If all hypervisors were priced the same...
-
@storageninja said in If all hypervisors were priced the same...:
@stacksofplates said in If all hypervisors were priced the same...:
Also, decisions are often more nuanced than simple TCO decisions. If you have compliance requirements, this often shifts to commercial solutions that have validated FIPS 140-2 modules/solutions. If you need a DISA STIG at a given level, paying some money and being able to deploy a single VIB to harden compliance vs. going through checklists and arguing with auditors can be a big deal. How do you quantify the cost of applying with NIST for validation with a do-it-yourself setup vs. a turnkey solution?
RHEL/RHV have a good solution here. Auditors go through OpenSCAP scans with nice HTML reports and we justify any “failures.” It’s a pretty nice system.
That just audits if it was set. What I'm talking about is a single package you deploy that goes ahead and sets the configuration settings up for you.
On ESXi you can use Update Manager to track compliance with the DISA VIB, and use that for tracking it. Just attach as a baseline to your clusters and let Update Manager keep it up to date. Ed Groggin I think has a tool that will do an auto-generation of a report on the hardening guidelines.
Looking online, I'm not seeing Server 2016 in STIG viewer yet. Has Microsoft not gotten a STIG out yet?
Also, Red Hat Virtualization licensing costs as much (or more) than vSphere Standard. At that point, if you don't need/want Red Hat support, VMware looks a lot more attractive. Oddly, the only STIG for SUSE I'm seeing is for Z series.
Well, yes and no. They have built-in remediations with OpenSCAP, so you can have it auto-remediate your machine. We ran an auto-remediate to get the correct settings and then pushed it all out with Ansible, since we can apply specific rules or not based on the type of machine, since they are all RHEL based (workstations, servers, hypervisors, etc.). We don't use RHV, but they have a subset of rules for RHV, which is why I mentioned it. We use bare KVM for systems and it works out pretty well. Ya, I'm not sure about 2016, but I wouldn't be surprised seeing how slow they are.
-
The remediations are in Bash, Ansible, and I think Puppet? Anyway I have written a few of the Ansible remediations for them and have had them pulled into the project.
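The workflow described in the two posts above (audit scan with an HTML report for the auditors, OpenSCAP-generated Ansible remediation, selective application per machine type, and justified "failures") as an added example script; it is not code from either poster or from the OpenSCAP/SSG project. The datastream path and STIG profile id are assumptions matching what the scap-security-guide package ships on RHEL-family hosts, the waiver-file format (one rule id per line) is a constructed convention for recording auditor-accepted failures, and the Ansible `--tags` values assume the tags that SSG-generated playbooks attach to their tasks.

```shell
#!/usr/bin/env bash
# Added example: OpenSCAP audit -> HTML report -> Ansible remediation playbook,
# with an offline summary of the results file for the auditor conversation.
set -eu

# Assumptions: SSG datastream path and profile id as shipped by scap-security-guide.
DATASTREAM="${DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_stig}"

# Audit-only scan: machine-readable XCCDF results plus the HTML report auditors read.
# oscap exits 2 when any rule fails, which is expected, so treat 2 as success.
scan_host() {
  local results="$1" report="$2"
  oscap xccdf eval --profile "$PROFILE" \
      --results "$results" --report "$report" "$DATASTREAM" || [ $? -eq 2 ]
}

# Extract the TestResult id from a results file (needed by "generate fix"
# when building a playbook that only fixes what actually failed).
result_id() {
  sed -n 's/.*<TestResult id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Generate an Ansible playbook from the scan: remediations only for failed rules.
generate_ansible_fix() {
  local results="$1" playbook="$2"
  oscap xccdf generate fix --fix-type ansible \
      --result-id "$(result_id "$results")" --output "$playbook" "$results"
}

# Push the playbook to a group of hosts, limiting it to a tag set (e.g. a severity
# such as high_severity, or a single rule's tag) so workstations, servers and
# hypervisors can each get a different subset. Tag names are an assumption.
apply_fix() {
  local inventory="$1" playbook="$2" tags="$3"
  ansible-playbook -i "$inventory" --tags "$tags" "$playbook"
}

# Offline parser: print "<result> <rule id>" for every rule-result in an XCCDF
# results file. Works whether <result> is on the same line as <rule-result> or not.
rule_results() {
  awk '
    /<rule-result / { match($0, /idref="[^"]+"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
    /<result>/      { match($0, /<result>[^<]+<\/result>/)
                      print substr($0, RSTART + 8, RLENGTH - 17), id }
  ' "$1"
}

# Count failures that are NOT covered by a waiver file (one rule id per line, the
# auditor-justified "failures" from the thread). Pass "" for no waiver file.
unwaived_failures() {
  local results="$1" waivers="${2:-/dev/null}"
  rule_results "$results" | awk -v wf="$waivers" '
    BEGIN { while ((getline line < wf) > 0) waived[line] = 1 }
    $1 == "fail" && !($2 in waived) { n++ }
    END { print n + 0 }
  '
}

# Full cycle for one host, run explicitly: scan, report, fix playbook, push.
full_cycle() {
  local inventory="$1" tags="$2"
  scan_host results.xml report.html
  generate_ansible_fix results.xml fix.yml
  echo "unwaived failures before remediation: $(unwaived_failures results.xml waivers.txt)"
  apply_fix "$inventory" fix.yml "$tags"
}
```

Nothing runs at load time; source the file and call `full_cycle inventory.ini high_severity` on a host with oscap and ansible installed, or run only `unwaived_failures results.xml waivers.txt` against a results file from any earlier scan to see how many findings still need a justification.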