Compliance is used to monitor the vCenter Server instances, hosts, virtual machines, distributed port groups, and distributed switches in your environment to ensure that the settings on your objects meet the defined standards.

vRealize Operations Manager includes alerts for VMware vSphere Hardening Guide versions 6.5, 6.0 and 5.5. Hardening guides for regulatory standards are delivered as management packs (PAK files) that you upload, license, and install.

You can install management packs for the following regulatory standards:

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Payment Card Industry Data Security Standard (PCI DSS) compliance standards

  • CIS Security Standards

  • Defense Information Systems Agency (DISA) Security Standards

  • The Federal Information Security Management Act (FISMA) Security Standards

  • International Organization for Standardization Security Standards

vRealize Operations Manager generates compliance alerts when symptoms trigger on your vCenter Server instances, hosts, virtual machines, distributed port groups, and distributed switches. After vRealize Operations Manager collects the compliance data from your objects, you resolve any rule violations that occurred, and create a report of the compliance results.

To enforce vSphere Security Configuration Guide compliance on virtual machines, vRealize Operations Manager includes several compliance risk profiles. You apply the risk profiles to groups of virtual machines based on whether you must ensure a high, medium, or low level of security in your environment.

  • Risk Profile 1 includes all available compliance rules as symptoms, and enforces the highest level of security for your virtual machines. This profile is enabled by default.

  • Risk Profile 2 enforces a medium level of security for your environment, and includes fewer symptoms than Risk Profile 1. This profile is disabled by default.

  • Risk Profile 3 enforces a low level of security, and includes fewer symptoms than Risk Profile 2. This profile is disabled by default.

All the compliance standards in vRealize Operations Manager, including any standards that you define, are based on alert definitions. You can view score cards for each available hardening guide on the Home > Troubleshoot > vSphere Compliance page and on the Environment > Object > Compliance tab. A score card is the visual summary that vRealize Operations Manager uses to present compliance results.

In the Home > Troubleshoot > vSphere Compliance summary page, vRealize Operations Manager displays score cards for the vSphere Security Configuration Guide, HIPAA Hardening Guide, PCI DSS Hardening Guide, CIS Security Standards, DISA Security Standards, FISMA Security Standards, and ISO Security Standards, computed per resource. The score cards display the number of compliant resources, the number of non-compliant resources, and the total number of resources affected by each hardening guide. In addition, you can see the breakdown of the total number of objects that are compliant and non-compliant.

In the Environment > Object > Compliance tab, vRealize Operations Manager displays score cards for the vSphere Security Configuration Guide, HIPAA Hardening Guide, PCI DSS Hardening Guide, CIS Security Standards, DISA Security Standards, FISMA Security Standards, and ISO Security Standards, computed per symptom. The score cards display the total number of rules and the number of non-compliant rules, based on triggered symptoms, for each hardening guide.
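To make the two roll-ups concrete, the following added Python example (not vRealize Operations Manager code) models triggered compliance symptoms as "rule X violated on object Y under guide Z" and computes both the resource-based summary-page score cards and the symptom-based Object tab score cards, plus a risk profile as a subset of rules. All object names, rule ids and guide membership are constructed placeholders, not real hardening guide rules.

```python
from collections import defaultdict

# Constructed sample data, not real vRealize output: one entry per triggered
# compliance symptom (one rule violated on one object under one hardening guide).
# Rule ids are hypothetical placeholders.
TRIGGERED_SYMPTOMS = [
    {"guide": "vSphere Security Configuration Guide", "object": "vm-01", "rule": "vm.console-copy"},
    {"guide": "vSphere Security Configuration Guide", "object": "vm-01", "rule": "vm.console-limit"},
    {"guide": "vSphere Security Configuration Guide", "object": "host-01", "rule": "esxi.lockdown"},
    {"guide": "PCI DSS Hardening Guide", "object": "vm-02", "rule": "pci.logging"},
]

# Constructed: the objects each guide is applied to, and the rules each guide defines.
OBJECTS_IN_SCOPE = {
    "vSphere Security Configuration Guide": ["vm-01", "vm-02", "host-01"],
    "PCI DSS Hardening Guide": ["vm-01", "vm-02"],
}
RULES_PER_GUIDE = {
    "vSphere Security Configuration Guide": {"vm.console-copy", "vm.console-limit",
                                             "esxi.lockdown", "esxi.ntp"},
    "PCI DSS Hardening Guide": {"pci.logging", "pci.vmotion-encrypt"},
}


def resource_score_cards(symptoms, objects_in_scope):
    """Summary-page view: per guide, compliant / non-compliant / total objects.
    An object is non-compliant under a guide if any of that guide's symptoms fired on it."""
    violators = defaultdict(set)
    for s in symptoms:
        violators[s["guide"]].add(s["object"])
    cards = {}
    for guide, objs in objects_in_scope.items():
        bad = len(violators[guide] & set(objs))
        cards[guide] = {"compliant": len(objs) - bad, "non_compliant": bad, "total": len(objs)}
    return cards


def rule_score_card(symptoms, rules_per_guide, obj):
    """Object Compliance-tab view: per guide, total rules and rules this object violates."""
    cards = {}
    for guide, rules in rules_per_guide.items():
        failed = {s["rule"] for s in symptoms if s["guide"] == guide and s["object"] == obj}
        cards[guide] = {"rules": len(rules), "non_compliant_rules": len(failed & rules)}
    return cards


def apply_risk_profile(symptoms, profile_rules):
    """A risk profile is a subset of rules enabled as symptoms; only those violations count."""
    return [s for s in symptoms if s["rule"] in profile_rules]
```

Feeding a smaller rule set through `apply_risk_profile` before scoring shows why Risk Profile 2 or 3 reports fewer non-compliant objects than Risk Profile 1 on the same environment.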

You can find the vSphere Hardening Guides at http://www.vmware.com/security/hardening-guides.html.