If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.
Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts, including vSphere Single Sign-On (SSO) users. My response to each of these questions points back to leveraging specific vSphere Events, and I thought I would share some of the use cases in which vSphere Events can help:
- When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
- How much time left (expiry) before the vSphere SSO user password must be changed?
- Audit of all password changes for a vSphere SSO user (e.g. *protected email*)?
- Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
- When was the last time a vSphere SSO user (e.g. *protected email*) password was reset?
- Who recently added a new permission for a vSphere user?
- Who recently removed a permission from a vSphere user?
- Who recently updated a vSphere Role to add permissions?
- Who recently updated a vSphere Role to remove permissions?
These are just some of the examples I have come across that can be answered by looking at vSphere Events such as com.vmware.sso.PrincipalManagement, PermissionAddedEvent, PermissionRemovedEvent, PermissionUpdatedEvent, com.vmware.cis.CreateGlobalPermission and com.vmware.cis.RemoveGlobalPermission. Note that the com.vmware.sso.* and com.vmware.cis.* events are extended events identified by their EventTypeId, whereas PermissionAddedEvent and friends are regular vSphere Event types, which matters when you filter for them (compare the example payloads at the end of this post). As of vSphere 7.0 Update 3, there are more than 1,900 Events, which you can view here.
Once you have identified a particular vSphere Event, you may be interested in what it contains. For VEBA users, you can leverage the vSphere Event Viewer, which is built right into the VEBA Appliance and uses a project called Sockeye. Below is an example of a com.vmware.sso.PrincipalManagement event, in which we can see a number of interesting pieces of information, such as the username that performed the password change (*protected email*) for the given vSphere SSO user, along with the date and time.
Using VEBA, not only can you easily consume these vSphere Events, but you can also do more interesting things, such as forwarding these audit entries to your security and compliance team or sending notifications to shared Slack or Microsoft Teams channels. The use cases are truly endless, and you can take advantage of the many example functions that we have built. If you wish to learn more, check out our VMworld 2021 session VEBA Revolutions - Unleashing the Power of Event-Driven Automation #CODE2773.
Lastly, here are a few of the example payloads for some of the vSphere Events mentioned above.
Password reset and/or change for a vSphere SSO user (com.vmware.sso.PrincipalManagement)
{
  "Key": 9376716,
  "ChainId": 9376716,
  "CreatedTime": "2021-10-14T14:53:48.854999Z",
  "UserName": "*protected email*",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Principal Management event by *protected email* at 10/14/2021 14:52:32 GMT : Resetting local person user 'veba-ui' password",
  "ChangeTag": "",
  "EventTypeId": "com.vmware.sso.PrincipalManagement",
  "Severity": "info",
  "Message": "",
  "Arguments": [
    { "Key": "userName", "Value": "*protected email*" },
    { "Key": "description", "Value": "Resetting local person user 'veba-ui' password" },
    { "Key": "userIp", "Value": "" },
    { "Key": "timestamp", "Value": "10/14/2021 14:52:32 GMT" },
    { "Key": "_sourcehost_", "Value": "vcsa.primp-industries.local" }
  ],
  "ObjectId": "",
  "ObjectType": "",
  "ObjectName": "",
  "Fault": null
}
Adding a vSphere Permission (PermissionAddedEvent)
{
  "Key": 9380117,
  "ChainId": 9380117,
  "CreatedTime": "2021-10-16T14:42:58.142Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission created for VSPHERE.LOCAL\\readonly-svc on Datacenters, role is Administrator, propagation is Enabled",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": { "Type": "Folder", "Value": "group-d1" }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false,
  "Role": { "RoleId": -1, "Name": "Administrator" },
  "Propagate": true
}
Removing a vSphere Permission (PermissionRemovedEvent)
{
  "Key": 9380134,
  "ChainId": 9380134,
  "CreatedTime": "2021-10-16T14:44:41.637Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission rule removed for VSPHERE.LOCAL\\readonly-svc on Datacenters",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": { "Type": "Folder", "Value": "group-d1" }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false
}
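As an added example (not VEBA's own code, and not from the original post), the following Python turns the three payloads above into audit records that answer the questions listed at the top of the post: who changed which SSO user's password and when, how many days remain before that password expires, and whether a permission grant deserves a closer look. The sample events are constructed from the payloads on this page and trimmed to the fields used; the masked SSO administrator address is replaced by the placeholder sso-admin@vsphere.local, and the 90-day maximum password lifetime, the root-folder check on group-d1 and the risk heuristic are assumptions to adjust to your own SSO policy and inventory.

```python
"""Audit records from the vSphere Event payloads shown above.

Added example for this post, not VEBA or VMware Event Router code. The samples
are constructed from the page's payloads, trimmed to the fields used; the SSO
administrator address is masked in the post, so 'sso-admin@vsphere.local' is
a placeholder. The 90-day lifetime and the risk heuristic are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

SSO_ADMIN = "sso-admin@vsphere.local"  # placeholder for the masked address
SAMPLE_EVENTS = [  # constructed from the three payloads above
    {"CreatedTime": "2021-10-14T14:53:48.854999Z", "UserName": SSO_ADMIN,
     "EventTypeId": "com.vmware.sso.PrincipalManagement",
     "FullFormattedMessage": "Principal Management event by " + SSO_ADMIN + " at "
                             "10/14/2021 14:52:32 GMT : Resetting local person user 'veba-ui' password",
     "Arguments": [{"Key": "userName", "Value": SSO_ADMIN},
                   {"Key": "description", "Value": "Resetting local person user 'veba-ui' password"},
                   {"Key": "userIp", "Value": ""},
                   {"Key": "timestamp", "Value": "10/14/2021 14:52:32 GMT"},
                   {"Key": "_sourcehost_", "Value": "vcsa.primp-industries.local"}]},
    {"CreatedTime": "2021-10-16T14:42:58.142Z", "UserName": "VSPHERE.LOCAL\\Administrator",
     "FullFormattedMessage": "Permission created for VSPHERE.LOCAL\\readonly-svc on Datacenters, "
                             "role is Administrator, propagation is Enabled",
     "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
     "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False,
     "Role": {"RoleId": -1, "Name": "Administrator"}, "Propagate": True},
    {"CreatedTime": "2021-10-16T14:44:41.637Z", "UserName": "VSPHERE.LOCAL\\Administrator",
     "FullFormattedMessage": "Permission rule removed for VSPHERE.LOCAL\\readonly-svc on Datacenters",
     "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
     "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False},
]

ROOT_FOLDER = "group-d1"  # assumed MoRef of the vCenter inventory root ("Datacenters")
ADMIN_ROLE_ID = -1        # built-in Administrator role, as seen in the payload above


def parse_created_time(value):
    """CreatedTime is ISO 8601 UTC with a trailing Z and an optional fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _sso_record(event, when):
    """com.vmware.sso.PrincipalManagement: actor and target live in Arguments."""
    args = {a["Key"]: a["Value"] for a in event.get("Arguments", [])}
    desc = args.get("description", "")
    target = re.search(r"user '([^']+)'", desc)  # the affected principal is quoted
    return {"kind": "sso_password_change" if "password" in desc.lower() else "sso_principal_change",
            "when": when, "actor": args.get("userName") or event.get("UserName"),
            "target": target.group(1) if target else None,
            "source_host": args.get("_sourcehost_", ""), "detail": desc, "risk": "info"}


def _permission_risk(event):
    """Heuristic (assumption): Administrator propagated from the root is full control."""
    reasons = []
    if (event.get("Role") or {}).get("RoleId") == ADMIN_ROLE_ID:
        reasons.append("Administrator role")
    if (event.get("Entity") or {}).get("Entity", {}).get("Value") == ROOT_FOLDER and event.get("Propagate"):
        reasons.append("propagates from inventory root")
    return ("high" if len(reasons) == 2 else "medium" if reasons else "low"), reasons


def audit_event(event):
    when = parse_created_time(event["CreatedTime"])
    if event.get("EventTypeId") == "com.vmware.sso.PrincipalManagement":
        return _sso_record(event, when)
    msg = event.get("FullFormattedMessage", "")
    if "Principal" not in event:
        return {"kind": "other", "when": when, "actor": event.get("UserName"), "detail": msg, "risk": "info"}
    # Permission*Event payloads carry no EventTypeId; in VEBA the vSphere event
    # name arrives in the CloudEvent subject. Here the message prefix is used.
    if msg.startswith("Permission rule removed"):
        kind, risk, reasons = "permission_removed", "info", []
    else:
        kind = "permission_added" if msg.startswith("Permission created") else "permission_changed"
        risk, reasons = _permission_risk(event)
    return {"kind": kind, "when": when, "actor": event.get("UserName"), "principal": event.get("Principal"),
            "entity": (event.get("Entity") or {}).get("Name"), "role": (event.get("Role") or {}).get("Name"),
            "propagate": event.get("Propagate"), "detail": msg, "risk": risk, "reasons": reasons}


def audit_events(events):
    return [audit_event(e) for e in sorted(events, key=lambda e: parse_created_time(e["CreatedTime"]))]


def last_password_change(events, user):
    hits = [r for r in audit_events(events) if r["kind"] == "sso_password_change" and r["target"] == user]
    return hits[-1]["when"] if hits else None


def days_until_password_expiry(events, user, max_lifetime_days=90, now=None):
    """Days left under the SSO password policy; 90 days is an assumed maximum lifetime."""
    last = last_password_change(events, user)
    if last is None:
        return None
    return (last + timedelta(days=max_lifetime_days) - (now or datetime.now(timezone.utc))).days


if __name__ == "__main__":
    for r in audit_events(SAMPLE_EVENTS):
        print(r["when"].isoformat(), r["kind"], r["risk"], r["detail"])
    print("veba-ui days to expiry:", days_until_password_expiry(SAMPLE_EVENTS, "veba-ui"))
```

Run stand-alone it prints the three records in order and the remaining lifetime of the veba-ui password; inside a VEBA function the same helpers would be fed the CloudEvent data instead of SAMPLE_EVENTS. Two details from the payloads are worth keeping in mind: the PrincipalManagement event carries two clocks (the SSO-side timestamp argument, 14:52:32, and vCenter's CreatedTime, 14:53:48), so order and age by CreatedTime and report the argument only as detail; and the actor of an SSO change is the userName argument, while for the Permission*Event types it is the top-level UserName. The sample grant itself is a good illustration of why a risk flag helps: a principal named readonly-svc receiving the Administrator role at the root with propagation enabled is exactly what you want someone to look at.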