
Configuration Analysis

This section includes several views of configuration issues that were detected by scanning the entire virtual infrastructure and analyzing its configuration settings. Each view provides the capability to Export (at the top-right of the screen) the issues shown in the table. You also have the option to include affected objects, which outputs each affected object together with the finding values for that object.

Config KBs Discovered

This view lists all detected issues within the scanned virtual infrastructure that were derived from VMware Knowledge Base articles.

Best Practices

This view includes industry best practices related to VMware’s recommendations. Each best practice is checked against the configuration items from the scanned virtual infrastructure. If a specific best practice is followed for all related objects, the best practice item is marked as Pass. If it is not followed for at least one of the affected objects, then it is marked as Fail. Expanding the best practice section will show details on affected objects and provide the settings that do not align with the best practice.

Security Compliance

This section contains security and compliance policies related to VMware’s guidelines, DISA STIG, PCI DSS, HIPAA, BSI IT-Grundschutz, CIS, NIST, GDPR, Cyber Essentials, Essential Eight and ISO 27001.

VMware Guidelines

The security rules displayed in this view are taken from the official VMware Security Hardening guides. Their severity differs based on the type of security check:

  • Low Severity: Security hardening that is intended for highly secure environments only.

  • Medium Severity: Security hardening that relates to common environments.

  • Major Severity: Security hardening that can relate to any environment and is related to a host or a network configuration item.

Regardless of the original severity, some security rules may not be required for your organization’s security policy. You might need to customize the displayed security checks by filtering those that are not included in your organization’s security policy. For more information, see Filters.

Every security check can either Pass or Fail. In cases where there is at least one object in your infrastructure that is not compliant with a specific security check, this check will be marked as Fail. The list of non-compliant objects can be viewed in the details of the affected objects section.

DISA STIG 6

The security rules displayed in this view are taken from the official Information Assurance Support Environment (IASE) website. Their severity differs based on the type of security check:

  • Low Severity: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

  • Medium Severity: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

  • High Severity: Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

Regardless of the original severity, some security rules may not be required for your organization’s security policy. You might need to customize the displayed security checks by filtering those that are not included in your organization’s security policy. For more information, see Filters.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Pass: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Pass (M): displayed when no object is found to be non-compliant. A Manual check is involved.

On the DISA STIG profile, an additional report is available under the Export button. The STIG Checklist export (CKL format) produces a .zip file that can be imported into the STIG Viewer.

PCI DSS

The requirements and controls cited in the profile are taken from PCI DSS v3.2.1 (May 2018). The milestones displayed in this view are taken from the PCI DSS “Prioritized Approach”. The Prioritized Approach provides six security milestones that help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. Milestones range from 1-6, with 1 being the highest priority and 6 being the lowest:

  • 1 - Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised.

  • 2 - Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.

  • 3 - Secure payment card applications. This milestone targets controls for applications, application processes, and application servers.

  • 4 - Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

  • 5 - Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

  • 6 - Finalize remaining compliance efforts and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

PCI DSS contains two types of rules: Customizable and Non-customizable. The main difference between them is that Customizable rules allow the user to change the default parameter values used by the checks to the desired ones. An additional filter tab named Customizable can be used to quickly select one of the two types.

To change the default values, expand a rule marked as Customizable and navigate to the Customize tab. A short note describing the purpose of the setting and its default value is available there. Click the Add Custom Value button, enter the custom value in the dedicated field and select the inventory object that will be evaluated against the new value. Selecting a parent object propagates the value to its children. After pressing the Save button, a new line appears showing the object in scope, the custom value, the user who set it and the time of the change. Multiple values can be added to different inventory objects, and a value set on a child object overrides the value set at the parent level. After customization is done, remember to Analyze the environment so the new values are taken into account. Each customized rule is flagged with a C mark in the Result status column.

Every security check can either return a result of Fail or Configured. In cases where there is at least one object in your infrastructure that is not compliant with a specific security check, this check will be marked as Fail. The list of non-compliant objects can be viewed in the details of the affected objects section. A result of Configured means there are no objects failing for the specific check, but this does not mean you are fully compliant against the whole PCI DSS requirement or control.
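As an added illustration, and not the product's own code, the Python model below shows the two mechanisms described in the DISA STIG result states above and in the PCI DSS customizable rules paragraph: how a check's state (Pass/Fail, Manual, the "(M)" suffix and the "C" mark) is derived from the affected objects, and how a custom value set on a parent inventory object propagates to its children while a value set on a child overrides it. The class names, rule identifiers, the `session_timeout` setting, the "higher than the limit is non-compliant" semantics and the treatment of a negative manual answer as a failure are all assumptions made for the example; the `pass_label` parameter switches between the Pass wording used by the STIG profile and the Configured wording used by PCI DSS, HIPAA and NIST.

```python
# Added example (hypothetical names and data, not the product's code):
# result-state derivation plus parent-to-child custom value propagation.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InventoryObject:
    """vCenter / cluster / host node. Links are excluded from eq/repr so the
    circular parent/child references cannot recurse."""
    name: str
    settings: dict = field(default_factory=dict)
    parent: Optional["InventoryObject"] = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list, repr=False, compare=False)

    def add(self, child: "InventoryObject") -> "InventoryObject":
        child.parent = self
        self.children.append(child)
        return child

    def hosts(self):
        """Yield the leaf objects (hosts) below this node."""
        if not self.children:
            yield self
        for child in self.children:
            yield from child.hosts()


@dataclass
class Rule:
    rule_id: str
    setting: str        # configuration item the check reads (hypothetical)
    default_limit: int  # highest compliant value (assumed semantics)
    manual: bool = False
    customizable: bool = False


@dataclass
class CustomValue:
    """Custom value stored against an inventory object, with the user and
    time of the change as the UI lists them (constructed sample data)."""
    target: InventoryObject
    limit: int
    user: str
    updated: str


def effective_limit(rule, obj, custom_values):
    """Walk from the object up to the root: the nearest custom value wins,
    so a child-level value overrides one set on the parent."""
    node = obj
    while node is not None:
        for cv in custom_values:
            if cv.target is node:
                return cv.limit, True
        node = node.parent
    return rule.default_limit, False


def evaluate(rule, root, custom_values=(), manual_answer=None, pass_label="Pass"):
    """Return (state, affected_objects, customized).
    Fail if at least one object is non-compliant; Manual while an answer is
    still missing; " (M)" marks checks that involved a manual answer, and a
    manual answer of False counts as non-compliant (assumption)."""
    if rule.manual and manual_answer is None:
        return "Manual", [], False
    affected, customized = [], False
    for host in root.hosts():
        limit, is_custom = effective_limit(rule, host, custom_values)
        customized = customized or is_custom
        if host.settings.get(rule.setting, 0) > limit:
            affected.append(host.name)
    failed = bool(affected) or (rule.manual and manual_answer is False)
    state = "Fail" if failed else pass_label
    return (state + " (M)" if rule.manual else state), affected, customized


def result_status(state, customized):
    """Mirror the Result status column: customized rules carry a C mark."""
    return f"{state} C" if customized else state


def sample_inventory():
    """Constructed inventory: one vCenter, one cluster, two hosts."""
    vc = InventoryObject("vcenter-01")
    cluster = vc.add(InventoryObject("cluster-a"))
    cluster.add(InventoryObject("esx-01", {"session_timeout": 900}))
    cluster.add(InventoryObject("esx-02", {"session_timeout": 1500}))
    return vc, cluster


def demo():
    vc, cluster = sample_inventory()
    esx02 = cluster.children[1]
    timeout = Rule("RULE-TIMEOUT", "session_timeout", 600, customizable=True)
    manual = Rule("RULE-MANUAL", "policy_reviewed", 0, manual=True)
    out = {"default": evaluate(timeout, vc, pass_label="Configured")}
    on_cluster = [CustomValue(cluster, 1000, "alice", "2024-01-10 09:00")]
    out["cluster"] = evaluate(timeout, vc, on_cluster, pass_label="Configured")
    on_host = on_cluster + [CustomValue(esx02, 2000, "bob", "2024-01-11 14:30")]
    out["host_override"] = evaluate(timeout, vc, on_host, pass_label="Configured")
    out["status_column"] = result_status(*out["host_override"][::2])
    out["manual_pending"] = evaluate(manual, vc)
    out["manual_pass"] = evaluate(manual, vc, manual_answer=True)
    out["manual_fail"] = evaluate(manual, vc, manual_answer=False)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the default limit of 600 both constructed hosts fail; a value of 1000 set on the cluster is inherited by both hosts and leaves only esx-02 failing; a value of 2000 set directly on esx-02 overrides the cluster value and the check becomes Configured with the C mark, which is the sequence the paragraph above describes.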

On the PCI DSS profile, an additional report is available under the Export button. The Consolidated host report offers a better overview of all the PCI DSS rules that failed or passed for each vCenter, at Cluster and ESXi level.

HIPAA

This profile relates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) published by the Secretary of the U.S. Department of Health and Human Services (HHS).

Organizations (called “covered entities”) must put in place technical safeguards to secure individuals’ “electronic protected health information” (e-PHI). The profile lists relevant technical safeguards in the virtual infrastructure that are automatically checked and compared against the requirements of the HIPAA Security Standards for the Protection of Electronic Protected Health Information (the Security Rule).

Every security check can either return a result of Fail or Configured. In cases where there is at least one object in your infrastructure that is not compliant with a specific security check, this check will be marked as Fail. The list of non-compliant objects can be viewed in the details of the affected objects section. A result of Configured means there are no objects failing for the specific check.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

BSI IT-Grundschutz

IT-Grundschutz is the basis for information security. The IT-Grundschutz methodology developed by the BSI makes it possible to identify and implement the necessary security measures through a systematic procedure. The BSI standards provide best practices, and the IT-Grundschutz Compendium provides concrete requirements.

Every security check can either return a result of Fail or Configured. In cases where there is at least one object in your infrastructure that is not compliant with a specific security check, this check will be marked as Fail. The list of non-compliant objects can be viewed in the details of the affected objects section. A result of Configured means there are no objects failing for the specific check.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

CIS

CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.

CIS VMware ESXi Benchmarks are documents intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate VMware ESXi.

The Benchmarks define the following configuration profiles:

  • Level 1 (L1) - Corporate/Enterprise Environment (general use)

  • Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

  • Scored: Failure to comply with Scored recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

  • Not Scored: Failure to comply with Not Scored recommendations will not decrease the final benchmark score. Compliance with Not Scored recommendations will not increase the final benchmark score.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Pass: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Pass (M): displayed when no object is found to be non-compliant. A Manual check is involved.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

NIST

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.

From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.

The NIST SP 800-53 database represents the security controls and associated assessment procedures defined in NIST SP 800-53 Revision 4 Recommended Security Controls for Federal Information Systems and Organizations.

Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control, and a Priority Code 0 [P0] indicates the security control is not selected in any baseline). This recommended sequencing prioritization helps to ensure that the foundational security controls upon which other controls depend are implemented first, thus enabling organizations to deploy controls in a more structured and timely manner in accordance with available resources.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Configured: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Configured (M): displayed when no object is found to be non-compliant. A Manual check is involved.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

GDPR

The General Data Protection Regulation (GDPR) is a European privacy law intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each EU member state. GDPR profile currently covers only Amazon Web Services and focuses on:

  • Data Access: Article 25 of the GDPR states that the controller “shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.

  • Data Protection: Article 32 of the GDPR requires that organizations must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …the pseudonymization and encryption of personal data…”. In addition, organizations must safeguard against the unauthorized disclosure of or access to personal data.

  • Monitoring and Logging: Article 30 of the GDPR states that “each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility”.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Configured: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Configured (M): displayed when no object is found to be non-compliant. A Manual check is involved.

ISO 27001

Published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), ISO 27001 was developed to help organizations of any size or industry make the information assets they hold more secure. ISO 27001 is part of the ISO/IEC 27000 family of standards.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Configured: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Configured (M): displayed when no object is found to be non-compliant. A Manual check is involved.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

Cyber Essentials

Cyber Essentials is a United Kingdom government backed scheme that helps organizations adopt good practices in information security.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Configured: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Configured (M): displayed when no object is found to be non-compliant. A Manual check is involved.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

Essential Eight

The Essential Eight is a series of baseline mitigation strategies defined by the Australian Cyber Security Centre. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

Analysis results can display the following states:

  • Fail: displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. No Manual check is involved.

  • Configured: displayed when no object is found to be non-compliant. No Manual check is involved.

  • Manual: an answer to a Manual check is required.

  • Fail (M): displayed when there is at least one object in your infrastructure that is not compliant with the security check. The list of non-compliant objects can be viewed in the details of the affected objects section. A Manual check is involved.

  • Configured (M): displayed when no object is found to be non-compliant. A Manual check is involved.

Regardless of the original severity, some security rules may not be required for your organization’s interpretation of the security policy. You might need to customize the displayed security checks by filtering those that are not required. For more information, see Filters.

HW Compatibility

In this section the Analyzer shows you the compliance status of your hardware against VMware Hardware Compatibility List (HCL). Keeping your vSphere hardware aligned with VMware HCL is critical for the health and support of your virtual environment.

N.B. ESXi 6.0 and above are supported for this feature. Ensure you have the minimum required permissions specified in System Requirements.

The feature is accessed by clicking the HW Compatibility button in the sidebar.

On selection, the Hardware Compatibility Overview screen will be shown in the main panel:

  • The left-hand side shows information about the definitions, a compatibility simulator, and an inventory filter.

    • The definitions’ age is presented in hours or days and indicates the time that has elapsed since the last update. The exact day is displayed on hover.

    • The ESXi Compatibility Simulation component shows whether your current hardware would be compatible with other available ESXi versions (6.0 and above), simulating a possible upgrade or downgrade based on the version selected. Choose the desired version from the drop-down list and start the compatibility analysis by pressing the Simulate button. The results are displayed on the right-hand side. The icon shown before the ESXi Release indicates whether the ESXi version selected for simulation would be an upgrade or a downgrade from the present version. The right-hand side panel is described in detail in the next paragraph. Turn the simulation off to return to the current version and results.

    • The inventory filter component provides an inventory tree, showing all vCenter Servers, and includes nested Datacenters and Clusters (N.B. Hosts that are not part of any cluster are grouped into an area entitled Standalone Hosts). This allows you to select appropriate objects as desired. By default, all vCenters monitored by the Analyzer and their licensed hosts are displayed. If you want to focus attention on specific Datacenter(s) or Cluster(s) you can tick the corresponding checkboxes which will filter the view based on your selection.

  • On the right-hand side all Hosts are presented in a table, offering a breakdown of configuration and the compatibility evaluation. Cross-checks between the Host’s system Data and the HCL industry knowledge will produce an overall state for the host:

    • Compatible - the Server and all I/O devices were marked as compatible automatically after the evaluation. No override applied.

    • Compatible (Override applied) - the Server and all I/O devices were marked as compatible after the evaluation. The override functionality was applied to at least one object.

    • Possibly Incompatible - the Server and all I/O devices were marked as incompatible automatically after the evaluation.

    • Possibly Incompatible (Override applied) - the Server and all I/O devices were marked as incompatible after the evaluation. Even though the override functionality was applied at least once, there are still objects identified as not compatible.

    In case of incompatibility, the parameter that contributed to this status will be indicated by the red color.

    Optionally, you can switch between viewing all Hosts or only those with issues by toggling the ON/OFF button in the top bar. The same applies to hosts with overrides.

    The option to export the report in .csv format is available by using the Export button.

    For each Host, the name, Partner, Model, CPU, ESXi release, BIOS and the number of I/O devices are each displayed in separate columns. By clicking on a row, an additional detail panel will appear providing more data.

    The detail panel is divided into tabs:

  • Server - contains a summary of the data retrieved from the ESXi host (Host Data) and data found in the HCL (HCL Data) against multiple categories. Evaluation is done sequentially starting with Partner data and continuing with Model, CPU series, down to BIOS. On a mismatch between Host Data and HCL Data the evaluation process will stop, and a red exclamation symbol will be displayed to indicate a possible incompatibility. The data also provides other known/supported options if these are available from the HCL. Information collected from the Host will still be shown for all categories.

    If you want to see detail directly from the VMware HCL webpage you can click on the button labelled HCL online which will open a new browser tab linked to the specific server selected (if an internet connection is not available a message will be displayed).

    The override functionality lets you force the result for any of the devices so that it passes the evaluation criteria. Once the override has been applied, all devices matching the same properties inherit the new status, and the device is then marked as Compatible (Override applied).

  • I/O Devices – contains a list of all I/O devices present on the server selected. Compatibility states are shown using a green (compatible) or red (possibly incompatible) symbol. For each device, specific information about the PCI address and other technical IDs are shown. If you want to see the detail on the VMware HCL webpage you can click on the button to open a new browser tab linked specifically for the device.

    To expand a specific device to view its detail, click on the name or symbol. You will be shown evaluation results concerning the HCL Data. The evaluation sequence uses categories starting with IDs, Brand Name, Model, Device Type and continuing with ESXi Release and Driver, Firmware. If there is a mismatch between Host Data and HCL Data the evaluation will stop, showing a red symbol to indicate a possible incompatibility. You will also be shown known/supported options if these are available (information collected from the Host will still be shown for all categories).

  • vSAN Controllers – this tab will be available only when vSAN is configured. Compatibility states are shown using a green (compatible) or red (possibly incompatible) symbol. For each controller, specific information about name, type and other technical IDs are shown. If you want to see the detail on the VMware HCL webpage you can click on the button to open a new browser tab linked specifically for the device.

    To expand a specific device to view its detail, click on the name or symbol. You will be shown evaluation results concerning the HCL Data. The evaluation sequence uses categories starting with IDs, Brand Name, Model, Device Type and continuing with ESXi Release and vSAN Type, Driver, Firmware. If there is a mismatch between Host Data and HCL Data the evaluation will stop, showing a red symbol to indicate a possible incompatibility. You will also be shown known/supported options if these are available (information collected from the Host will still be shown for all categories).

  • vSAN Disks – displayed without any compatibility evaluation; this tab provides informative data about each disk group and its disks.
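The sequential evaluation described for the Server and I/O Devices tabs, together with the override inheritance and the overall host states listed above, is modelled in the added Python example below. It is not the product's own code: the category orders are taken from the text, but the data model (an HCL record as a map from category to the set of supported values, devices keyed by their IDs string, a device absent from the HCL mismatching on IDs) and every vendor, model, ID and version string are constructed for illustration.

```python
# Added example (constructed data, not the product's code): category-by-category
# HCL evaluation that stops at the first mismatch, override inheritance for
# devices sharing the same properties, and the derived overall host state.

SERVER_ORDER = ["Partner", "Model", "CPU series", "BIOS"]
DEVICE_ORDER = ["IDs", "Brand Name", "Model", "Device Type",
                "ESXi Release", "Driver", "Firmware"]


def evaluate_sequence(host_data, hcl_data, order):
    """Compare Host Data with HCL Data in the given category order.
    hcl_data maps each category to the set of values the HCL lists as
    supported. The first mismatch stops the evaluation and the HCL's
    known/supported options for that category are reported."""
    checked = []
    for category in order:
        checked.append(category)
        supported = hcl_data.get(category, set())
        if host_data.get(category) not in supported:
            return {"compatible": False, "mismatch": category,
                    "checked": checked, "known_options": sorted(supported)}
    return {"compatible": True, "mismatch": None,
            "checked": checked, "known_options": []}


def override_matches(device, overrides):
    """An override is a set of property values; every device whose
    properties all match inherits it."""
    return any(all(device.get(k) == v for k, v in ov.items()) for ov in overrides)


def evaluate_host(host, hcl_server, devices, hcl_devices, overrides=()):
    """Derive the overall state shown in the host table from the Server
    evaluation and the per-device evaluations (with overrides applied)."""
    server = evaluate_sequence(host, hcl_server, SERVER_ORDER)
    results = {"Server": server, "I/O Devices": []}
    all_ok, override_used = server["compatible"], False
    for dev in devices:
        res = evaluate_sequence(dev, hcl_devices.get(dev["IDs"], {}), DEVICE_ORDER)
        if not res["compatible"] and override_matches(dev, overrides):
            res = dict(res, compatible=True, overridden=True)
            override_used = True
        all_ok = all_ok and res["compatible"]
        results["I/O Devices"].append(res)
    state = "Compatible" if all_ok else "Possibly Incompatible"
    results["state"] = state + (" (Override applied)" if override_used else "")
    return results


def sample_data():
    """Constructed host, HCL server record, two devices and their HCL records.
    The second device's driver is one version behind the listed one."""
    host = {"Partner": "Acme", "Model": "SuperBox 100",
            "CPU series": "Xeon Gold 6200", "BIOS": "1.2"}
    hcl_server = {"Partner": {"Acme"}, "Model": {"SuperBox 100"},
                  "CPU series": {"Xeon Gold 6200"}, "BIOS": {"1.2", "1.3"}}
    devices = [
        {"IDs": "1234:0001", "Brand Name": "VendorA", "Model": "NIC-10",
         "Device Type": "Network", "ESXi Release": "7.0 U3",
         "Driver": "nica 1.11", "Firmware": "8.15"},
        {"IDs": "1234:0002", "Brand Name": "VendorB", "Model": "NIC-25",
         "Device Type": "Network", "ESXi Release": "7.0 U3",
         "Driver": "nicb 4.19", "Firmware": "16.28"},
    ]
    hcl_devices = {
        "1234:0001": {"IDs": {"1234:0001"}, "Brand Name": {"VendorA"},
                      "Model": {"NIC-10"}, "Device Type": {"Network"},
                      "ESXi Release": {"7.0 U3"}, "Driver": {"nica 1.11"},
                      "Firmware": {"8.15"}},
        "1234:0002": {"IDs": {"1234:0002"}, "Brand Name": {"VendorB"},
                      "Model": {"NIC-25"}, "Device Type": {"Network"},
                      "ESXi Release": {"7.0 U3"}, "Driver": {"nicb 4.21"},
                      "Firmware": {"16.28"}},
    }
    return host, hcl_server, devices, hcl_devices


def demo():
    host, hcl_server, devices, hcl_devices = sample_data()
    before = evaluate_host(host, hcl_server, devices, hcl_devices)
    # Override applied to one device; any device with the same properties inherits it.
    overrides = [{"IDs": "1234:0002", "Driver": "nicb 4.19"}]
    after = evaluate_host(host, hcl_server, devices, hcl_devices, overrides)
    # A BIOS the HCL does not list stops the server evaluation at the BIOS category.
    old_bios = evaluate_sequence(dict(host, BIOS="1.0"), hcl_server, SERVER_ORDER)
    return before, after, old_bios


if __name__ == "__main__":
    before, after, old_bios = demo()
    print(before["state"], "->", before["I/O Devices"][1]["mismatch"],
          before["I/O Devices"][1]["known_options"])
    print(after["state"])
    print(old_bios["mismatch"], old_bios["known_options"])
```

In the constructed data the server passes all four categories, the first device passes every device category, and the second device stops at Driver with the HCL's listed driver reported as the known option, so the host is Possibly Incompatible; after an override matching that device's properties the host becomes Compatible (Override applied).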

On all detail tabs, the far right-hand side of each category contains a button showing a loud-speaker icon, which appears on hover.

The button is available for both states – compatible or possibly incompatible – and gives you the option to report an issue if a match was not made as expected or a mismatch occurred. If an internet connection is available, clicking the loud-speaker icon presents a window showing the (anonymized) data collected, and the button to send the data can then be used to submit it. If an internet connection is not available, the window provides steps to download the file and e-mail it to the support team. We very much welcome any feedback.

Custom Profiles

Custom Profiles allow you to create your own baseline by copying existing issues to a custom profile.

This feature will become available under the Configuration Analysis part after being enabled in Settings > Knowledge Profiles > Custom Profiles.

In the Profiles Management view you can either create a new profile or modify the existing ones.

To create a new profile, press the button located in the top right corner. In the pop-up window, add the Profile Name, the Code, and the Description, then press the Create a new profile button to generate the profile. The default Profile status after creation is Disabled. Change the status to Enabled to start using it and to have it displayed under the Custom Profiles section.

Any rule can be added to a custom profile by pressing the Copy to Custom Profile button, available under each rule once it is expanded. Before the rule is copied, you can select the desired Profile and, optionally, change the Severity or provide a new Title. Press Copy issue to complete the action.

Both initial and custom rules are considered during the scan. If the initial rule is not needed anymore, it can be filtered out – see Filters.

Note

Only configuration rules can be copied to a Custom Profile. Log rules, marked as LOG in the Profile column of the Definition Database, are excluded.