VMware Cloud Community
Pilu1978
Enthusiast

VMware Compliance check

Hi,

Recently I have come across the VMware Compliance Checker tool and want to collect the same information for each ESX and ESXi host in my environment using a PowerCLI script. I have attached one such report for more information.

Please help.

13 Replies
LucD
Leadership

I assume you mean this Compliance Checker?

If yes, the checks are based on the VMware vSphere Hardening Guidelines

Alan and William have a blog post on how to discover and correct breaches of these Security Guidelines for VMs.

See Automatically Securing Virtual Machines Using a vCenter Alarm.

Are there any specific hardening guidelines you want to detect?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Pilu1978
Enthusiast

Hi LucD,

Thanks for your reply.

We have already gone through the hardening guidelines and decided to check the items mentioned in the attached text file.

Is it possible to check these items through PowerCLI and create a report for all my ESXi hosts?

LucD
Leadership

It is possible to check all the items in your list through PowerCLI.

Most of the items in that list were already handled in this community.

Which of the guidelines gives you the most problems at the moment?



Pilu1978
Enthusiast

Hi LucD,

Yes, I agree with you that most of the items are handled in this community, but I have some specific questions, like:

1. When I check an ESXi host for the "CON01 - Ensure that ESX firewall is configured to high security" item, what things should the script check?

2. When I check "HLG03 - Configure NTP time synchronization", does it mean that if NTP is configured on the ESXi host then this item is green for that host?

3. When I check "NCN10 - Ensure that port groups are configured with a clear network label", does it mean that if the port groups have a label then it is green, etc.?

So my confusion is: when the script checks the items mentioned in the text file, what should it check under each item to declare it green or red for each host?

So I need your guidance to achieve this.

LucD
Leadership

The Compliance Checker uses the rules from the v4 Hardening Guide.

For several of the guidelines it depends what exactly you want to check in your environment.

For example, guideline NCN03 states that you should control who has access to the port group configuration.

In the following example script I just list the principals that have Admin access to the regular port groups. But you could also check whether these principals are only the ones in a list of groups and/or users you define.

Get-VMHost |
Select Name,
  @{N="CON01";E={
      # Default firewall policy must block both directions; "nok" if either is allowed
      if(Get-VMHostFirewallDefaultPolicy -VMHost $_ |
         where {$_.IncomingEnabled -or $_.OutgoingEnabled}){"nok"}else{"ok"}}},
  @{N="HLG03";E={
      # At least one NTP server configured and the ntpd service currently running
      if((Get-VMHostNtpServer -VMHost $_) -and
         (Get-VMHostService -VMHost $_ | where {$_.Key -eq "ntpd"} | Select -ExpandProperty Running)){"ok"}else{"nok"}}},
  @{N="NCN03";E={
      # Principals holding the Admin role on this host's standard (non-distributed) port groups
      [string]::Join(',',(Get-VirtualPortGroup -VMHost $_ -Distributed:$false | Get-VIPermission |
         where {$_.Role -eq "Admin"} | Select -ExpandProperty Principal))}} | fl

Most of the guidelines are quite easy to check with PowerCLI, you just need to find where the information can be retrieved and in which format you want to display the result.



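The per-host report that LucD describes above, written out as an added example (this is not code from the thread or from the Compliance Checker): a table of rules, each a scriptblock that returns $true or $false for one host, evaluated by a single function and exported to CSV. The HLG03 rule additionally requires the ntpd startup policy to be "on", the NCN10 rule fails any standard port group with an empty label, and the NCN03 rule compares the Admin-role principals on standard port groups against an allow list, as LucD suggests. The vCenter name vcenter.example.com and the principals in $allowedPortGroupAdmins are assumptions to be replaced with your own.

```powershell
# Added example, not code from the thread. Each rule is a name plus a scriptblock
# that receives one VMHost object and returns $true (green) or $false (red).
# Decide per guideline what "compliant" means in your environment and encode it here.

# Assumption: principals allowed to hold the Admin role on standard port groups.
$allowedPortGroupAdmins = @('VSPHERE.LOCAL\Administrator', 'DOMAIN\vSphere-Admins')

$rules = @(
    @{
        Name = 'HLG03'   # Configure NTP time synchronization
        Test = {
            param($vmhost)
            $servers = @(Get-VMHostNtpServer -VMHost $vmhost)
            $ntpd    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
            # Green only if a server is configured, ntpd is running now, and its
            # startup policy keeps it running after a reboot.
            ($servers.Count -gt 0) -and $ntpd.Running -and ($ntpd.Policy -eq 'on')
        }
    },
    @{
        Name = 'NCN10'   # Port groups are configured with a clear network label
        Test = {
            param($vmhost)
            $unlabelled = Get-VirtualPortGroup -VMHost $vmhost -Distributed:$false |
                Where-Object { -not $_.Name -or $_.Name.Trim() -eq '' }
            -not $unlabelled
        }
    },
    @{
        Name = 'NCN03'   # Control access to the port group configuration
        Test = {
            param($vmhost)
            # Same query as LucD's script, but compared against the allow list
            # instead of only being listed.
            $admins = Get-VirtualPortGroup -VMHost $vmhost -Distributed:$false |
                Get-VIPermission |
                Where-Object { $_.Role -eq 'Admin' } |
                Select-Object -ExpandProperty Principal -Unique
            $unexpected = $admins | Where-Object { $allowedPortGroupAdmins -notcontains $_ }
            -not $unexpected
        }
    }
)

function Test-HostCompliance {
    param(
        [Parameter(Mandatory = $true)] $VMHost,
        [Parameter(Mandatory = $true)] [array] $Rules
    )
    $row = New-Object PSObject -Property @{ Host = $VMHost.Name }
    foreach ($rule in $Rules) {
        try {
            $status = if ([bool](& $rule.Test $VMHost)) { 'ok' } else { 'nok' }
        } catch {
            # A query that fails must show up as an error, never as a silent "ok".
            $status = "error: $($_.Exception.Message)"
        }
        $row | Add-Member -MemberType NoteProperty -Name $rule.Name -Value $status
    }
    $row
}

# Usage: one row per host, one column per rule, written out for the report.
Connect-VIServer -Server vcenter.example.com    # assumption: your vCenter
Get-VMHost | ForEach-Object { Test-HostCompliance -VMHost $_ -Rules $rules } |
    Export-Csv -Path .\hardening-report.csv -NoTypeInformation -UseCulture
```

Keeping each guideline as a small scriptblock means the decision of what counts as green lives in one place per rule, and a rule whose query throws is reported as an error column rather than being mistaken for a pass.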
Pilu1978
Enthusiast

Hi LuCD,

Thanks for the script.

I think Get-VMHostFirewallDefaultPolicy will not run, as all of them are ESXi 4.1 hosts. Hence I need to think differently for the CON01 item.

LucD
Leadership

Try it like this if you're on ESX(i) 4.*

Get-VMHost |
Select Name,
  @{N="CON01";E={
      # Read the firewall default policy through the FirewallSystem managed object (ESX(i) 4.*)
      $fw = Get-View $_.ExtensionData.configManager.firewallSystem
      if($fw.firewallInfo.defaultPolicy.incomingBlocked -and
         $fw.firewallInfo.defaultPolicy.outgoingBlocked){"ok"}else{"nok"}}},
  @{N="HLG03";E={
      # At least one NTP server configured and the ntpd service currently running
      if((Get-VMHostNtpServer -VMHost $_) -and
         (Get-VMHostService -VMHost $_ | where {$_.Key -eq "ntpd"} | Select -ExpandProperty Running)){"ok"}else{"nok"}}},
  @{N="NCN03";E={
      # Principals holding the Admin role on this host's standard (non-distributed) port groups
      [string]::Join(',',(Get-VirtualPortGroup -VMHost $_ -Distributed:$false | Get-VIPermission |
         where {$_.Role -eq "Admin"} | Select -ExpandProperty Principal))}} | fl



Pilu1978
Enthusiast

Hi LucD,

I am getting the following error when running the code for the CON01 item:

Get-View: Cannot validate argument on parameter 'VIObject'. The argument is null or empty. Supply an argument that is not null or empty and then run the command again.

LucD
Leadership

Which PowerCLI version are you using?

Do a

Get-PowerCLIVersion



Pilu1978
Enthusiast

I am using the following PowerCLI version:

5.0.1 Build 581491

LucD
Leadership

Strange, that's the latest build.

Try adding the Id parameter on that line

$fw = Get-View -Id $_.ExtensionData.configManager.firewallSystem

I'm afraid I don't have any ESX(i) 4.* left to test.



RvdNieuwendijk
Leadership

I have tried:

Get-VMHost | Select Name,@{N="FirewallSystem";E={$_.ExtensionData.configManager.FirewallSystem}}


All our vSphere 4.1 hosts return nothing for the FirewallSystem.

From KB Troubleshooting the firewall policy on an ESX host:

ESXi 4.0/ESXi 4.1 does not include a firewall because it runs a limited set of well-known services and prevents the addition of further services.

We only use ESXi 4.1 U2. That will be the reason that the FirewallSystem is empty.


Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
LucD
Leadership

It seems ESXi 4.1 didn't have a built-in firewall, only ESX 4.x did.



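As an added example (not code from the thread), a CON01 check that handles the case the thread ended on: on ESXi 4.x the host's ConfigManager.FirewallSystem reference is null, so the check reports "n/a" instead of failing inside Get-View with the error quoted above, while ESX 4.x and ESXi 5.x hosts, which do expose a firewall, get the default-policy check from LucD's script plus a list of the enabled rulesets so the "high security" part of the guideline can be reviewed against the services each host actually needs. It assumes an existing Connect-VIServer session.

```powershell
# Added example, not code from the thread. One CON01 row per host that copes with
# hosts without a firewall service (ESXi 4.x) instead of throwing on a null
# managed object reference.

function Get-Con01Status {
    param([Parameter(Mandatory = $true)] $VMHost)

    $row = New-Object PSObject -Property @{
        Host            = $VMHost.Name
        Version         = "$($VMHost.Version) build $($VMHost.Build)"
        CON01           = ''
        EnabledRulesets = ''
    }

    # ESXi 4.0/4.1 have no firewall service, so this reference is null there.
    $fwRef = $VMHost.ExtensionData.ConfigManager.FirewallSystem
    if (-not $fwRef) {
        # Neither a pass nor a fail: the report must say the check does not apply.
        $row.CON01 = 'n/a (no firewall service on this host)'
        return $row
    }

    $fwInfo  = (Get-View -Id $fwRef).FirewallInfo
    $default = $fwInfo.DefaultPolicy
    # "ok" only when the default policy blocks both incoming and outgoing traffic.
    $row.CON01 = if ($default.IncomingBlocked -and $default.OutgoingBlocked) { 'ok' } else { 'nok' }

    # The default policy alone is not "high security": list what is opened through
    # the firewall so each enabled ruleset can be justified or disabled.
    $row.EnabledRulesets = ($fwInfo.Ruleset | Where-Object { $_.Enabled } |
        ForEach-Object { $_.Key }) -join ','
    $row
}

# Usage: assumes Connect-VIServer has already been run against your vCenter.
Get-VMHost | ForEach-Object { Get-Con01Status -VMHost $_ } |
    Select-Object Host, Version, CON01, EnabledRulesets | Format-Table -AutoSize
```

Testing the managed object reference before calling Get-View is what avoids the "argument is null or empty" error seen in the thread; the same guard pattern applies to any other ConfigManager reference that a given host type may not expose.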