Beyond the Defaults: Building a Custom Compliance Benchmark in VMware Aria Operations

One of the most powerful features in VMware Aria Operations 8.18.x is the ability to break free from pre-defined compliance standards.

While the out-of-the-box benchmarks for vSphere, vSAN, NSX and VMware Cloud Foundation (VCF) are excellent, they are often “all-or-nothing.” You might find yourself in a situation where:

  1. You want to combine vSphere, vSAN, NSX and VCF rules into one view.
  2. Crucially: You need to modify a specific rule (e.g., the vSphere Security Guide says “Disable SSH,” but your environment requires SSH).

If you just use the default rules, you will be stuck with a permanent “Red” score for a setting you intentionally configured.

In this post, I’ll walk you through the advanced workflow: Modifying specific Compliance Alerts to remove unwanted symptoms, and then combining them into a User-Defined Custom Benchmark.

The Workflow

To achieve this, we cannot just use the Benchmark wizard immediately. We must follow a two-phase process:

  1. Phase 1: Clone and Edit the specific Alert Definitions to match your internal standards.
  2. Phase 2: Create the Custom Benchmark using your new “tuned” alerts.

Phase 1: Customizing the Alert Definitions

Before we build the benchmark, we need to create the specific rules we want to track. In Aria Operations, a Compliance Rule is just an Alert Definition made up of Symptoms.

1. Locate the Source Alert

  • Navigate to Configure > Alerts > Alert Definitions.
  • Filter by Alert Subtype: Compliance.
  • Search for the Alert Definition you want to modify (e.g., search by object, or filter on Defined by: Compliance standard).
  • Select the specific Alert Definition you want to tweak (e.g., “ESXi Host is violating the vSphere Security Configuration Guide”).

2. Clone and Edit

  • Do not edit the default. It is best practice to clone it so updates don’t overwrite your work.
  • Click the Clone button (three dots menu).
  • Name: Give it a clear name (e.g., “Custom – ESXi Compliance (SSH Allowed)”). Using a standard prefix for every cloned alert you create makes them easy to find in the later steps.

3. Modify the Symptoms (The Magic Step)

  • In the drag-and-drop canvas, you will see the list of Symptoms that trigger this alert. These represent the individual checks (e.g., “Shell Timeout,” “Secure Boot,” “SSH Service”).
  • To Remove a Check: If you don’t care about a specific setting (e.g., you allow SSH), simply click the X on that Symptom to remove it from the canvas.
  • To Change a Threshold: If a symptom checks for a value (e.g., “Password complexity = 10”) and you want to change it to “8”, you must go to the Symptoms tab, clone that specific symptom, edit the value, and drag your new symptom into this Alert Definition.

4. Save

  • Click Save. You now have a custom compliance rule that reflects your reality.

Repeat the above steps for every Compliance alert definition you want to use but need to tweak. You will end up with multiple Compliance Alert Definitions carrying your own prefix (“Custom – xxx”).

Phase 2: Creating the Unified Benchmark

Now that we have our custom rules ready, we can build the custom Compliance scorecard.

1. Start the Wizard

  • Navigate to Operations > Compliance.
  • Scroll down to the Custom Benchmarks section.
  • Click Add Custom Compliance.

2. Define the Benchmark

  • Select Create a New Custom Benchmark.
  • Name: e.g., “Production – Tailored Security Standards”.
  • Description: “Mixed compliance for vSphere, vSAN, NSX and VCF with custom exclusions.”
  • Click Next.

3. The “Mix-and-Match” Selection

Here is where we select our custom work alongside standard rules (if required).

  • Add your Custom Rules: Manually select the custom alerts created in Phase 1 (e.g., “Custom – ESXi Compliance”). You can click the “Name” column header to sort the alerts by name; this is where the prefix you set for the custom alerts in Phase 1 comes in handy.
  • Add Standard Rules: You can also mix in standard out-of-the-box rules as needed. For example, search for the vSAN, NSX and VMware Cloud Foundation types and select the required standard alerts.
  • You now have a list containing both your modified Compliance rules and standard vSphere/vSAN/NSX/VCF rules.

4. Apply to Policies

  • Select the Policy used by your environment (usually “vSphere Solution’s Default Policy”).
  • Crucial: Ensure the policy also has your new Custom Alert Definition (from Phase 1) enabled. If the Alert Definition is disabled in the policy, the benchmark cannot trigger it.
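As an added example (not part of the original post, and not VMware's Suite API), here is a small Python script that models the Phase 1 clone-and-edit logic (prefix the clone, drop an unwanted check, clone a symptom with a new threshold) together with the Phase 2 policy check above. The JSON shape, its field names and the `Custom - ` prefix are assumptions standing in for an exported alert definition.

```python
import copy

# Constructed sample: a simplified stand-in for an exported compliance Alert
# Definition. Field names are assumptions, not the Suite API's exact schema.
SOURCE_ALERT = {
    "id": "alert-esxi-scg",
    "name": "ESXi Host is violating the vSphere Security Configuration Guide",
    "subType": "Compliance",
    "symptoms": [
        {"id": "sym-ssh", "name": "SSH Service", "condition": "running"},
        {"id": "sym-shell-timeout", "name": "Shell Timeout", "condition": "< 600"},
        {"id": "sym-pwd", "name": "Password complexity", "threshold": 10},
    ],
}

# Assumed naming convention for everything cloned in Phase 1.
PREFIX = "Custom - "


def clone_alert(alert, drop_symptoms=(), new_thresholds=None, suffix=""):
    """Return a cloned definition with a prefixed name, the listed checks
    removed, and thresholds replaced by cloned symptoms; the source alert
    is left untouched so product updates cannot overwrite the custom work."""
    new_thresholds = new_thresholds or {}
    clone = copy.deepcopy(alert)
    clone["id"] = None  # the server assigns a fresh id on create
    clone["name"] = f"{PREFIX}{alert['name']}{suffix}"
    kept = []
    for sym in clone["symptoms"]:
        if sym["name"] in drop_symptoms:
            continue  # "click the X": the check disappears from this rule only
        if sym["name"] in new_thresholds:
            # Clone the symptom instead of editing the default one in place.
            sym = {**sym, "id": f"{sym['id']}-custom",
                   "name": f"{PREFIX}{sym['name']}",
                   "threshold": new_thresholds[sym["name"]]}
        kept.append(sym)
    clone["symptoms"] = kept
    return clone


def disabled_in_policy(benchmark_alert_ids, policy_enabled_ids):
    """Phase 2 check: alert ids in the benchmark that the selected policy
    has disabled, i.e. rules the benchmark can never trigger."""
    return sorted(set(benchmark_alert_ids) - set(policy_enabled_ids))
```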

5. Finish and Validate

  • Click Finish.
  • Go to Operations > Compliance, find your new card, and open the Scorecard.

Why This Approach is Better

By cloning and editing the specific Alert Definitions first, you eliminate “False Positives.”

Instead of explaining to your auditor, “Oh, ignore that red badge, we allow SSH here,” your dashboard will actually show Green because you updated the rule to match your policy. This moves you from “Compliance Reporting” to “True Operational Compliance.”
