Scanning a Guest Operating System

Guest OS scanning is supported for Windows, Linux and FreeBSD VMs. You can run scans manually or schedule them.

For Microsoft Azure, only Linux VMs with the SSH endpoint configured can be scanned. Azure Windows VMs cannot be scanned.

What information is retrieved during a guest OS scan?

Information retrieved for all operating systems

All guest OS scans retrieve values for the following properties:

Free Disk Space (%)

Free Disk Space (GB)

Last Guest OS Scan

Logical Disk Size (GB)

Physical Disk Size (GB)

Unallocated Disk Space (GB)

Unpartitioned Disk Space (GB)

Embotics® vCommander® also pulls disk space properties for both Windows and Linux VMs directly from VMware Tools. If you have set up guest OS scanning on a VM and have installed VMware Tools, disk space values from the most recent update are displayed.

The exception to this rule is Linux and FreeBSD VMs with XFS partitions. In this case, VMware Tools does not calculate disk space values; we recommend setting up guest OS scanning to populate these values. If an XFS partition is detected during a Linux or FreeBSD guest OS scan, further updates from VMware Tools are ignored.

Additional information retrieved for Windows

Installed applications, available services and hot fixes

Guest OS Scan Group

Last Deployed

Last Logon Time

Last Logon User

Memory Limit (GB)

Powered Off Since

Used Storage (GB)

For the last logon time and the VM ID to be displayed in the scan results, ensure that the Audit Policy inside the Windows VM is set to "Success". For more information about setting the Audit Policy, see your system administrator.

Required credentials

For Windows VMs, WMI scanning credentials are used. The account you configure for guest OS scanning requires permission under WMI Control.

For Linux and FreeBSD VMs, SSH credentials are used. SSH must be enabled, accessible and allowed for the vCommander user account. This account needs permission to run the Linux command 'df'.
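
A read-only check of what the SSH scan account can obtain through `df`, and which partitions are XFS and therefore depend on guest OS scanning rather than VMware Tools. This is an added example, not vCommander code; the `df -PTk` flags, the free-space arithmetic, the skipped pseudo filesystems, the account and host names, and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise `df -PTk` output from a scan account's SSH session.
# Live use (hypothetical account and host names):
#   ssh scanuser@vm01.example.internal df -PTk | summarize_df

# Constructed sample of `df -PTk` output (GNU df, 1 KiB blocks).
SAMPLE_DF='Filesystem     Type  1024-blocks     Used Available Capacity Mounted on
/dev/sda1      ext4     41943040 20971520  20971520      50% /
/dev/sdb1      xfs     104857600 26214400  78643200      25% /data
tmpfs          tmpfs     1024000        0   1024000       0% /run'

# Reads df -PTk output on stdin; prints one line per real filesystem:
#   <mount> <type> size_gb=<n> free_gb=<n> free_pct=<n> [xfs-scan-needed]
# Pseudo filesystems are skipped (a choice made for this example).
summarize_df() {
  awk '
    NR == 1 { next }                                  # header row
    $2 ~ /^(tmpfs|devtmpfs|overlay|squashfs)$/ { next }
    NF < 7 { next }                                   # malformed row
    {
      mount = $7
      for (i = 8; i <= NF; i++) mount = mount " " $i  # mount points with spaces
      size_gb = $3 / 1048576                          # KiB -> GiB
      free_gb = $5 / 1048576
      free_pct = ($3 > 0) ? 100 * $5 / $3 : 0
      flag = ($2 == "xfs") ? " xfs-scan-needed" : ""
      printf "%s %s size_gb=%.1f free_gb=%.1f free_pct=%.0f%s\n", mount, $2, size_gb, free_gb, free_pct, flag
    }'
}

# Succeeds (exit 0) when at least one XFS filesystem is present on stdin.
has_xfs() {
  summarize_df | grep -q ' xfs-scan-needed$'
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_DF" | summarize_df
```

If the live command fails with a permission error, the scan account lacks the `df` permission named above.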

Tasks for scanning a guest operating system

Embotics® recommends that you carry out the tasks to scan VMs in the following order:

1. Create guest OS scan groups. If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scan groups.

2. Add existing VMs to the scan groups.

3. Set the guest OS scan group for new VMs.

4. Schedule a guest OS scan.

5. Configure the VMs for guest OS scanning.

6. If a VM fails a scan, check for the following causes:

incorrect credentials (see Configuring VMs for Guest OS Scanning below)

incorrect host name or IP address (see Configuring VMs for Guest OS Scanning below)

the VM is powered off (start the VM using the Start VM command)

you are trying to scan a Microsoft Azure Linux VM without the SSH endpoint configured

you are trying to scan a Microsoft Azure Windows VM. Only Azure Linux VMs can be scanned. An attempt to scan an Azure Windows VM will fail with the following error: VM "<vm-name>" has no valid network address: cannot run guest command.

7. You can then try to run a manual scan on VMs that failed the scheduled scan.

Create guest OS scan groups

Access through:

Configuration menu > Groups > Guest OS Scan

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

By default, all VMs are assigned to the default guest OS scan group, which cannot be edited. If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scan groups.

1. On the Guest OS Scan Group pane, click Add.

2. In the Name field, enter the name of the guest OS scan group (maximum 100 characters).

Note: Give the group a descriptive name so that it makes sense to service owners viewing the service's Guest OS Scan Group property, and so that administrators can easily set the proper group when required.

3. In the Description field, enter details about the guest OS scan group and click OK.

The VM group is created.

Add existing VMs to guest OS scan groups

Access through:

Views menu > Operational, VMs and Templates, or Datastore

Available to:

Administrator and All Operator Levels of Access Rights

In vCommander, VMs are automatically assigned to a default guest operating system (OS) scan group. You can easily add one or more VMs to your own predefined guest OS scan group.

1. Navigate to and select one or more VMs either through the tree or the Virtual Machines tab.

2. Right-click and choose Change Management > Set Guest OS Scan Group.

3. In the Set Guest OS Scan Group dialog, from the list of group names, select the appropriate group, and click OK.

The group name is available on the VM Details pane under the Summary tab. (Learn how to display the guest OS scan group on the Details pane.)

Set the guest OS scan group for new VMs

Access through:

Configuration menu > Policies

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

You can automatically set a guest OS scan group for new VMs by configuring the Default Attributes policy. To learn how to configure the Default Attributes policy, see Assigning Groups to Services with the Default Attributes Policy.

Schedule a guest OS scan

Access through:

Tools > Scheduled Tasks

Available to:

All Access Rights Levels

Superuser can Override Schedules

If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scheduled tasks.

1. Select Tools > Scheduled Tasks and click Add.

Click Next.

2. On the Infrastructure Target page, select the group to which you want the guest OS scan to apply (to schedule a scan for all VMs that have not been assigned to a specific guest OS scan group, select the Default Guest OS Scan Group).

Using the tree, select the infrastructure element to which you want to apply the scheduled scan and click Next.

3. On the Configuration page, enter a name for the scheduled guest OS scan in Guest OS Scan Name.

In the Credentials box, enter a username and password that provide the credentials for the guest OS scan group or leave the fields blank, in which case only VMs that have been assigned individual scanning credentials will be scanned (see Configure VMs for Guest OS Scanning below).

Windows VMs only: To include the Security Events log in the scan, enable Scan for last login. The log contains those security events that have occurred since the last login or up to 31 days (whichever comes first).

Note: You can override this option to scan for the last login by using the Configure for Guest OS Scan command for an individual VM. For more information about this command, see Configure VMs for Guest OS Scanning below.

Click Next.

4. On the Scheduling page, to have scheduling take effect immediately, select Enabled.

You can edit the scheduled task at any time to enable or disable it.

To schedule the frequency and the time for the task, select when you want the task to occur: daily, weekly, monthly, or weekdays.

If you selected a weekly or monthly frequency, select the day of the week or the month from the drop-down menu that appears.

Note: If you select 31 for Day of Month for a monthly frequency, vCommander automatically adjusts the day to reflect the last day of any given month. The same adjustment is made if you select 29 or 30 for February.

Click Next.

5. On the Summary page, review the details and click Finish.

The scheduled task appears in the list of scheduled tasks.

Configure VMs for guest OS scanning

Access through:

Views menu > Operational or VMs and Templates

Available to:

Administrator and All Operator Levels of Access Rights

To configure a VM for guest OS scanning, follow this procedure.

1. Select the VM that you want to configure for scanning and right-click.

2. Click Change Management > Configure for Guest OS Scan.

3. In the Configure for Guest OS Scan dialog, you can use the VMware Tools address for the VM, if specified.

OR

Click Use specified address, and enter the IP address for the VM.

Note: If you use the VMware Tools address, any IP address previously saved for the VM is deleted.

4. To set the credentials for the scan, choose one of the following:

Select Use Credentials from Scheduled Task (available only if a scheduled task for a guest OS scan has been configured).

OR

Select Override Scan Group credentials and enter a username and password.

Note: If you override the scan group credentials, then any username and password you enter become the default credentials for scanning. Any credentials that you set up for a scheduled guest OS scan are overridden by the credentials you set up here.

5. Windows VMs only: To use the Last Login setting from the scheduled task, select Use setting from Scheduled Task.

OR

To change the Last Login setting, select Override settings from the Scheduled Task and either select or deselect Scan for last login.

If Scan for last login is selected, the guest OS scan looks at events that occurred in the Security Events log for a period up to 31 days.

6. To test your configuration, click Test.

If successful, the message "Test Succeeded" appears. This test only verifies that the IP address and credentials are correct.

7. Click OK.

Manually scanning VMs

Access through:

Views menu > Operational or VMs and Templates

Available to:

Administrator and All Operator Levels of Access Rights

After you configure VMs for scanning, you can manually scan a VM (or a group of VMs) at any time. A VM must be configured for scanning before the scan starts (see Configuring VMs for Guest OS Scanning above).

1. Select a VM from the tree or select a group of VMs from the Virtual Machines tab and right-click.

2. Click Change Management > Scan Guest OS and click OK.

Viewing guest OS scan results

There are three ways to view guest OS scan results:

Select the Guest OS Details tab and view the details under the OS Details, Applications, Services or Hot Fixes tab.

View the information that appears on the Details pane of the VM on its Summary tab. See About Scanning a Guest Operating System above for the list of properties populated by a guest OS scan. To display these properties on the Details pane, click the Pick icon and select the properties from the list. See also Customizing the Display of Tabs, Properties and Commands.

View the Guest OS Disk Usage Report (from the Reports menu).

Viewing guest operating system details

Access through:

Views menu > Operational or VMs and Templates

Available to:

Administrator and All Operator Levels of Access Rights

To view guest OS details, the guest operating system must have been scanned.

Details such as applications, services and hotfixes are provided for Windows VMs. Only the date of the last guest OS scan is provided for Linux and FreeBSD VMs.

Guest OS disk usage information is also displayed. Disk usage information is retrieved either from a guest OS scan (if available) or from VMware Tools.

1. Select a VM in the tree.

2. Select the Guest OS Details tab.

3. Click any of the OS Details, Applications, Services or Hot Fixes tabs to open them and view the guest OS details for the selected VM.

For Puppet nodes

If you have integrated with the Puppet Labs® IT automation system, a Puppet tab appears in the Guest OS Details pane for any VMs identified as Puppet nodes. This tab displays environment, group, class and variable information for Puppet nodes.

If the tab contains no information, or if you want to retrieve new information, click Refresh Puppet Information. See also Integrating Puppet with Embotics® vCommander®.

For Chef nodes

If you have integrated with the Chef IT automation system, a Chef tab appears in the Guest OS Details pane for any VMs identified as Chef nodes. This tab displays recipe and role information for Chef nodes.

If the tab contains no information, or if you want to retrieve new information, click Refresh Chef Information. See also Integrating Chef with Embotics® vCommander®.

Deleting a guest OS scan group

Access through:

Configuration menu > Groups > Guest OS Scan

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

To delete a Guest OS Scan group, select the group, click Delete and confirm the deletion.

Caution: When you delete a Guest OS Scan group, all VMs in the group are automatically reassigned to the Default Guest OS Scan group.