
    Hardening Script - vmkernel monitoring


      I created this script to monitor the vmkernel logs for kernel modules that were loaded without a valid signature (hardening-guide item HMT15) and thought I would share it with everyone. It requires plink to be available, and because plink is run with -batch you must have cached each host's SSH host key beforehand (connect to every host interactively once with PuTTY or plink and accept the key); otherwise the unattended connection is refused rather than silently accepting an unknown key. If you run into any problems feel free to ask. Things surrounded by ** should be changed to your specific values. Note that the script connects as root and temporarily enables the SSH service on each host while it runs, so protect the script file and the account that runs it accordingly.

       

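      # ---------------------------------------------------------------------------
      # Setup: credentials, plink location, and the list of hosts to check.
      # Globals written here and read by the per-host loop below:
      #   $User, $Pswd, $plink, $plinkoptions, $vmhosts
      # ---------------------------------------------------------------------------

      # Account used for the direct ESXi connections and for the plink SSH sessions.
      $User = "root"

      # The root password is read from a DPAPI-protected file instead of being kept in
      # clear text in this script. Create the file once, as the same Windows user that
      # will run the script (the encryption is bound to that user and machine):
      #   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\software\esxi-root.cred
      # Restrict the NTFS permissions on the .cred file to that user.
      $PswdFile = "C:\software\esxi-root.cred"
      $SecurePswd = Get-Content $PswdFile | ConvertTo-SecureString

      # plink has no SecureString input, so the clear text still has to be materialised
      # in memory and is visible on the plink command line (-pw) in the process list of
      # the management host while each connection is open.
      # NOTE(review): moving the hosts to key-based SSH (plink -i keyfile) would remove
      # that exposure entirely; -pw is kept here only because the hosts are configured
      # for password authentication.
      $Pswd = (New-Object System.Net.NetworkCredential($User, $SecurePswd)).Password

      $plink = "C:\software\plink.exe"
      # -batch: never prompt. An unknown or changed SSH host key therefore aborts the
      # connection instead of being accepted, so every host key must be cached before
      # the script is run unattended. -v only adds verbose connection output to stderr.
      $plinkoptions = " -v -batch -pw $Pswd"

      # Host inventory is taken from vCenter using the current Windows session
      # (no explicit credential is passed to Connect-VIServer here).
      Connect-VIServer **VCENTER_NAME**
      $vmhosts = Get-VMHost
      Disconnect-VIServer -Server * -Confirm:$false -Force:$true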

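      # Runs one command on an ESXi host over SSH with plink and returns its output.
      # Arguments are passed as an array rather than through Invoke-Expression, so the
      # password, host name and command are never re-parsed by PowerShell: the original
      # string-built command broke on a password or host name containing quotes or
      # spaces and would have executed anything embedded in them. Globals read:
      # $plink, $User, $Pswd.
      #   HostName      - ESXi host to connect to
      #   RemoteCommand - command line to run on the host
      function Invoke-HostSsh
      {
          param([string]$HostName, [string]$RemoteCommand)
          # -batch: never prompt; an unknown or changed host key aborts the connection
          # instead of being accepted, which is what an unattended run should do.
          $plinkArgs = @("-batch", "-pw", $Pswd, "$User@$HostName", $RemoteCommand)
          $output = (& $plink @plinkArgs 2>&1 | Out-String)
          # The original ran plink with -ErrorAction SilentlyContinue and never looked at
          # the result, so a refused host key or a failed copy went unnoticed.
          if ($LASTEXITCODE -ne 0)
          {
              Write-Warning ("plink to {0} failed (exit {1}) running: {2}" -f $HostName, $LASTEXITCODE, $RemoteCommand)
          }
          return $output
      }

      # Local directory that keeps one copied log per host and day.
      $localReportDir = "c:\kernelcheck"
      if (-not (Test-Path $localReportDir))
      {
          New-Item -ItemType Directory -Path $localReportDir | Out-Null
      }

      foreach ($vmhost in $vmhosts)
      {
          $computer = $vmhost.Name

          # Per-host accumulators. The original never reset $emailbody, so every host
          # after the first was reported together with the previous hosts' lines.
          $emailbody = @()
          $cnt = 0

          # Enable the SSH service (TSM-SSH) on this host only for the duration of the
          # check. The finally block below turns it off again even if a step in between
          # fails; the original left SSH enabled on any error.
          Connect-VIServer **VCENTER_NAME**
          Get-VMHostService -VMHost $vmhost `
              | where {$_.Key -eq "TSM-SSH"} `
              | Start-VMHostService
          Disconnect-VIServer -Server * -Confirm:$false -Force:$true

          try
          {
              # If hardening item HCM05 is in place the host's HTTPS proxy service has
              # been removed; re-add it temporarily so Connect-VIServer can talk to the
              # host directly. It is removed again in the finally block.
              Invoke-HostSsh $computer 'vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309' | Out-Null

              # Stage a copy of the host log on the local datastore so it can be pulled
              # down through the VimDatastore provider. mkdir -p was added so the copy
              # does not fail silently when the kernel directory does not exist yet.
              Invoke-HostSsh $computer "mkdir -p /vmfs/volumes/**LOCALDATASTORE**/kernel && cp /var/log/messages /vmfs/volumes/**LOCALDATASTORE**/kernel/info.report" | Out-Null

              # Direct connection to the host (not vCenter) for the datastore provider.
              Connect-VIServer $vmhost.Name -User $User -Password $Pswd

              # The placeholder must be a string; the original had it unquoted.
              $dsname = "**DATASTORENAME**"
              $datastore = Get-Datastore $dsname

              $date = Get-Date
              $filename = Join-Path $localReportDir ("{0}.{1}.{2}-{3}-kernelcheck.report" -f $date.Month, $date.Day, $date.Year, $vmhost.Name)

              $psdrive = New-PSDrive -Name ds -PSProvider VimDatastore -Root "/" -Location $datastore
              Copy-DatastoreItem -Item "ds:\kernel\info.report" -Destination "$localReportDir\"
              Sleep 10
              # Remove the staged copy so the datastore does not accumulate log snapshots.
              Remove-Item "ds:\kernel\info.report"
              Remove-PSDrive -Name ds
              Disconnect-VIServer * -Confirm:$false

              # Move-Item -Force so a second run on the same day replaces the report
              # instead of failing on the rename.
              Move-Item -Path (Join-Path $localReportDir "info.report") -Destination $filename -Force

              foreach ($line in (Get-Content $filename))
              {
                  if ($line -like "*Kernel module*no signature*")
                  {
                      $emailbody += $line
                      $cnt += 1
                  }
              }

              if ($cnt -eq 0)
              {
                  Write-Host "$computer : There were no unsigned kernels loaded."
              }
              else
              {
                  # One line per finding; the original concatenated them without separators.
                  $msg = $emailbody -join "`r`n"

                  $emailFrom = "**VCENTER_NAME**"
                  $emailTo = "**RECIPIENTS**"
                  $subject = "Unsigned Kernel Check"
                  $body = $msg
                  $smtpServer = "**MAILSERVER**"

                  # NOTE(review): this is unauthenticated, unencrypted SMTP relay; the
                  # body contains raw host log lines. Keep it on an internal relay only.
                  $smtp = new-object Net.Mail.SmtpClient($smtpServer)
                  $smtp.Send($emailFrom,$emailTo,$subject,$body)
              }
          }
          finally
          {
              # Undo the temporary changes on the host regardless of how the try
              # block ended: drop the datastore drive if it is still mapped, remove
              # the proxy service re-added for HCM05, and stop SSH again.
              if (Get-PSDrive -Name ds -ErrorAction SilentlyContinue)
              {
                  Set-Location c:\
                  Remove-PSDrive -Name ds
              }

              Invoke-HostSsh $computer 'vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"' | Out-Null

              Connect-VIServer **VCENTER_NAME**
              Get-VMHostService -VMHost $vmhost `
                  | where {$_.Key -eq "TSM-SSH"} `
                  | Stop-VMHostService -Confirm:$false
              Disconnect-VIServer -Server * -Confirm:$false -Force:$true
          }
      }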