A Couple of Tips or Tricks When Working With VMware ESX using Root

When working with VMware ESX there are some tips that I can share that can help you manage your environment. This tips are not anything really new or exciting but rather a reinforcement of some best practices to live by in order to improve auditing for compliance and troubleshooting.  Use of the following in conjunction with remote logging functionality will improve your compliance stance and improve your ability to troubleshoot over a period of time.

How you may ask? By using a tool that logs all local administrator actions to a remote logging host. There are two ways to do this today for ESX (SUDO and the HyTrust Appliance) and only one mechanism for ESXi and vCenter (the HyTrust Appliance).

SUDO

One of the first things to recommend is the use of SUDO in your environment.  Besides giving you accountability of who ran a privileged command, the use of SUDO will give you and extra step to help you think before entering commands.  Without going into to much detail, the use of SUDO will give the members of a certain group the ability to run  the privilege commands that root can run without having to log in as root.  By default, SUDO uses the wheel group and you can also choice whether or not you need to enter your password when entering those commands.  I encourage the use of passwords when using SUDO as an extra step that can force to admin to think about what he is doing before the command is executed. SUDO can also be configured to grant access to a subset of commands as well.

One of the biggest complaints that I have heard about SUDO is that you need to know the full path of the command to be able to execute the command.  Usually if you are logged into VMware ESX host as root you could just enter the command name and be on your way.

esxcfg-vswitch –l

When using SUDO to use that command, if you just type the command name you will get an error that the command was not found and would need to enter the full path with your command

sudo /usr/sbin/esxcfg-vswitch -l

The can be a real hassle and impractical if you do not know the exact location of all the commands that you could or would execute.  So a trick and issue fix is to add the same paths to your profile that the root account has associated with it.  Any easy way to do this automatically when an account is created is to run this command.

# Give new accounts the path variables to run esxcfg commands
sed -e “s/PATH=\$PATH:\$HOME\/bin/PATH=\$PATH:\/usr\/local\/sbin:\/sbin:\/usr\/sbin:\$HOME\/bin/g” /etc/skel/.bash_profile > /etc/skel/.bash_profile.new
mv -f /etc/skel/.bash_profile.new /etc/skel/.bash_profile

This command will add all the paths needed to any new accounts created and you will no longer need to use the full path and can just use the command itself.

sudo esxcfg-vswitch –l

When using SUDO you should not really need to log in as root or need to su to root.  For those environment where the need and ability to switch the users to root is in place then it is a good idea to make a change to show that you now have elevated privilege. One way to do this is to change the text color when the root account is used to log on or a user has used su to elevate to root.

# Help identify when logged in as root
echo “PS1=’\[\e[31m\]\u@\h:\w#\[\e[m\]‘” >> /root/.bashrc
echo “PS1=’\[\e[32m\]\u@\h:\w#\[\e[m\]‘” >> /etc/skel/.bashrc

This command will change the text color to red for the root account.  It does not change your ability to do anything just gives you a warning or visual cue that you are using elevated privilege and you should be careful when entering any commands.

HyTrust

The HyTrust appliance also provides mechanisms to log and impose per command controls similar to SUDO but through a remote mechanism as an SSH proxy without a need to configure SUDO per host. Even when using HyTrust I would configure the path and text color variables as described previously. While HyTrust alleviates the need to configure SUDO, being able to easily type in path-less commands simplifies an administrators work.

Additionally, HyTrust acts as a proxy between the vSphere Client and both ESX(i) and vCenter for a single unified log mechanism that will make it easier to determine who did what, when where and how.

Conclusion

Use of HyTrust or SUDO improves your compliance stance while the suggested changes will make using these tools less painful and more useful. For troubleshooting, you now have a log of all commands issue so you can determine who did what, when, where, and how. With HyTrust this is expanded to include all vSphere and other Client actions.