Runecast 3.1 with German BSI Grundschutz compliance monitoring

Runecast Analyzer scans VMware infrastructures for known issues against the VMware KB, checks hardware compatibility against the HCL and compares current settings with VMware best-practice guidelines and security baselines like DISA STIG, PCI DSS or HIPAA. The most recent version 3.1 now contains baselines from the German Federal Office for Information Security (BSI). Germany is an important market for Runecast, so including BSI IT-Grundschutz (BSI IT-Baseline) was an important step to win new customers – especially in the public sector. One of the key selling points of Runecast in that market is its ability to work completely offline. There is no need to send any data into the cloud. You may update the appliance or get new signatures online, but you can also do this offline by mounting an ISO image. Yes, Germany is special in that respect, but we had some… issues.

To demonstrate all new features, Runecast will have a webinar on October 23rd 2019 at 10.00 am (CEST). Registration is free but priceless. Stanimir Markov (CEO) and Robert Berger will talk about BSI IT-Grundschutz Automation within Runecast Analyzer 3.1.


NSX 6.4 UI problem with older vCenter versions

I’m a great fan of the vSphere Client, a.k.a. the HTML5 client. The user interface based on Project Clarity is an eye-catcher and the user experience is great. But sometimes you’re forced to use the old Flash-based flex client. Not with the latest vCenter Server 6.7, but with older releases like vSphere 6.0.

We were facing compatibility issues between flex client 6.0 and NSX 6.4.4, although it’s a supported combination.


VMworld NSX Roving Reporter Interview

Why NSX should be your top priority

While attending VMworld 2018 in Barcelona, my buddy and vExpert Ather Beg asked for a brief interview about VMware NSX topics. Here’s the result.

Further links and resources

Product information

NSX Data Center

NSX for Horizon

Hands on Labs (HOL)

VMware NSX Data Center – Getting Started Hands-on Lab

VMware NSX – Advanced Hands-on Lab

VMware NSX Micro-Segmentation

VMware Secure Horizon with NSX

 

vCenter issues alarm esx.problem.hyperthreading.unmitigated

After installing VMware patches you might see a warning:

XXX esx.problem.hyperthreading.unmitigated.formatonhost not found XXX

The patches addressed in VMware Security Advisory VMSA-2018-0020 mitigate a vulnerability named L1TF. Because the mitigation comes with a performance impact, it is not activated by default. Administrators need to decide what their main focus is: performance or security.

Suppress warning

If you decide in favor of performance and accept the potential threat, you can suppress the warning. Set the advanced option UserVars.SuppressHyperthreadWarning from 0 to 1 and the warning will disappear. This should only be done after reviewing KB 55806.

Activate mitigation

Connect to the vCenter Server using either the vSphere Web Client or the vSphere Client. Switch to the “Hosts and Clusters” view and select an ESXi host in your inventory.


Click the Manage (5.5/6.0) or Configure (6.5/6.7) tab and then switch to “Settings”.
Move to System > Advanced System Settings and enter in the filter box: VMkernel.Boot.hyperthreadingMitigation.

Select the setting and click the Edit pencil icon. Change the default value (false) to true and click OK.

For the change to take effect, the host needs to be rebooted.

PowerCLI

Using PowerCLI is recommended if you have more than one host.

Connect-VIServer vc.mydomain.com

Check current values.

Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.hyperthreadingMitigation | Select Entity, Name, Value

Set values

The next command will activate the mitigation on all hosts without confirmation (be careful!).

Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.hyperthreadingMitigation | Set-AdvancedSetting -Value 1 -Confirm:$false

For the change to take effect, the host needs to be rebooted.
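
Before changing values on many hosts, it helps to see which hosts have the mitigation set and which merely hide the warning. The following is an added example, not part of the original post: it classifies each host from rows in the Entity/Name/Value shape shown above. The function names and the host names in the sample rows are made up for illustration.

```powershell
# Added example: classify hosts by L1TF setting state. Input rows have the
# shape produced by "... | Select Entity, Name, Value" earlier in this post.
# Function names are hypothetical, not part of PowerCLI.
function ConvertTo-Flag($Value) {
    # Advanced settings may come back as bool, number or string.
    "$Value".Trim().ToLower() -in @('true', '1')
}

function Get-L1tfHostState {
    param([Parameter(Mandatory)][object[]]$Settings)
    # Group by host name so both settings of one host are evaluated together.
    $Settings | Group-Object { "$($_.Entity)" } | ForEach-Object {
        $mit = $_.Group | Where-Object Name -eq 'VMkernel.Boot.hyperthreadingMitigation' | Select-Object -First 1
        $sup = $_.Group | Where-Object Name -eq 'UserVars.SuppressHyperthreadWarning' | Select-Object -First 1
        $mitigated  = [bool]($mit -and (ConvertTo-Flag $mit.Value))
        $suppressed = [bool]($sup -and (ConvertTo-Flag $sup.Value))
        $state = if ($mitigated) {
            'Mitigation set (effective after reboot)'
        } elseif ($suppressed) {
            'Unmitigated, warning suppressed'
        } else {
            'Unmitigated, warning visible'
        }
        [pscustomobject]@{
            VMHost = $_.Name; Mitigation = $mitigated
            WarningSuppressed = $suppressed; State = $state
        }
    }
}

# Constructed sample rows (host names are placeholders, not real systems).
$sample = @(
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'VMkernel.Boot.hyperthreadingMitigation'; Value = $true }
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'UserVars.SuppressHyperthreadWarning'; Value = 0 }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'VMkernel.Boot.hyperthreadingMitigation'; Value = $false }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'UserVars.SuppressHyperthreadWarning'; Value = 1 }
    [pscustomobject]@{ Entity = 'esx03.example.test'; Name = 'VMkernel.Boot.hyperthreadingMitigation'; Value = 'false' }
    [pscustomobject]@{ Entity = 'esx03.example.test'; Name = 'UserVars.SuppressHyperthreadWarning'; Value = 0 }
)
Get-L1tfHostState -Settings $sample | Format-Table -AutoSize

# Live use after Connect-VIServer:
# $rows = Get-VMHost | Get-AdvancedSetting -Name VMkernel.Boot.hyperthreadingMitigation,
#     UserVars.SuppressHyperthreadWarning | Select Entity, Name, Value
# Get-L1tfHostState -Settings $rows
```

Hosts reported as “Unmitigated, warning suppressed” are the ones where the alarm has been silenced without the mitigation being set, so they are the ones to review against KB 55806.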

Links

VMware KB 57374 – L1TF related “esx.problem.hyperthreading.unmitigated” vCenter Server Updates

VMware KB 55806 – L1 Terminal Fault – VMM