VMware Cloud Community
sjoshi25 (Contributor)

Error in a script for Get-SecurityPolicy for Virtual Switch

We are using this script to export multiple advanced configurations for all hosts on each vCenter. Below is the script and the error; the error is due to the command highlighted in bold, as the hosts have either a standard or a distributed virtual switch:

foreach ($hostVar in $ESXHost)
{
    Write-Output $hostVar.Name

    $advancedSetting = Get-AdvancedSetting -Entity $hostVar.Name
    $NTPServerConfig = Get-VMHostNtpServer -VMHost $hostVar.Name

    $esxShellStatus = Get-VMHostService -VMHost $hostVar.Name | Where { $_.key -eq "TSM" }
    $sshShellStatus = Get-VMHostService -VMHost $hostVar.Name | Where { $_.key -eq "TSM-SSH" }
    $CIMStatus      = Get-VMHostService -VMHost $hostVar.Name | Where { $_.key -eq "sfcbd-watchdog" }
    $SLPStatus      = Get-VMHostService -VMHost $hostVar.Name | Where { $_.key -eq "slpd" }

    $virtualSwitchConfig    = Get-VirtualSwitch -VMHost $hostVar.Name | Get-SecurityPolicy
    $virtualPortGroupConfig = Get-VirtualPortGroup $hostVar.Name | Get-SecurityPolicy

    $lockdownSetting = $hostVar | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}

    $aggregateOutput = [PSCustomObject]@{
        HostName          = $hostVar.Name
        ConnectionState   = $hostVar.ConnectionState
        PowerState        = $hostVar.PowerState
        Version_Patch     = $hostVar.Version
        Build             = $hostVar.Build
        NTPServerConfiged = [string]$NTPServerConfig -join ','

        #2.3 Ensure Managed Object Browser (MOB) is disabled
        MOBSetting = ($advancedSetting | Where-Object{$_.Name -eq "Config.HostAgent.plugins.solo.enableMob"}).Value

        #2.6 Ensure dvfilter API is not configured if not used
        DVFilter = ($advancedSetting | Where-Object{$_.Name -eq "Net.DVFilterBindIpAddress"}).Value

        #3.2 Ensure persistent logging is configured for all ESXi hosts
        PersistentLogging = ($advancedSetting | Where-Object{$_.Name -eq "Syslog.global.logDir"}).Value

        #3.3 Ensure remote logging is configured for ESXi hosts
        RemoteLogging = ($advancedSetting | Where-Object{$_.Name -eq "Syslog.global.logHost"}).Value

        #4.3 Ensure the maximum failed login attempts is set to 5
        LockFailures = ($advancedSetting | Where-Object{$_.Name -eq "Security.AccountLockFailures"}).Value

        #4.4 Ensure account lockout is set to 15 minutes
        AccountUnlockTime = ($advancedSetting | Where-Object{$_.Name -eq "Security.AccountUnlockTime"}).Value

        #4.5 Ensure previous 5 passwords are prohibited
        PasswordHistory = ($advancedSetting | Where-Object{$_.Name -eq "Security.PasswordHistory"}).Value

        #Password Quality Control for local accounts
        PasswordQualityControl = ($advancedSetting | Where-Object{$_.Name -eq "Security.PasswordQualityControl"}).Value

        #Suppressing Hyperthreading warning
        HyperthreadWarning = ($advancedSetting | Where-Object{$_.Name -eq "UserVars.Suppress.HyperthreadWarning"}).Value

        #4.7 Ensure only authorized users and groups belong to the esxAdminsGroup group
        AdminGroup = ($advancedSetting | Where-Object{$_.Name -eq "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"}).Value

        #5.1 Ensure the DCUI timeout is set to 600 seconds or less
        DCUITTimeout = ($advancedSetting | Where-Object{$_.Name -eq "UserVars.DcuiTimeOut"}).Value

        #5.2 Ensure the ESXi shell is disabled
        IsESXShellRunning  = $esxShellStatus.Running
        IsESXShellPolicyOn = $esxShellStatus.Policy

        #5.3 Ensure the SSH is disabled
        IsSSHShellRunning  = $sshShellStatus.Running
        IsSSHShellPolicyOn = $sshShellStatus.Policy

        # CIM should be disabled if not in use
        CIMStatusRunning  = $CIMStatus.Running
        CIMStatusPolicyOn = $CIMStatus.Policy

        #SLP should be disabled if not in use
        SLPRunning  = $SLPStatus.Running
        SLPPolicyOn = $SLPStatus.Policy

        #5.5 Ensure Normal Lockdown mode is enabled
        LockdownSetting = $lockdownSetting.Lockdown

        #5.10 Ensure DCUI has a trusted users list for lockdown mode
        DCUIList = ($advancedSetting | Where-Object{$_.Name -eq "DCUI.Access"}).Value

        ##Block guest OS BPDU transmissions.
        BlockGuestBPDU = ($advancedSetting | Where-Object{$_.Name -eq "Net.BlockGuestBPDU"}).Value

        ##Audit use of dvfilter network APIs.
        FilterBindIPAddress = ($advancedSetting | Where-Object{$_.Name -eq "Net.DVFilterBindIpAddress"}).Value

        ##Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run.
        ESXShellTimeout = ($advancedSetting | Where-Object{$_.Name -eq "ESXiShellTimeOut"}).Value

        ##Warning for support and troubleshooting interfaces is suppressed.
        ESXShellWarning = ($advancedSetting | Where-Object{$_.Name -eq "UserVars.SuppressShellWarning"}).Value

        ##Ensure that deprecated SSL/TLS protocols are disabled.
        ESXDeprecatedProtocols = ($advancedSetting | Where-Object{$_.Name -eq "UserVars.ESXiVPsDisabledProtocols"}).Value

        ##Restrict transparent page sharing to VMs configured with sched.mem.pshare.salt.
        transparentPageSharing = ($advancedSetting | Where-Object{$_.Name -eq "Mem.ShareForceSalting"}).Value

        ##Only run binaries delivered via VIB.
        BinayVIB = ($advancedSetting | Where-Object{$_.Name -eq "VMkernel.Boot.execInstalledOnly"}).Value

        ##virtual Switch Number
        SwitchNumber = [string]$virtualSwitchConfig.VirtualSwitch.Name -join ','
        ##Ensure that the "Forged Transmits" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        SwitchForgedTransmits = [string]$virtualSwitchConfig.ForgedTransmits -join ','
        ##Ensure that the "MAC Address Changes" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        SwitchMACChanges = [string]$virtualSwitchConfig.MacChanges -join ','
        ##Ensure that the "Promiscuous Mode" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        SwitchPromiscuousMode = [string]$virtualSwitchConfig.AllowPromiscuous -join ','

        ##VirtualPortGroup
        PortGroup = [string]$virtualPortGroupConfig.VirtualPortGroup.Name -join ','
        ##Ensure that the "Forged Transmits" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        PortGroupForgedTransmits = [string]$virtualPortGroupConfig.ForgedTransmits -join ','
        ##Ensure that the "MAC Address Changes" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        PortGroupMACChanges = [string]$virtualPortGroupConfig.MacChanges -join ','
        ##Ensure that the "Promiscuous Mode" policy is set to reject on both the vSphere Standard Switch and on its port groups.
        PortGroupPromiscuousMode = [string]$virtualPortGroupConfig.AllowPromiscuous -join ','
    }

    $list.Add($aggregateOutput) | Out-Null
}

This is the error:

Get-SecurityPolicy : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the
input and its properties do not match any of the parameters that take pipeline input.
At C:\Users\A649632\Documents\ESX Hosts Configuration.ps1:36 char:72
+ ... GroupConfig = Get-VirtualPortGroup $hostVar.Name | Get-SecurityPolicy
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (303--OMA1_DH2_P13-FMN:PSObject) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

Accepted Solutions

mpeneva (VMware Employee)
I think that you need to use Get-VDSecurityPolicy for distributed switches 🙂

mpeneva (VMware Employee)

You are right Luc. It said only "virtual switches".

9 Replies

LucD (Leadership)

The error is in the line

$virtualPortGroupConfig = Get-VirtualPortGroup $hostVar.Name | Get-SecurityPolicy

But without explaining what is in $ESXHost, and hence in $hostVar, it is impossible to determine what is wrong.
I suspect you have a VMHost object in $hostVar, so try doing

$virtualPortGroupConfig = Get-VirtualPortGroup -VMHost $hostVar | Get-SecurityPolicy


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mpeneva (VMware Employee)

Hi,

Try to retrieve the 'standard' switch for a concrete host, so that you could get the default switch security policy:

...

Get-VirtualSwitch -VMHost $hostVar.Name -Standard | Get-SecurityPolicy

...

sjoshi25 (Contributor)

$ESXhost is each ESX host in the vCenter. I am also getting the error for VirtualSwitch, and this warning before the first error:

WARNING: The output of the command produced distributed virtual switch objects. This behavior is obsolete and may change in the future. To retrieve distributed switches, use Get-VDSwitch cmdlet in the VDS component. To retrieve standard switches, use -Standard.
Get-SecurityPolicy : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match
any of the parameters that take pipeline input.
At C:\Users\A649632\Documents\ESX Hosts Configuration.ps1:35 char:74
+ ... Config = Get-VirtualSwitch -VMHost $hostVar.Name | Get-SecurityPolicy
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Backup-SRV-OMA1-1:PSObject) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

LucD (Leadership)

That first one is a warning; avoid it by adding -Standard on the Get-VirtualSwitch cmdlet, like Maya said earlier.


sjoshi25 (Contributor)
Jump to solution

Yes, I tried with -Standard and it doesn't give me an error or warning, but there is no output for Get-SecurityPolicy. Is there a way to have output for Get-SecurityPolicy for both standard and distributed switches in the script above? When I try Get-VDSwitch for one of the ESX hosts with distributed switches I get this error:

Get-VDSwitch -VMHost ESXHost1 | Get-SecurityPolicy


Get-SecurityPolicy : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:47
+ Get-VDSwitch -VMHost ESXHost1 | Get-SecurityPolicy
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (OMA1_DH2_P13-FMN:PSObject) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

LucD (Leadership)

Just tested again; it seems Get-SecurityPolicy does not work for VDS, although the online documentation doesn't explicitly state it is only for VSS.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mpeneva
VMware Employee
VMware Employee
Jump to solution

I think that you need to use Get-VDSecurityPolicy for distributed switches 🙂

Reply
0 Kudos
mpeneva
VMware Employee
VMware Employee
Jump to solution

You are right Luc. It said only "virtual switches".

Reply
0 Kudos
sjoshi25
Contributor
Contributor
Jump to solution

That makes sense. Thanks for the help!
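The thread's resolution is that Get-SecurityPolicy binds only standard-switch objects (so -Standard is needed) and that distributed switches need Get-VDSecurityPolicy from the VDS module. The following is an added example that puts both halves together; it is not code from this thread or from VMware. It assumes an active Connect-VIServer session, the VMware.VimAutomation.Core and VMware.VimAutomation.Vds modules loaded, and VMHost objects on the pipeline (the $ESXHost contents LucD assumed). The function names Get-VSwitchSecurityReport and New-PolicyRow and the NonCompliant column are this example's own choices.

```powershell
# Added example, not the script from this thread. Assumes an active Connect-VIServer
# session, the VMware.VimAutomation.Core and VMware.VimAutomation.Vds modules, and
# VMHost objects on the pipeline. Function names are chosen for this example.

function New-PolicyRow {
    # Flatten a VSS or VDS security policy into one record. The three settings are
    # $true when the policy is Accept, so NonCompliant flags any Accept value.
    param($HostName, $SwitchType, $Level, $ObjectName, $Policy)
    [PSCustomObject]@{
        HostName         = $HostName
        SwitchType       = $SwitchType   # Standard or Distributed
        Level            = $Level        # Switch or PortGroup
        ObjectName       = $ObjectName
        AllowPromiscuous = $Policy.AllowPromiscuous
        ForgedTransmits  = $Policy.ForgedTransmits
        MacChanges       = $Policy.MacChanges
        NonCompliant     = [bool]($Policy.AllowPromiscuous -or $Policy.ForgedTransmits -or $Policy.MacChanges)
    }
}

function Get-VSwitchSecurityReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost
    )
    process {
        # Standard switches and port groups. Get-SecurityPolicy accepts only
        # VirtualSwitch / VirtualPortGroup objects, so -Standard keeps distributed
        # objects out of the pipeline (the cause of the binding error in the thread).
        foreach ($vss in (Get-VirtualSwitch -VMHost $VMHost -Standard)) {
            $pol = Get-SecurityPolicy -VirtualSwitch $vss
            New-PolicyRow $VMHost.Name 'Standard' 'Switch' $vss.Name $pol
        }
        foreach ($pg in (Get-VirtualPortGroup -VMHost $VMHost -Standard)) {
            $pol = Get-SecurityPolicy -VirtualPortGroup $pg
            New-PolicyRow $VMHost.Name 'Standard' 'PortGroup' $pg.Name $pol
        }

        # Distributed switches and port groups go through the VDS cmdlets instead.
        foreach ($vds in (Get-VDSwitch -VMHost $VMHost)) {
            $pol = Get-VDSecurityPolicy -VDSwitch $vds
            New-PolicyRow $VMHost.Name 'Distributed' 'Switch' $vds.Name $pol
            foreach ($dpg in (Get-VDPortgroup -VDSwitch $vds)) {
                $pol = Get-VDSecurityPolicy -VDPortgroup $dpg
                New-PolicyRow $VMHost.Name 'Distributed' 'PortGroup' $dpg.Name $pol
            }
        }
    }
}

# Usage: one row per switch or port group, then the rows that still have an Accept.
$report = $ESXHost | Get-VSwitchSecurityReport
$report | Export-Csv -Path .\vswitch-security.csv -NoTypeInformation
$report | Where-Object NonCompliant |
    Format-Table HostName, SwitchType, Level, ObjectName, AllowPromiscuous, ForgedTransmits, MacChanges
```

Unlike the original script, which joins all values into one comma-separated string per host and so loses which switch or port group had the Accept, this keeps one row per object, which is what an auditor needs when a single port group is the outlier. Because every host attached to a VDS sees the same distributed port groups, the distributed rows repeat per host; de-duplicate on ObjectName if the report is meant to be per switch rather than per host.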