  • 1.  Hardening ESXi Script

    Posted Sep 16, 2020 12:53 PM

    With LucD's help I created this script in order to secure ESXi based on VMware recommendations.

    I will need assistance and collaboration in order to:

    1. Get the existing value for hosts
    2. Add advanced settings for hosts
    3. If the required value is set, the script must have the ability to compare the existing value with the desired one and make the required change
    4. Get a report
    5. Receive an email with information on how many
      1. Hardened VMs & hardened hosts
      2. Remaining VMs & hosts to harden

    # vCenter login (a credential object from Get-Credential avoids keeping a plaintext password in the script)
    $vCUser = "login"
    $vCPass = "password"
    Connect-VIServer -Server "vcenter1", "vcenter2" -User $vCUser -Password $vCPass

    $StartTime = Get-Date
    $date = Get-Date -Format "ddMMyy_HHmm"
    $report = @()

    # $Host is a read-only automatic variable in PowerShell, so the loop variable is named $esx instead
    Foreach ($esx in Get-VMHost)
    {
        # current host settings, keyed by name (the host report still has to be assembled from this)
        $tab = @{}
        Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
            $tab.Add($_.Name, $_.Value)
        }
    }

    $NTPServers = "NTP1", "NTP2"
    Get-VMHost | Add-VMHostNtpServer -NtpServer $NTPServers

    # VM advanced settings to apply (name -> value); the duplicate copy/paste.disable entries were dropped
    $vmSettings = [ordered]@{
        'isolation.device.edit.disable'                    = 'TRUE'
        'isolation.device.connectable.disable'             = 'TRUE'
        'isolation.tools.copy.disable'                     = 'TRUE'
        'isolation.tools.paste.disable'                    = 'TRUE'
        'isolation.tools.ghi.autologon.disable'            = 'TRUE'
        'isolation.bios.bbs.disable'                       = 'TRUE'
        'isolation.tools.ghi.protocolhandler.info.disable' = 'TRUE'
        'isolation.tools.unity.taskbar.disable'            = 'TRUE'
        'isolation.tools.unityActive.disable'              = 'TRUE'
        'isolation.tools.unity.windowContents.disable'     = 'TRUE'
        'isolation.tools.unity.push.update.disable'        = 'TRUE'
        'isolation.tools.vmxDnDVersionGet.disable'         = 'TRUE'
        'isolation.tools.guestDnDVersionSet.disable'       = 'TRUE'
        'isolation.ghi.host.shellAction.disable'           = 'TRUE'
        'isolation.tools.dispTopoRequest.disable'          = 'TRUE'
        'isolation.tools.trashFolderState.disable'         = 'TRUE'
        'isolation.tools.ghi.trayicon.disable'             = 'TRUE'
        'isolation.tools.unity.disable'                    = 'TRUE'
        'isolation.tools.unityInterlockOperation.disable'  = 'TRUE'
        'isolation.tools.getCreds.disable'                 = 'TRUE'
        'isolation.tools.hgfsServerSet.disable'            = 'TRUE'
        'isolation.tools.ghi.launchmenu.change'            = 'TRUE'
        'isolation.tools.memSchedFakeSampleStats.disable'  = 'TRUE'
        'isolation.tools.dnd.disable'                      = 'TRUE'
        'isolation.tools.setGUIOptions.enable'             = 'FALSE'
        'RemoteDisplay.vnc.enabled'                        = 'FALSE'
        'svga.vgaOnly'                                     = 'TRUE'
        'mks.enable3d'                                     = 'FALSE'
        'isolation.tools.diskShrink.disable'               = 'TRUE'
        'isolation.tools.diskWiper.disable'                = 'TRUE'
        'isolation.tools.vixMessage.disable'               = 'TRUE'
        'log.keepOld'                                      = 10
        'tools.guestlib.enableHostInfo'                    = 'FALSE'
        'log.rotateSize'                                   = 102400
        'tools.setInfo.sizeLimit'                          = 1048576
    }

    Foreach ($vm in Get-VM)
    {
        # current VM settings, keyed by name, so the report can show old vs new value
        $tab = @{}
        Get-AdvancedSetting -Entity $vm | ForEach-Object -Process {
            $tab.Add($_.Name, $_.Value)
        }

        # -Force lets New-AdvancedSetting update a setting that already exists
        Foreach ($name in $vmSettings.Keys)
        {
            New-AdvancedSetting -Entity $vm -Name $name -Value $vmSettings[$name] -Confirm:$False -Force:$True |
                Select @{N='VM';E={$_.Entity.Name}}, Name, Value
        }

        # Removing the floppy drive is a cmdlet, not an advanced setting (the VM normally has to be powered off)
        Get-FloppyDrive -VM $vm | Remove-FloppyDrive -Confirm:$False

        # repeat for other settings

        $report += Get-AdvancedSetting -Entity $vm |
            Select @{N='VM';E={$vm.Name}}, Name, @{N='OldValue';E={$tab[$_.Name]}}, @{N='NewValue';E={$_.Value}}
    }

    $report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture

    $EndTime = Get-Date
    $duration = [math]::Round((New-TimeSpan -Start $StartTime -End $EndTime).TotalMinutes, 2)

    Write-Host "================================"
    Write-Host "Hardening VMs By vCenter Completed!" -ForegroundColor "Green"
    Write-Host "Hardening Hosts By vCenter Completed!" -ForegroundColor "Cyan"
    Write-Host "StartTime: $StartTime"
    Write-Host "EndTime: $EndTime"
    Write-Host "Duration: $duration minutes"
    Write-Host "================================"



  • 2.  RE: Hardening ESXi Script

    Posted Sep 16, 2020 01:18 PM

    1. With 'hosts' do you mean VMs or ESXi nodes?
    2. How will you provide the 'desired settings'?
    3. I suspect you mean 'not set'?

    4. What should be in that report?

    5.2 Why would there be VMs remaining to be hardened?



  • 3.  RE: Hardening ESXi Script

    Posted Sep 16, 2020 01:47 PM

    1. With 'hosts' do you mean VMs or ESXi nodes? ESXi NODES
    2. How will you provide the 'desired settings'? Like the parameters that I added to VMs in the script

    Like this:

    Foreach ($VMHost in Get-VMHost) { $ESXCli = Get-EsxCli -VMHost $VMHost; $ESXCli.software.acceptance.Set("PartnerSupported") }

    $NTPServers = "pool.ntp.org", "pool2.ntp.org"
    Get-VMHost | Add-VMHostNtpServer -NtpServer $NTPServers

    3. I suspect you mean 'not set'? Yep, you are right.

    4. What should be in that report? Just one Excel file which includes worksheets, one for VMs and one for Nodes, and they should include the below details in columns:

    vCenter    Node    VM    ParameterName    OldValue    NewValue

    5.2 Why would there be VMs remaining to be hardened? My bad, I mean the number of VMs hardened and the number of nodes hardened.

    For sure an output log is required, especially if something happens.

    If you have any other suggestions, I am interested. After all, I'm trying to do something that could be of use to the community.



  • 4.  RE: Hardening ESXi Script
    Best Answer

    Posted Sep 17, 2020 08:51 AM

    You could do, similar to the VM script, something like this.

    This only shows 1 Advanced setting; the others will have to follow the same structure.

    Not sure how you are going to document changes beyond Advanced settings (for example the NTP servers).

    Btw, this has been an issue in all attempts to write a script that handles all security hardening guidelines.

    $report = @()
    $date = Get-Date -format "ddMMyy_HHmm"

    Get-VMHost -PipelineVariable esx | ForEach-Object -Process {
        $tab = @{}
        Get-AdvancedSetting -Entity $esx | ForEach-Object -Process {
            $tab.Add($_.Name,$_.Value)
        }

        $changed = 0

        Get-AdvancedSetting -Entity $esx -Name UserVars.DcuiTimeOut |
        where{$_.Value -ne 600} | ForEach-Object -Process {
            Set-AdvancedSetting -AdvancedSetting $_ -Value 600 -Confirm:$False | Out-Null
            $changed++
        }

        # Other settings with similar structure

        Write-Host "On $($esx.Name) there were $changed changes."

        $report += Get-AdvancedSetting -Entity $esx |
        Select @{N='VMHost';E={$esx.Name}},Name,@{N='OldValue';E={$tab[$_.Name]}},@{N='NewValue';E={$_.Value}}
    }

    $report | Export-Csv -Path "Settings_$($date).csv" -NoTypeInformation -UseCulture
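    The compare-then-fix pattern in this answer, generalised as an added example (not code from the thread or from LucD) to a table of desired values per entity type, with a per-setting old/new report, -WhatIf preview support and the hardened-host/VM counts for the summary e-mail asked for in the first post. It assumes an active Connect-VIServer session; the SMTP server and mail addresses are placeholders.

```powershell
# Added example: desired-value tables, compare-and-remediate, report and summary mail.
# Assumes an active Connect-VIServer session; SMTP server and addresses are placeholders.
$desiredHostSettings = @{ 'UserVars.DcuiTimeOut' = 600 }            # extend with further host settings
$desiredVmSettings   = @{ 'isolation.tools.copy.disable'  = 'TRUE'   # extend with further VM settings
                          'isolation.tools.paste.disable' = 'TRUE'
                          'RemoteDisplay.vnc.enabled'     = 'FALSE'
                          'log.keepOld'                   = 10 }

function Set-HardeningSettings {
    # Emits one row per setting that was (or, with -WhatIf, would be) changed on $Entity.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $Entity,                # a VMHost or VM object
          [Parameter(Mandatory)] [hashtable] $Desired)
    $current = @{}
    Get-AdvancedSetting -Entity $Entity | ForEach-Object { $current[$_.Name] = $_.Value }
    foreach ($name in $Desired.Keys) {
        $want = $Desired[$name]
        $have = $current[$name]                          # $null when the setting is not set yet
        if ("$have" -eq "$want") { continue }            # values come back as text, so compare as text
        if ($PSCmdlet.ShouldProcess("$($Entity.Name): $name", "set '$have' -> '$want'")) {
            if ($current.ContainsKey($name)) {
                Get-AdvancedSetting -Entity $Entity -Name $name |
                    Set-AdvancedSetting -Value $want -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $Entity -Name $name -Value $want -Confirm:$false -Force | Out-Null
            }
        }
        [pscustomobject]@{ Entity = $Entity.Name; Parameter = $name; OldValue = $have; NewValue = $want }
    }
}

$date  = Get-Date -Format 'ddMMyy_HHmm'
$hosts = Get-VMHost; $vms = Get-VM
$hostReport = @(foreach ($esx in $hosts) { Set-HardeningSettings -Entity $esx -Desired $desiredHostSettings })
$vmReport   = @(foreach ($vm  in $vms)   { Set-HardeningSettings -Entity $vm  -Desired $desiredVmSettings })
$hostReport | Export-Csv -Path "Hosts_$date.csv" -NoTypeInformation -UseCulture
$vmReport   | Export-Csv -Path "VMs_$date.csv"   -NoTypeInformation -UseCulture

# Entities that needed at least one change this run; the rest were already compliant
$hostsChanged = @($hostReport | Select-Object -ExpandProperty Entity -Unique).Count
$vmsChanged   = @($vmReport   | Select-Object -ExpandProperty Entity -Unique).Count
$body = "Hosts changed: $hostsChanged of $(@($hosts).Count)`nVMs changed: $vmsChanged of $(@($vms).Count)"
$mail = @{ SmtpServer = 'smtp.example.invalid'; From = 'hardening@example.invalid'
           To = 'vi-admins@example.invalid'; Subject = "Hardening run $date"; Body = $body }
$attachments = @("Hosts_$date.csv", "VMs_$date.csv") | Where-Object { Test-Path $_ }  # empty report => no file
if ($attachments) { $mail.Attachments = $attachments }
Send-MailMessage @mail
```

    Run it once with `Set-HardeningSettings ... -WhatIf` (or append -WhatIf inside the two loops) to get the old/new report without touching anything, then run it for real.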