As the virtual infrastructure administrator for your company, you must ensure that your vSphere objects comply with the compliance rules in the vSphere Security Configuration Guide. You use the compliance alerts in vRealize Operations Manager to monitor your objects for violations of your compliance standards. When a compliance alert triggers on your vCenter Server instance, hosts, virtual machines, distributed port groups, or distributed switches, you investigate the compliance violation.
To enforce and report on the compliance of your vSphere objects, you enable the compliance rules in the vSphere Security Configuration Guide. Then, you enable the appropriate alerts, and apply a risk profile to your virtual machines.
The alert definitions provided with vRealize Operations Manager are based on object types instead of the specific versions of the Security Configuration Guides. To use these alerts, you no longer need to create a custom group and apply the policy to that group.
Prerequisites
Verify that the current version of vRealize Operations Manager is installed and running.
Procedure
- In vRealize Operations Manager, enable the compliance rules.
  - Click Administration, and click Solutions.
  - Click the VMware vSphere solution, and click Configure.
  - In the Manage Solution dialog box, click Define Monitoring Goals.
  - Under Enable vSphere Hardening Guide Alerts, click Yes and click Save.
  - When vRealize Operations Manager reports that the default policy is configured to collect compliance data on your objects, click OK, click Save Settings, and then click Close.

  vRealize Operations Manager modifies the current default policy and enables the alert definitions. By default, the alert definition named "Virtual Machine is violating Risk Profile 1 in vSphere Security Configuration Guide" is enabled.
- Verify or change the compliance alert definitions in the default policy.
  - In the menu, click Administration, and then in the left pane, click Policies, and then click the Active Policies tab. Note the name of the current default policy.
  - In the Policy Library tab, select the current default policy and click Edit Selected Policy.
  - To edit the alert definitions for the vSphere Security Configuration Guide, do the following:
    - In the Edit Monitoring Policy workspace on the left, click Alert / Symptom Definitions.
    - In the Alert Definitions pane, enter Security Configuration in the Filter search box. Several alert definitions appear, which you use to enforce compliance on your objects. Each alert displays the number of symptoms and the object type to which the alert applies. You can see the alert definitions for risk profiles 1, 2, and 3, which you use to ensure high, medium, or low security on your virtual machines.
    - Select an alert.
    - In the State column, click the down arrow, and select Local for either the base security configuration policy or one of the risk profiles. Do not enable more than one risk profile.
  - To enable vSphere Security Configuration Guide alerts by specifying the base policy, do the following:
    - In the Edit Monitoring Policy workspace on the left, click Select Base Policy.
    - From the Select drop-down list, select the vSphere Security Configuration Guide policy.
  - To enable compliance alerts on your virtual machines, distributed port groups, and distributed switches, enable the other alert definitions, and click Save.
- View the symptom set in the alert definition.
  - In the menu, click Alerts, and then in the left pane, click Alert Definitions.
  - In the filter text box, enter Security Configuration.
  - In the lower pane, locate the alert impact, criticality, and symptom set.
  - Scroll through the symptom set and examine the symptoms that can trigger an alert for the host.
  - Below the symptom set, examine the recommendation to fix the problem if this alert triggers on your host.
  - Click the link to the vSphere Security Configuration Guide.

  The link opens the VMware Security Hardening Guides web page.
Results
You have ensured that the compliance rules are enforced on the objects in your vCenter Server instances, according to the VMware vSphere Security Configuration Guide.
What to do next
Analyze compliance rule violations in the Object summary page in the Compliance tab.