Hi,
Recently I have come across the VMware Compliance Checker tool and want to collect the same information for each ESX and ESXi host in my environment using a PowerCLI script. I have attached one such report here for more information.
Please help.
I assume you mean this Compliance Checker?
If yes, the checks are based on the VMware vSphere Hardening Guidelines.
Alan and William have a blog post on how to discover and correct breaches of these Security Guidelines for VMs.
See Automatically Securing Virtual Machines Using a vCenter Alarm.
Are there any specific hardening guidelines you want to detect?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
It is possible to check all the items in your list through PowerCLI.
Most of the items in that list were already handled in this community.
Which of the guidelines gives you the most problems at the moment?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Lucd,
Yes, I agree with you that most of the items are handled in this community, but I have some specific questions like:
1. When I check an ESXi host for the "CON01 - Ensure that ESX firewall is configured to high security" item, what things should the script check?
2. When I check "HLG03 - Configure NTP time synchronization", does it mean that if NTP is configured on the ESXi host then this item is green for that host?
3. When I check "NCN10 - Ensure that port groups are configured with a clear network label", does it mean that if the port groups have a label then it is green, etc.?
So my confusion is: when the script checks the items mentioned in the text file, what things should it check under each item to declare it green or red for each host?
So I need your guidance to achieve this.
The Compliance Checker is using the rules from the v4 Hardening Guide.
For several of the guidelines it depends on what exactly you want to check in your environment.
For example, guideline NGN03 states that you should control who has access to the portgroup configuration.
In the following example script I just list the principals that have admin access to the regular portgroups. But you could also check if these principals are only the ones in a group of groups and/or users you define.
Get-VMHost | Select Name,
    # CON01: default firewall policy must block both incoming and outgoing traffic
    @{N="CON01";E={ if(Get-VMHostFirewallDefaultPolicy -VMHost $_ |
        where {$_.IncomingEnabled -or $_.OutgoingEnabled}){"nok"}else{"ok"}}},
    # HLG03: at least one NTP server configured and the ntpd service running
    @{N="HLG03";E={ if((Get-VMHostNtpServer -VMHost $_) -and ( (Get-VMHostService -VMHost $_ | where {$_.Key -eq "ntpd"} | Select -ExpandProperty Running))){"ok"}else{"nok"} }},
    # NCN03: list the principals that hold the Admin role on the standard portgroups
    @{N="NCN03";E={ [string]::Join(',',(Get-VirtualPortGroup -Distributed:$false | Get-VIPermission | where {$_.Role -eq "Admin"} | Select -ExpandProperty Principal)) }} | fl
Most of the guidelines are quite easy to check with PowerCLI; you just need to find where the information can be retrieved and in which format you want to display the result.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LuCD,
Thanks for the script.
I think Get-VMHostFirewallDefaultPolicy will not run, as all are ESXi 4.1 hosts. Hence I need to think differently for the CON01 item.
Try it like this if you're on ESX(i) 4.*:
Get-VMHost | Select Name,
    # CON01: read the default policy through the host's FirewallSystem managed object
    @{N="CON01";E={ $fw = Get-View $_.ExtensionData.configManager.firewallSystem
        if($fw.firewallInfo.defaultPolicy.incomingBlocked -and $fw.firewallInfo.defaultPolicy.outgoingBlocked){"ok"}else{"nok"}}},
    # HLG03: at least one NTP server configured and the ntpd service running
    @{N="HLG03";E={ if((Get-VMHostNtpServer -VMHost $_) -and ( (Get-VMHostService -VMHost $_ | where {$_.Key -eq "ntpd"} | Select -ExpandProperty Running))){"ok"}else{"nok"} }},
    # NCN03: list the principals that hold the Admin role on the standard portgroups
    @{N="NCN03";E={ [string]::Join(',',(Get-VirtualPortGroup -Distributed:$false | Get-VIPermission | where {$_.Role -eq "Admin"} | Select -ExpandProperty Principal)) }} | fl
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
I am getting the following error when running the code for the CON01 item:
Get-View: Cannot validate argument on parameter 'VIObject'. The argument is null or empty. Supply an argument that is not null or empty and then run the command again.
Which PowerCLI version are you using?
Do a
Get-PowerCLIVersion
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am using the following PowerCLI version:
5.0.1 Build 581491
Strange, that's the latest build.
Try adding the Id parameter on that line:
$fw = Get-View -Id $_.ExtensionData.configManager.firewallSystem
I'm afraid I don't have any ESX(i) 4.* left to test.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I have tried:
Get-VMHost | Select Name,@{N="FirewallSystem";E={$_.ExtensionData.configManager.FirewallSystem}}
All our vSphere 4.1 hosts return nothing for the FirewallSystem.
From KB Troubleshooting the firewall policy on an ESX host:
ESXi 4.0/ESXi 4.1 does not include a firewall because it runs a limited set of well-known services and prevents the addition of further services.
We only use ESXi 4.1 U2. That will be the reason that the FirewallSystem is empty.
Message was edited by: RvdNieuwendijk
It seems ESXi 4.1 didn't have a built-in firewall, only ESX 4.x.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
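Pulling the thread together, the following is an added example (not LucD's script and not part of the original posts) that makes the CON01 check null-safe for ESXi 4.x hosts, which expose no FirewallSystem, and extends the NCN03 check to compare the Admin principals against an allow-list as LucD suggested. It assumes PowerCLI 5.x connected to a vCenter, and the $AllowedAdmins principals are constructed sample values.

```powershell
# Added example, not LucD's code. Constructed allow-list of principals permitted
# to hold the Admin role on standard port groups; replace with your own.
$AllowedAdmins = @('VSPHERE.LOCAL\Administrator', 'DOMAIN\vSphere-Admins')

function Get-Con01Status {
    param([Parameter(Mandatory=$true)]$VMHost)
    # ESXi 4.x has no host firewall, so ConfigManager.FirewallSystem is $null
    # and Get-View would throw the "argument is null or empty" error seen above.
    $fwRef = $VMHost.ExtensionData.ConfigManager.FirewallSystem
    if (-not $fwRef) {
        return ('n/a (no host firewall on {0} {1})' -f $VMHost.ExtensionData.Config.Product.Name, $VMHost.Version)
    }
    $policy = (Get-View -Id $fwRef).FirewallInfo.DefaultPolicy
    # "high security" = default policy blocks both directions
    if ($policy.IncomingBlocked -and $policy.OutgoingBlocked) { 'ok' } else { 'nok' }
}

function Get-Hlg03Status {
    param([Parameter(Mandatory=$true)]$VMHost)
    $ntpServers = @(Get-VMHostNtpServer -VMHost $VMHost)
    $ntpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
    # green only if at least one NTP server is configured AND ntpd is running
    if ($ntpServers.Count -gt 0 -and $ntpd -and $ntpd.Running) { 'ok' } else { 'nok' }
}

function Get-Ncn03Status {
    param([Parameter(Mandatory=$true)]$VMHost, [string[]]$Allowed)
    # Principals holding Admin on this host's standard port groups
    $admins = Get-VirtualPortGroup -VMHost $VMHost -Distributed:$false |
        Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
        Select-Object -ExpandProperty Principal | Sort-Object -Unique
    # Anything outside the allow-list is reported, so the reviewer sees who to look at
    $unexpected = @($admins | Where-Object { $Allowed -notcontains $_ })
    if ($unexpected.Count -eq 0) { 'ok' } else { 'nok: ' + ($unexpected -join ',') }
}

Get-VMHost | Select-Object Name, Version,
    @{N='CON01'; E={ Get-Con01Status -VMHost $_ }},
    @{N='HLG03'; E={ Get-Hlg03Status -VMHost $_ }},
    @{N='NCN03'; E={ Get-Ncn03Status -VMHost $_ -Allowed $AllowedAdmins }} |
    Format-List
```

On an ESXi 4.1 host the CON01 column reads "n/a" instead of aborting the whole pipeline, so the HLG03 and NCN03 results for that host are still produced.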