5 Replies Latest reply on Jan 23, 2012 7:27 AM by bleibold

    HCM

    bleibold Enthusiast

      Hi,

       

      I have downloaded the latest version of the script and have been running it against some test ESX 4.0 Update 2 servers.  I am getting a fail on HCM04 even though I believe I have everything set right.  I took a look at the script and this doesn't look right to me, but I know virtually nothing about perl, so I might be way off base here.  I did a search on the forum and didn't find anyone else mentioning the issue, so I think it might just be me, but wanted to check.

       

      my $accessmode_results = `grep -i "<accessMode>" "$folder/proxy.xml" | grep -iE '(httpAndHttp|httpsOnl)'`;
          if($accessmode_results ne '') {
           $success = 0;
           $resolution = "&#60;accessMode&#62; in proxy.xml should not be configured to allow HTTP";
           &log("HOST",$hostname,$code,$desc,$success,"N/A",$resolution);

       

      Shouldn't httpAndHttp|httpsOnl be httpAndHttp|httpOnly?  Seems like a 'y' is missing, probably not a big deal, but shouldn't it be looking for httpOnly, not httpsOnly?

       

      Thanks,

      Bob

        • 1. Re: HCM
          lamw Guru
          VMware Employees, Community Warriors

          Hi bleibold,

           

          The grep is actually fine even with the missing "y", it'll still catch it. I'll need to double check the Hardening Guide, I know there were some minor changes in one of the recent releases.

           

          Thanks for reporting the bug.

          • 2. Re: HCM
            bleibold Enthusiast

            Lamw,

             

            Thanks for the reply.  Figured the missing 'y' wasn't a big deal.

             

            My larger question is with what the script is grepping for.  The current script greps for httpAndHttp|httpSOnl.  Note the 'S'.  Then it seems to see if the result of that is not equal to null/blank, you will get a failure message.  It seems like it should be grepping for httpAndHttp|httpOnly. Since the current script greps for both http and httpS seems like you will get a failure no matter how you have configured the file.

             

            Again, I know virtually nothing about perl and am only slightly fluent with Linux so I might be reading the script wrong.

             

            Thanks,

            Bob

            • 3. Re: HCM
              lamw Guru
              VMware Employees, Community Warriors

              FYI - The script is just making a call out to system grep; -i is for case-insensitive and -E is an extended grep, so with '(foo|bar)' it can match either one.

               

              The real question, as you have mentioned, is whether it's supposed to be "httpsOnly" or "httpOnly". I'll need to double check the doc; there might have been a change, or there was a doc typo when I wrote the script, as the checks were copy/paste (though I could have fat fingered).

              • 4. Re: HCM
                lamw Guru
                VMware Employees, Community Warriors

                I just took a look at the vSphere Security Hardening Guide for vSphere 4.0 which is where HCM04 is applicable and it has the following:

                httpsWithRedirect or httpsOnly

                 

                I'll add this to the backlog to get fixed

                 

                Thanks

                • 5. Re: HCM
                  bleibold Enthusiast

                  Lamw,

                   

                  Thanks for checking into it.  I'll look for the updated script at some point.  I am still a bit confused with the script statement.  Should it read:

                   

                  my $accessmode_results = `grep -i "<accessMode>" "$folder/proxy.xml" | grep -iE '(httpsWithRedirect|httpsOnly)'`;
                      if($accessmode_results ne '') {
                       $success = 0;
                       $resolution = "&#60;accessMode&#62; in proxy.xml should not be configured to allow HTTP";
                       &log("HOST",$hostname,$code,$desc,$success,"N/A",$resolution);

                   

                  or

                   

                  my $accessmode_results = `grep -i "<accessMode>" "$folder/proxy.xml" | grep -iE '(httpAndHttps|httpOnly)'`;
                      if($accessmode_results ne '') {
                       $success = 0;
                       $resolution = "&#60;accessMode&#62; in proxy.xml should not be configured to allow HTTP";
                       &log("HOST",$hostname,$code,$desc,$success,"N/A",$resolution);

                   

                  It seems you want the IF statement that follows, "if($accessmode_results ne '')", to not be true, in other words, you don't want to find anything via the grep command above.  I assume ne '' means not equal to blank or nothing or empty.  If that is true, then it seems you want to grep for httpAndHttps|httpOnly as those are what you do NOT want in the file.  If you grep for httpsWithRedirect|HttpsOnly, which is what you want, you'll get results and the if statement will be true and you'll get a failure.

                   

                  Am I reading this right?

                   

                  Thanks again for all your work on this script, it's really helpful!

                   

                  Bob
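
Added example, not part of the thread or of the script under discussion: a shell sketch that compares the grep pattern from the first post with an allowlist check built from the two values quoted from the Hardening Guide in reply 4. The function names (`access_modes`, `hcm04_check`, `original_flags`, `make_samples`) and the sample files are constructed for illustration, and the simplified one-element-per-line file layout is an assumption.

```bash
#!/usr/bin/env bash
# Allowlist: the two values quoted from the Hardening Guide in reply 4.
# Matching is case-insensitive, as in the script's own grep -i.
ALLOWED='^(httpsWithRedirect|httpsOnly)$'

# Print every <accessMode> value found in the file, one per line.
access_modes() {
  grep -io '<accessMode>[^<]*</accessMode>' "$1" | sed -e 's/<[^>]*>//g'
}

# Print the values outside the allowlist; return 0 (pass) only if none exist.
hcm04_check() {
  local bad
  bad=$(access_modes "$1" | grep -viE "$ALLOWED" || true)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Pattern from the first post, unchanged: returns 0 when it would log a failure.
original_flags() {
  grep -i '<accessMode>' "$1" | grep -qiE '(httpAndHttp|httpsOnl)'
}

# Constructed sample files (hypothetical, not taken from a real host).
make_samples() {
  local dir; dir=$(mktemp -d)
  printf '<accessMode>%s</accessMode>\n' httpsOnly httpsWithRedirect > "$dir/good.xml"
  printf '<accessMode>%s</accessMode>\n' httpsWithRedirect httpAndHttps > "$dir/mixed.xml"
  printf '<accessMode>%s</accessMode>\n' httpOnly > "$dir/httponly.xml"
  echo "$dir"
}

# Side-by-side result of both checks for each sample.
dir=$(make_samples)
for f in good mixed httponly; do
  if hcm04_check "$dir/$f.xml" >/dev/null; then new=pass; else new=fail; fi
  if original_flags "$dir/$f.xml"; then old=fail; else old=pass; fi
  echo "$f.xml: allowlist=$new original_pattern=$old"
done
```

On these samples the original pattern reports a failure for the file that contains only `httpsOnly` and `httpsWithRedirect`, and reports nothing for the file that contains only `httpOnly`; the allowlist check gives the opposite result in both cases.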