Tripwire ConfigCheck is a free, downloadable tool that provides an assessment of VMware ESX 3.0/3.5 configurations from a security standpoint. The tool operates by connecting to a specified VMware ESX server and comparing its configuration to best practices as provided by VMware; specifically, the VMware Infrastructure 3 Security Hardening guidelines. The VMware Infrastructure 3 Security Hardening guidelines (which can be downloaded from the VMware site) provide detailed descriptions of security related configuration parameters as well as recommendations for their settings. Tripwire states that their Tripwire ConfigCheck tool automates over half of the tests provided in the hardening guide; including those tests that apply specifically to VMware ESX and lend themselves well to automated testing.

To use the utility, it must first be downloaded to a Windows 2003 machine with a JRE at 1.5 or better. After unpacking and launching the utility, the user is then prompted for the username/password for root access to the VMware ESX machine to be examined (users may examine as many ESX machines as they like; but may do so only one at a time). Tripwire recommends that this Windows machine be located behind the firewall, but on the same network used for virtual infrastructure management.

The utility then examines the configuration and performs its tests, noting the results of each test as "Passed," "Failed," or "Unavailable," (Unavailable usually means no connection could be made; the password provided was incorrect or the file to be examined is unreadable by root). Among the parameters examined are such items as port group settings, NIC mode settings, network isolation for VMotion and iSCSI, and more.

The tool then provides potential remediation steps for each failed test. A companion document, the Tripwire ConfigCheck Remediation Guide, is also available as a free PDF download (registration required), which explains each test (i.e., what is being tested and why it is important from a security standpoint), as well as provides step-by-step remediation instructions. The Remediation Guide additionally contains links to source data.

As a free tool, the vendor warns that it checks only VMware ESX configurations and not the entire virtual infrastructure (i.e., not Virtual Center, virtual networks, the guest operating system or applications, etc.). Additionally, the tool does not allow the printing of the test results. For more extensive examinations of both virtual and physical environments, the vendor recommends their Tripwire Enterprise product (see related link below).

Visit the Tripwire ConfigCheck site for further information.