Sunday, September 26, 2021

Vagrant VMWare Desktop Plugin - Workstation Pro on Linux


Ran into a problem running Vagrant that nearly had me changing from VMware Workstation Pro on Linux over to VirtualBox. The problem is the Vagrant VMware Desktop plugin doesn't work when trying to control VMware Workstation Pro and returns the message: "An error occurred while executing `vmrun`, a utility for controlling VMware machines[...] The operation is not supported."

I even got so far as to actually have Vagrant working with VirtualBox, but my distaste for VirtualBox was motivation enough to try and find another way.

So here's where I started:

The actual error is quite unhelpful.


Searches on StackOverflow and Google brought up solutions for other platforms and the answers didn't apply to this particular setup.

The command that the Vagrant plugin uses is `vmrun` with the following arguments to create a linked clone:

Command: ["clone", "[home_dir]/.vagrant.d/boxes/generic-VAGRANTSLASH-ubuntu2004/3.4.2/vmware_desktop/generic-ubuntu2004-vmware.vmx", "[home_dir]/vagrant/.vagrant/machines/web/vmware_desktop/4bd0f323-e4a1-45b7-bf6d-55f9e09e0b31/generic-ubuntu2004-vmware.vmx", "linked", {:notify=>[:stdout, :stderr]}]

I tried the vmrun command directly with the same arguments and got the same error. So the issue is rooted in how vmrun is being called in particular.

Finally, after digging into the vmrun documentation, I found a flag which specifies the platform to use:

For Workstation, Player, and VMware Fusion, use the -T flag:
vmrun -T ws
vmrun -T player
vmrun -T fusion

Running the same command again, but with the "-T" flag, worked! So, how do we get the Vagrant plugin to use that flag? The plugin is open source; maybe add the flag in there? Sadly, my feeble attempts pretending to be a Ruby Vagrant Plugin Programmer failed.

As a workaround, I renamed the actual vmrun executable (/usr/bin/vmrun) to vmrun-bin and created a shell script in its place that executes with the -T flag; any arguments given are just passed through:

#!/bin/bash
# Forward every argument to the renamed binary, adding the platform flag the plugin omits.
exec /usr/bin/vmrun-bin -T ws "$@"

And now when I run vagrant with the vmware_desktop plugin, it works!


This is not the best way to get the Vagrant plugin working; better would be to have the VMware plugin add the flag itself. Until then, hopefully this helps others who may run into the same issue.
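
A slightly more defensive version of the same wrapper, added here as an example rather than taken from the post: it adds "-T" only when the caller did not already supply one, lets the platform be chosen through an environment variable, and reports clearly when the renamed binary is missing. The variable names VMRUN_BIN and VMRUN_TYPE are assumptions; the /usr/bin/vmrun-bin path follows the rename above.

```shell
#!/bin/bash
# Added example (not the post's own script): a stand-in for /usr/bin/vmrun that
# forwards to the renamed binary and supplies "-T <platform>" when it is missing.
# VMRUN_BIN, VMRUN_TYPE and the /usr/bin/vmrun-bin path are assumptions.
VMRUN_BIN="${VMRUN_BIN:-/usr/bin/vmrun-bin}"
VMRUN_TYPE="${VMRUN_TYPE:-ws}"   # ws = Workstation, player = Player, fusion = Fusion

# has_platform_flag ARGS...: succeed if -T is already among the arguments,
# so a caller that sets its own platform is not given a second one.
has_platform_flag() {
  for arg in "$@"; do
    [ "$arg" = "-T" ] && return 0
  done
  return 1
}

# build_argv ARGS...: print the command that would be executed, one word per line.
build_argv() {
  if has_platform_flag "$@"; then
    printf '%s\n' "$VMRUN_BIN" "$@"
  else
    printf '%s\n' "$VMRUN_BIN" -T "$VMRUN_TYPE" "$@"
  fi
}

# Hand off to the real vmrun. If the renamed binary is missing (the rename step
# has not been done), say so instead of failing with a cryptic error.
if [ -x "$VMRUN_BIN" ]; then
  if has_platform_flag "$@"; then
    exec "$VMRUN_BIN" "$@"
  else
    exec "$VMRUN_BIN" -T "$VMRUN_TYPE" "$@"
  fi
else
  echo "vmrun wrapper: $VMRUN_BIN not found or not executable" >&2
fi
```

Install it as /usr/bin/vmrun (mode 0755) after renaming the original, exactly as in the post.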

If you have other ways of getting it to work please post a comment.

Thursday, January 2, 2020

Thinking Out-of-the-Box Does Not Come Out of the Box

Take a step back, change your perspective of the situation, look at the whole picture, and look for what people are ignoring. Think, out-of-the-box. Here are 7 cyber security controls that are often overlooked, and definitely don't come configured out of the box.

TL-BRA (Too Long, Bro. Read it Anyway):
  1. Put simple effective controls in unexpected places, and then let them work their magic
  2. Automate the removal of data
  3. Rebuild infrastructure rather than restoring old backups; treat restoring backups as the backup plan.
  4. Turn things off, sometimes even when they need to be on
  5. Look for impossible actions or events
  6. Reduce system performance
  7. Diversify and distribute your security solution layers

  1. Distribute security controls unevenly. Put security in unexpected places. A simple firewall with custom rules in between the VIP laptop and the rest of the network will provide security that a sophisticated firewall using defaults at the WAN border will always miss.
  2. Delete, purge, remove, and decommission unneeded information, data, or systems. Unless you are required to keep the data as part of your business or related contracts and regulations, get rid of it! Hackers can't expose, sell, or exploit data that doesn't exist. Only keep data you need to keep.
  3. Automate your ability to rebuild systems and infrastructure. The ability to rebuild systems and infrastructure on the fly enables you to move to new infrastructure, update baselines, and leapfrog vulnerabilities that plague static systems. Infrastructure that can move and reshape itself is going to last longer. Consider rebuilding instead of restoring a backup when systems fail.
  4. Schedule maintenance windows when the only thing you do is observe what happens when you turn systems off. This is especially effective when some people were expecting the system to be on. Turn off servers, remove services, disable ports, and uninstall software. Like when carving a statue, perfection is achieved by removing the unnecessary and excess pieces in your infrastructure. Harden your systems by cutting out the softest parts. 
  5. Alert on absolute negatives. Anyone who's been on a SOC team knows that adding an alert or two, one here and one there, is what results in the flood of alerts at two in the morning, but stick with me on this next one. Similar to honey pots, alerts for actions that should never be performed in your environment will help reveal hidden problems or adversaries before they cause additional damage. A few examples:
    1. Alert if your CEO (or their secretary) tries to SSH into network equipment
    2. Get notifications if the camera system visits company websites
    3. Record connections when guest network IP addresses show up on protected networks
    4. Use code names so you can alert when "key words" show up in shared folders
  6. Slow down suspicious connections rather than immediately blocking them. The world we live in is fast-paced, and speed is often the difference between keeping and losing business or contracts. The other side of that coin is that speed can also be the difference between keeping and losing sensitive data. So slow down initial access approvals, implement ways to cause delays when monitoring traffic, limit bandwidth, and limit the number of permitted connections on untrusted links, especially for necessary but low priority services. Make time your friend rather than your enemy. Give yourself and your team time by purposefully slowing things down.
  7. Diversify your security solutions and layers. There's a major drawback to standardizing on a single solution for a specific security control: once the control is bypassed or a system is compromised, all other systems with the same control are sure to fall in short order. Layers of security are most effective when you diversify each layer. Use a less common but effective AV solution on systems when appropriate, put in different types of firewalls at logical boundaries, and use alternate network inspection technology. For example:
    1. Run Windows Defender on a Linux box
    2. Set up a pfSense firewall in between the Sales and HR departments

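The four "absolute negative" alerts from item 5, expressed as rules over a constructed log, as an added example that is not part of the original post. The key=value field names, the guest subnet 192.168.100.0/24, the protected 10.0.0.0/8 space, the role labels and the code name BLUEBIRD are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): "absolute negative" detection
# rules as awk patterns over a constructed key=value log. Field names, subnets,
# roles and the code name BLUEBIRD are assumptions.

# Constructed sample: one event per line. Lines 1, 3, 4 and 6 each violate a
# rule; lines 2 and 5 are normal activity that must not alert.
SAMPLE_LOG='2021-09-26T02:14:03 proto=ssh user=ceo src=10.1.5.20 dst=10.0.0.1 dst_role=network-device
2021-09-26T02:15:10 proto=ssh user=netadmin src=10.1.5.30 dst=10.0.0.1 dst_role=network-device
2021-09-26T02:16:44 proto=http src=10.9.3.7 src_role=camera dst=203.0.113.10 dst_role=company-web
2021-09-26T02:17:02 proto=tcp src=192.168.100.55 dst=10.20.0.8 dst_role=fileserver
2021-09-26T02:18:30 proto=smb user=alice src=10.1.5.40 dst=10.20.0.8 path=/shares/hr/handbook.pdf
2021-09-26T02:19:55 proto=smb user=bob src=10.1.5.41 dst=10.20.0.8 path=/shares/public/Bluebird-budget.xlsx'

# absolute_negatives: read log lines on stdin, print one ALERT line per match.
# Each rule describes something that should never happen, so any hit is worth a look.
absolute_negatives() {
  awk '
    # 1. Executives (or their assistants) never SSH to network gear.
    /user=(ceo|ceo-assistant) / && /dst_role=network-device/ { print "ALERT exec-ssh-netdev: " $0; next }
    # 2. The camera system has no reason to browse company websites.
    /src_role=camera/ && /dst_role=company-web/ { print "ALERT camera-web: " $0; next }
    # 3. Guest-network sources (192.168.100.0/24) must not reach protected 10.x hosts.
    /src=192\.168\.100\./ && /dst=10\./ { print "ALERT guest-on-protected: " $0; next }
    # 4. The code name BLUEBIRD should never appear in a shared-folder path.
    /path=/ && tolower($0) ~ /bluebird/ { print "ALERT codename-in-share: " $0; next }
  '
}

# count_alerts: number of alerts raised over the sample log.
count_alerts() {
  printf '%s\n' "$SAMPLE_LOG" | absolute_negatives | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | absolute_negatives
```

In practice the same awk program runs over exported SIEM or firewall logs instead of the embedded sample.
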
I'll stop this post with a warning. Employing non-standard solutions can also open up vulnerabilities. The key to successfully using uncommon controls is to keep it simple. Simple is not the same as stupid, just as sophisticated is not the same as complex.

Eventually I'll post "The 10 most effective security controls you should never forget!"... once I'm able to remember them myself.

Wednesday, October 16, 2019

NIST 800-171 Compliance - Yearly Checklist

Every once in a while you’ll need to bring in the big guns. This is one of those times. Company Management plays a key role in the yearly events.

  1. CEO, Compliance Officer, and OpsO: Conduct thorough risk assessment individually; then work together to update the risk matrix and plan implementations to mitigate or improve effectiveness of controls
  2. Compliance Officer: Conduct thorough security controls assessment with the new risk mitigation plan in consideration
  3. IT Team: Conduct a social engineering exercise to help increase employees' awareness of the risk behind many common actions, habits, and natural tendencies
  4. IT Team: Conduct technical vulnerability assessment and penetration test
  5. Compliance Officer: Review access records related to employees who were terminated within last 60 days
  6. CEO or Delegate: Conduct walk-through exercises for business continuity and disaster recovery plans and evaluate the effectiveness of the planned emergency response actions
  7. Compliance Officer: Update business continuity plan after walk-through exercises and send copies to key personnel
  8. IT Team: Conduct comprehensive physical inspection of each workstation
  9. IT Team: Update requirements in GPOs, browser settings, and firewalls to ensure acceptable cryptographic standards are met by default
  10. Office Manager: Check fire extinguishers for expiration and acceptable pressure gauge reading
  11. Office Manager: Update the list of authorized maintenance organizations and personnel
  12. IT Team: Review warranty and service coverage agreements for information systems
  13. Compliance Officer: Ensure that system Mean Time Between Failures (MTBF) timelines are covered by warranty or service coverage agreements
  14. Compliance Officer: Review information systems and data risk or security categorizations. Spot check whether related policies are in place, then update company policies
  15. Compliance Officer: Request feedback on updated policies from stakeholders and responsible individuals
  16. Compliance Officer: Conduct company-wide training on policies and procedures
  17. Compliance Officer: Document and review waivers, exemptions, or exceptions to the security program and the reason for the allowances.

NIST 800-171 Compliance - Quarterly Checklist

Just when you think you're safe, check again. Complacency kills.

Compliance Officer: Review annual training progress; schedule security training as necessary to ensure all employees meet the requirements.

  1. IT Team: Update organizational accounts list; change organization or service passwords and WiFi pre-shared keys that are older than 120 days
  2. IT Team: Review access records for drives and folders that contain CUI, PII, etc. for the last 90 days
  3. Compliance Officer or Delegate: Review access records related to employees who were hired within the last 60 days
  4. IT Team: Review access records and logs related to employees who were terminated within the last 60 days; ensure access records and logs older than 90 days are properly stored in long-term archives
  5. IT Team: Conduct automated vulnerability assessment on systems that process, store, or transmit sensitive information
  6. IT Team: Enforce the mandated disabling of admin accounts for 10%-25% of admin users for 3-7 consecutive days
  7. IT Team: Review software installed on all systems; remove blacklisted software (games, P2P, VPN, coin miners, etc.); ensure required software is installed and baseline configs are still in place
  8. Compliance Officer or Delegate: Review 25-50% of the security policies and note discrepancies or required changes; record the results of the review so the policies can be updated at the annual review or earlier if necessary
  9. IT Team: Restore a backup that was conducted within the last 30 days to test the full restoration process; measure the time it takes to return to full operation
  10. IT Team: Conduct test restoration of approved, randomly chosen essential systems; update the backup inventory listing location, type, coverage, and schedule
  11. Compliance Officer: Ensure that recovery and restoration actions meet Mean Time to Recovery (MTTR) objectives and that the objectives are reasonable
  12. Office Manager: Conduct power management test to ensure uninterruptible power supplies/systems function properly
  13. Office Manager: Identify hours that have the potential for high-risk activity on-site and review 10 hours of surveillance recordings at 5x speed or less
  14. IT Team: Update network diagram
  15. IT Team: Physically check 10% of systems for unapproved peripherals or suspicious devices connected to computers
  16. IT Team: Review GPO settings for passwords:
    1. IT / Admin users OU to 60 days
    2. Domain User OU to 90 days
    3. Service Accounts OU to 120-365 days
  17. IT Team: Update common password list; conduct password hash reviews to ensure these passwords are not used
  18. IT Provider, Compliance Officer & OpsO: Review user permissions and roles; ensure they match current job function requirements
  19. IT Team: Remove temporary or shared accounts that are no longer needed
  20. IT Team: Verify that technical security controls are functioning: visit the EICAR website, attempt to log in to applications using guessed credentials, and modify test files on the audited file servers to ensure that audit records are accurate; make sure logs for all tracked events are aggregated (SIEM) and processed appropriately
  21. Compliance Officer: Review SIEM tool reports and evaluate effectiveness of the IT Provider actions
  22. Operations Officer: Verify the credentials, skills, and references for training and certification claims
  23. Office Manager: Review list of authorized users with physical access to the facility. Review access logs and ensure that only authorized personnel have access to the facility and secure areas
  24. Data Protection Officer: Review shared documents, company communications, and public announcements to ensure privacy laws are followed
  25. Compliance Officer: Delete and clean up sensitive or confidential files to ensure only required documents are stored and reduce the footprint of classified documents

NIST 800-171 Compliance - Monthly Checklist

The list below states who and what. It's partially up to you to determine the final thresholds and timelines. Generally, doing less but more consistently and more thoroughly is better than inconsistent or incomplete. Do what you can, do it well, and stay the course.

  1. IT Team: Review employees with Admin Privileges
  2. IT Team: Review access rights for all users with elevated privileges
  3. IT Team: Review access records related to users with elevated rights; ensure actions taken are approved and appropriate
  4. IT Team: Review access records related to employees who were hired within 60 days
  5. IT Team: Compare the list of employees terminated during the last 60 days with a list of current active accounts. Disable any user accounts for terminated employees. Also review the list of all system accounts
  6. IT Team: Review access records related to employees who were terminated within 60 days
  7. IT Team: Review overall access records and events for drives containing CUI; ensure logging is functioning as expected and that all user actions on CUI are being tracked and documented
  8. IT Team: Conduct scan of local network for unknown devices
  9. IT Team: Ensure necessary updates are completed for all systems that process, store, or transmit CUI
  10. Compliance Officer: Conduct inventory of hard-copy documents with CUI and compare with previous month's checks to ensure all document copies are destroyed, stored, or delivered appropriately
  11. IT Team: Sample 10% of systems to ensure backup or alternative systems function properly
  12. IT Team: Sample 10% of systems to ensure change management policies are valid, that processes are being followed, results of changes are measured, and documentation is complete
  13. Compliance Officer: Review 75 random hours of surveillance footage at high speed to ensure that it is functioning as expected during appropriate hours
  14. IT Team: Review cryptographic connection requirements in GPO, browser settings, and firewall to ensure acceptable standards are met on a sample of 10% of systems
  15. IT Team: Check hard drive encryption
  16. Office Manager: Inventory all media containing sensitive or confidential data that is not encrypted; document the reasons for not encrypting it; determine if stronger protections are available and applicable for each item
  17. Compliance Officer: Review files stored in shared drives for sensitive or confidential files
  18. Compliance Officer: Physically inspect secure areas to ensure locks and protections are in good working order
  19. Compliance Officer: Review all NDAs, ensure they are current, and update as necessary
  20. IT Team: Bundle all auto-generated Antivirus Report tickets for the previous month into the compliance check ticket
  21. IT Team: Verify Group Policy ("gpresult" output) on 10% of total workstations; this output should be reported by scripts that run automatically on each workstation. Just review the script output and make sure it's accurate, appropriate, and consistent
  22. IT Team: Verify Flash is set to "Click to play" on 10% of total workstations
  23. Compliance Officer: Send email reminder to employees regarding their job-related maintenance of required skills and qualifications
  24. Office Manager: Inventory all plain text media containing sensitive or confidential data with reasons for using lower standards; determine if stronger protections are available and applicable for each piece of media
  25. IT Team: Review a sample of 10% of tickets related to servers, firewall, or network architecture. Ensure a rollback strategy is being documented in each ticket and that a second individual is reviewing the effectiveness of the changes implemented.