.*
For example:
IAVA0360: IAVA 2003-A-0015
/usr/bin/openssl version 0.9.7a found on
esx.philhome.dyndns.org 2.4.21-47.0.1.ELvmnix.
==========PDI=IAVA0410 Result========================
The ESX SRR Secure script is a shell script which attempts to remediate all of the issues possible on an ESX 3.x host. Some prerequisites to running this script are as follows:
1. Must be run as root.
2.The host must be in maintenance mode.
3. Before beginning with the SRR its advised to install the LAuS library to increase auditing capabilities within the ESX service console, as by default there is limited auditing taking place within the service console itself. These libraries are located on the VMware ESX CD in the /vmware/RPM/ directory. (Note: It appears that this is installed by default in ESX 3.5 update 1)
4. Make sure that all passwords meet the complexity requirements. 7 characters with at least 1 number, 1 symbol, 1 upper case and 1 lower case. This needs to be done for root and any additional accounts installed manually. (Do not change any accounts created by adding a host to Virtual Center).
Once the system is ready, run the script as root and allow the host to be rebooted. Re-run the Unix SRR and compare the open findings report. Below is an example of the summary section both before and after running ESX SRR Secure:
Before:
CAT I = 3/541, CAT II = 55/541, CAT III = 3/541, CAT IV = 0/541
After:
CAT I = 1/139, CAT II = 9/345, CAT III = 1/57, CAT IV = 0/5
The remaining open issues should be documented and should be sufficient to present to the DISA FSO for approval.
Since this is the first “public” exposure for this script, please consider this an early release and test this in a NON-production environment until verification can be made that it does not break something. Also, please give feedback as we would love to see what the community thinks and are continuing to try and make this process better.
Script to allow ESX to pass a DISA Security Readiness Review
A co-worker and I have been hammering on this document for a few months and we are now to the point where we need other ESX admins to take a look at it. This might be a bit aggressive of a security lockdown for a commercial site but if you are wanting your ESX server to be as secure as possible... This would help quite a bit.
Hop over to the VMTN and take a read if you are interested. If you see something that can/needs to change post it either on the VMTN or here and I will take a look at it.
Decided to copy the text here as well. If you want to download the script though, go to the VMTN and take a look at it.
Background: taken from the DISA website: http://iase.disa.mil/stigs/index.html
In a DOD facility all systems must pass the Security Technical Implementation Guide (STIGs) for the host operating system. The STIG is the configuration standard for DOD IA and IA-enabled devices/systems.
A Security Checklist http://iase.disa.mil/stigs/checklist/index.html (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.
Security Readiness Review Scripts (SRRs) http://iase.disa.mil/stigs/SRR/index.html test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk.
The problem:
As of this writing there is no “official” VMware ESX STIG but it has been determined that since the ESX service console is *nix based it must conform to the latest Unix STIG.
The current Unix STIG is located here: http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
The current Unix SRR is located here: http://iase.disa.mil/stigs/SRR/unix.html
When reviewing the results of the SRR, not all open issues are valid as the DISA SRR was written for UNIX, LINUX, and AIX. The ESX’s console operating system is based on the Linux Redhat Enterprise 4.5 version, but only contains a subset of the entire operating system and has been customized with specific functionality for interfacing the ESX kernel.
The solution:
Running the SRR will result in an open findings report. After remediating the open issues the SRR is re-run. The goal is to have as few open issues and to document the remaining items as either false findings or open issues with notes as to when they will be closed (patches from VMware) or why they need to be left open.
An example of an open issue is:
==========PDI=IAVA1115 Result========================
PDI Number: IAVA1115
Finding Category: CAT II
Reference: IAVA 2007-T-0042
Description: Sun JRE Web Start Multiple Remote
Vulnerabilities.
Status: Open – *will be fixed in a patch from VMware due
in June.*
For example:
IAVA1115: IAVA 2007-T-0042 - Sun JRE Web Start Multiple
Remote Vulnerabilities.
Outdated
/usr/lib/vmware/webAccess/java/jre1.5.0_12/bin/java, JAVA version 1.5.0.12
found on esx.philhome.dyndns.org.
Upgrade to JAVA version 1.5.0.13 on esx.philhome.dyndns.org.
=========================================================
An example of a false finding that will remain is:
==========PDI=IAVA0360 Result========================
PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open – *This is a documented false finding as the
vulnerabilities were fixed but the version number was not updated.*
For example:
IAVA0360: IAVA 2003-A-0015
/usr/bin/openssl version 0.9.7a found on
esx.philhome.dyndns.org 2.4.21-47.0.1.ELvmnix.
==========PDI=IAVA0410 Result========================
The ESX SRR Secure script is a shell script which attempts to remediate all of the issues possible on an ESX 3.x host. Some prerequisites to running this script are as follows:
1. Must be run as root.
2.The host must be in maintenance mode.
3. Before beginning with the SRR its advised to install the LAuS library to increase auditing capabilities within the ESX service console, as by default there is limited auditing taking place within the service console itself. These libraries are located on the VMware ESX CD in the /vmware/RPM/ directory. (Note: It appears that this is installed by default in ESX 3.5 update 1)
4. Make sure that all passwords meet the complexity requirements. 7 characters with at least 1 number, 1 symbol, 1 upper case and 1 lower case. This needs to be done for root and any additional accounts installed manually. (Do not change any accounts created by adding a host to Virtual Center).
Once the system is ready, run the script as root and allow the host to be rebooted. Re-run the Unix SRR and compare the open findings report. Below is an example of the summary section both before and after running ESX SRR Secure:
Before:
CAT I = 3/541, CAT II = 55/541, CAT III = 3/541, CAT IV = 0/541
After:
CAT I = 1/139, CAT II = 9/345, CAT III = 1/57, CAT IV = 0/5
The remaining open issues should be documented and should be sufficient to present to the DISA FSO for approval.
Since this is the first “public” exposure for this script, please consider this an early release and test this in a NON-production environment until verification can be made that it does not break something. Also, please give feedback as we would love to see what the community thinks and are continuing to try and make this process better.
Subscribe to:
Posts (Atom)