vSphere Security Hardening Report Script 5.1

    Table of Contents

    • Author

    • Description

    • Category

    • Features

    • Requirements

    • Version Support

    • Configurations

    • Sample Execution

    • Sample Output

    • Change Log

     

    Author

    William Lam

     

    Description

     

    The script is currently based on the following revisions of the vSphere 4.x/5.x Security Hardening Guide:

    vSphere 4.0 Security Hardening Guide (06/17/2010)

    vSphere 4.1 Security Hardening Guide Draft (04/05/2011)

    vSphere 5.0 Security Hardening Guide Draft (04/18/12)

    vSphere 5.1 Security Hardening Guide Draft (02/11/13)

     

     

    • Introduction

    • Virtual Machines

    • Host

    • vNetwork

    • vCenter

    • Console OS (for ESX only)

     

    While going through the COS/Host and VM documentation, I noticed that quite a few checks could benefit from a script to validate the guidelines, and that was the motivation for this script. Not all sections can be validated using the vSphere APIs; some require manual validation, so each result is separated into one of three types: fail, pass or manual (which requires user intervention).

     

    The script allows you to run a subset of the checks against a chosen check level (ENTERPRISE, DMZ or SSLF for vSphere 4.x, or PROFILE1, PROFILE2, PROFILE3 for vSphere 5.x). Upon completion, a report is generated including a grade for your environment.
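    The pass/fail/manual split and the letter grade described above, as an added Python example (the script itself is Perl, and this is not its code). The check IDs, expected values, level mapping and grade cutoffs are assumptions for illustration; the .vmx key names are settings the Hardening Guide covers.

```python
# Added example (Python), not the Perl script this page describes: classify each
# .vmx guideline as PASS, FAIL or MANUAL and roll the results into a letter grade.
# Check IDs, expected values, level mapping and grade cutoffs are assumptions;
# the .vmx key names are settings the Hardening Guide uses.

# (check_id, vmx_key or None for a manual check, expected value, applicable levels)
GUIDELINES = [
    ("VM-EX-01", "isolation.tools.copy.disable", "TRUE", {"enterprise", "dmz", "sslf"}),
    ("VM-EX-02", "isolation.tools.paste.disable", "TRUE", {"enterprise", "dmz", "sslf"}),
    ("VM-EX-03", "isolation.device.connectable.disable", "TRUE", {"dmz", "sslf"}),
    ("VM-EX-04", "RemoteDisplay.maxConnections", "1", {"sslf"}),
    ("VM-EX-05", None, "", {"enterprise", "dmz", "sslf"}),  # needs a human to review
]

def check_vm(vmx, level):
    """Check one VM's advanced settings (dict key -> value) against a level; returns {id: (status, detail)}."""
    results = {}
    for check_id, key, expected, levels in GUIDELINES:
        if level not in levels:
            continue  # only apply a check when it applies to the chosen level
        if key is None:
            results[check_id] = ("MANUAL", "requires user validation")
            continue
        actual = vmx.get(key)
        if actual is None:
            results[check_id] = ("FAIL", f"{key} is missing")
        elif actual.strip().lower() == expected.lower():
            results[check_id] = ("PASS", f"{key}={actual}")
        else:
            results[check_id] = ("FAIL", f"{key}={actual}, expected {expected}")
    return results

def letter_grade(results):
    """Share of automated checks that passed, on a straight US-style scale (no curve);
    MANUAL items are left out of the denominator."""
    graded = [status for status, _ in results.values() if status != "MANUAL"]
    if not graded:
        return "N/A", 0.0
    pct = 100.0 * graded.count("PASS") / len(graded)
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if pct >= cutoff:
            return letter, pct
    return "F", pct

# Constructed sample .vmx settings (copy disabled, paste still enabled, device setting absent)
SAMPLE_VMX = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "FALSE",
    "RemoteDisplay.maxConnections": "1",
}
```

    Running check_vm(SAMPLE_VMX, "sslf") and passing the result to letter_grade gives two passes, two fails and one manual item, which grades as an F.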

     

    Category

    • Reporting, Auditing

     

    Features

    • Email report

    • Ability to execute subset of the checks (COS,HOST,VCENTER,VNETWORK,VM)

    • Ability to execute a specific test suite (ENTERPRISE,DMZ,SSLF or PROFILE1,PROFILE2,PROFILE3)

    • Detailed HTML summary report with letter grade

    • Output in both HTML and CSV

     

    Requirements

     

    Version Support

    • Supports ESX(i) 4.x/5.x (licensed version only)

    • Supports vCenter 4.x/5.x

     

    Issues/Feature Request

    Please join the vSphereSecurityHardening Group to post comments/discussions

    Usage

    vi-admin@scofield:~> ./vmwarevSphereSecurityHardeningReportCheck.pl 
    Required command option 'recommend_check_level' not specified.
    
    Synopsis: ./vmwarevSphereSecurityHardeningReportCheck.pl OPTIONS 
    
    
    Command-specific options:
       --cos (default '0')
          Run COS report
       --csv (default 'no')
          Output report into CSV as well [yes|no] (Default: no)
       --host (default '0')
          Run Host report
       --recommend_check_level (required)
          Recommendation check_level to check against [enterprise|dmz|sslf] for vSphere 4.x and [profile3,profile2,profile1] for vSphere 5.x
       --reportname (default 'vmwarevSphereSecurityHardeningReport.html')
          Name of the report to email out
       --runall (default '1')
          Run all harden reports [COS|HOST|VCENTER|VNETWORK|VM]
       --vcenter (default '0')
          Run vCenter report
       --vm (default '0')
          Run VM report
       --vnetwork (default '0')
          Run vNetwork report
    
    Common VI options: 
       --config (variable VI_CONFIG)
          Location of the VI Perl configuration file
       --credstore (variable VI_CREDSTORE)
          Name of the credential store file defaults to <HOME>/.vmware/credstore/vicredentials.xml on Linux and <APPDATA>/VMware/credstore/vicredentials.xml on Windows
       --encoding (variable VI_ENCODING, default 'utf8')
          Encoding: utf8, cp936 (Simplified Chinese), iso-8859-1 (German), shiftjis (Japanese)
       --help
          Display usage information for the script
       --passthroughauth (variable VI_PASSTHROUGHAUTH)
          Attempt to use pass-through authentication
       --passthroughauthpackage (variable VI_PASSTHROUGHAUTHPACKAGE, default 'Negotiate')
          Pass-through authentication negotiation package
       --password (variable VI_PASSWORD)
          Password
       --portnumber (variable VI_PORTNUMBER)
          Port used to connect to server
       --protocol (variable VI_PROTOCOL, default 'https')
          Protocol used to connect to server
       --savesessionfile (variable VI_SAVESESSIONFILE)
          File to save session ID/cookie to utilize
       --server (variable VI_SERVER, default 'localhost')
          VI server to connect to. Required if url is not present
       --servicepath (variable VI_SERVICEPATH, default '/sdk/webService')
          Service path used to connect to server
       --sessionfile (variable VI_SESSIONFILE)
          File containing session ID/cookie to utilize
       --url (variable VI_URL)
          VI SDK URL to connect to. Required if server is not present
       --username (variable VI_USERNAME)
          Username
       --verbose (variable VI_VERBOSE)
          Display additional debugging information
       --version
          Display version information for the script

     

     

    Email Report

    The script has the capability to email an HTML report of the results upon completion; you'll need to fill out the following variables within the script:

     

    #################
    # EMAIL CONF
    #################
    
    my $SEND_MAIL = "no";                                    # set to "yes" to email the report on completion
    my $EMAIL_HOST = "mail.primp-industries.com";            # SMTP host used to send the report
    my $EMAIL_DOMAIN = "primp-industries.com";               # domain used in the SMTP HELO/EHLO
    my $EMAIL_TO = 'William Lam <william@primp-industries.com>';   # recipient of the report
    my $EMAIL_FROM = 'vMA <vMA@primp-industries.com>';             # sender address
    
    

     

     

    1. Download vmwarevSphereSecurityHardeningReportCheck.pl and upload to your vMA 4.x/5.x host

     

    2. Give the script execute permission:

     

     [vi-admin@scofield skunkworks]$ chmod +x vmwarevSphereSecurityHardeningReportCheck.pl

     

     

    Sample Execution

    By default all checks (COS,HOST,VCENTER,VNETWORK,VM) are executed, assuming they're valid for the host type. The only required parameter is the check level you would like to validate against, specified with --recommend_check_level and chosen from (enterprise, dmz or sslf) for vSphere 4.x and (profile1, profile2 or profile3) for vSphere 5.x.

     

    e.g. Run only the COS and VM reports using SSLF requirements

    ./vmwarevSphereSecurityHardeningReportCheck.pl --server [SERVER] --username [USERNAME] --recommend_check_level sslf --cos 1 --vm 1

     

     

    Here is a sample execution against our personal development environment, let's see if it's ready for the Enterprise:

     

    [vi-admin@scofield harden]$ ./vmwarevSphereSecurityHardeningReportCheck.pl --server [SERVER] --username [USERNAME] --recommend_check_level enterprise
    Generating VMware vSphere Security Hardening Report (ENTERPRISE) "vmwarevSphereSecurityHardeningReport.html" ...
    
    Start Time: 01-29-2010 20:39:48
    End   Time: 01-29-2010 20:40:14
    Duration  : 26 Seconds
    
    

     

     

    Sample Output

    Here are the results (you be the judge):

     

    vmwarevSphereSecurityHardeningReport-SAMPLE.html

     

    The grading scale was based on the US and I don't grade on a curve

     

    Change Log

     

    ##########################################################################

     

    03-23-13 - v5.1

     

    Enhancements:

    • Updated script to support vSphere 5.1 + additional checks within 5.1

     

    ##########################################################################

     

    04-23-12 - v5.0

     

    Enhancements:

    • Updated script to support vSphere 5.x
    • Added SSL expiry check for both vCenter Server + ESXi hosts (not included in the Hardening Guide)

     

    ##########################################################################

     

    01-08-12 - v2.0

     

    Fixes:

    • Fixed MOB/Intro Page checks for ESX(i) host

     

    ##########################################################################

     

    04-18-11 - v1.8

     

    Fixes:

    • Updated VUM check using extensions versus port check

     

    ##########################################################################

     

    04-07-11 - v1.7

     

    Enhancements:

    • Reports sent via email are attachments now instead of raw output
    • Support for CSV output by using --csv option

     

    ##########################################################################

     

    04-05-11 - v1.6

     

    Enhancements:

    • Updated report based on the latest official release of vSphere Security Hardening Guide 4.1 (04/05/2011)
    • Updated to include HCM06 (NFC)
    • Updated minor parameter check display names

     

    ##########################################################################

     

    01-22-11 - v1.5

     

    Enhancements:

    • Updated report based on the latest _draft_ version of vSphere Security Hardening Guide 4.1 (01/20/2011)
    • Enhanced checks based on hypervisor types (only apply check if applicable)
    • Enhanced Service End Point checks (/,/ui,/mob)

     

    ##########################################################################

     

    12-27-10 - v1.0

     

    Enhancements:

    • Updated report based on the latest version of vSphere Security Hardening Guide 4.0 (06/17/2010)
    • Support for vSphere 4.1
    • Added jump tags at top of report for easy navigation
    • Resolved some of the WIP (work in progress) tasks
    • Updated .vmx parameter checks to properly log entries that are missing and/or configured incorrectly
    • Updated VM report to display parameters being checked if applicable for ease of reading

     

    Fixes:

    • Resolved ESX(i) HTTP get issues


    ##########################################################################

     

    01-29-10 - v0.2

     

    Initial release based on vSphere Security Hardening Guide 4.0 Beta