Automating Hardening of ESXi Hosts


Synopsis: Hardening of ESXi hosts as per the hardening guide.


Prerequisites:

ESXi 5.x

PowerCLI 5.x

plink (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

Most of the hardening points used in my environment are covered in the script below.

Any suggestions or modifications are encouraged, as I am a beginner in writing scripts.

$root = "root"
$Passwd = "dontaskme"                     # placeholder: supply at run time rather than storing it in the script
$newserv = @("10.xx.xx.xx")               # one or more ESXi host addresses

Write-Host -Object "fetching content to execute using ssh"
$content = 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\content.txt'   # shell commands run by plink -m

foreach ($esxiHost in $newserv) {
    Connect-VIServer $esxiHost -User $root -Password $Passwd

    Write-Host -Object "starting ssh services on $esxiHost"
    $sshstatus = Get-VMHostService -VMHost $esxiHost | where {$psitem.key -eq "tsm-ssh"}
    $sshWasRunning = $sshstatus.Running
    if ($sshWasRunning -eq $False) {
        # start only this host's service (the original piped Get-VMHostService without -VMHost)
        $sshstatus | Start-VMHostService
    }

    #Hardening Esxi Host using remote ssh
    # the piped "y" answers plink's host-key prompt; cache the host key beforehand to avoid accepting it blindly
    Write-Host -Object "Hardening $esxiHost"
    Write-Output "y" | & 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\plink.exe' -ssh "root@$esxiHost" -P 22 -pw $Passwd -m $content

    # put SSH back the way it was found; the hardening guide expects it disabled
    if ($sshWasRunning -eq $False) {
        Get-VMHostService -VMHost $esxiHost | where {$psitem.key -eq "tsm-ssh"} | Stop-VMHostService -Confirm:$False
    }

    #Configuring SysLog
    Write-Host -Object "Configuring SysLog on $esxiHost"
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.defaultSize | Set-AdvancedSetting -Value 1024 -Confirm:$False
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.logDir | Set-AdvancedSetting -Value '[] /folder/log' -Confirm:$False
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.logHost | Set-AdvancedSetting -Value 'udp://10.xx.xx.xx:514' -Confirm:$False
    Get-VMHostFirewallException -VMHost $esxiHost -Name "syslog" | Set-VMHostFirewallException -Enabled $true -Confirm:$false

    #Configuring NTP Server
    Write-Host -Object "Configuring NTP on $esxiHost"
    Add-VMHostNtpServer -VMHost $esxiHost -NtpServer 10.16.1.62
    Get-VMHostFirewallException -VMHost $esxiHost | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true

    #Start NTP client service and set to automatic
    Get-VMHostService -VMHost $esxiHost | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService | Set-VMHostService -Policy "automatic"

    #Configuring Security Policy on Vswitch
    Write-Host "Configuring Security Policy on $esxiHost"
    Get-VirtualSwitch -Standard -VMHost $esxiHost | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false

    #Configuring EsxiShellTimeOut (seconds)
    Write-Host "Configuring EsxiShellTimeOut on $esxiHost"
    Get-AdvancedSetting -Entity $esxiHost -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False

    Disconnect-VIServer -Server $esxiHost -Confirm:$False
}
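As an added example (not code from the original post), the following is a read-only check of the controls the script above sets. It returns one object per control so the result can be filtered for drift or turned into an HTML table with ConvertTo-Html. It assumes an open Connect-VIServer session; the host address, the expected values and the report path are placeholders for this environment.

```powershell
# Added example, not the original post's script: audit the controls set above.
# Assumes an existing Connect-VIServer session; the Expected* defaults and the
# report path are assumed values for this environment.
function Test-EsxiHardening {
    param(
        [Parameter(Mandatory)] [string] $VMHost,
        [string] $ExpectedLogHost = 'udp://10.xx.xx.xx:514',
        [string] $ExpectedNtp     = '10.16.1.62',
        [int]    $ExpectedShellTimeout = 600
    )
    $esx = Get-VMHost -Name $VMHost

    # One row per control; Compliant is a plain boolean so rows can be filtered.
    function New-Row($Control, $Expected, $Actual) {
        [pscustomobject]@{
            Host      = $esx.Name
            Control   = $Control
            Expected  = $Expected
            Actual    = $Actual
            Compliant = ("$Actual" -eq "$Expected")
        }
    }

    $services = Get-VMHostService -VMHost $esx
    New-Row 'tsm-ssh running' $false ($services | Where-Object { $_.Key -eq 'tsm-ssh' }).Running
    New-Row 'ntpd running'    $true  ($services | Where-Object { $_.Key -eq 'ntpd' }).Running
    New-Row 'NTP server' $ExpectedNtp ((Get-VMHostNtpServer -VMHost $esx) -join ',')

    $logHost = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost').Value
    New-Row 'Syslog.global.logHost' $ExpectedLogHost $logHost

    $timeout = (Get-AdvancedSetting -Entity $esx -Name 'UserVars.ESXiShellTimeOut').Value
    New-Row 'UserVars.ESXiShellTimeOut' $ExpectedShellTimeout $timeout

    # Standard vSwitch security policy: each switch must reject all three.
    foreach ($vsw in Get-VirtualSwitch -VMHost $esx -Standard) {
        $pol = Get-SecurityPolicy -VirtualSwitch $vsw
        New-Row "vSwitch $($vsw.Name) AllowPromiscuous" $false $pol.AllowPromiscuous
        New-Row "vSwitch $($vsw.Name) ForgedTransmits"  $false $pol.ForgedTransmits
        New-Row "vSwitch $($vsw.Name) MacChanges"       $false $pol.MacChanges
    }
}

# Table on screen, non-compliant rows only, and the same rows as an HTML report (path is an assumption).
$report = Test-EsxiHardening -VMHost '10.xx.xx.xx'
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$report | ConvertTo-Html -Title 'ESXi hardening report' | Out-File 'C:\temp\hardening.html'
```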



Comments

Hi vineeth‌,

good Script!

It seems that we had the same intention:

Script - ESXi Hardening mit PowerCLI - my cloud-(r)evolution

Kind Regards,

Markus

That's nice to hear :)

Thank you very much for this script.

I have created almost the same script to do ESXi hardening with minimal knowledge of PowerShell.

Can you please help me to get the output in HTML format? Like:

Hardening control name    Value
SSH                       Disabled

Version history
Revision #: 1 of 1
Last update: 10-07-2015 08:05 AM