0 Replies Latest reply on Nov 11, 2013 3:54 PM by kderres

    Hardening Script for 5.1 feedback

    kderres Lurker

      I have recently come across the vmwarevSphereSecurityHardeningReportCheck.pl script and have been using it in conjunction with the vSphere 5.1 Hardening Guide to secure a new installation. I am planning to utilize the guide and checker script combination to get my hardening approved so that our project can move forward. First of all, let me echo all of those who say this is an immensely helpful tool that is saving me a ton of time.

      Here are the specs of the installation:

      • vCenter Server Appliance 5.1u1
      • ESXi 5.1u1
      • vMA 5.1
      • v247 of the vmwarevSphereSecurityHardeningReportCheck.pl script downloaded from SourceForge.

      I have run the script from vMA against "profile 1", and it seems to run properly, generating the HTML report at the end for my review. My question is regarding several instances where the information in the checking script is in conflict with what is in the hardening guide.

      For example:

      • The check for "enable-bpdu-filter" under vnetwork says to set Net.BlockGuestBPDU to 1 on each ESXi host. Then when you run the scanner, it tells you to set it to 1. In this case, it looks to be checking for a 0, not a 1, but has the correct accompanying text.
      • Despite testing against profile 1, the test for limit-console-connections-two (listed for profile 3 in the guide) is run, instead of limit-console-connections-one (listed for profiles 1 and 2 in the guide).

      I am looking for the best place to report these, and to see if other issues like this have been found. I appreciate any information that anyone has.

      Kevin