VMware Cloud Community
jvm2016

script_structure_powercli

Hi Luc,

Can you please check the following script? It is to get some security info from ESXi and the network switches. It works fine except for the orange line.

Can you please modify the orange line to use join? Also, can this be converted to an Excel file?

$vcenter = Read-Host "please provide vcentername"
$credential_vcenter = Get-Credential
# Connect-VIServer returns the connection object; piping it to Out-Null would leave $conn empty,
# and the credential collected above has to be passed in or it is never used
$conn = Connect-VIServer -Server $vcenter -Credential $credential_vcenter

#only for distributed switches .
#for hostd presence we need openssh module though it should be present by default.
$path = 'C:\Users\user1\Desktop\scriptfolder'
$security_parameters = @()

foreach ($dc in Get-Datacenter)
{
    Write-Host "current powershell version" -ForegroundColor Cyan
    $PSVersionTable.PSVersion

    foreach ($esxi in (Get-VMHost -Location $dc))
    {
        $distributedswitch = Get-VirtualSwitch -VMHost $esxi -Distributed
        $ssh_running_remote = Get-VMHostService -VMHost $esxi | Where-Object { $_.Key -eq "TSM-SSH" }

        # default port security policy of the distributed switch(es) the host is attached to
        $promiscousmode = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value
        $forgedtransmit = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
        $mac_address_change = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value

        $vmkmgmt = Get-VMHostNetworkAdapter -VMHost $esxi -VMKernel | Where-Object { $_.ManagementTrafficEnabled -eq $true }
        $dhcp_enabled = $vmkmgmt.DhcpEnabled

        # the line asked about (orange in the original post): this is an array of
        # firewall exception objects, which Out-File cannot print as a single cell
        $ports_enabled = Get-VMHostFirewallException -VMHost $esxi -Enabled:$true

        $local_tech_support = Get-VMHost $esxi | Get-View | Where-Object { $_.Summary.Config.Product.Name -match "i" } |
            Select-Object Name, @{N = "localTechSuportModeEnabled"; E = { (Get-VMHost $_.Name | Get-VMHostAdvancedConfiguration -Name VMkernel.Boot.techSupportMode).Values } }
        $local_tech_support.localTechSuportModeEnabled

        # set per host so a value from the previous host does not carry over
        $localtechsupportenabled = "$($local_tech_support.localTechSuportModeEnabled)"
        if ([string]::IsNullOrEmpty($localtechsupportenabled))
        {
            $localtechsupportenabled = "False"
        }

        $vmkernel = Get-Log -VMHost $esxi -Key vmkernel
        $presence_vmkernel = "False"
        if ($null -ne $vmkernel.Entries)
        {
            $presence_vmkernel = "True"
        }

        $output = New-Object -TypeName PSObject
        $output | Add-Member -MemberType NoteProperty -Name 'esxiname' -Value $esxi.Name
        $output | Add-Member -MemberType NoteProperty -Name 'distributedswitch' -Value $distributedswitch.Name
        $output | Add-Member -MemberType NoteProperty -Name 'whetherremote_ssh_running' -Value $ssh_running_remote.Running
        $output | Add-Member -MemberType NoteProperty -Name 'promiscousmode' -Value $promiscousmode
        $output | Add-Member -MemberType NoteProperty -Name 'forgedtransmit' -Value $forgedtransmit
        $output | Add-Member -MemberType NoteProperty -Name 'mac_address_change' -Value $mac_address_change
        $output | Add-Member -MemberType NoteProperty -Name 'vmkernellogs_presence' -Value $presence_vmkernel
        $output | Add-Member -MemberType NoteProperty -Name 'whether mgmt ip assigned by dhcp' -Value $dhcp_enabled
        $output | Add-Member -MemberType NoteProperty -Name 'ports enabled' -Value $ports_enabled
        $output | Add-Member -MemberType NoteProperty -Name 'whether local tech support mode enabled' -Value $localtechsupportenabled
        $security_parameters += $output
    }
}

$security_parameters | Out-File "$path\secp.txt"

Accepted Solutions

LucD
Try something like this (I split it into incoming and outgoing).

$vcenter = Read-Host "please provide vcentername"
$credential_vcenter = Get-Credential
# Connect-VIServer returns the connection object; piping it to Out-Null would leave $conn empty,
# and the credential collected above has to be passed in or it is never used
$conn = Connect-VIServer -Server $vcenter -Credential $credential_vcenter

#only for distributed switches .
#for hostd presence we need openssh module though it should be present by default.
$path = 'C:\Users\user1\Desktop\scriptfolder'
$security_parameters = @()

foreach ($dc in Get-Datacenter)
{
    Write-Host "Current PowerShell version $(($PSVersionTable.PSVersion).ToString())" -ForegroundColor Cyan

    foreach ($esxi in (Get-VMHost -Location $dc))
    {
        $distributedswitch = Get-VirtualSwitch -VMHost $esxi -Distributed
        $ssh_running_remote = Get-VMHostService -VMHost $esxi | Where-Object { $_.Key -eq "TSM-SSH" }

        # default port security policy of the distributed switch(es) the host is attached to
        $promiscousmode = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value
        $forgedtransmit = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
        $mac_address_change = $distributedswitch.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value

        $vmkmgmt = Get-VMHostNetworkAdapter -VMHost $esxi -VMKernel | Where-Object { $_.ManagementTrafficEnabled -eq $true }
        $dhcp_enabled = $vmkmgmt.DhcpEnabled

        # each enabled exception lists its ports as a comma-separated string; flatten them and join with '|'
        # (no [int] cast: some rulesets carry ranges such as 1000-9999, which would fail to convert)
        $ports_enabled = Get-VMHostFirewallException -VMHost $esxi -Enabled:$true
        $inports = ($ports_enabled.IncomingPorts | ForEach-Object { $_.Split(',') } | Where-Object { $_ } | ForEach-Object { $_.Trim(' ') }) -join '|'
        $outports = ($ports_enabled.OutgoingPorts | ForEach-Object { $_.Split(',') } | Where-Object { $_ } | ForEach-Object { $_.Trim(' ') }) -join '|'

        # Get-AdvancedSetting returns AdvancedSetting objects, so the setting is in .Value
        # (.Values was a property of the hashtable that Get-VMHostAdvancedConfiguration returned)
        $local_tech_support = $esxi |
            Where-Object { $_.ExtensionData.Summary.Config.Product.Name -match "i" } |
            Select-Object Name,
                @{N = "localTechSuportModeEnabled"; E = { (Get-AdvancedSetting -Entity $esxi -Name VMkernel.Boot.techSupportMode).Value } }

        # set per host so a value from the previous host does not carry over
        $localtechsupportenabled = "$($local_tech_support.localTechSuportModeEnabled)"
        if ([string]::IsNullOrEmpty($localtechsupportenabled))
        {
            $localtechsupportenabled = "False"
        }

        $vmkernel = Get-Log -VMHost $esxi -Key vmkernel
        $presence_vmkernel = "False"
        if ($null -ne $vmkernel.Entries)
        {
            $presence_vmkernel = "True"
        }

        $output = New-Object -TypeName PSObject
        $output | Add-Member -MemberType NoteProperty -Name 'esxiname' -Value $esxi.Name
        $output | Add-Member -MemberType NoteProperty -Name 'distributedswitch' -Value ($distributedswitch.Name -join '|')
        $output | Add-Member -MemberType NoteProperty -Name 'whetherremote_ssh_running' -Value $ssh_running_remote.Running
        $output | Add-Member -MemberType NoteProperty -Name 'promiscousmode' -Value $promiscousmode
        $output | Add-Member -MemberType NoteProperty -Name 'forgedtransmit' -Value $forgedtransmit
        $output | Add-Member -MemberType NoteProperty -Name 'mac_address_change' -Value $mac_address_change
        $output | Add-Member -MemberType NoteProperty -Name 'vmkernellogs_presence' -Value $presence_vmkernel
        $output | Add-Member -MemberType NoteProperty -Name 'whether mgmt ip assigned by dhcp' -Value $dhcp_enabled
        $output | Add-Member -MemberType NoteProperty -Name 'incoming ports enabled' -Value $inports
        $output | Add-Member -MemberType NoteProperty -Name 'outgoing ports enabled' -Value $outports
        $output | Add-Member -MemberType NoteProperty -Name 'whether local tech support mode enabled' -Value $localtechsupportenabled
        $security_parameters += $output
    }
}

$security_parameters | Out-File -FilePath "$path\secp.txt"


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
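The second half of the question (getting the report into Excel) is not covered by the answer above. What follows is an added example, not Luc's code and not part of the original script: it takes the `-join` idiom used for the two port columns and applies it to every array-valued property of a report row, then writes the rows with `Export-Csv` (which Excel opens directly) and, when the third-party ImportExcel module is installed, to a native `.xlsx` workbook with its `Export-Excel` cmdlet. The function names, the `secp.csv`/`secp.xlsx` file names and the sample rows are my own constructions; the sample rows stand in for `$security_parameters` so the code runs without a vCenter connection.

```powershell
# Added example, not from the thread. Flattens array-valued columns with -join and exports the
# report for Excel. Assumes: ImportExcel module (third party) for the .xlsx branch; rows shaped
# like the $security_parameters objects built in the script above.

function ConvertTo-FlatRow {
    param(
        [Parameter(ValueFromPipeline, Mandatory)]$InputObject,
        [string]$Separator = '|'
    )
    process {
        $row = [ordered]@{}
        foreach ($prop in $InputObject.PSObject.Properties) {
            $value = $prop.Value
            # strings are IEnumerable too, so exclude them explicitly; booleans and numbers fall through
            if ($null -ne $value -and $value -isnot [string] -and $value -is [System.Collections.IEnumerable]) {
                $value = ($value | ForEach-Object {
                    if ($_.PSObject.Properties['IncomingPorts']) {
                        # firewall exception objects: keep the rule name and both port directions
                        "$($_.Name)(in:$($_.IncomingPorts);out:$($_.OutgoingPorts))"
                    } elseif ($_.PSObject.Properties['Name']) {
                        $_.Name        # other PowerCLI objects (switches, adapters): their name
                    } else {
                        "$_"           # scalars: their string form
                    }
                }) -join $Separator
            }
            $row[$prop.Name] = $value
        }
        [PSCustomObject]$row
    }
}

function Export-SecurityReport {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][string]$Folder
    )
    $flat = $Rows | ConvertTo-FlatRow
    # CSV keeps every column intact; Out-File writes the console table, which truncates wide rows
    $flat | Export-Csv -Path (Join-Path $Folder 'secp.csv') -NoTypeInformation -UseCulture
    if (Get-Module -ListAvailable -Name ImportExcel) {
        $flat | Export-Excel -Path (Join-Path $Folder 'secp.xlsx') -WorksheetName 'ESXi security' -AutoSize -FreezeTopRow
    }
}

# Constructed sample rows standing in for $security_parameters (no vCenter needed to run this)
$sample = @(
    [PSCustomObject]@{
        esxiname          = 'esx01.example.test'
        distributedswitch = @('dvs-prod', 'dvs-mgmt')
        promiscousmode    = $false
        'ports enabled'   = @(
            [PSCustomObject]@{ Name = 'sshServer';     IncomingPorts = '22'; OutgoingPorts = '' },
            [PSCustomObject]@{ Name = 'vpxHeartbeats'; IncomingPorts = '';   OutgoingPorts = '902' }
        )
    }
)
$sample | ConvertTo-FlatRow | Format-List
# distributedswitch becomes 'dvs-prod|dvs-mgmt' and
# 'ports enabled' becomes 'sshServer(in:22;out:)|vpxHeartbeats(in:;out:902)'

# With the real data from the script: Export-SecurityReport -Rows $security_parameters -Folder $path
```

Because the flattening is done once on the finished rows, the collection loop in the script can keep storing the raw PowerCLI objects (the original "orange line" as it was), and the decision about how each column is rendered lives in one place.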

jvm2016

Thanks Luc. I am going to check this. Do you see any scope for putting anything related to encryption in this script?

LucD

What encryption do you mean?
You could check if there is a KMS server present and if encryption is enabled on the ESXi nodes.
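As an added example (not Luc's code, and not part of the script in this thread), here is how those two checks can be done with the vSphere API objects that PowerCLI exposes through `Get-View`: the `CryptoManagerKmip` object lists the key providers (KMS clusters) registered with vCenter, and each host's `HostRuntimeInfo.cryptoState` reports whether the host is enabled for encryption and holds a host key. It assumes an existing `Connect-VIServer` session to a vSphere 6.5 or later vCenter; the function names and output column names are my own.

```powershell
# Added example, not from the thread. Assumes an active Connect-VIServer session (PowerCLI)
# against vSphere 6.5+; uses the CryptoManagerKmip and HostRuntimeInfo objects of the vSphere API.

function Get-KmsProviderReport {
    # One row per key provider (KMS cluster) registered with vCenter
    $si = Get-View ServiceInstance
    $cryptoManager = Get-View $si.Content.CryptoManager
    if (-not $cryptoManager.KmipServers) {
        Write-Warning "No KMS key provider is registered with this vCenter; VM and host encryption cannot be enabled"
        return
    }
    foreach ($cluster in $cryptoManager.KmipServers) {
        [PSCustomObject]@{
            keyProvider = $cluster.ClusterId.Id
            isDefault   = $cluster.UseAsDefault
            servers     = ($cluster.Servers | ForEach-Object { "$($_.Name)=$($_.Address):$($_.Port)" }) -join '|'
        }
    }
}

function Get-HostEncryptionReport {
    # Per-host state from HostRuntimeInfo.cryptoState:
    #   incapable        - not enabled for encryption, no host key
    #   prepared         - encryption mode enabled, but no host key set yet
    #   safe             - encryption mode enabled and host key set (encrypted VMs can run here)
    #   pendingIncapable - encryption explicitly disabled, takes effect after the next reboot
    param([Parameter(ValueFromPipeline, Mandatory)]$VMHost)
    process {
        $runtime = $VMHost.ExtensionData.Runtime
        [PSCustomObject]@{
            esxiname        = $VMHost.Name
            cryptoState     = $runtime.CryptoState
            encryptionReady = ($runtime.CryptoState -eq 'safe')
            # hosts without a key report these two as blank
            hostKeyId       = $runtime.CryptoKeyId.KeyId
            keyProviderId   = $runtime.CryptoKeyId.ProviderId.Id
        }
    }
}

# Usage alongside the rest of the report:
# Get-KmsProviderReport | Format-Table
# Get-VMHost | Get-HostEncryptionReport | Export-Csv "$path\encryption.csv" -NoTypeInformation
```

A host in the `prepared` state has encryption turned on but has never received a key, which usually means the key provider is unreachable or not trusted; a report that shows providers present but hosts stuck in `prepared` points at that connection rather than at the host setting.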

jvm2016

This works fine, and thanks for reminding me about the version of PowerShell :)
