Recently one of my previous customers asked me for tips on how to systematically control remote session timeouts to ESXi hosts. The context was standardizing console session timeouts across multiple ESXi hosts across an enterprise. This is a common requirement for enterprise environments with regulated security postures. I figured this may be useful, so I decided to share this information with a wider audience than just my customer and good friend Todd (@tdamore).
The security requirement can be satisfied by leveraging a new security advanced setting included in the new vSphere 5.1 platform called “ESXiShellInteractiveTimeOut”. Any vCenter user with elevated privileges (admin level) can use this advanced setting to address the ESXi host remote session timeout systematically. It allows you to implement a standardized timeout value for interactive sessions to ESXi hosts. The timeout value could be dictated by a standardized corporate security policy or whatever fits your organization. Overall, the use of this advanced setting can facilitate automating the termination of idle sessions after a defined period of time (the value is defined in seconds).
Getting to the Advanced Setting location is very simple, even if you're new to the new vSphere Web Client. The screen shots below illustrate the location and configuration option.
Advanced Setting Location
ESXi Advanced Setting Configuration
As the screen shots above illustrate, the advanced settings are located on a per-host basis. Utilizing this setting in large environments can be difficult to manage if it is configured host by host and not managed properly. I would recommend deploying this configuration as part of a Host Profiles implementation. This would be a simplified, validated, and consistent approach.
The process for adding the “ESXiShellInteractiveTimeOut” is listed below:
- Go to the advanced settings on ESXi and enter the adequate value for the ESXiShellInteractiveTimeOut
- Create a Host Profile referencing the host with the modified “ESXiShellInteractiveTimeOut” setting
- Verify the “ESXiShellInteractiveTimeOut” setting value is listed under the Advanced Configuration Option
- The UserVars.ESXiShellInteractiveTimeOut setting should be visible in the Host Profile as illustrated below
Host Profile with UserVars.ESXiShellInteractive
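For environments with many hosts, the same standardization can be checked and applied from PowerCLI before the Host Profile is created. This is an added example, not code from the original post; it assumes PowerCLI is installed, a vCenter named vcenter.example.com, and a policy value of 900 seconds, all of which are placeholders.

```powershell
# Added example (not from the original post): report on, and optionally remediate,
# UserVars.ESXiShellInteractiveTimeOut across every host managed by a vCenter.
# Assumptions: PowerCLI is loaded, 'vcenter.example.com' is the vCenter, and the
# corporate policy requires idle interactive ESXi Shell sessions to end after 900 s.
param(
    [string]$VCenter = 'vcenter.example.com',   # assumed vCenter name
    [int]$PolicyTimeoutSeconds = 900,           # assumed policy value, in seconds
    [switch]$Remediate                          # report only unless -Remediate is passed
)

$SettingName = 'UserVars.ESXiShellInteractiveTimeOut'   # the setting discussed in the post

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Read the current per-host value of the advanced setting
    $setting   = Get-AdvancedSetting -Entity $vmhost -Name $SettingName
    $current   = [int]$setting.Value
    $compliant = ($current -eq $PolicyTimeoutSeconds)

    if (-not $compliant -and $Remediate) {
        # Write the standardized value; this is the value the Host Profile will later enforce
        Set-AdvancedSetting -AdvancedSetting $setting -Value $PolicyTimeoutSeconds -Confirm:$false | Out-Null
        $current   = $PolicyTimeoutSeconds
        $compliant = $true
    }

    [pscustomobject]@{
        Host           = $vmhost.Name
        TimeoutSeconds = $current
        Compliant      = $compliant
    }
}

# A value of 0 means an interactive session never times out, which is exactly the
# state a session-timeout policy is meant to remove; those rows show as non-compliant.
$report | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate first to see which hosts deviate from policy, then with -Remediate on a reference host before capturing that host into a Host Profile.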
Hope everyone finds this useful and handy.
To get more information on my blog postings follow me on Twitter: @PunchingClouds
While at VMworld 2012 in Barcelona last week, I had the opportunity to participate in several conversations with customers discussing many topics and concerns regarding the vSphere 5.1 platform, and one of them was the forever important topic of security. While a great deal of effort goes into sustaining high security standards, there are always concerns about access, auditing and traceability of any infrastructure.
With the release of the vSphere 5.1 platform, VMware introduced many security enhancements to the platform. Some of those efforts were around improving auditing and security capabilities; others are beyond the scope of what I’m trying to discuss in this post.
One of the many concerns organizations are obligated to deal with is focused on systems security and accessibility as it relates to accounts, passwords, and auditing capabilities. vSphere 5.1 addresses many of those concerns by improving the security framework in many areas of the platform. These facts are not some sort of well-kept secret, as I was able to find a blog post on the vSphere Blog page by Kyle Gleed, the Sr. Technical Marketing Manager at VMware responsible for the ESXi platform. The article talks about the security enhancements as well as some other great details which I recommend reading.
My point here is to illustrate some of the security improvements made to ESXi 5.1 that were topics of discussion in some of my conversations at VMworld in Barcelona.
ESXi 5.1 allows the creation of individual local user accounts. Being able to create individual local user accounts on ESXi hosts eliminates the need to share or use the “root” account and password. This approach helps mitigate one of the most common security risks, and it facilitates better auditing and traceability on the ESXi hosts.
ESXi Hosts Multiple Local Accounts
Local ESXi accounts and access roles need to be created and customized via the vSphere C# client, as the new vSphere Web Client doesn’t connect to ESXi hosts directly.
ESXi Hosts Local Access Roles
Any local account granted the administrator role will automatically receive remote shell (SSH) and local DCUI access. The use of individual access accounts simplifies auditing, as remote and local logins as well as the execution of individual tasks can be easily tracked to a named user.
DCUI Local User Access
The recommended approach for auditing and log parsing is to send all ESXi logs to a centralized syslog server for better manageability and search capabilities. The new vSphere Web Client Log Browser is also a pretty handy tool for searching ESXi logs.
There are many topics and much ground to be covered in relation to the security enhancements introduced in vSphere 5.1; this is just one of them.
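The same steps (named local account, administrator role on the host, logs shipped to central syslog) can be scripted against a host directly from PowerCLI, which, like the C# client, connects to the ESXi host rather than through the Web Client. This is an added example, not code from the original post or from VMware; the host, account and syslog names are placeholders, and the -UserAccount switch on New-VMHostAccount is the PowerCLI 5.x syntax contemporary with ESXi 5.1.

```powershell
# Added example (not from the original post): replace shared root logins on one
# ESXi host with a named local administrator and point the host at central syslog.
# Assumptions: PowerCLI 5.x, direct connection to the host, placeholder names below.
param(
    [string]$ESXiHost   = 'esxi01.example.com',           # assumed host name
    [string]$AdminId    = 'jsmith',                       # assumed named admin account
    [string]$SyslogHost = 'udp://syslog.example.com:514'  # assumed central syslog target
)

# root is used once here to bootstrap the named account; after that it need not be shared.
$rootCred = Get-Credential -Message "root credentials for $ESXiHost (bootstrap only)"
Connect-VIServer -Server $ESXiHost -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $ESXiHost

# 1. Individual local account. The password is prompted for, never stored in the script.
$secure = Read-Host -Prompt "Password for $AdminId" -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
New-VMHostAccount -Id $AdminId -Password $plain -Description 'Named admin (no shared root)' -UserAccount | Out-Null

# 2. Administrator role on the host; as the post notes, this also grants SSH and DCUI access.
New-VIPermission -Entity $vmhost -Principal $AdminId -Role (Get-VIRole -Name Admin) | Out-Null

# 3. Central syslog via the Syslog.global.logHost advanced setting, plus the outbound
#    'syslog' firewall exception so the host can actually reach the collector.
Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost' |
    Set-AdvancedSetting -Value $SyslogHost -Confirm:$false | Out-Null
Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog' |
    Set-VMHostFirewallException -Enabled $true | Out-Null

# 4. Verify the result: account present, permission in place, syslog target set.
[pscustomobject]@{
    Host       = $vmhost.Name
    Account    = (Get-VMHostAccount -Id $AdminId).Id
    Role       = (Get-VIPermission -Entity $vmhost -Principal $AdminId).Role
    SyslogHost = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
}

Disconnect-VIServer -Server $ESXiHost -Confirm:$false
```

Once the named account exists, SSH and DCUI logins on the host show up in the central syslog under that user instead of root, which is what makes the per-user traceability described above possible.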