Auditing User Logins and commands in ESXi

Most of you would have been asked by your auditors during your security audit of your environment. How to track the individual user login and actions performed by the user account in ESXi servers. It was not available in previous versions of vSphere. But with ESXi 5.x, You will be able to login to Shell access using Locally created user account. In previous versions, You have use Su to switch to execute all the commands at ESX or ESXi level but with latest versions you can login and execute all the commands using locally created account by adding them into administrator group. By that you can easily achieve user auditing and when was the last user login and what action was performed by the user during his login.

With this new feature, You will be able to easily provide the auditing information for ESXi logins to your auditor. You will be saved during your IT audit.

Let’s take a step by step look to understand this feature.

1. Create a local user account in ESXi server by login to ESXI directly using vSphere Client

2. Add the user account into Administrator Group 

3. Login to ESXi via SSH using the newly created user account called “Mohammed”

4. Execute the below commands with user “Mohammed” Login
  
This command to list the vSwitch connected to this ESXi host

      esxcli network vswitch standard list

This command to list the Number of CPU’s and its details

       esxcli hardware cpu list

5. Now We will verify the  ”/Var/log/shell.log” to audit the actions performed by user called “Mohammed”

It lists the login information and all the commands executed by the user called “Mohammed” and also logs information about all User logins and tasks performed by users.