Welcome to Tenable for VMware

Last Updated: June 25, 2024

This document provides information and steps for integrating Tenable Vulnerability Management, Tenable Nessus, or Tenable Security Center with VMware. For more information, refer to the product documentation referenced at the end of this page.

Virtualization environments combine hypervisors, management servers, and often a large number of virtual machines, and can be complex to assess. Integrating Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus with VMware allows you to scan these environments for a comprehensive cyber exposure view.

The Tenable for VMware integration collects information from vCenter servers, ESXi servers, or a combination of both. To integrate with VMware, list the VMware ESXi and/or vCenter servers as scan targets. Additional functionality becomes available when you enable credentialed scans, using VMware vCenter API credentials for vCenter hosts and VMware ESX SOAP API credentials for ESXi hosts. Credentialed scans also make compliance scanning possible.

What information does the integration collect?

ESXi and vCenter Versions

The majority of VMware vulnerability checks are based on the versions of ESXi and/or vCenter. Scans collect the versions of both ESXi and vCenter servers in the target list through an unauthenticated API call.

In the case where a vCenter server manages one or more ESXi servers, ESXi version information can also be obtained from the vCenter server (for example, in the event that ESXi servers are not routable from the scanner). This requires successful authentication to the vCenter server.
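The following is an added example, not Tenable's own code, showing what the unauthenticated version fingerprint described above looks like in practice. It assumes the unauthenticated call is the vSphere Web Services (SOAP) RetrieveServiceContent operation on `https://<host>/sdk`, whose ServiceContent `about` block reports product name, version, build and `apiType` (which tells vCenter and ESXi apart). The two sample responses are constructed, including their build numbers, and the `SOAPAction` header value is an assumption; the `fetch_service_content` function needs network access and is not exercised offline. The build number matters because a single version line such as 7.0.3 spans many patch builds, so version-based checks key on build as well as version.

```python
"""Fingerprint a VMware endpoint with the unauthenticated RetrieveServiceContent call.

Added example, not Tenable's code. It assumes the unauthenticated API call the
page refers to is the vSphere Web Services (SOAP) RetrieveServiceContent operation
on https://<host>/sdk, whose ServiceContent.about block carries the product name,
version, build and apiType. The sample responses below are constructed.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

VIM_NS = "urn:vim25"

# Request body for the operation; it needs no session, so it works before login.
RETRIEVE_SERVICE_CONTENT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:vim25="urn:vim25"><soapenv:Body><vim25:RetrieveServiceContent>'
    '<vim25:_this type="ServiceInstance">ServiceInstance</vim25:_this>'
    '</vim25:RetrieveServiceContent></soapenv:Body></soapenv:Envelope>'
)


@dataclass(frozen=True)
class VmwareAbout:
    name: str
    full_name: str
    version: str   # e.g. "7.0.3": the release line a version-based check keys on
    build: str     # distinguishes patch levels inside one version line
    api_type: str  # "VirtualCenter" for vCenter, "HostAgent" for ESXi

    @property
    def role(self) -> str:
        return {"VirtualCenter": "vcenter", "HostAgent": "esxi"}.get(self.api_type, "unknown")


def parse_service_content(xml_text: str) -> VmwareAbout:
    """Extract the <about> block from a RetrieveServiceContent response."""
    root = ET.fromstring(xml_text)
    about = root.find(f".//{{{VIM_NS}}}about")
    if about is None:
        raise ValueError("no <about> element; not a ServiceContent response")

    def text(tag: str) -> str:
        el = about.find(f"{{{VIM_NS}}}{tag}")
        return (el.text or "").strip() if el is not None else ""

    return VmwareAbout(text("name"), text("fullName"), text("version"),
                       text("build"), text("apiType"))


def fetch_service_content(host: str, verify_tls: bool = True,
                          timeout: float = 10.0) -> VmwareAbout:
    """POST the request to /sdk on a live host (network; not exercised offline)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # ESXi/vCenter often run self-signed certs; opt in explicitly
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/sdk",
        data=RETRIEVE_SERVICE_CONTENT.encode(),
        # SOAPAction value is an assumption; the call is accepted without a session
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": "urn:vim25"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_service_content(resp.read().decode("utf-8", "replace"))


# Constructed sample responses (trimmed to the fields used here).
SAMPLE_VCENTER = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">group-d1</rootFolder>
<about><name>VMware vCenter Server</name>
<fullName>VMware vCenter Server 7.0.3 build-20150588</fullName>
<vendor>VMware, Inc.</vendor><version>7.0.3</version><build>20150588</build>
<productLineId>vpx</productLineId><apiType>VirtualCenter</apiType>
<apiVersion>7.0.3.0</apiVersion></about>
</returnval></RetrieveServiceContentResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_ESXI = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">ha-folder-root</rootFolder>
<about><name>VMware ESXi</name>
<fullName>VMware ESXi 7.0.3 build-19193900</fullName>
<vendor>VMware, Inc.</vendor><version>7.0.3</version><build>19193900</build>
<productLineId>embeddedEsx</productLineId><apiType>HostAgent</apiType>
<apiVersion>7.0.3.0</apiVersion></about>
</returnval></RetrieveServiceContentResponse></soapenv:Body></soapenv:Envelope>"""


if __name__ == "__main__":
    for sample in (SAMPLE_VCENTER, SAMPLE_ESXI):
        a = parse_service_content(sample)
        print(f"{a.role:<8} version {a.version} build {a.build}  ({a.full_name})")
```

Because this call answers before any login, the product, version and build of every reachable ESXi or vCenter host are visible to anyone who can reach port 443; restricting management-network reachability is the control, not hiding the banner.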

VMware Installation Bundles

In addition to ESXi and vCenter version information, credentialed scans collect VMware Installation Bundles (VIBs), the software packages that make up an ESXi image. Collecting VIBs requires successful authentication to vCenter or ESXi; when collecting through vCenter, the account also needs Lifecycle Manager permissions. For the details, see the section on required permissions. Collected VIBs are stored in the scanner’s Knowledge Base (KB).

Successful collection of VIBs is the criterion for reporting an ESXi host with “credentialed checks” set to “yes.” Any credential you configure for vCenter or ESXi hosts must therefore be permitted to list VIBs; a credential that authenticates but cannot list VIBs leaves the host at “no.”
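As an added example (not Tenable's code), the following models the scanner-side handling of a collected VIB list: parsing a listing, deriving the “credentialed checks” value from whether collection succeeded, and comparing installed VIB versions against a fixed version. The listing uses the column layout of `esxcli software vib list` and is constructed; how Tenable actually retrieves the list (SOAP API, vCenter Lifecycle Manager, or otherwise) is not part of the example, and the “fixed version” table is made up for illustration rather than taken from any advisory.

```python
"""Scanner-side handling of a collected VIB list.

Added example, not Tenable's code. The page says credentialed scans collect VIBs
and that a host gets "credentialed checks: yes" only when that collection
succeeds. This models that logic over a constructed listing in the column layout
of `esxcli software vib list`; the retrieval mechanism is out of scope and the
SAMPLE_FIXED table is made up for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed listing: Name, Version, Vendor, Acceptance Level, Install Date.
SAMPLE_VIB_LIST = """\
Name              Version                     Vendor  Acceptance Level    Install Date
----------------  --------------------------  ------  ------------------  ------------
esx-base          7.0.3-0.35.19193900         VMware  VMwareCertified     2022-01-25
esx-update        7.0.3-0.35.19193900         VMware  VMwareCertified     2022-01-25
tools-light       11.3.5.18557794-19193900    VMware  VMwareCertified     2022-01-25
vmkusb-nic-fling  1.11-1vmw.703.0.0.19193900  VMW     CommunitySupported  2022-01-25
"""

# Made-up "this VIB version or later is fixed" table, keyed by VIB name.
SAMPLE_FIXED: Dict[str, str] = {
    "esx-base": "7.0.3-0.40.19482537",
    "tools-light": "12.0.0.19345655-19482537",
}


def parse_vib_list(text: str) -> Dict[str, str]:
    """Map VIB name -> installed version; header and separator rows are skipped."""
    vibs: Dict[str, str] = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2 or cols[0] in ("Name", "") or cols[0].startswith("-"):
            continue
        vibs[cols[0]] = cols[1]
    return vibs


def _component(c: str) -> Tuple[int, int, str]:
    # Numeric components sort numerically; anything else (e.g. "1vmw") sorts
    # after numbers and lexically among themselves, so mixed keys never raise.
    return (0, int(c), "") if c.isdigit() else (1, 0, c)


def vib_version_key(version: str):
    """Sortable key for versions like 7.0.3-0.35.19193900 (upstream-release)."""
    upstream, _, release = version.partition("-")
    return (tuple(_component(c) for c in upstream.split(".")),
            tuple(_component(c) for c in release.split(".")) if release else ())


def credentialed_checks(vibs: Dict[str, str]) -> str:
    """The page's criterion: "yes" only if the VIB list was actually obtained."""
    return "yes" if vibs else "no"


def outdated_vibs(vibs: Dict[str, str], fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, installed, fixed) for every installed VIB older than its fixed version."""
    return [(name, vibs[name], fix) for name, fix in fixed.items()
            if name in vibs and vib_version_key(vibs[name]) < vib_version_key(fix)]


if __name__ == "__main__":
    installed = parse_vib_list(SAMPLE_VIB_LIST)
    print("credentialed checks:", credentialed_checks(installed))
    for name, have, need in outdated_vibs(installed, SAMPLE_FIXED):
        print(f"{name}: installed {have}, fixed in {need}")
```

An empty listing, which is what an authenticated account without permission to list VIBs yields, produces “no” rather than an error, which is exactly why a host can authenticate successfully and still not count as credentialed.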

Auto-Discovery of ESXi Hosts and Virtual Machines

Credentialed scans can enumerate the ESXi hosts and virtual machines and add them as targets to be scanned. For more, see the section on auto-discovery.

Compliance

Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus can scan VMware environments for compliance. Compliance checks are targeted, credentialed checks of ESXi and/or vCenter servers based on the targets listed in the settings.

When scanning a vCenter host, Tenable reports about the vCenter server and any ESXi servers that the vCenter manages. When scanning an ESXi host, the scan reports about the ESXi host. It is possible to scan both ESXi and vCenter hosts in a single scan.

Compliance checks use the SOAP API. Vulnerability checks, by contrast, use the REST API on VMware versions 7.0.3 and newer.

Note: Compliance scanning is unavailable with the Auto-Discovery feature enabled.

What the VMware integration does not collect

The VMware integration does not collect information about the vCenter or ESXi host operating systems. Additionally, the VMware integration cannot collect all information about virtual machines themselves (for example, operating system details).

Note: You can configure additional SSH or Windows credentials for the vCenter and/or ESXi hosts in order to scan for operating system vulnerabilities.

Note: You can configure additional SSH or Windows credentials for virtual machines discovered using the integration in order to scan for operating system vulnerabilities.

For more information about each product integration, see VMware in the Tenable Nessus, Tenable Vulnerability Management, and Tenable Security Center user guides.