VMware’s hardening guides, as well as other guides from the likes of DISA and CIS, are all well and good, but how practical are they?
Not every recommendation should be implemented, as it may not be appropriate for your business. As with everything in security, there will always be a trade-off between the risk you are willing to take and the day-to-day reality and practicality of operations. Having said that, you have to start somewhere, and these guides are a good basis for implementing security checks, whatever your environment may be. The clever part is implementing what these guides recommend within your environment in the most practical and sensible way.
There have been, and still are, various tools out there that provide a basis for security recommendations and guidance towards compliance. Whether it is databases, web applications or VMware that you are looking for advice on, you will find a tool that should work for you. The tools should be used carefully, though. Take VMinformer as an example: this tool aims to go beyond existing tools by letting you decide which checks you run or don’t run, rather than running a blanket set of checks, saying you passed or failed, and leaving you to follow what the tool says like a sheep, without question!
It then attempts to give you an impact score when reporting on passed/failed checks, which in turn will hopefully give you a better understanding of your VM environment and add clarity and more meaning in terms of the risks that affect your business.
