VMware Cloud Community

Ansible Configuration STIG Settings: Removing Advanced Setting & Encrypted vMotion

Good Afternoon!

I'm working on an Ansible set of tasks to implement DISA STIGs on the various VM/ESXi/vCenter components from the current STIG. I've worked through most of the settings. There are two settings that are causing me kittens.

1 - Shared salt values must be disabled on the virtual machine. The STIG uses PowerCLI to configure this as:

Get-VM "VM Name" | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting

For most of the Advanced Settings, I've been using the community.vmware.vmware_guest module to configure the advanced_settings key. This works when you are adding or changing a value. But how do you remove an advanced setting on a VM using the SOAP or REST Ansible modules? Or is the answer to run a builtin.ansible.shell / builtin.ansible.windows.win_powershell line and test for pwsh on the Linux side to run the above command?

2 - Encryption must be enabled for vMotion on the virtual machine. The STIG walks the user through the GUI to set the value at either Opportunistic or Required. The check text is:

Get-VM | Where {($_.ExtensionData.Config.MigrateEncryption -ne "opportunistic") -and ($_.ExtensionData.Config.MigrateEncryption -ne "required")}

How do you set this using Ansible?


