VMware Aria Operations continuously monitors your infrastructure to ensure that it remains in compliance. Compliance is an ongoing process. VMware Aria Operations evaluates the collected data against the defined policies. It assigns a compliance score to each object or group based on how well they adhere to the policies. The compliance score is typically represented as a percentage.

How Compliance Benchmarks Work

Compliance is used to monitor the vCenter Server instances, hosts, virtual machines, distributed port groups, and distributed switches in your environment to ensure that the settings on your objects meet the defined standards. Compliance benchmarks display score cards that help you proactively detect compliance problems in VMware Aria Operations. The compliance benchmarks are measured against a set of standard rules, regulatory best practices, or custom alert definitions.

All the compliance standards in VMware Aria Operations, including any standards that you define, are based on alert definitions. Only alert definitions of the Compliance subtype are counted. Custom score cards can monitor user-defined alerts. The alerts and symptom definitions are based on the properties and metrics of the underlying object.

When VMware Aria Operations detects non-compliance with a policy, it can generate alerts or notifications. Depending on the severity of the non-compliance, you can configure automated remediation actions to bring the object back into compliance.

You can manage all compliance related tasks from the Optimize > Compliance page. The data sources are displayed in a carousel on the top of the page. To see a compliance score card, you must first configure the data source that VMware Aria Operations can monitor, and then activate the benchmarks for those types of data sources. When you activate a benchmark for a data source, you select an applicable policy. VMware Aria Operations then activates the appropriate alert definitions in the policy to measure compliance.

Data Sources for Calculating Compliance

VMware Aria Operations can measure compliance from different data sources to ensure that your virtualized environment adheres to predefined policies and standards. These data sources provide the information necessary to evaluate the compliance of your infrastructure. The data sources that VMware Aria Operations can use for compliance measurement are as follows:
  • VMware Self-Managed Cloud (SDDC) environment, including DC and Edge environments
  • VMware Managed Cloud (VMC SDDC) environment
  • VMware Cloud Foundation Domains
  • VMware Cloud on Dell EMC SDDC
  • Oracle Cloud VMware Solution SDDC
  • Azure VMware Solution
  • Google Cloud VMware Engine
  • Private Cloud
Note: For VMware Aria Operations to measure compliance against these data sources, you must first configure them. See the relevant topic in the Integrating Data Sources with VMware Aria Operations chapter of the Configuring VMware Aria Operations guide.
Note: In version 8.16, the symptom set for the FISMA Security Standards, DISA Security Standards and vSphere compliance pack were updated to generate an alert when the following conditions are false:
  • Block Override Allowed should be true
  • Port Config Reset at Disconnect should be true
Note: In version 8.16, a bug involving DVPG symptoms on Promiscuous mode, MAC address changes, Forged transmits not considering the uplink/non-uplink state was fixed.
The symptoms on DVPG properties allow_promiscuous, forged_transmits and mac_changes are defined in the following compliance packs:
  • CIS Security Standards
  • DISA Security Standards
  • FISMA Security Standards
  • ISO Security Standards
  • PCI DSS Compliance Standards
  • vSphere Security Configuration Guide

Compliance benchmarks on VMware Cloud on AWS, VMware Cloud Foundation, VMware Cloud on Dell EMC, Oracle Cloud VMware Solution, Azure VMware Solution, and Google Cloud VMware Engine are applicable only on customer VMs that you have deployed in the respective data centers.

You can automate the remediation of some of the alerts by installing the Management Pack for VMware Aria Automation Orchestrator. See the management pack documentation in the VMware Aria Operations for Integrations Product Documentation for more details.

Compliance Benchmarks

VMware SDDC and Benchmarks
Displays score cards based on alerts which are measured against the latest hardening guides:
  • vSphere Security Configuration Guide
  • vSAN Security Configuration Guide
  • NSX Security Configuration Guide

For more details, see VMware SDDC Benchmark Details.

VMware Cloud Foundation Benchmarks
Displays score cards based on alerts which are measured in VMware Cloud Foundation domains based on the following audit guides:
  • VCF 4.2 Audit Guide
  • VCF 4.3 Audit Guide
  • VCF 4.4 Audit Guide
  • VCF 4.5 Audit Guide
The alerts are based on objects in your VMware Cloud Foundation environment.

For more details, see the topic, VMware Cloud Foundation Benchmarks based on VMware Cloud Foundation Compliance Kits.

Custom Benchmarks
Displays benchmarks that you define. Use compliance alerts from vSphere and regulatory management packs, or define your own alerts to monitor. You can define up to five custom score cards. You can import custom benchmarks from other instances of VMware Aria Operations.
Regulatory Benchmarks
Displays benchmarks for industry standard regulatory compliance requirements. You can install compliance packs for the following regulatory standards:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS) Compliance Standards
  • CIS Security Standards
  • Defense Information Systems Agency (DISA) Security Standards
  • The Federal Information Security Management Act (FISMA) Security Standards
  • International Organization for Standardization (ISO) Security Standards

For more details, see Regulatory Benchmark Details.

For instructions on installing these compliance packs, see Install a Regulatory Benchmark.