I have a regulatory requirement to let Nessus scan my ESXi boxes. I have two challenges with this.
Challenge 1: Turning the ESXi Shell and SSH on. How can I automate this so it happens on all boxes at the same time?
Challenge 2: Using a Windows account I can add to let it log on to the ESXi box. Windows accounts can log on to vSphere but not ESXi. I do not want to give away the root account.
How do you let your environment get scanned?
If your ESXi are being managed by vCenter you can enable SSH with PowerCLI:
1. Open PowerCLI
2. Connect-VIServer <myVC>
3. Get-VMHost | Get-VMHostService | Where Key -EQ "TSM-SSH" | Start-VMHostService
To stop it:
Get-VMHost | Get-VMHostService | Where Key -EQ "TSM-SSH" | Stop-VMHostService -Confirm:$False
I believe you need to create a Read Only user for your ESXi servers with read-only permissions, since Nessus needs to access the OS and it cannot do it from vCenter.
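To turn the one-liner above into something repeatable for a scan window, here is an added example (not from the answer above): a PowerCLI script that starts or stops both the ESXi Shell ("TSM") and SSH ("TSM-SSH") services on every host managed by a vCenter, then reports each host's state so you can confirm the window was opened and, after the scan, closed again. The vCenter name and the module-loading line are assumptions you will need to adjust for your environment.

```powershell
# Added example, not code from the original thread.
# Assumes VMware PowerCLI is installed and that the vCenter name below
# is replaced with your own (placeholder value).
param(
    [string]$VCenter = 'vcenter.example.local',          # placeholder
    [ValidateSet('Start', 'Stop')][string]$Action = 'Start'
)

Import-Module VMware.PowerCLI                             # assumption: modern module-based PowerCLI
Connect-VIServer -Server $VCenter | Out-Null

# Service keys on ESXi: 'TSM' = ESXi Shell, 'TSM-SSH' = SSH daemon
$keys = @('TSM', 'TSM-SSH')

$services = Get-VMHost | Get-VMHostService | Where-Object { $keys -contains $_.Key }

foreach ($svc in $services) {
    if ($Action -eq 'Start') {
        # Start only for the scan window; Policy stays 'off' so the
        # service does not come back on its own after a host reboot.
        Start-VMHostService -HostService $svc -Confirm:$false | Out-Null
    }
    else {
        Stop-VMHostService -HostService $svc -Confirm:$false -ErrorAction Continue | Out-Null
    }
}

# Report state per host: Running should be True during the scan and
# False afterwards; Policy should remain 'off' on every host.
Get-VMHost | Get-VMHostService | Where-Object { $keys -contains $_.Key } |
    Select-Object VMHost, Key, Running, Policy |
    Sort-Object VMHost, Key |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it with `-Action Start` before the Nessus scan and `-Action Stop` when it finishes; the final table is the evidence that no host was left with the shell or SSH running.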