Secure VMware vSphere with Runecast's vRO Plugin


The Runecast vRO plugin version 1.0.3 comes with built-in workflows for enforcing security configuration on VMs, Hosts and DVPortgroups. It pulls the list of affected objects for a specific security profile from Runecast Analyzer and shows which issues can be remediated directly via the plugin. This blog post provides guidance for deploying, configuring and using the Runecast vRO plugin and its out-of-the-box remediation workflows.

The plugin is distributed as a standard .vmoapp package, available for download here, and is supported on vRO 7.x.

1. Deploy the plugin

vRO plugins are installed via the Control Center, accessible at https://<IP or FQDN>:8283/vco-controlcenter, under the Plugins section. The installation process is simple: select the .vmoapp file and accept the EULA.

Note: Some vRO versions require the services to be restarted for the changes to take effect.

2. Configure the plugin

Once the plugin is installed, you need to register your Runecast Analyzer with vRO. The easiest way is to use the built-in workflow available at Library -> RunecastAnalyzer -> Configuration -> Add RunecastAnalyzer. You will need to provide a name, the IP or FQDN, an access token, and choose whether the certificate should be silently accepted.

Add a RunecastAnalyzer

Note: Some vRO versions require the services to be restarted after importing certificates to the internal trust store for the changes to take effect.

After the workflow completes, ensure your Runecast Analyzer instance is visible in the vRO inventory:

RunecastAnalyzer in inventory

3. Start the Remediation Workflow

We recommend starting with the wrapper workflow called Secure vSphere, which will guide you through the whole process. This workflow is located at Library -> RunecastAnalyzer -> Secure vSphere.

Connection detail How to secure vSphere

All inputs are mandatory: the Runecast Analyzer instance, the vCenter Server, the Security Profile, and whether or not you want to trigger an analysis of the selected vCenter after the workflow completes. Currently, the VMware Security Guidelines, PCI-DSS and HIPAA profiles are available for remediation. In the list of object types you can choose between Virtual Machine, Host and DVPortgroup. Once all parameters are provided, proceed by clicking Submit.

The next user interaction expects a list with VMs and issues to be selected:

You can select VMs by clicking on the Not set link in the Select VMs to configure property.

This will open a new window where you can add the VMs on which you want to work. Because many of the remediation actions change VM advanced configuration settings, only Powered Off VMs are available for applying changes.

Once the VMs are selected, the issues list below will get automatically populated.

Select VMs/Issues detail

The list will contain all issues that are available for remediation for the selected VMs. You can easily modify the list by clicking on it and adding or removing issues.

Once you select the desired objects and issues, you can start the remediation by clicking Submit.

The workflow log contains information about all actions that were performed:

Information about all logged actions
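
To show what a VM advanced-configuration check of the kind remediated above looks like, here is an added example (not Runecast's code and not part of the plugin) that audits .vmx-style settings against a small baseline and flags whether each finding can be fixed now, given the powered-off restriction. The baseline keys are examples from VMware's hardening guidance, not the plugin's own list, and the sample .vmx text is constructed.

```python
import re

# Illustrative baseline of VM advanced settings from VMware hardening guidance.
# Assumption: this is NOT the plugin's list; the post does not enumerate its 43 settings.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
}

# Matches lines of the form: key = "value" (lines starting with '#' do not match).
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value} for every 'key = "value"' line in .vmx-style text."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_vm(name, power_state, vmx_text, baseline=BASELINE):
    """Return one finding per baseline key that is absent or has another value.

    Assumption of this sketch: an absent key counts as a finding.
    'remediable_now' mirrors the post: changes apply only to powered-off VMs.
    """
    current = parse_vmx(vmx_text)
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)  # None means the key is not set at all
        if actual is None or actual.strip().lower() != expected.lower():
            findings.append({"vm": name, "setting": key, "expected": expected,
                             "actual": actual,
                             "remediable_now": power_state == "poweredOff"})
    return findings

# Constructed sample input (not taken from a real VM).
SAMPLE_VMX = '''
displayName = "app01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
RemoteDisplay.maxConnections = "40"
'''

if __name__ == "__main__":
    for finding in audit_vm("app01", "poweredOn", SAMPLE_VMX):
        print(finding)
```
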

4. Summary

You now have out-of-the-box remediation workflows with the Runecast Analyzer vRO plugin. Currently, there are 43 security settings which can be easily applied using the plugin. It takes minutes to deploy and saves hours!

Would you like to know more? Check the recording of the webinar with Ivaylo Ivanov, VCIX-DCV.