VMware Cloud Community
Paulk99
Enthusiast

VM Hardening help !!!

Hi all

I'm ok at knocking up scripts to run a function but not so great when it comes to a reporting type script...!!

So TBH I'm really unsure how to start here, any input really appreciated.

I need to report on all VMs in a vCenter: report their name and whether they are powered on or off, then report against a set of predefined parameters within the VM hardening guide and how those values are currently set.

e.g.

VM.disable-hgfs

VM.disable-independent-nonpersistent

VM.disable-non-essential-3D-features

VM.disable-unexposed-features-autologon

VM.disable-unexposed-features-memsfss

Then dump it all out to a nicely tabulated .csv file for readability purposes (if that makes any sense...)

Once I know how they are set I can reverse engineer the script to apply the agreed hardening policy.

Happy for some PS guru out there to steer me off if at all possible.

Kr

Paul

11 Replies
LucD
Leadership

The answer to your question is mostly contained in the Security Hardening Guides, more specifically in columns Q ('PowerCLI Command Assessment') and R ('PowerCLI Command Remediation').
I'm referring to the guide for vSphere 6.7U1, the columns may be different in other guides.

Btw, have a read of Mike's blog post vSphere 6.5 Security Configuration Guide now available

Entries that are not yet listed in the guide can be derived from similar settings.
See for example the VM.disable-hgfs setting

Depending where you can find each of these settings (documented in column Q), you will have to use different code.
But you can combine these in a single script.
The following snippet shows how that could be done.

Adding other Guidelines should be trivial I assume.

Get-VM |
Select Name,
@{N = 'VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value } else { $false }
   }
},
@{N = 'VM.disable-independent-nonpersistent'; E = {
   (Get-HardDisk -VM $_ | % { $_.Persistence -ne "Persistent" }) -contains $false
   }
},
@{N = 'VM.disable-non-essential-3D-features'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "mks.enable3d"
   if ($data) { $data.Value } else { $false }
   }
} |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Paulk99
Enthusiast

Hi There

Thanks for the reply, I've only just had the chance to pick this up again.

I was having problems running multiple VMs within the script so I've stripped it down as below using an individually targeted VM. However it still errors out.

Now the value "isolation.tools.hgfsServerSet.disable" appears to be a hidden value, not actually entered as an Advanced Option, let alone set, by default. However it is in the hardening guide and so one I've been asked to explicitly set as FALSE.

So it seems to be having a problem actually identifying a VM where the entry actually exists, and so the "Data" field in the XL is just blank. However this is just my thought.

Is there an "If Exist" statement that could be used as it seems :-

"If Exist" = YES\NO

needs to be a separate column from

"Data"  = TRUE\FALSE

My Script

Get-VM MY-VM_NAME | Select Name, PowerState
@{N = 'VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value }else { $false }
   } |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture

This terminates in an error I've not seen

The Hash Litteral was incomplete
        + Category info          :parser error (:) [], Parentcontainserrorrecordexception
        +FullyQualified errorID  : IncompleteHashLiteral

Can you assist in the above if at all possible.

BTW it seems these advanced values may be modified with the VM online if done with a script.

If so that's jolly good news.

Cheers.

LucD
Leadership

Not sure why and what issue you have with running Get-VM for all your VMs?

It would help if you can show the error or describe the issue.

Your original question was on reporting the settings, so I didn't include the Set part.

But that is also in the Hardening Guide I mentioned.

The error you are getting is caused by the fact that you are missing a curly brace at the end of the calculated property.

Try like this

Get-VM MY-VM_NAME | Select Name, PowerState,
@{N = 'VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value } else { $false }
   }} |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Paulk99
Enthusiast

Hi there

Ok great

So that clears the error.

But still no data is reported (even in the PS window)

Even if I change the value to CTKEnabled, which should output as "True", I get nothing past the VM's name and the fact it is powered on.

p

LucD
Leadership

You forgot the comma after PowerState.
Try like this

Get-VM | Select Name, PowerState,
@{N = 'VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value } else { $false }}} |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Paulk99
Enthusiast

Ok fabulous...

Right, testing against 2 values currently configured in the Advanced options all is good.

When I run it and include "Isolation.tools.hgfsServerSet.Disable" all the fields are blank in the respective XL column (as the option is not entered and not configured).

I'm not sure how to set an "Empty" data return to something like Not-Configured...? Is that possible?

Paul

LucD
Leadership

Can you share your latest code?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Paulk99
Enthusiast

Copy and paste is a bitch here (I think the below is good but there could be typos...)

let me type it out for you..

The top set of values are for testing this script, the bottom set are for testing the as yet unconfigured values (which I will be setting as part of hardening), so I would like these to come up as NULL or Not Configured, as the values are not yet set.

Get-VM | Select Name, PowerState,
# Below lines are configured as advanced options in the VM these report correctly in XL
@{N = 'XL_CTKEnabled'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "CTKEnabled"
   if ($data) { $data.Value } else { $false }
}
},
# Below lines are NOT yet configured as advanced options in the VM these do NOT report correctly in XL
@{N = 'XL_VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value } else { $false }
}
} |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture

Paul

LucD
Leadership

I just ran your script, and the output seems to be ok to me.
None of my VMs have these settings configured, so $false is correct.

[screenshot of the report output: 2019-06-26_17-40-14.jpg]

Or do you literally want such an entry to say 'Not Configured'?
In that case, try like

Get-VM | Select Name, PowerState,
# Below lines are configured as advanced options in the VM these report correctly in XL
@{N = 'XL_CTKEnabled'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "CTKEnabled"
   if ($data) { $data.Value } else { 'Not Configured' }
}
},
# Below lines are NOT yet configured as advanced options in the VM these do NOT report correctly in XL
@{N = 'XL_VM.disable-hgfs'; E = {
   $data = Get-AdvancedSetting -Entity $_ -Name "isolation.tools.hgfsServerSet.disable"
   if ($data) { $data.Value } else { 'Not Configured' }
}
} |
Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Paulk99
Enthusiast

Yes cheers mate, I figured that little tweak.

So there is no way to report or introduce a third option at all.

As the value could be either True, False or Not present\Not Configured.

The only reason I say this is I will need to evidence it post hardening.

Ok, will have a play with it some more tomorrow and set some of the values to true and false to see how that works out..

Cheers Luk

LucD
Leadership

The $data.Value should return True or False when the option is set, otherwise it will return "Not Configured".


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
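An added example, not LucD's or Paul's code: a complete version of the report the thread builds up to, written as a reusable function that returns one row per VM per guideline, keeps the three states (True, False, Not Configured) that are needed to evidence the hardening, and includes the disk persistence check, which is not an advanced setting. It assumes an existing Connect-VIServer session. The advanced setting names for the autologon and memsfss guidelines are taken from my reading of the vSphere hardening guide, not from this thread, and the Expected column reflects the guide's recommended values; both should be confirmed against columns Q and R of the guide version you are working to and against your agreed policy.

```powershell
# Added example (not code from this thread). Assumes an active PowerCLI session
# (Connect-VIServer). Setting names marked (assumed) come from the hardening
# guide as I recall it and must be checked against your guide version.

$Guidelines = @(
    @{ Id = 'VM.disable-hgfs';                         Key = 'isolation.tools.hgfsServerSet.disable';           Expected = 'TRUE'  }
    @{ Id = 'VM.disable-non-essential-3D-features';    Key = 'mks.enable3d';                                    Expected = 'FALSE' }
    @{ Id = 'VM.disable-unexposed-features-autologon'; Key = 'isolation.tools.ghi.autologon.disable';           Expected = 'TRUE'  }  # (assumed)
    @{ Id = 'VM.disable-unexposed-features-memsfss';   Key = 'isolation.tools.memSchedFakeSampleStats.disable'; Expected = 'TRUE'  }  # (assumed)
)

# Returns the string value of an advanced setting, or 'Not Configured' when the
# key is absent. Get-AdvancedSetting returns nothing for a missing key, so an
# object is only present when the option has actually been entered on the VM.
function Get-GuidelineState {
    param($VM, [string]$Key)
    $setting = Get-AdvancedSetting -Entity $VM -Name $Key
    if ($setting) { [string]$setting.Value } else { 'Not Configured' }
}

# One row per VM per guideline: long format keeps the evidence readable and
# makes it easy to filter on Compliant -eq $false after remediation.
function Get-VMHardeningReport {
    param([string]$Name = '*')
    foreach ($vm in Get-VM -Name $Name) {
        foreach ($g in $Guidelines) {
            $state = Get-GuidelineState -VM $vm -Key $g.Key
            [pscustomobject]@{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                Guideline  = $g.Id
                Setting    = $g.Key
                Current    = $state
                Expected   = $g.Expected
                # -eq on strings is case-insensitive, so 'true' and 'TRUE' both match.
                Compliant  = ($state -eq $g.Expected)
            }
        }

        # Disk persistence mode lives on each hard disk, not in the advanced settings.
        $disks = @(Get-HardDisk -VM $vm)
        $nonPersistent = @($disks | Where-Object { $_.Persistence -eq 'IndependentNonPersistent' })
        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState
            Guideline  = 'VM.disable-independent-nonpersistent'
            Setting    = 'HardDisk.Persistence'
            Current    = (($disks | ForEach-Object { $_.Persistence }) -join ';')
            Expected   = 'No IndependentNonPersistent disks'
            Compliant  = ($nonPersistent.Count -eq 0)
        }
    }
}

# Usage: report on every VM and export to CSV, as in the thread.
Get-VMHardeningReport | Export-Csv -Path .\hardening-report.csv -NoTypeInformation -UseCulture
```

Run it once before and once after applying the remediation commands from column R of the guide, and the two CSV files give a before/after record per guideline per VM; a pre-hardening row will typically read "Not Configured", while a post-hardening row should read TRUE or FALSE with Compliant set to True.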