It is important to restrict user authentication and security settings so that you can tell what users performed what actions.
Controlling SSH remote root log in access
In ESX 3.x hosts, SSH remote root login access is disabled by default. If you allow SSH remote root logins to an ESX host service console, you can track where the access to the root account was initiated from, but you cannot track who logged into the root account or which commands were executed. VMware therefore recommends that you restrict SSH remote
SSH remote root login is controlled by the PermitRootLogin parameter in the /etc/ssh/sshd_config file. To disable SSH remote root login completely, set the PermitRootLogin parameter to no.
To allow or deny SSH remote login for specific users, add the users to the AllowUsers and DenyUsers parameters in the /etc/ssh/sshd_config file, for example:
AllowUsers msmith johnd jdoe user*
DenyUsers cclark bbarker user11 gue*
Using the su command
By default, all users can use the switch user (su) command. However, the user issuing the command must know the password of the account to which they are switching. Commands executed as root are not logged, but all attempts to use the su command to log in (whether successful or not) are logged.
To restrict who can use the su command, configure the wheel group in the /etc/group file. Add the appropriate users to the wheel group using either the VMware Infrastructure (VI) Client or a command line to modify the /etc/group file. Users assigned to the wheel group can use the su command.
To enable wheel group authentication using a command line, remove the comment from this line in the /etc/pam.d/su file:
#auth required /lib/security/$ISA/pam_wheel.so use_uid
Do not remove the comment from this line:
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
Users in the wheel group now have to enter the root password when switching to that account. Attempts to switch to the root account are logged in /var/log/messages.
Note: If you uncomment the line that starts with #auth sufficient..., a user in the wheel group is not required to enter a password when switching to a new user. Uncommenting this line lowers the overall security of the ESX host.
Using the sudo command
The sudo command allows a normal user to run commands with root privileges. The sudo command is installed but not configured on ESX hosts.
Administrators can configure the commands that may be executed by users on a command-by-command and host-by-host basis. sudo logs user activities in the /var/log/secure file. Using sudo to run root-privileged commands protects the root account because you do not have to give the root password to anyone.
In the /etc/sudoers file, use the text editor visudo to define which users and groups can or cannot run specific commands on which hosts.
Here is the syntax of the /etc/sudoers file:
<user or group> <host> = (<runas>) <command(s)>
Here is an example entry for the /etc/sudoers file:
test123 ALL=(ALL) NOPASSWD: ALL
In this example, members of the test123 group can initiate any command on any host as root without entering a password.
Note: visudo protects the /etc/sudoers file against multiple simultaneous edits and checks the syntax of your entries.
Here is another example:
mike svresx3 = /usr/sbin/esxcfg-vmhbadevs
In this example, the user mike can run the command esxcfg-vmhbadevs as root on one specific host.
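The following audit script is an added example, not part of the VMware guide: it checks copies of the four files the SSH, su and sudo sections above describe (sshd_config, /etc/pam.d/su, /etc/group and /etc/sudoers) and reports the settings that matter. The sample files it writes are constructed here for illustration; on a real service console you would point the functions at the live files instead.

```shell
#!/bin/sh
# Added audit helper (not from the VMware guide). Each check takes a file
# path as its argument so it can run against constructed samples offline.

# PermitRootLogin must be an explicit "no". sshd keeps the first value it
# reads for a keyword, so the first uncommented line is the effective one.
check_permit_root_login() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "no" ]
}

# The "auth required ... pam_wheel.so use_uid" line must be active, and the
# "auth sufficient ... trust" line must still be commented out.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so[[:space:]]+use_uid' "$1" || return 1
    ! grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_wheel\.so.*trust' "$1"
}

# Print the members of the wheel group (fourth field of /etc/group).
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Print sudoers entries that grant every command without a password; each
# such entry is the broadest grant possible and should be reviewed.
sudoers_nopasswd_all() {
    grep -E '^[^#].*NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Constructed sample files (not real host configuration).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$SAMPLES/sshd_config.weak"
printf '#PermitRootLogin yes\nPermitRootLogin no\nAllowUsers msmith johnd\n' > "$SAMPLES/sshd_config.ok"
printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid\n' > "$SAMPLES/su.weak"
printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid\n' > "$SAMPLES/su.ok"
printf 'root:x:0:\nwheel:x:10:msmith,jdoe\n' > "$SAMPLES/group"
printf 'test123 ALL=(ALL) NOPASSWD: ALL\nmike svresx3 = /usr/sbin/esxcfg-vmhbadevs\n' > "$SAMPLES/sudoers"

for f in sshd_config.weak sshd_config.ok; do
    check_permit_root_login "$SAMPLES/$f" && echo "$f: root SSH login disabled" || echo "$f: root SSH login ALLOWED"
done
for f in su.weak su.ok; do
    check_pam_wheel "$SAMPLES/$f" && echo "$f: su restricted to wheel" || echo "$f: su NOT restricted to wheel"
done
echo "wheel members: $(wheel_members "$SAMPLES/group")"
echo "passwordless ALL grants in sudoers:"; sudoers_nopasswd_all "$SAMPLES/sudoers"
```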