The Art of Defense – Basic Nutanix Survival in Today’s Threat Landscape

Want to learn how to harden your defenses against external threats but not quite sure where to begin?

In this article, we will go over the following topics to help you stay proactive about securing your Nutanix environment.

Hardening Your CVM

  • Change Default Password
  • Learn about STIG, SCMA, and how to configure them
  • Advanced Intrusion Detection Environment (AIDE)
  • Cluster Lockdown

Change Default Password
The first thing to do when you get your system is to change the default password! Many systems get compromised because of a weak password or because the default password was never changed. Assuming you are not enabling Cluster Lockdown, perform the following steps:
1. SSH into a CVM
2. Change the nutanix user account password
nutanix@cvm$ passwd
3. Change the root account password
nutanix@cvm$ sudo passwd root

STIG, SCMA, and how to configure them
If you’re scratching your head about these terms, don’t worry. I didn’t know about them until I joined Nutanix. Let’s start with the Security Technical Implementation Guide (STIG).

Now, what is a STIG?
Nutanix describes them this way: “Powerful automation and self-healing security models help maintain continuous security in enterprise cloud environments with efficiency and ease. Nutanix has created custom STIGs that are based on the guidelines outlined by the Defense Information Systems Agency (DISA) to keep the enterprise cloud platform within compliance and reduce attack surfaces.” In the case of Linux, the STIGs are commands that find and fix known vulnerabilities in the system configuration.

Every Nutanix system ships with a series of STIGs already installed and kept up to date, drawn from the National Institute of Standards and Technology (NIST). Check out the list of official and customized Nutanix STIGs.

So now that we know what STIGs are, what is SCMA?
Security Configuration Management Automation (SCMA) checks over 800 security entities in the Nutanix STIGs, covering both storage and the built-in virtualization. Nutanix leverages SaltStack and SCMA to self-heal any deviation from the security baseline configuration of the operating system and hypervisor so that the system stays in compliance. If any component is found to be non-compliant, it is set back to the supported security settings without any manual intervention.

  • SCMA monitors the deployment periodically for any unknown or unauthorized changes to configurations, and can self-heal from any deviation to remain in compliance.
  • For example, automatically restoring the permissions on log files is just one of the many checks Nutanix performs to keep the system safe.
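To make the "check, then self-heal" idea concrete, here is an added example (my code, not SCMA or Nutanix code) that does for a couple of log files what the paragraph describes: a baseline states the maximum permitted mode for each file, an audit reports any file with permission bits beyond that, and a remediation step resets the mode. The baseline paths, modes and file contents are constructed for the demo and created under a temporary directory, so it runs anywhere without touching real logs.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed baseline (hypothetical): relative path -> maximum permitted mode bits.
# The rule mirrors the SCMA log-file check in spirit: no world access to logs.
BASELINE = {
    "var/log/app.log": 0o640,
    "var/log/audit.log": 0o600,
}


def current_mode(path):
    """Permission bits only (no file-type bits) of the given file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(root, baseline=BASELINE):
    """Return (relpath, actual_mode, expected_mode) for every file that drifted.

    A file deviates when it has any permission bit set that the baseline does
    not allow; a stricter mode than the baseline is fine and is not reported.
    """
    deviations = []
    for rel, expected in baseline.items():
        path = Path(root) / rel
        if not path.exists():
            continue  # nothing to check (or to heal) for an absent file
        actual = current_mode(path)
        if actual & ~expected:
            deviations.append((rel, actual, expected))
    return deviations


def remediate(root, baseline=BASELINE):
    """Self-heal: put every deviating file back on its baseline mode."""
    fixed = []
    for rel, _actual, expected in audit(root, baseline):
        os.chmod(Path(root) / rel, expected)
        fixed.append(rel)
    return fixed


def demo():
    """Create two constructed log files, let one drift, then audit, heal, re-audit."""
    root = tempfile.mkdtemp()
    logdir = Path(root) / "var" / "log"
    logdir.mkdir(parents=True)
    (logdir / "app.log").write_text("constructed log line\n")
    (logdir / "audit.log").write_text("constructed audit line\n")
    os.chmod(logdir / "app.log", 0o644)    # world-readable: this is the drift
    os.chmod(logdir / "audit.log", 0o600)  # compliant
    before = audit(root)
    fixed = remediate(root)
    after = audit(root)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    print("deviations before:", [(p, oct(a), oct(e)) for p, a, e in before])
    print("healed:", fixed)
    print("deviations after:", after)
```

The bitwise test `actual & ~expected` is the heart of it: it flags only bits the baseline forbids, so an operator who has already locked a file down harder than required is not "corrected" back to a looser mode.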

SaltStack Enterprise, built on Salt open source platform, provides system management software for the software-defined data center with the delivery of event-driven automation for natively integrated configuration management, infrastructure security and compliance, and any cloud or container control.

Hardening your CVMs
SSH into a CVM, and run the following:
nutanix@cvm$ ncli cluster get-hypervisor-security-config
….
Enable Aide : true
Enable Core : false
Enable High Strength P… : true
Enable Banner : false
Schedule : HOURLY

You can customize these settings to your preference, but I want to focus on three: AIDE, High Strength Password, and Schedule.

AIDE stands for Advanced Intrusion Detection Environment and is one of the most popular tools for monitoring changes to Linux-based operating systems. It is used to detect malware, viruses and unauthorized activity on your system. It works by creating a database of the file system and later checking the live system against that database to verify file integrity and detect intrusions. AIDE helps shorten investigation time during incident response by focusing attention on the files that have changed. Basic info about AIDE can be found here.
To enable AIDE, run this command in the CVM terminal.
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-aide=true
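The mechanism the AIDE paragraph describes is easy to see in miniature. The following is an added example (my code, not AIDE itself and not part of the original post): it builds a database of SHA-256 digest, size and mode for every regular file under a directory, then compares a later snapshot against it and reports added, removed and changed files, which is the same three-way classification an AIDE check prints. The directory tree and its contents are constructed inside a temporary directory purely for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root):
    """Snapshot every regular file under root: relpath -> (sha256, size, mode)."""
    root = Path(root)
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are skipped in this demo
            rel = str(path.relative_to(root))
            db[rel] = (file_digest(path), st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(old, new):
    """Classify drift between two snapshots the way an integrity check reports it."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed tree: baseline it, alter it three ways, then compare."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary bytes")   # constructed content
    (root / "etc").mkdir()
    (root / "etc" / "ssh_config").write_text("Port 22\n")
    baseline = build_database(root)

    # Simulated drift: same-size content change, a deletion, and a new file.
    (root / "bin" / "ls").write_bytes(b"replaced binary bytes")
    (root / "etc" / "ssh_config").unlink()
    (root / "etc" / "extra.conf").write_text("# constructed new file\n")
    return compare(baseline, build_database(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Note that the altered binary keeps its original size; a check that only compared sizes or timestamps would miss it, which is why the digest is part of the record.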

To enable the high-strength password policies (minlen=15, difok=8, remember=24) for your CVM:
nutanix@cvm$ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true

To change the default schedule on which SCMA runs (the schedule can be hourly, daily, weekly, or monthly):
nutanix@cvm$ ncli cluster edit-hypervisor-security-params schedule=hourly
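Rather than eyeballing the ncli output on every cluster, the same check can be scripted. This added example (my code, not a Nutanix tool) parses the key/value lines in the format that ncli cluster get-hypervisor-security-config prints, compares the three settings discussed above with the values I would want, and emits the exact edit-hypervisor-security-params command that closes each gap. The sample output is constructed to match the layout shown earlier, including the truncated "Enable High Strength P..." label, which is why settings are matched by key prefix.

```python
# Constructed sample in the layout printed by
# `ncli cluster get-hypervisor-security-config` (values chosen to show gaps).
SAMPLE_OUTPUT = """\
    Enable Aide               : false
    Enable Core               : false
    Enable High Strength P... : false
    Enable Banner             : true
    Schedule                  : DAILY
"""

# (prefix of the label in the output, ncli parameter name, desired value)
CHECKS = [
    ("enable aide", "enable-aide", "true"),
    ("enable high strength", "enable-high-strength-password", "true"),
    ("schedule", "schedule", "hourly"),
]


def parse_security_config(text):
    """Turn 'Label : value' lines into a dict with lower-cased keys and values."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank lines, '....' separators and the like
        label, _, value = line.partition(":")
        cfg[label.strip().lower()] = value.strip().lower()
    return cfg


def find_gaps(cfg, checks=CHECKS):
    """Return one dict per setting that differs from the desired value.

    Each entry carries the actual value (None if the label was not present)
    and the ncli command that would bring the setting into line.
    """
    gaps = []
    for prefix, param, desired in checks:
        actual = next((v for k, v in cfg.items() if k.startswith(prefix)), None)
        if actual != desired:
            gaps.append({
                "param": param,
                "actual": actual,
                "desired": desired,
                "fix": f"ncli cluster edit-hypervisor-security-params {param}={desired}",
            })
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(parse_security_config(SAMPLE_OUTPUT)):
        print(f"{gap['param']}: is {gap['actual']!r}, want {gap['desired']!r}")
        print(f"  fix: {gap['fix']}")
```

Fed the real output of a CVM (for example captured over SSH), an empty list from find_gaps is the "compliant" signal; anything else is a to-do list with the commands already filled in.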


Cluster Lockdown
Lastly, we can enable Cluster Lockdown on your Nutanix system. This disables password-based SSH access to the CVMs, so anyone trying to log in without an authorized key is denied.

  • Nutanix recommends that access, including SSH directly to the CVM and hypervisor, be restricted to as few entities as possible.
  • In high-security settings, Cluster Lockdown is very appropriate and should be implemented.
  • Cluster Lockdown does not affect any cluster communication between its components. The cluster will function as normal.

You can enable this feature via Prism Settings, but follow this guide to generate keys needed for this operation.

If you’ve reached this far, then congrats! You have learned about some advanced features you can enable or customize to further strengthen your defensive stance against external threats.

Automating CLI Command Execution with Paramiko

I am always playing around with environments. Sometimes it’s simply spinning up multiple VMs with Terraform, configuring them with Ansible, or just running simple stress tests. In this particular case, I had spun up four CentOS VMs, all of which run the same application, Folding@Home. In case you don’t know what Folding@Home is:

“Folding@home is a distributed computing project which studies protein folding, misfolding, aggregation, and related diseases. We use novel computational methods and large scale distributed computing to simulate timescales thousands to millions of times longer than previously achieved.”

I figured running this application in my Nutanix environment would be a fun project. Currently, I’m running playbooks from my Prism Central instance to automate powering these VMs on and off at pre-defined hours of the day. But what if I want to spin them up without logging into Prism Element? While Terraform lets you define the power state of VMs, sadly that is not yet possible with Nutanix. I decided to use an old friend: Python with Paramiko.

Note: Ok, I lied. It’s a combination of Python, Paramiko, and Nutanix ACLI.

What you’ll need:
1. CVM IP Address
2. Login credentials for said CVM
3. Python 3.0 installed
4. Image UUID

Alrighty, SSH into any of your CVMs with the appropriate user credentials. From here, you’ll need to gather the VMs you’d like to power on. Use the command: acli image.list

Copy to a clipboard the Image UUID.

Go to your editor of choice and use my already created script as a template.

I use Microsoft Visual Studio Code for my editing, but anything really works.

import paramiko
import sys

# Credentials come from the command line instead of being hard-coded in the script
username = sys.argv[1]  # first argument after the script name
password = sys.argv[2]  # second argument after the script name

client = paramiko.SSHClient()
# AutoAddPolicy trusts whatever host key the CVM presents on first contact,
# so it cannot detect a key that has changed since the last connection
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect('10.48.2.15', port=22, username=username, password=password)
try:
    # Power on three VMs from one SSH command; '&&' runs them one after
    # another and stops at the first command that fails
    stdin, stdout, stderr = client.exec_command(
        "acli vm.on cbd69a63-c0a1-404c-969a-9816e085372f"
        " && acli vm.on b637a621-6cf2-442c-a513-5caeb108e96f"
        " && acli vm.on 28d4c186-c05c-4709-814f-eb635b4f269d"
    )
    lines = stdout.read().decode()  # read() returns bytes; decode for printing
    print(lines)
finally:
    client.close()

The script is pretty standard from what you’ll get on Paramiko’s documentation site. There are two points that I want to highlight for your future uses:

1. In the documentation, the username and password are stored in plain text inside the script itself. This works, but it is a HUGE no-no because it is a security issue. You could store the credentials in a separate file, but I decided to import sys so I can use sys.argv[] to pass the username and password on the command line instead.

2. client.exec_command("") is where you enter your Nutanix acli commands. Since I want to power on three VMs in one go, I added "&&" between the commands so they all run from a single SSH command, one after another. The commands being acli vm.on <Image_UUID> (acli vm.off <Image_UUID> powers a VM down).

When you’re done making your edits, go ahead and run the script from your command line.

python PowerOnVM.py admin password

After the script name come the username (admin) and password (password) used to log into the CVM and execute the acli commands.
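Two things a practitioner would tighten before putting this on a schedule, shown here as an added example that is my code and not part of the original post. First, a password given on the command line is visible to every local user in the process list and ends up in the shell history, so this version reads it from an environment variable or an interactive prompt. Second, the CVM's host key is verified against ~/.ssh/known_hosts instead of being auto-accepted, so a changed key aborts the connection rather than silently continuing. The UUID check before the command string is assembled is also my addition; the CVM address, the CVM_PASSWORD variable name and the script name are assumptions.

```python
import getpass
import os
import re
import sys

# Host address is an assumption; replace with your CVM IP.
CVM_HOST = "10.48.2.15"

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def build_power_command(action, uuids):
    """Join 'acli vm.<action> <uuid>' for each VM with '&&'.

    Only 'on'/'off' and well-formed UUIDs are accepted, so a typo or a stray
    string from a config file can never turn into a different remote command.
    """
    if action not in ("on", "off"):
        raise ValueError(f"unsupported action: {action!r}")
    parts = []
    for raw in uuids:
        uuid = raw.strip().lower()
        if not UUID_RE.match(uuid):
            raise ValueError(f"not a VM UUID: {raw!r}")
        parts.append(f"acli vm.{action} {uuid}")
    if not parts:
        raise ValueError("no VM UUIDs given")
    return " && ".join(parts)


def get_credentials():
    """Username from argv; password from CVM_PASSWORD or a prompt, never argv."""
    username = sys.argv[1] if len(sys.argv) > 1 else "nutanix"
    password = os.environ.get("CVM_PASSWORD") or getpass.getpass(f"Password for {username}@{CVM_HOST}: ")
    return username, password


def run_on_cvm(host, username, password, command):
    """Run one command over SSH with host-key verification; return (status, out, err)."""
    import paramiko  # imported here so the pure helpers above work without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()  # ~/.ssh/known_hosts from a previous verified login
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # unknown key -> abort
    client.connect(host, port=22, username=username, password=password, timeout=15)
    try:
        _stdin, stdout, stderr = client.exec_command(command, timeout=60)
        out = stdout.read().decode()
        err = stderr.read().decode()
        status = stdout.channel.recv_exit_status()
    finally:
        client.close()
    return status, out, err


if __name__ == "__main__":
    # Usage (assumed script name): CVM_PASSWORD=... python PowerOnVM.py admin
    vm_uuids = [
        "cbd69a63-c0a1-404c-969a-9816e085372f",
        "b637a621-6cf2-442c-a513-5caeb108e96f",
        "28d4c186-c05c-4709-814f-eb635b4f269d",
    ]
    user, pw = get_credentials()
    status, out, err = run_on_cvm(CVM_HOST, user, pw, build_power_command("on", vm_uuids))
    print(out)
    if status != 0:
        print(err, file=sys.stderr)
        sys.exit(status)
```

If the CVM's key is not yet in known_hosts, RejectPolicy makes the first run fail loudly; log in once with plain ssh and accept the key after checking its fingerprint, and the script will connect from then on.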

And that’s it! A simple way to execute terminal commands on a remote host.