Tripwire ConfigCheck for VMware ESX FAQ
- Who is Tripwire?
Tripwire, Inc., founded in 1997, helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency across virtual and physical environments. With its industry leading configuration assessment and change auditing software solutions, IT organizations achieve and maintain configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide.
- What is Tripwire® ConfigCheck™?
Tripwire ConfigCheck is a free, standalone Windows-based utility that enables you to rapidly assess the security of VMware ESX 3.0 and 3.5 configurations compared to the VMware Infrastructure 3 Security Hardening guidelines.
- Is this tool endorsed by VMware?
Tripwire ConfigCheck was jointly developed with VMware. For additional details on VMware's involvement in the project, please refer to the announcement issued by Tripwire.
- What do my test results mean?
When the assessment process is completed, each test will return a "Passed," "Failed" or "Unavailable" result. If a test receives a "Passed" result, it means that the VMware ESX 3.0 and 3.5 hypervisor meets the particular recommended configuration parameters as established by the VMware Virtual Infrastructure 3 Security Hardening guidelines. Conversely, a "Failed" result indicates your server does not meet the recommended configuration parameters. "Unavailable" means there was a problem executing the test. This result usually occurs because the root password fails or the file the test attempts to access is set to be unreadable by root.
- How do I get updates?
Tripwire plans to periodically release updates to the ConfigCheck utility. These will include new and/or improved tests developed in response to recently discovered vulnerabilities, as well as provide support for additional versions of ESX. You can check this site for updates, or register to receive automatic notification upon release.
- How can I ensure Tripwire ConfigCheck is secure?
You should install and run Tripwire ConfigCheck on a Windows system that is behind your firewall and preferably on the same network that you use for virtual infrastructure management applications. Once installed, Tripwire ConfigCheck uses Secure Sockets Layer (SSL) and HTTPS, which are secure communications protocols.
- What protocols does Tripwire ConfigCheck use?
Tripwire ConfigCheck uses Secure Sockets Layer (SSL) and HTTPS protocols.
- What about other parts of the virtual infrastructure (Virtual Center, virtual networks, VMs and guests, etc.)?
Tripwire's commercial products address other parts of the virtual infrastructure, including guest operating systems and applications. Please visit us online for additional information.
- Is there a ConfigCheck tool for my physical servers or network devices?
Tripwire Enterprise, a commercial off-the-shelf software product, provides proactive ConfigCheck capabilities (Configuration Assessment) for file systems (servers and desktops), databases, network devices, directory services and applications. By deploying Tripwire Enterprise across virtual and physical infrastructures, organizations are able to proactively assess and validate configuration settings against internal and external best practice standards. Please visit us online for additional information.
- Will ConfigCheck satisfy a security audit?
Different regulatory and security audits have different requirements depending on the goal of the audit. In general, an audit typically requires a review of the security posture of the entire mission-critical infrastructure through which sensitive data is passed. In that context, VMware ESX is a critical component in the chain. Tripwire ConfigCheck will help you understand how the current configuration state compares to VMware's hardening guide as an initial benchmark review. Audits require you to document your security policy (which may be developed by either following or tuning the hardening guidelines to your specific requirements) and then show auditable proof that your systems have been configured to meet the policy requirements. In order to satisfy a security audit requirement, you should consider Tripwire Enterprise. Please visit us online for additional information.
- How was the knowledge base's remediation guidance created?
Remediation commands are derived from sources which (typically) include the system guidance from the publisher or manufacturer. Tripwire is relying on such third party information, and makes no warranties of any kind in relation to the accuracy or propriety of such information. Please note, these instructions are not guaranteed to work due to the specific nature of your environment and should only be treated as general guidance. Tripwire is not responsible, and expressly disclaims all liability, for any modification of settings, undesired behavior or any other results of your use of this remediation guidance. You assume all risk and responsibility therefore. In any case, all modifications to systems should be performed by trained, experienced and appropriate IT staff. Always apply appropriate backup measures prior to configuration change to allow systems to be returned to prior state.
- Does Tripwire ConfigCheck work on VMware ESXi?
The current version works with ESX 3.0 and 3.5. However, Tripwire has plans to support ESXi in a future release. If you would like to be notified when this becomes available, please register for updates.
- What versions of VMware ESX are supported currently?
Currently, Tripwire ConfigCheck supports ESX 3.0 and 3.5. Tripwire plans to support additional versions in the future. If you would like to be notified when this becomes available, please register for updates.
- How do I install & start-up Tripwire ConfigCheck?
Tripwire ConfigCheck is simple & easy to use. To properly install & start-up the utility, follow these steps or read the blog posting:
  1. Download the file configcheck.zip to a Windows machine that has Java Runtime Environment (JRE) version 1.5 or higher.
  2. Unzip the configcheck.zip file.
  3. Double-click the file configcheck.cmd.
  4. Accept the license agreement.
  5. Enter the ESX host and user credentials.
  6. Click the "Check Configuration" button.
  7. Once the check is complete, you can click the test results to view remediation steps.
- What is the Privacy Protection Policy?
Tripwire ConfigCheck doesn't capture or transmit any personal information, login credentials or ESX configuration data to Tripwire or any third parties. For the privacy policy that applies to the Tripwire corporate website, this site and to Tripwire ConfigCheck, please refer to our corporate privacy policy.
- Why didn't Tripwire ConfigCheck run?
Tripwire ConfigCheck requires that a compatible Java Runtime Environment (JRE) be present on your Windows computer. If it is not present, you will see an error message telling you that a compatible JRE was not found and asking you to install a JRE at version 1.5 or later. If the username/password is incorrect, you will be notified that access was denied. Confirm that you are using the correct IP address and password and that ESX can be reached from your computer. An easy way to do this is to connect to ESX using a VI Client.
- Where should I install Tripwire ConfigCheck?
You should install and run Tripwire ConfigCheck on a Windows system that is behind your firewall and preferably on the same network that you use for virtual infrastructure management applications. The Windows system must have a Java Runtime Environment v1.5 or later installed.
- Can I use Tripwire ConfigCheck to assess multiple VMware ESX servers?
You can use Tripwire ConfigCheck to monitor multiple VMware ESX servers, although one at a time. Simply provide the ESX host credentials and click the 'Check Configuration' button for each ESX instance.
- Where do I go for Technical Support?
For detailed information on the VMware hardening guide, please visit http://www.vmware.com/resources/techresources/726.
To better understand how Tripwire ConfigCheck works, what it tests for, how the tests were developed and how to remediate failed tests, please download the Tripwire Technical Remediation Guide http://www.tripwire.com/configcheck/tw_remediation_guide.cfm.
If the information in this FAQ and in the recommended resources does not answer your questions, we are very interested in helping you find the answers you are looking for. Please
any unanswered questions you may have.
- Can I print out my results?
Tripwire ConfigCheck does not allow you to print test results. However, Tripwire's commercial products include a number of reports that allow you to document test results.
- How does Tripwire ConfigCheck compare to other Tripwire products?
Tripwire ConfigCheck provides limited functionality in comparison to other Tripwire products such as Tripwire Enterprise. Tripwire ConfigCheck provides configuration assessment capabilities for VMware ESX 3.0 and 3.5 compared to the VMware Infrastructure 3 Security Hardening guidelines. In comparison, Tripwire Enterprise ensures configuration control across the VMware ESX hypervisor, individual virtual machines (VMs) and their physical counterparts. Tripwire Enterprise for VMware ESX provides out-of-the-box assessment tests based on both the Center for Internet Security (CIS) security policies and the VMware Infrastructure 3 Security Hardening recommendations—policies that proactively identify potential security vulnerabilities within VMware ESX. Tripwire helps maintain a known and trusted state through continuous change auditing that detects any changes, regardless of the source. For more information on Tripwire Enterprise, please visit http://www.tripwire.com/it-compliance-products/te/.
- How can I contact Tripwire?
You may contact Tripwire via email, phone or online. Complete contact information is available here.
- Where do I send questions, comments or suggestions?
We are very interested in hearing your comments and suggestions on Tripwire ConfigCheck and on the content on this site. Please at your convenience.