Principles
- Given an auditing scenario, determine where applicable log information can be located
- Differentiate permissions for auditing
- Differentiate common data security regulations supported by NSX Data Security
- Differentiate information available in audit logs
- Use flow monitoring to audit firewall rules
- Audit deleted users
- Audit infrastructure changes
- View NSX Manager audit logs and change data
- Configure NSX Data Security
- Create a Data Security policy
- Install Data Security
- Run a Data Security scan
- View and download compliance reports
- Create a regular expression
- Configure Guest Introspection (Install vShield Endpoint)
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Logging and System Events Guide
- NSX Data Security Guide
https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.2/nsx_62_reference.pdf
Given an auditing scenario, determine where applicable log information can be located
| Component | Description |
| --- | --- |
| ESXi Logs | These logs are collected as part of the VM support bundle generated from vCenter Server |
| NSX Edge Logs | Use the show log [follow \| reverse] command in the NSX Edge CLI |
| NSX Manager Logs | Use the show log CLI command in the NSX Manager CLI |
| Routing Logs | Controller Logs – /var/log: API: cloudnet/cloudnet_java-vnet-controller.<start-time>.log; Main Controller: cloudnet/cloudnet.nsx-controller.log; Clustering: cloudnet/cloudnet_cpp.log.nsx-controller.log; Errors: cloudnet/cloudnet_cpp.log.ERROR. ESXi Logs: VMkernel: /var/log/vmkernel.log |
| Guest Introspection Logs | ESXi Logs: /var/log/syslog; /var/run/syslog.log |
Firewall Logs
| Log Type | Description | Location |
| --- | --- | --- |
| Rules message logs | All access decisions (permit/deny) for each rule | ESXi: /var/log/dfwpktlogs.log |
| Audit logs | Administration logs and DFW configuration changes | vCenter: /storage/log/vmware/vsm/vsm.log |
| System event logs | Distributed Firewall configuration applied; filters created, deleted, or failed; virtual machines added to security groups; and so on | vCenter: /storage/log/vmware/vsm/vsm.log |
| Data Plane/VMKernel logs | Capture activities related to the firewall kernel module (VSIP), including log entries for messages generated by the system | ESXi: /var/log/vmkernel.log |
| Message Bus Client/VSFWD logs | Capture activities of the firewall agent | ESXi: /var/log/vsfwd.log |
Differentiate permissions for auditing
All user roles have read access to the audit log
NSX Manager retains 100,000 audit logs
Differentiate common data security regulations supported by NSX Data Security
Data Security is deprecated as of NSX 6.2.3
- NSX supports:
  - PCI: Payment Card Industry
  - PHI: Permanent Health Information
  - PII: Personally Identifiable Information
Differentiate information available in audit logs
- The Audit Logs tab provides a view into the actions performed by all NSX Manager users
- Firewall: administration logs and Distributed Firewall configuration changes
Use flow monitoring to audit firewall rules
See Objective 9.3
Audit deleted users
Audit records for deleted accounts are retained in the database and can be viewed in:
- NSX -> Events -> Monitor
Audit infrastructure changes
NSX -> Events -> Monitor
View NSX Manager audit logs and change data
- NSX Ticket Logger tracks infrastructure changes
- All operations are tagged with the ticket ID and included in the audit logs
- Log files for these operations are tagged with the same ticket ID
- Ticket logging is session based – logging out closes the ticket session
NSX -> System -> Events -> Manage: NSX Ticket Logger
Click Edit -> Enter a Ticket ID and Enable
The audit log in the example shows a Logical Switch named “test” being created.
Configure NSX Data Security
Data Security is deprecated as of NSX 6.2.3
Provides visibility into sensitive data stored on VMs
- Start a scan
Create a Data Security policy
- Select regulations:
  - Service Deployments -> Data Security -> Manage
  - Click Edit -> All to view available regulations
- Specify File Filters:
  - Service Deployments -> Data Security -> Manage
  - Click Edit next to “files to scan”
  - Set file selection filter:
    - All
    - Size
    - Last Modified Date
    - Extension
Install Data Security
- Install Guest Introspection
- Deploy Data Security from: NSX -> Installation -> Service Deployments
- Use DHCP or IP Pool for Data Security VM IP
Run a Data Security scan
- Service Deployments -> Data Security -> Manage
- Click “Start” next to Screening
View and download compliance reports
- Service Deployments -> Data Security -> Manage
- Click Reports
Create a regular expression
Configured during policy creation
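As an added, hypothetical example (not NSX code or from the guide), the policy pieces from the Data Security sections above expressed in Python: a custom regular expression, the Size / Last Modified Date / Extension file filters, and a scan that reports only redacted matches. The ScanPolicy class, the card-number pattern with its Luhn check, and the sample files are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
# Hypothetical stand-in for one Data Security policy (illustrative, not NSX code):
# a custom regular expression plus the Size / Last Modified Date / Extension filters.
@dataclass(frozen=True)
class ScanPolicy:
    pattern: re.Pattern        # custom regular expression to match
    max_size_bytes: int        # Size filter: skip larger files
    modified_after: datetime   # Last Modified Date filter: skip older files
    extensions: frozenset      # Extension filter (lowercase); empty means All

def luhn_valid(digits: str) -> bool:
    """Checksum that discards digit runs which merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def file_in_scope(policy: ScanPolicy, name: str, size: int, modified: datetime) -> bool:
    """Apply the file selection filters before any content is read."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if size > policy.max_size_bytes or modified < policy.modified_after:
        return False
    return not policy.extensions or ext in policy.extensions

def scan_text(policy: ScanPolicy, text: str) -> list:
    """Return redacted hits (last 4 digits only) so the report never stores raw values."""
    hits = []
    for m in policy.pattern.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append("****" + digits[-4:])
    return hits
def scan_files(policy: ScanPolicy, files) -> dict:
    """files: iterable of (name, size, modified, text); returns {name: hits} for violations."""
    return {name: hits for name, size, modified, text in files
            if file_in_scope(policy, name, size, modified) and (hits := scan_text(policy, text))}
# Constructed sample policy and files (no real data): 16-digit groups, 1 MiB cap, txt/csv only.
POLICY = ScanPolicy(re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), 1 << 20,
                    datetime(2016, 1, 1), frozenset({"txt", "csv"}))
SAMPLE_FILES = [
    ("invoices.txt", 2048, datetime(2016, 6, 1), "card on file: 4111 1111 1111 1111"),
    ("notes.txt", 512, datetime(2016, 6, 1), "ticket ref 1234 5678 9012 3456"),  # fails Luhn
    ("archive.txt", 5 << 20, datetime(2016, 6, 1), "4111-1111-1111-1111"),  # over Size filter
    ("old.txt", 64, datetime(2015, 1, 1), "4111 1111 1111 1111"),  # before Last Modified Date
    ("scan.png", 64, datetime(2016, 6, 1), "4111 1111 1111 1111"),  # Extension not in scope
]
```

Only invoices.txt passes all three filters and carries a Luhn-valid match, so it is the only entry in the report.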
Configure Guest Introspection (Install vShield Endpoint)
- NSX -> Service Deployment -> Add
- Select “Guest Introspection”
- Use DHCP or IP Pool for Data Security VM IP
- Install VMware Tools on Windows Guest VMs
- Install vShield Drivers