Scanning Guest Operating Systems

Guest OS scanning is supported for Windows, Linux and FreeBSD VMs. You can run scans manually or schedule them.

Information retrieved during guest OS scans

All guest OS scans retrieve values for the following properties:

vCommander also pulls disk space properties for both Windows and Linux VMs directly from VMware Tools. If you have set up guest OS scanning on a VM and have installed VMware Tools, disk space values from the most recent update are displayed. The exception to this rule is Linux and FreeBSD VMs with XFS partitions. In this case, VMware Tools doesn't calculate disk space values; we recommend setting up guest OS scanning to populate these values. If an XFS partition is detected during a Linux or FreeBSD guest OS scan, further updates from VMware Tools are ignored.

Because guest OS scans for non-English Windows guests may report disk metrics as Unknown, you should rely on disk usage data from VMware Tools instead of a guest OS scan for non-English Windows guests.

Additional information retrieved for Windows

For the Last Logon Time and the VM ID to be displayed in the scan results, ensure that the Audit Policy on the VM is set to "Success" inside the Windows VM. For more information about setting the Audit Policy, see your system administrator.

Required credentials

  • For Windows VMs, WMI scanning credentials are used. The account you configure for guest OS scanning requires permission under WMI Control.
  • For Linux and FreeBSD VMs, SSH credentials are used. SSH must be enabled, accessible and allowed for the vCommander user account. This account needs permission to run the Linux command 'df'.
  • For Amazon EC2 Linux instances, you must enable password authentication. Guest OS scanning using key pair authentication is not supported.
  • For Amazon EC2 Windows instances, AWS generates an encrypted password for the Administrator account when the instance is launched. To configure guest OS scanning credentials, you must use the key pair to decrypt the password. You can retrieve this password in the AWS console. To learn how, see How do I retrieve my Windows administrator password after launching an instance? in the AWS documentation.
  • For Azure instances, the credentials created when the instance is provisioned must be used.
  • For GCP Linux instances, you must enable password authentication. Guest OS scanning using key pair authentication is not supported.
  • For certain GCP Windows instances, GCP generates an encrypted password for the Administrator account when the instance is launched. To configure guest OS scanning credentials, you must use the key pair to decrypt the password. You can retrieve this password in the GCP console. To learn how, see Creating Passwords for Windows Instances in the GCP documentation.
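
For the EC2 and GCP Linux cases above, where password authentication has to be enabled, one way to limit it to the scan account is a Match block in sshd_config. This is an added example, not vCommander configuration; the account name vcmdr-scan, the address 10.0.0.10 and the drop-in file path are assumptions.

```conf
# Added example: /etc/ssh/sshd_config.d/10-guest-os-scan.conf
# Assumes the main sshd_config has an Include for sshd_config.d near the top;
# if not, put these lines in sshd_config itself, with the Match block last.
# "vcmdr-scan" and 10.0.0.10 are placeholders for the scan account and the
# vCommander server address.

# Weak setting, for comparison: password logins for every account, from anywhere.
#PasswordAuthentication yes

# Scoped setting: passwords stay off globally...
PasswordAuthentication no

# ...and are accepted only for the scan account, only from the vCommander server.
Match User vcmdr-scan Address 10.0.0.10
    PasswordAuthentication yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# sshd keeps the first value it reads for each keyword, so an earlier
# PasswordAuthentication line in the main file or another included file
# takes precedence over the global line above.
# Check syntax with `sshd -t`, then the effective value for this connection:
#   sshd -T -C user=vcmdr-scan,host=localhost,addr=10.0.0.10 | grep -i passwordauthentication
```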

Tasks for scanning a guest operating system

Here are the steps involved in configuring guest OS scanning:

  1. Create guest OS scan groups. If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scan groups.
  2. Add existing VMs to guest OS scan groups.
  3. Set guest OS scan groups for new VMs. There are three ways to set the guest OS scan group when a VM is deployed.
  4. Schedule guest OS scans.
  5. Configure VMs for guest OS scanning.
  6. If a VM fails a scan, check for the following causes:
    • incorrect credentials (see Configure VMs for guest OS scanning)
    • incorrect host name or IP address (see Configure VMs for guest OS scanning)
    • the VM is powered off (start the VM using the Start VM command)
    • you are trying to scan a Microsoft Azure Linux VM without the SSH endpoint configured
    • you are trying to scan a Microsoft Azure Windows VM. Only Azure Linux VMs can be scanned. An attempt to scan an Azure Windows VM will fail with the following error: VM "<vm-name>" has no valid network address: can't run guest command.

    You can then try to run a manual scan on VMs that failed the scheduled scan.

Create guest OS scan groups

Access through:

Configuration menu > Groups > Guest OS Scan

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

By default, all VMs are assigned to the default guest OS scan group, which can't be edited. If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scan groups.

  1. On the Guest OS Scan Group pane, click Add.
  2. In the Name field, enter the name of the guest OS scan group (maximum 100 characters).

    Give the group a descriptive name so that it makes sense to service owners viewing the service's Guest OS Scan Group property, and so that administrators can easily set the proper group when required.

  3. In the Description field, enter details about the guest OS scan group and click OK.

    The VM group is created.

Add existing VMs to guest OS scan groups

Access through:

Views menu > Operational, Deployed, or Storage

Available to:

Administrator and All Operator Levels of Access Rights

In vCommander, VMs are automatically assigned to a default guest OS scan group. You can easily add one or more VMs to your own guest OS scan groups.

  1. Navigate to and select one or more VMs either through the tree or the Virtual Machines tab.
  2. Right-click and choose Change Management > Set Guest OS Scan Group.
  3. In the Set Guest OS Scan Group dialog, from the list of group names, select the appropriate group, and click OK.

    The group name is available on the VM's Summary tab on the Details pane, and can be retrieved in a search. Learn how to display the guest OS scan group on the Details pane.

Set guest OS scan groups for new VMs

There are three ways to set the guest OS scan group when a VM is deployed:

  • the service catalog
  • completion workflows
  • policies

See Guidance for assigning groups to new services to learn which method is best for your situation.

Scheduling guest OS scans

Access through:

Tools > Scheduled Tasks

Available to:

All Access Rights Levels

Superuser can Override Schedules

If you will be scanning both Windows and Linux VMs, create separate Windows and Linux scheduled tasks.

  1. Select Tools > Scheduled Tasks, and click Add.
  2. On the Task page of the Configured Scheduled Task dialog, choose Guest OS Scan, then click Next.
  3. On the Infrastructure Target page, select the group to which you want the guest OS scan to apply from the tree, then select the infrastructure element to which you want to apply the scheduled scan, and click Next.

    To schedule a scan for all VMs that have not been assigned to a specific guest OS scan group, select the Default Guest OS Scan Group.

  4. On the Configuration page, enter a name for the scheduled guest OS scan in Guest OS Scan Name.
  5. In the Credentials box, enter a username and password that provide the credentials for the guest OS scan group or leave the fields blank, in which case only VMs that have been assigned individual scanning credentials will be scanned (see Configure VMs for guest OS scanning below).

    Windows VMs only: To set the scan to include the Security Events log which contains those security events that have occurred since the last login or up to 31 days (whichever comes first), enable Scan for last login.

    You can override this option to scan for the last login by using the Configure for Guest OS Scan command for an individual VM. For more information about this command, see Configure VMs for guest OS scanning below.

  6. Click Next.
  7. On the Scheduling page, to have scheduling take effect immediately, select Enabled.
    • You can edit the scheduled task at any time to enable or disable it.
    • To schedule the frequency and the time for the task, select when you want the task to occur: daily, weekly, monthly, or weekdays.
    • If you selected a weekly or monthly frequency, select the day of the week or the month from the drop-down menu that appears.
    • If you select 31 for Day of Month for a monthly frequency, vCommander automatically adjusts the day to reflect the last day of any given month. The same adjustment is made if you select 29 or 30 for February.

  8. Click Next.
  9. On the Summary page, review the details, and click Finish.

    The scheduled task appears in the list of scheduled tasks.

Configure VMs for guest OS scanning

Access through:

Views menu > Operational or Deployed

Available to:

Administrator and All Operator Levels of Access Rights

To configure a VM for guest OS scanning, follow this procedure.

  1. Select the VM that you want to configure for scanning and right-click.
  2. Click Change Management > Configure for Guest OS Scan.
  3. In the Configure for Guest OS Scan dialog, you can use the VMware Tools address for the VM, if specified.

    OR

    Click Use specified address, and enter the IP address for the VM.

    If you use the VMware Tools address, any IP address previously saved for the VM is deleted.

  4. To set the credentials for the scan, choose one of the following:
    • Select Use Credentials from Scheduled Task (available only if a scheduled task for a guest OS scan has been configured).

      OR

    • Select Override Scan Group credentials and enter a username and password.

      If you override the scan group credentials, then any username and password you enter become the default credentials for scanning. Any credentials that you set up for a scheduled guest OS scan are overridden by the credentials you set up here.

  5. Windows VMs only: To use the Last Login setting from the scheduled task setting, select Use setting from Scheduled Task.

    OR

    To change the Last Login setting, select Override settings from the Scheduled Task and either select or deselect Scan for last login.

    If the Scan for last login is selected, the guest OS scan looks at events that occurred in the Security Events log for a period up to 31 days.

  6. To test your configuration, click Test.

    If successful, the message "Test Succeeded" appears. This test only verifies that the IP address and credentials are correct.

  7. Click OK.

Manually scanning VMs

Access through:

Views menu > Operational or Deployed

Available to:

Administrator and All Operator Levels of Access Rights

After you configure VMs for scanning, you can manually scan a VM (or a group of VMs) at any time. A VM must be configured for scanning before the scan starts (see Configure VMs for guest OS scanning above).

To manually scan a VM:

  1. Select a VM from the tree or select a group of VMs from the Virtual Machines tab.
  2. Right-click and select Change Management > Scan Guest OS and click OK.

Viewing guest OS scan results

There are three ways to view guest OS scan results:

Viewing guest operating system details

Access through:

Views menu > Operational or Deployed

Available to:

Administrator and All Operator Levels of Access Rights

To view guest OS details, the guest operating system must have been scanned.

Details such as applications, services and hotfixes are provided for Windows VMs. Only the date of the last guest OS scan is provided for Linux and FreeBSD VMs.

Guest OS disk usage information is also displayed. Disk usage information is retrieved either from a guest OS scan (if available) or from VMware Tools.

  1. Select a VM in the tree.
  2. Select the Guest OS Details tab.
  3. View the details for the selected VM under the OS Details, Applications, Services or Hot Fixes tabs that are on that page.

For Puppet nodes

If you have integrated with the Puppet Labs® IT automation system, a Puppet tab appears in the Guest OS Details pane for any VMs identified as Puppet nodes. This tab displays environment, group, class and variable information for Puppet nodes.

If the tab contains no information, or if you want to retrieve new information, click Refresh Puppet Information. See also Integrating Puppet with vCommander.

For Chef nodes

If you have integrated with the Chef IT automation system, a Chef tab appears in the Guest OS Details pane for any VMs identified as Chef nodes. This tab displays recipe and role information for Chef nodes.

If the tab contains no information, or if you want to retrieve new information, click Refresh Chef Information. See also Integrating Chef with vCommander.

Deleting guest OS scan groups

Access through:

Configuration menu > Groups > Guest OS Scan

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

To delete a guest OS scan group, select the group, click Delete and confirm the deletion.

Caution: When you delete a guest OS scan group, all VMs in the group are automatically reassigned to the Default Guest OS Scan group.