Penetration Testing mailing list archives
RE: Pen Test of a ESX Server
From: jfvanmeter () comcast net
Date: Thu, 16 Aug 2007 13:17:22 +0000
-------------- Original message ----------------------
From: "Paul Melson" <pmelson () gmail com>

> > I have an assignment to complete a pen test of an ESX server and was hoping to get some thoughts from everyone on how and what to test. I need to check to see if the server is configured in accordance with the "Virtual Computing Security Technical Implementation Guide" Version 1, release 0.1
>
> You realize the pen test and evaluating the ESX server against the VM STIG are 2 different things, yes?

Yes, I was trying to find some guidelines and that was what I found.

> Is your client able to provide you with a copy of that version of the STIG? The most recent version I can find is v2R2*, which is more than 2 years old. Beyond that, the STIG is pretty straightforward. However, I would approach this work more as an audit than a pen test, otherwise you will be very much handicapped in your ability to verify compliance with the STIG. Anyway, if you do pen-test the server, I would suggest that you check out the work** the IntelGuardians guys announced at SANSFire last month. For the time being, this pretty much makes it impossible for
>
> PaulM
>
> * http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
> ** http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255

Thank you Paul for the information and ideas.

--John
Current thread:
- Pen Test of a ESX Server jfvanmeter (Aug 15)
- RE: Pen Test of a ESX Server Paul Melson (Aug 16)
- RE: Pen Test of a ESX Server Mohr, James (Aug 16)
- <Possible follow-ups>
- RE: Pen Test of a ESX Server jfvanmeter (Aug 16)
- RE: Pen Test of a ESX Server jfvanmeter (Aug 16)