VMware Cloud Community
esxi1979
Expert

PowerCLI for VM hardening 5.5

Can someone please confirm that the below can be used for VM hardening :- (I got it from a post)

"Thanks for the tip, I was working on a PowerCLI script that complies with the DISA STIG and the hardening guide and this gave me the missing piece. Here it is in summary:

I created the d:\vmware stig\stig_vm.txt file with the following input taken from the DISA STIG:"
isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,1
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE
isolation.tools.hgfsServerSet.disable,TRUE
isolation.device.edit.disable,TRUE
isolation.tools.autoInstall.disable,TRUE
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,FALSE
isolation.tools.setGUIOptions.enable,FALSE
isolation.tools.paste.disable,TRUE
isolation.tools.ghi.autologon.disable,TRUE
isolation.bios.bbs.disable,TRUE
isolation.tools.getCreds.disable,TRUE
isolation.tools.ghi.launchmenu.change,TRUE
isolation.tools.memSchedFakeSampleStats.disable,TRUE
isolation.tools.ghi.protocolhandler.info.disable,TRUE
isolation.ghi.host.shellAction.disable,TRUE
isolation.tools.dispTopoRequest.disable,TRUE
isolation.tools.trashFolderState.disable,TRUE
isolation.tools.ghi.trayicon.disable,TRUE
isolation.tools.unity.disable,TRUE
isolation.tools.unityInterlockOperation.disable,TRUE
isolation.tools.unity.push.update.disable,TRUE
isolation.tools.unity.taskbar.disable,TRUE
isolation.tools.unityActive.disable,TRUE
isolation.tools.unity.windowContents.disable,TRUE
isolation.tools.vmxDnDVersionGet.disable,TRUE
isolation.tools.guestDnDVersionSet.disable,TRUE
isolation.tools.vixMessage.disable,TRUE
tools.setinfo.sizeLimit,1048576

$stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value

# APPLY TO JUST MY_VM1
foreach ($line in $stig_vm) {
    New-AdvancedSetting -Entity (Get-VM -Name MY_VM1) -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select-Object Entity, Name, Value
}

# APPLY TO ALL VMs
$output = 'D:\VMWARE STIG\stig_vm_results.csv'   # placeholder path; $output was never defined in the original
$vms = Get-VM                                    # query the inventory once, not on every loop pass
$results = foreach ($line in $stig_vm) {
    $vms | New-AdvancedSetting -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select-Object Entity, Name, Value
}
$results | Export-Csv -Path $output -NoTypeInformation   # export once; Export-Csv inside the loop overwrote the file each pass

I tried to follow the xls published by VMware, but I am not getting it, e.g.

# List the VMs and their current settings

Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable" | Select Entity, Name, Value

It gives me no output. What does that mean?

Please help

thanks

Accepted Solution
LucD
Leadership

I was referring to the VirtualMachineConfigSpec to explain what happens under the covers of the cmdlet.

You can check this with Onyx.

When a specific setting is not present, the default value will be used.

That doesn't mean that the default value will show up when you list the advanced settings.

So the script should work.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
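The point above, that an absent key means "default applies" and simply does not appear in Get-AdvancedSetting output, is easy to misread as a failed remediation. The following audit script is an added example (not code from this thread or from LucD) that reports each desired key per VM as Compliant, NonCompliant or NotSet and optionally remediates; it assumes an existing Connect-VIServer session, and the stig file path and report path are placeholders.

```powershell
# Added example: audit VMs against the stig_vm.txt list before (optionally) remediating.
# A key that is not present in the VMX is reported as 'NotSet' (the default applies),
# not as a failure, which is why Get-AdvancedSetting returns nothing for it.
$stigFile   = 'D:\VMWARE STIG\stig_vm.txt'        # placeholder, matches the poster's layout
$reportPath = 'D:\VMWARE STIG\stig_vm_audit.csv'  # placeholder, constructed for this example
$remediate  = $false                               # set to $true to apply the desired values

# Build the desired list. @{} hashtables compare keys case-insensitively, so the
# tools.setInfo.sizeLimit / tools.setinfo.sizeLimit duplicates collapse to one entry.
$desired = @{}
foreach ($row in Import-Csv -Path $stigFile -Header Name,Value) {
    if (-not [string]::IsNullOrWhiteSpace($row.Name)) {
        $desired[$row.Name.Trim()] = $row.Value.Trim()
    }
}

$report = foreach ($vm in Get-VM) {
    # One call per VM returns every explicitly set key; absent keys are simply missing.
    $current = @{}
    foreach ($s in Get-AdvancedSetting -Entity $vm) { $current[$s.Name] = [string]$s.Value }

    foreach ($name in $desired.Keys) {
        $want  = $desired[$name]
        $have  = $current[$name]          # $null when the key is not in the VMX
        $state = if ($null -eq $have)     { 'NotSet' }
                 elseif ($have -ieq $want) { 'Compliant' }
                 else                      { 'NonCompliant' }

        if ($remediate -and $state -ne 'Compliant') {
            # -Force lets New-AdvancedSetting overwrite an existing key with a new value.
            New-AdvancedSetting -Entity $vm -Name $name -Value $want -Force -Confirm:$false | Out-Null
        }

        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState   # some keys only persist after power-off or vMotion
            Setting    = $name
            Desired    = $want
            Current    = $have
            State      = $state
        }
    }
}

$report | Export-Csv -Path $reportPath -NoTypeInformation
$report | Group-Object State | Select-Object Name, Count
```

Run it first with $remediate left at $false to see how many keys are merely NotSet versus actually NonCompliant; the PowerState column flags the VMs where a change may not be permanent until the next power-off or vMotion.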

9 Replies
LucD
Leadership

That would mean that the setting "isolation.tools.autoinstall.disable" is not present in the advanced settings; in other words, it is not set.


esxi1979
Expert

Thanks, so the script should be fine, i.e. use New-AdvancedSetting to get these values set?

$stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value

$output = 'D:\VMWARE STIG\stig_vm_results.csv'   # placeholder path; $output was never defined in the original
$results = foreach ($line in $stig_vm) {
    Get-VM | New-AdvancedSetting -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select-Object Entity, Name, Value
}
$results | Export-Csv -Path $output -NoTypeInformation   # export once, after the loop

esxi1979
Expert

I tested the script and it works ... I was under the impression that the VM should be in powered-off status ... but it (only tested with this parameter) worked without powering off ... Please share your thoughts LucD

Entity                Name                  Value
------                ----                  -----
xxx        isolation.tools.autoIns... TRUE
LucD
Leadership

Under the covers the advanced settings are set in 2 ways.

Via a property in the VirtualMachineConfigSpec object, or if there is no property, via the ExtraConfig property in the same object.

For several of these options the VM needs to be powered off (which is what can be seen in the vSphere client as well) to make the change permanent.

An alternative is to vMotion the VM after you changed specific advanced settings, that will make your changes permanent as well.


esxi1979
Expert

OK, so the script should work well then? I.e. Get-VM | New-AdvancedSetting -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output ?

I am confused, as in the above I am not using VirtualMachineConfigSpec or ExtraConfig at all, but the values do get changed ...


Please advise.

esxi1979
Expert

I think the script should do the job as the doc says :-

PowerCLI Command Remediation

# Add the setting to all VMs

Get-VM | New-AdvancedSetting -Name "isolation.tools.autoInstall.disable" -value $true

what the script does is

Get-VM | New-AdvancedSetting -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output

so identical :)

esxi1979
Expert

QQ, per the xls,

Configuration Parameter    Desired Value

isolation.tools.copy.disable    TRUE

And

Is desired value the default? YES

PowerCLI C:\powerCLI\scriptis> Get-VM xxx | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | Select Entity, Name, Value

PowerCLI C:\powerCLI\scriptis>

This confuses me, the xls needs to be corrected.

The desired value is TRUE, and if that is the default value as well, then why is it not showing up?

Also, as you mentioned, there should be some column which says needs reboot Yes/No ...

Please share your thoughts

esxi1979
Expert

Thanks LucD, that makes sense now.
