On May 18, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 22-03 for select VMware products.
The directive confirmed active exploitation of the VMware vulnerabilities by threat actors and left many organizations scrambling to determine their patch level, security hardening status, and attack surface exposure. The following sections provide direction on how you can configure Tenable’s Nessus vulnerability scanner to identify vulnerabilities and security misconfigurations within your VMware infrastructure.
What vulnerability and compliance scanning capabilities does Tenable Nessus have for VMware vSphere infrastructure?
The Nessus compliance scanning capability allows you to scan for security misconfigurations within your VMware infrastructure. Utilizing Tenable audit files, you can scan your VMware infrastructure for compliance with the following configuration standards:
- Department of Defense (DoD) Security Technical Implementation Guide (STIG)
- Center for Internet Security (CIS) Benchmarks
- VMware vendor hardening guides
Nessus can also identify critical security vulnerabilities using local security checks. From a VMware perspective, local security checks exist for Photon OS and ESXi.
How do you properly configure an SSH scanning account in vCenter Server Appliance (VCSA)?
Nessus will not perform Photon OS Local Security Checks or compliance audits without the proper SSH access. Setting up the VCSA SSH scanning account with the correct role (Super Administrator), login shell (bash) and authentication is necessary to achieve full visibility. Justin Sylvester (SecureStrux) has developed a detailed guide on how to set up the scanning account.
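A quick pre-scan check for the login-shell requirement above, added here as an example rather than code from the article, Tenable or SecureStrux: it reads passwd-format content and confirms the scanning account exists and uses bash instead of the appliance shell that blocks the commands Nessus runs. The account name `nessus`, the sample passwd lines and the `/bin/appliancesh` path are constructed assumptions; the Super Administrator role is set in the appliance itself and is not visible in this file, so it must be confirmed separately.

```shell
#!/bin/sh
# Added example (not from the original article or Tenable): verify that a VCSA
# scanning account has the bash login shell Nessus needs for Photon OS local
# checks and compliance audits. Takes passwd-format text as input so it can be
# exercised offline against a constructed sample before touching a real appliance.

# Constructed sample of what /etc/passwd on a VCSA might contain (assumption):
# one account still on the appliance shell, one already switched to bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nessus:x:1000:100:nessus scan account:/home/nessus:/bin/bash
auditor:x:1001:100:auditor:/home/auditor:/bin/appliancesh'

# check_scan_account USER PASSWD_CONTENT
# Returns 0 when USER exists and its login shell is bash, 1 otherwise, and
# prints the reason so the result can go straight into a pre-scan checklist.
check_scan_account() {
    user="$1"
    passwd="$2"
    # Field 7 of the matching passwd line is the login shell.
    shell=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $7; exit }')
    if [ -z "$shell" ]; then
        echo "FAIL: account '$user' not found" >&2
        return 1
    fi
    case "$shell" in
        /bin/bash|/usr/bin/bash)
            echo "OK: '$user' login shell is $shell"
            return 0 ;;
        *)
            # Any other shell (the VCSA appliance shell in particular) means
            # Nessus cannot run its local checks over SSH as this user.
            echo "FAIL: '$user' login shell is $shell, expected bash" >&2
            return 1 ;;
    esac
}

# On a real appliance, run against the live file instead of the sample:
#   check_scan_account nessus "$(cat /etc/passwd)"
check_scan_account nessus "$SAMPLE_PASSWD"
```

Run it on the appliance after creating the account and before scheduling the scan; a FAIL on the shell line means the Photon OS checks will silently come back empty until the shell is changed.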
How do you configure Tenable Nessus credentials?
Running vulnerability and compliance scans against a vCenter Server Appliance (VCSA) requires both SOAP API and SSH credentials in Tenable Nessus. The VMware vCenter SOAP API credentials and settings are defined directly in your Scan Policy along with the desired VMware vSphere compliance audit files. The SSH credentials are assigned to the scan job.