Can someone please confirm that the below can be used for VM hardening? (I got it from a post.)
"Thanks for the tip, I was working on a PowerCLI script that complies with the DISA STIG and the hardening guide, and this gave me the missing piece. Here it is in summary:
I created a d:\vmware stig\stig_vm.txt file with the following input taken from the DISA STIG:"
isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,1
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE
isolation.tools.hgfsServerSet.disable,TRUE
isolation.device.edit.disable,TRUE
isolation.tools.autoInstall.disable,TRUE
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,FALSE
isolation.tools.setGUIOptions.enable,FALSE
isolation.tools.paste.disable,TRUE
isolation.tools.ghi.autologon.disable,TRUE
isolation.bios.bbs.disable,TRUE
isolation.tools.getCreds.disable,TRUE
isolation.tools.ghi.launchmenu.change,TRUE
isolation.tools.memSchedFakeSampleStats.disable,TRUE
isolation.tools.ghi.protocolhandler.info.disable,TRUE
isolation.ghi.host.shellAction.disable,TRUE
isolation.tools.dispTopoRequest.disable,TRUE
isolation.tools.trashFolderState.disable,TRUE
isolation.tools.ghi.trayicon.disable,TRUE
isolation.tools.unity.disable,TRUE
isolation.tools.unityInterlockOperation.disable,TRUE
isolation.tools.unity.push.update.disable,TRUE
isolation.tools.unity.taskbar.disable,TRUE
isolation.tools.unityActive.disable,TRUE
isolation.tools.unity.windowContents.disable,TRUE
isolation.tools.vmxDnDVersionGet.disable,TRUE
isolation.tools.guestDnDVersionSet.disable,TRUE
isolation.tools.vixMessage.disable,TRUE
tools.setinfo.sizeLimit,1048576
$stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value
$output = 'D:\VMWARE STIG\stig_vm_results.csv'   # output path was not defined in the original post; assumed here
# APPLY TO JUST MY_VM1
foreach ($line in $stig_vm) {
    New-AdvancedSetting -Entity MY_VM1 -Name ($line.Name) -Value ($line.Value) -Force -Confirm:$false | Select Entity, Name, Value
}
# APPLY TO ALL VM
foreach ($line in $stig_vm) {
    # -Append keeps the rows from every loop pass; without it each setting overwrites the file
    Get-VM | New-AdvancedSetting -Name ($line.Name) -Value ($line.Value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output -Append -NoTypeInformation
}
I tried to follow the xls published by VMware, but I am not getting it, e.g.
# List the VMs and their current settings
Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable"| Select Entity, Name, Value
It gives me no output. What does that mean?
Please help.
Thanks
That would mean that the setting "isolation.tools.autoinstall.disable" is not present in the advanced settings; in other words, it is not set.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks, so the script should be fine, i.e. use New-AdvancedSetting to get these values set?
$stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value
$output = 'D:\VMWARE STIG\stig_vm_results.csv'   # output path was not defined in the original post; assumed here
foreach ($line in $stig_vm) {
    # -Append keeps the rows from every loop pass; without it each setting overwrites the file
    Get-VM | New-AdvancedSetting -Name ($line.Name) -Value ($line.Value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output -Append -NoTypeInformation
}
I tested the script and it works... I was under the impression that the VM should be in a powered-off state, but it (only tested with this parameter) worked without powering off... Please share your thoughts, LucD.
Entity | Name                       | Value
------ | -------------------------- | -----
xxx    | isolation.tools.autoIns... | TRUE
Under the covers the advanced settings are set in 2 ways.
Via a property in the VirtualMachineConfigSpec object, or if there is no property, via the ExtraConfig property in the same object.
For several of these options the VM needs to be powered off (which is what can be seen in the vSphere client as well) to make the change permanent.
An alternative is to vMotion the VM after you changed specific advanced settings, that will make your changes permanent as well.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
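The audit-then-remediate flow the thread converges on, written out as an added example (my code, not LucD's or the original poster's). It assumes an open PowerCLI session (Connect-VIServer), the Name,Value file layout from the first post, and the file paths shown, which are placeholders. It records the absent-versus-set distinction LucD describes (Get-AdvancedSetting returns nothing when a key is not explicitly set, so absence means the default is in use) and the VM power state, since some keys only become permanent after a power-off or vMotion:

```powershell
# Added example, not from the thread. Audits VM advanced settings against a
# Name,Value CSV, treating an absent key as "default in use", and remediates
# only when -Remediate is given. Assumes an existing PowerCLI session.
param(
    [string]$CsvPath = 'D:\VMWARE STIG\stig_vm.txt',       # assumed path
    [string]$Report  = 'D:\VMWARE STIG\stig_vm_audit.csv', # assumed path
    [switch]$Remediate
)

# The posted list repeats a few keys (case differs on one); Sort -Unique is
# case-insensitive, so each key is applied once.
$desired = Import-Csv -Path $CsvPath -Header Name, Value | Sort-Object Name -Unique

$results = foreach ($vm in Get-VM) {
    # Fetch every advanced setting once per VM instead of once per key.
    # A PowerShell hashtable is case-insensitive, matching how the keys behave.
    $current = @{}
    Get-AdvancedSetting -Entity $vm | ForEach-Object { $current[$_.Name] = $_ }

    foreach ($d in $desired) {
        $setting = $current[$d.Name]
        if ($null -eq $setting) {
            # Key not written to the VMX: Get-AdvancedSetting shows nothing,
            # the hypervisor default applies, and the audit cannot prove compliance.
            $state = 'NotSet'
        } elseif ("$($setting.Value)" -eq "$($d.Value)") {   # -eq is case-insensitive for strings
            $state = 'Compliant'
        } else {
            $state = 'NonCompliant'
        }

        if ($Remediate -and $state -ne 'Compliant') {
            # -Force writes the key whether or not it already exists.
            New-AdvancedSetting -Entity $vm -Name $d.Name -Value $d.Value -Force -Confirm:$false | Out-Null
            $state = "$state->Set"
        }

        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState   # PoweredOn VMs may need power-off or vMotion for some keys to persist
            Name       = $d.Name
            Desired    = $d.Value
            Current    = if ($setting) { $setting.Value } else { '(default)' }
            State      = $state
        }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
# Show only what still needs attention
$results | Where-Object { $_.State -ne 'Compliant' } | Format-Table -AutoSize
```

Run it once without -Remediate to get the report, then with -Remediate to apply the keys; rows whose PowerState is PoweredOn are the ones to follow up on per LucD's note about power-off or vMotion.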
Ok, so the script should work well then? I.e. Get-VM | New-AdvancedSetting -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output ?
I am confused, as in the above I am not using VirtualMachineConfigSpec or ExtraConfig at all, but the values do get changed...
Please advise.
I think the script should do the job, as the doc says:
PowerCLI Command Remediation:
# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "isolation.tools.autoInstall.disable" -Value $true
What the script does is
Get-VM | New-AdvancedSetting -Name ($line.Name) -Value ($line.Value) -Force -Confirm:$false | Select Entity, Name, Value | Export-Csv $output
so they are identical.
Quick question, per the xls:
Configuration Parameter       | Desired Value
isolation.tools.copy.disable  | TRUE
And
Is desired value the default? | YES
PowerCLI C:\powerCLI\scriptis> Get-VM xxx | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | Select Entity, Name, Value
PowerCLI C:\powerCLI\scriptis>
This confuses me; the xls needs to be corrected.
The desired value is TRUE, and if that is the default value as well, then why is it not showing up?
Also, as you mentioned, there should be some column which says "needs reboot Yes/No"...
Please share your thoughts.
I was referring to the VirtualMachineConfigSpec to explain what happens under the covers of the cmdlet.
You can check this with Onyx.
When a specific setting is not present, the default value will be used.
That doesn't mean that the default value will show up when you list the advanced settings.
So the script should work.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD, that makes sense now.