VMware vSphere hardening for virtual machine security with Puppet

If you plan to security-harden your VMware virtual machines there are major benefits to automating the process with Puppet. There really isn’t an easier way to be sure your VMware vSphere environment is secure and compliant.

VMware publishes detailed instructions on how to deploy and operate VMware products in a secure manner, available as an easy-to-consume spreadsheet format for each available VMware vSphere version at the VMware Security Hardening Guides. There are also script examples available for how to enable the security automation. All of the described security settings for virtual machines are Advanced Attributes.

Using a script to force the advanced parameters is a good start if you plan to configure vSphere hardening settings just once. But what happens if the advanced parameter was changed during the lifetime of your virtual machines? Maybe someone tested some configurations and forgot to reset them to your security hardening default settings? Without continuous checking of the attributes, you could have a possible security issue without knowing it.

Security hardening requirements should be enforced on your vSphere VMs all the time, and continuously checked to make sure they are still configured. The best way to do this is by using a modelling language like Puppet, where you simply describe the desired state of all of your vSphere advanced parameters.

Puppet uses an idempotent way of managing these settings to your virtual machines, so it will only change them if there is a configuration drift (due to manual change or script etc.). It also informs you about such intentional changes, and you can trigger alarms, or raise incidents if they happen.

Sure, you could do the same by simply triggering a PowerCLI script or a vRO Workflow. But compared to the idempotent way in which Puppet works, using a script will trigger reconfigure VM tasks independent of the current settings, and push all configurations all to each VM all the time. That creates a Reconfigure VM task on your vCenter instance, even if they are already configured as you desire (in compliance). This imperative configuration management method also creates a lot of load on CPUs, RAM, network and storage on the vCenter instance — a load your systems don't need, and that can easily be avoided. If you do try to avoid the extra load by extending your PowerCLI script or vRO scriptable task, it will make both of them more complex, requiring more lines of code. Furthermore, if you are not familiar with them, you first need to understand what is going on inside the script or workflow. So adoption of both is pretty difficult.

Puppet makes perfect sense for continuously enforcing the required advanced configuration parameters, as it runs by default every 30 minutes. Puppet will only change the configuration if your nodes are not configured correctly. So besides the benefit of simplification and abstraction in the Puppet modelling language, you can also be sure that each hardening configuration is configured exactly as you described in your desired state. This simplifies your regular security audits.

To simplify configuration of the vSphere hardening, advanced parameters for virtual machines and to show you how easy it is to define the desired state with Puppet, I created a simple Puppet module that’s easy to read, use and understand. See how easy it is to define the desired state of the advanced parameters with Puppet:

bash
class vsphere_vm_hardening (
 $virtualmachines   = ['/datacenter/vm/folder/subfolder/vm1.puppet.com', '/datacenter/vm/folder/subfolder2/vm2.puppet.com'],
 $hardening_config  = { 'isolation.tools.copy.disable' => 'true' , 'isolation.tools.paste.disable' => 'true' },
){
 validate_hash($hardening_config)
 $virtualmachines.each |String $vm| {
 vsphere_vm { "${vm}":
  extra_config => $hardening_config,
 }
}

As you can see in this example, the class requires only that you apply a Puppet array and the vSphere hardening configuration settings as a Puppet hash to your virtual machines. It uses only 10 lines of Puppet declarative code that’s easy to understand and read. To define the desired state of virtual machines with the vsphere_vm Puppet resource, you have to install the Puppet Enterprise module for vSphere from the Puppet Forge. The module describes all of the possible parameters and configuration settings for virtual machines.

To set up this module, I recommend using my vsphere_conf module, which is also available for download from the Puppet Forge

I recommend using Hiera to specify the necessary parameters to separate code from data. Besides making things simpler, using Hiera also makes it possible for you to use the module for as many virtual machines and hardening configurations as you need:

 bash
vsphere_vm_hardening::virtualmachines:
 - /mydatacenter/vm/myfolder/mysubfolder/myvm1
 - /mydatacenter/vm/myfolder/mysubfolder/myvm2
vsphere_vm_hardening::hardening_config:
    isolation.tools.copy.disable: 'true'
    isolation.tools.paste.disable: 'true'

The module is available on the Puppet Forge. Please note: The vsphere_vm_hardening module requires the Puppet Enterprise vSphere module, which is available to Puppet Enterprise customers only.

Happy security hardening of your vSphere environment!

Andreas Wilke is a senior technical solutions engineer at Puppet.

Learn more

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.