VMware Cloud Community
SCharchouf
Hot Shot

Ensure the ESXi shell is disabled

I'm trying to create a script to disable the ESXi Shell. As I'm obliged to collect the configuration before making any change, I wrote the script like this:

#Collect configuration
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy | Out-String | ForEach-Object { $_.Trim() } > ".\ESXiShell.txt"

# Verification
$CheckESXi_Shell_Disabled = (gc .\HardeningESXi-Logs\ESXi_Shell_Disabled-Config.txt | ft Value | findstr /v " _$Null Value ----- _$Null") | where-object {$_ -notlike '*off*'} | foreach{$_.split(".")[0]}

function ESXiDisabled {
    if ($CheckESXiDisabled -eq "off") {
        Write-Log -Level Success -Message "All Hosts have ESXi shell disabled" -FilePath $LogFile
    }
    else {
        Write-Host -f red "Host(s) with ESXi Shell not set as required "
        Write-Log -Level Success -Message  "Fixing host(s)" -FilePath $LogFile
        $CheckESXiDisabled | ForEach-Object {Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM"} | Set-VMHostService -Policy Off
        }
    }
}

ESXiDisabled

Unfortunately the script is not working as expected. If I change the policy from the GUI, I expect the script to detect that and make the change; if the policy is set to Off, the script should say so and do nothing.

3 Replies
LucD
Leadership

I'm not really sure what you are trying to do here.

You write to a file named ESXiShell.txt, and then you read from a file named .\HardeningESXi-Logs\ESXi_Shell_Disabled-Config.txt.

What is supposed to be in that 2nd file?

In the function you are using a variable $CheckESXiDisabled, which doesn't seem to be instantiated anywhere.

Or is that supposed to be the variable $CheckESXi_Shell_Disabled?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership

If I understand your intention correctly, why don't you do something like the following?

You can also make the call for a specific ESXi node with, for example, Set-VMHostShell -VMHost myesx.

function Set-VMHostShell{
    [CmdletBinding()]
    param(
        # Default '*' covers all hosts
        $VMHost = '*'
    )

    # Select only the ESXi Shell (TSM) services whose policy is not already off
    $services = Get-VMHost $VMHost | Get-VMHostService | where{$_.Key -eq 'TSM' -and $_.Policy -ne 'off'}
    if($services){
        Write-Host -f red "Host(s) with ESXi Shell not set as required "
        Write-Log -Level Success -Message  "Fixing host(s)" -FilePath $LogFile
        $services | ForEach-Object -Process {
            Write-Log -Level Success -Message  "Host: $($_.VMHost.Name) setting ESXi shell to off" -FilePath $LogFile
            Set-VMHostService -HostService $_ -Policy Off -Confirm:$false
        }
    }
    else{
        Write-Log -Level Success -Message "All Hosts have ESXi shell disabled" -FilePath $LogFile
    }
}

Set-VMHostShell


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
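
An added example, not part of the original post or of LucD's answer: one way to combine the "collect the configuration before any change" requirement with the detect-and-fix logic above, while also catching a shell that is currently running even though its policy is already off. It assumes an existing Connect-VIServer session; the function name Invoke-EsxiShellAudit, its parameters and the evidence file path are hypothetical, and Write-Host / Write-Warning stand in for the thread's Write-Log helper, which is not shown on the page.

```powershell
# Added example: audit-then-remediate for the ESXi Shell (TSM) service.
# Assumes an existing Connect-VIServer session. The function name and the
# evidence-file path are hypothetical.
function Invoke-EsxiShellAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        $VMHost = '*',
        [string]$EvidencePath = '.\ESXiShell-before.csv',
        [switch]$Remediate
    )

    # 1. Snapshot the current state of every host before touching anything.
    $services = @(Get-VMHost -Name $VMHost | Get-VMHostService |
        Where-Object { $_.Key -eq 'TSM' })
    $services |
        Select-Object @{N = 'VMHost'; E = { $_.VMHost.Name } }, Key, Label, Policy, Running |
        Export-Csv -Path $EvidencePath -NoTypeInformation

    # 2. Non-compliant = startup policy not 'off' OR the service is running now.
    #    Setting the policy alone does not stop a shell that is already started.
    $bad = @($services | Where-Object { $_.Policy -ne 'off' -or $_.Running })
    if ($bad.Count -eq 0) {
        Write-Host 'All hosts have the ESXi Shell disabled'
        return
    }

    foreach ($svc in $bad) {
        $name = $svc.VMHost.Name
        Write-Warning "$name : Policy=$($svc.Policy) Running=$($svc.Running)"
        if (-not $Remediate) { continue }   # report-only unless asked to fix

        if ($svc.Policy -ne 'off' -and $PSCmdlet.ShouldProcess($name, 'Set TSM policy to Off')) {
            Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        }
        if ($svc.Running -and $PSCmdlet.ShouldProcess($name, 'Stop TSM service')) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
    }

    # 3. Re-read the state so the result reflects what the hosts report now.
    Get-VMHost -Name $VMHost | Get-VMHostService |
        Where-Object { $_.Key -eq 'TSM' } |
        Select-Object @{N = 'VMHost'; E = { $_.VMHost.Name } }, Key, Policy, Running
}

Invoke-EsxiShellAudit                 # report only, writes the evidence file
Invoke-EsxiShellAudit -Remediate      # fix hosts that drifted
```

Running it with -Remediate -WhatIf lists the changes it would make without applying them.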

SCharchouf
Hot Shot

Thank you very much LucD. Since I don't have enough experience in PowerCLI / PowerShell, I make mistakes, and my choices are sometimes not good ones for implementing a solution.

Also, I know that there is a multitude of options to implement a script and get the desired result. Moreover, since I have been on this forum I see a clear improvement, and this is due to your help and advice.

Thank you again
