VMware ESX SOAP API Helpful Guidelines

VMware ESXi SOAP API Scan Results Review

This section provides resources for reviewing scan results from plugin output and debug log reporting, to help guide you through the scan results review process for the vCenter Integration.

Plugin Families and Plugins

Settings

Nessus Scan Information (19506) - Credentialed Checks

Tenable has observed user confusion with respect to Credentialed Checks: ‘yes/no’ in plugin ID 19506 (Nessus Scan Information) and how authentication is interpreted with the vCenter integration. Unless an SSH credential is included along with a VMware vCenter SOAP API credential, Credentialed Checks does not represent a failed or successful authentication to the host. What is the difference? Traditionally, when running an authenticated scan against a host using SSH or Windows credentials, you can expect to see Credentialed Checks: ‘yes/no’ based on whether the login credentials for the target machine were valid. In the case of the VMware ESXi SOAP API integration, Tenable is authenticating to the ESXi SOAP API, not the host machine, which is an important difference to highlight.

When running a scan using the VMware ESXi SOAP API integration, you can expect to see:

  • Credentialed Checks: ‘yes’ if the integration collected VIBs for that host.

  • Credentialed Checks: ‘no’ if the integration did not collect VIBs.

Service Detection

VMware vSphere Detect (57396)

This plugin gathers the ESXi version from an unauthenticated SOAP API call to the ESXi host. The version gathered from this plugin is used for ESXi vulnerability detection plugins that rely on versioning. This plugin runs independently of the integration and it is not indicative of ESXi authentication issues experienced using the integration.

VMware ESX Local Security Checks

VMware vSphere Installed VIBs (57400)

This plugin reports the installed VIBs collected on an ESXi host. Other plugins and processes, such as Credentialed Checks and vulnerability detection plugins, depend on the successful collection of ESXi installed VIBs. However, Tenable does not execute vulnerability detections against the specific VIB data collected.

VMware Active Virtual Machines (57397)

This plugin reports active virtual machines (powered on) that were collected on a specific ESXi host and therefore are reported on the applicable ESXi host.

VMware Inactive Virtual Machines (57398)

This plugin reports inactive virtual machines (powered off) that were collected on a specific ESXi host and therefore are reported on the applicable ESXi host.

Note: In addition to these integration-related plugins, ESXi vulnerability detection plugins belong to the VMware ESXi Local Security Checks plugin family. If this plugin family is disabled, scan results will not include these vulnerability detections.

Policy Compliance

VMware vCenter/vSphere Compliance Checks (64455)

This plugin must be enabled in order to execute compliance scanning; it performs compliance checks against ESXi hosts. This plugin is automatically enabled if an audit file that requires it is added to the scan.

Plugin Debug Log Reporting

Unlike the vCenter integration, plugin debugging is not centralized in a collection. It consists of individual plugins that generate logs for VIBs and Active/Inactive virtual machines. When troubleshooting, remember that ESXi SOAP API authentication occurs in each of these.

ESXi Installed VIBs: vmware_installed_vibs.log
ESXi Active Virtual Machines: vmware_active_vms.log
ESXi Inactive Virtual Machines: vmware_inactive_vms.log
vmware_compliance_check.log
vmware_compliance_check_debug.log

Note: Do not refer to the vmware_vsphere_detect.log for authentication-related concerns. Tenable sends an unauthenticated SOAP API call to the ESXi host to retrieve the version. The logs in this file can be misleading and do not represent authentication success or failure.
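
An added example (not Tenable code) that applies the rules above to an exported scan: for each host it correlates plugin 19506 with plugins 57396 and 57400 and points to the log worth reviewing. It assumes a `.nessus` XML export with `ReportHost`/`ReportItem`/`plugin_output` elements and a `Credentialed checks : yes/no` line in the 19506 output; the host names and plugin output text are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Plugin IDs named on this page.
SCAN_INFO, VSPHERE_DETECT, INSTALLED_VIBS = "19506", "57396", "57400"

# Constructed sample in the assumed .nessus export layout; hosts and output text are made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="esxi-a.example.test">
  <ReportItem pluginID="19506"><plugin_output>Credentialed checks : yes</plugin_output></ReportItem>
  <ReportItem pluginID="57396"><plugin_output>constructed version banner</plugin_output></ReportItem>
  <ReportItem pluginID="57400"><plugin_output>constructed VIB list</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="esxi-b.example.test">
  <ReportItem pluginID="19506"><plugin_output>Credentialed checks : no</plugin_output></ReportItem>
  <ReportItem pluginID="57396"><plugin_output>constructed version banner</plugin_output></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Assumed wording of the 19506 line; matched loosely on case and spacing.
CRED_RE = re.compile(r"Credentialed checks\s*:\s*(yes|no)", re.IGNORECASE)

def triage(nessus_xml):
    """Return {host: {credentialed, version_detected, vibs_collected, note}}."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        outputs = {item.get("pluginID"): item.findtext("plugin_output", default="")
                   for item in host.iter("ReportItem")}
        match = CRED_RE.search(outputs.get(SCAN_INFO, ""))
        cred = match.group(1).lower() if match else None
        vibs = INSTALLED_VIBS in outputs
        detected = VSPHERE_DETECT in outputs
        if vibs:
            note = "VIBs collected; expect Credentialed Checks 'yes'"
        elif detected:
            # 57396 is unauthenticated, so its presence says nothing about login.
            note = ("version came from the unauthenticated call only; "
                    "review vmware_installed_vibs.log, not vmware_vsphere_detect.log")
        else:
            note = "no vSphere plugin output for this host"
        results[host.get("name")] = {"credentialed": cred, "version_detected": detected,
                                     "vibs_collected": vibs, "note": note}
    return results

if __name__ == "__main__":
    for name, row in triage(SAMPLE).items():
        print(name, row)
```

If an SSH credential was also supplied for the scan, the 19506 value can reflect that login as well, so the correlation with VIB collection applies only to SOAP API-only scans.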
