Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

The goal of this document is to describe how to configure VMware infrastructure and especially VMware vCenter in order to use VMware Auto-Discovery and Clone&Scan features in EWP.

Introduction

The Auto-Discovery feature of EWP allows you to specify a VMware vCenter account and then automatically retrieve the virtual machines (VMs) that are running in your VMware infrastructure. Thus you can maintain an up-to-date inventory of your VMware infrastructure at no cost.

The Clone&Scan feature of EWP allows you to run a vulnerability scan on a Clone of your virtual machine (VM) with a deep inspection (authenticated like vulnerability scanning) without having to specify any credentials to access the VM. EWP clones the select VM, reconfigure it to get administration access, isolates the VM on a specific network or datastore (according to configuration) and then start the VM. Then EWP detects the Cloned VM and start a vulnerability scan targeting the Cloned VM. Once the scan has finished, EWP deletes the Cloned VM and reports the findings (vulnerabilities) to the VM.

Note

CIS benchmark for VMware ESXi permissions is not covered by this document.


Create a New User

To add a new user, complete the following steps.

  1. From Administration menu, navigate to Single Sign-on > Users and Groups.

    ElasticDetector01

  2. Click the green + sign to open the New User form.
  3. Create the EWP user by filling in the New User form and click OK.

    ElasticDetector02

  4. Check that the user has been properly created.

    ElasticDetector03


Create a New Role

To create roles to assign to users, complete the following steps.

  1. From Administration menu, navigate to Access Control > Roles.

    ElasticDetector04

  2. Click the green + sign to start creating a new role.
  3. Name the new role EWP and configure it as follow:

    ElasticDetector05
    ElasticDetector06
    ElasticDetector07
    ElasticDetector08

Assign Role to User

To assign roles to users, complete the following steps.

  1. Go to Permissions tab of vSphere.

    ElasticDetector09

  2. Click on the green + sign to add a role to the user.

    ElasticDetector10

  3. Click on the Add button and select EWP user.

    ElasticDetector11

  4. Click on the Add button and then on the OK button to save the selection.

    ElasticDetector12
    ElasticDetector13
    The user is now added to the main panel.

  5. Select the EWP role.

    ElasticDetector14

  6. View and check that the user/role assignment has been properly added.

    ElasticDetector15


Restrict Access to VMs

If Elastic Workload Protector (EWP) should have access to a limited list of VMS, select the folder you would like to exclude and from Permissions tab, start again as above but select No Access role.

ElasticDetector16

Configuration Testing

From Elastic Workload Protector (EWP) GUI, go to Configuration menu, Credentials and create a vSphere connector.

ElasticDetector17

As soon as this configuration completed, click on Inventory refresh to return to the dashboard to launch a scan. If no VMs have been discovered, refresh the page by pressing Ctrl + F5.

White List Method

(Access => EWP rights)

  • Give access to vCenter without rights propagation.

    ElasticDetector18

  • Give access to Datacenter without rights propagation.

    ElasticDetector19

  • Give access to the folder containing your VMs with rights propagation.  The folders containing allowed VMs needs to be accessed with propagated rights, since clones are created in these folders. Our user needs inherited rights on clones. If the folder contains VMs we do not want to give access to, we can add No Access role to those VMs. This will be taken into accounts against propagated rights to children from the folder.

    ElasticDetector20

  • Give access to Networks without rights propagation.

    ElasticDetector21

  • Give access to Datastores without rights propagation.

    ElasticDetector22