Objective 9.4 – Perform Auditing and Compliance

Principles

  1. Given an auditing scenario, determine where applicable log information can be located
  2. Differentiate permissions for auditing
  3. Differentiate common data security regulations supported by NSX Data Security
  4. Differentiate information available in audit logs
  5. Use flow monitoring to audit firewall rules
  6. Audit deleted users
  7. Audit infrastructure changes
  8. View NSX Manager audit logs and change data
  9. Configure NSX Data Security
  10. Create a Data Security policy
  11. Install Data Security
  12. Run a Data Security scan
  13. View and download compliance reports
  14. Create a regular expression
  15. Configure Guest Introspection (Install vShield Endpoint)

References

  1. NSX Administration Guide
     http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
  2. NSX Logging and System Events Guide
     https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.logging.doc/GUID-3F08DC2E-2D82-4C89-8829-EF1EA0160B13.html
  3. NSX Data Security Guide
     https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.2/nsx_62_reference.pdf

Given an auditing scenario, determine where applicable log information can be located

Component and where its logs are found:

  • ESXi Logs: collected as part of the VM support bundle generated from vCenter Server
  • NSX Edge Logs: use the show log [follow | reverse] command in the NSX Edge CLI
  • NSX Manager Logs: use the show log command in the NSX Manager CLI
  • Routing Logs:
    • Controller logs, under /var/log on the NSX Controller:
      • API: cloudnet/cloudnet_java-vnet-controller.<start-time>.log
      • Main Controller: cloudnet/cloudnet.nsx-controller.log
      • Clustering: cloudnet/cloudnet_cpp.log.nsx-controller.log
      • Errors: cloudnet/cloudnet_cpp.log.ERROR
    • ESXi logs:
      • VMkernel: /var/log/vmkernel.log
      • Control Plane Agent: /var/log/netcpa.log
      • Message Bus Client: /var/log/vsfwd.log
  • Guest Introspection Logs (ESXi):
    • /var/log/syslog
    • /var/run/syslog.log

Firewall Logs

  • Rules message logs
    Description: all access decisions (permit/deny) for each rule
    Location: ESXi: /var/log/dfwpktlogs.log
  • Audit logs
    Description: administration logs and DFW configuration changes
    Location: vCenter: /storage/log/vmware/vsm/vsm.log
  • System event logs
    Description: Distributed Firewall configuration applied; filter created, deleted, or failed; virtual machines added to security groups; and so on
    Location: vCenter: /storage/log/vmware/vsm/vsm.log
  • Data Plane / VMkernel logs
    Description: activities of the firewall kernel module (VSIP), including log entries for messages generated by the system
    Location: ESXi: /var/log/vmkernel.log
  • Message Bus Client / vsfwd logs
    Description: activities of the firewall agent
    Location: ESXi: /var/log/vsfwd.log
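
The rules message log above is the record an auditor reads to see which rule made each permit/deny decision. The following added example (not from the guide or from VMware) parses lines in the layout the DFW writes to /var/log/dfwpktlogs.log, counts decisions per rule ID and action, and lists rules with repeated drops for review; the line layout and all sample values are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of ESXi /var/log/dfwpktlogs.log:
# timestamp, filter id, family, "match", action, rule id, direction, length,
# protocol, src[/port]->dst[/port], optional TCP flags. Values are made up.
SAMPLE_DFWPKTLOGS = """\
2016-04-11T23:51:54.347Z 00006 INET match PASS domain-c7/1001 IN 52 TCP 10.10.10.5/51243->10.10.10.20/443 S
2016-04-11T23:51:55.101Z 00006 INET match DROP domain-c7/1003 IN 60 TCP 192.168.1.9/40211->10.10.10.20/22 S
2016-04-11T23:51:56.212Z 00006 INET match DROP domain-c7/1003 IN 60 TCP 192.168.1.9/40212->10.10.10.20/22 S
2016-04-11T23:51:57.500Z 00006 INET match PASS domain-c7/1001 OUT 52 TCP 10.10.10.20/443->10.10.10.5/51243 SA
2016-04-11T23:51:58.001Z 00006 INET match DROP domain-c7/1003 IN 84 PROTO 1 192.168.1.9->10.10.10.20
this line is not a firewall decision and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<filter>\S+) (?P<family>INET6?) match (?P<action>PASS|DROP|REJECT) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>TCP|UDP|PROTO \d+) "
    r"(?P<src>[^ /]+)(?:/(?P<sport>\d+))?->(?P<dst>[^ /]+)(?:/(?P<dport>\d+))?"
)

def parse_line(line):
    """Return the fields of one DFW decision line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count access decisions per (rule id, action) and record the peers each rule saw."""
    hits = Counter()
    peers = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:          # non-decision lines are ignored, not an error
            continue
        hits[(rec["rule"], rec["action"])] += 1
        peers[rec["rule"]].add((rec["src"], rec["dst"], rec["dport"]))
    return hits, peers

def rules_with_drops(hits, min_hits=2):
    """Rule IDs whose DROP count reaches min_hits: candidates for a rule review."""
    return sorted(r for (r, a), n in hits.items() if a == "DROP" and n >= min_hits)

if __name__ == "__main__":
    hits, peers = summarize(SAMPLE_DFWPKTLOGS)
    for (rule, action), n in sorted(hits.items()):
        print(f"{rule:16} {action:6} {n}")
    print("rules to review:", rules_with_drops(hits))
```

Point the script at a copied dfwpktlogs.log (or feed it from syslog) to get the same per-rule tally over real decisions.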

Differentiate permissions for auditing

All user roles have read access to the audit log

NSX Manager retains 100,000 audit logs

Differentiate common data security regulations supported by NSX Data Security

Data Security is deprecated as of NSX 6.2.3

  • NSX Data Security supports:
    • PCI: Payment Card Industry
    • PHI: Protected Health Information
    • PII: Personally Identifiable Information

Differentiate information available in audit logs

  • The Audit Logs tab provides a view into the actions performed by all NSX Manager users
  • Firewall: administration logs and Distributed Firewall configuration changes

Use flow monitoring to audit firewall rules

See Objective 9.3

Audit deleted users

Audit records for deleted accounts are retained in the database and can be viewed in:

  • NSX -> Events -> Monitor

Audit infrastructure changes

NSX -> Events -> Monitor

View NSX Manager audit logs and change data

  • NSX Ticket Logger tracks infrastructure changes
  • All operations are tagged with the ticket ID and included in the audit logs
  • Log files for these operations are tagged with the same ticket ID
  • Ticket logging is session based – logging out closes the ticket session

NSX -> System -> Events -> Manage: NSX Ticket Logger

Click Edit -> Enter a Ticket ID and Enable

The audit log in the example shows a Logical Switch named “test” being created.

Configure NSX Data Security

Data Security is deprecated as of NSX 6.2.3

Data Security provides visibility into sensitive data stored on VMs

  1. Start a scan

Create a Data Security policy

  1. Select regulations:
    1. Service Deployments -> Data Security -> Manage
    2. Click Edit -> All to view available regulations
  2. Specify File Filters:
    1. Service Deployments -> Data Security -> Manage
    2. Click Edit next to “files to scan”
    3. Set file selection filter:
      1. All
      2. Size
      3. Last Modified Date
      4. Extension

Install Data Security

  1. Install Guest Introspection
  2. Deploy Data Security from: NSX -> Installation -> Service Deployments
  3. Use DHCP or IP Pool for Data Security VM IP

Run a Data Security scan

  1. Service Deployments -> Data Security -> Manage
  2. Click “Start” next to Screening

View and download compliance reports

  1. Service Deployments -> Data Security -> Manage
  2. Click Reports

Create a regular expression

Configured during policy creation

Configure Guest Introspection (Install vShield Endpoint)

  1. NSX -> Service Deployment -> Add
  2. Select “Guest Introspection”
  3. Use DHCP or an IP Pool for the Guest Introspection service VM IP
  4. Install VMware Tools on Windows Guest VMs
    1. Install vShield Drivers