
Automating Hardening of ESXi Hosts

Oct 07, 2015 03:05 PM


Synopsis: hardening of ESXi hosts as per the hardening guide.


Prerequisites:

ESXi 5.x

PowerCLI 5.x

plink (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

The script below covers most of the hardening points that are applied in my environment.

Any suggestions or modifications are encouraged, as I am a beginner at writing scripts.

$root = "root"
# The password is kept in clear text here; reading it from Get-Credential or an
# encrypted store would keep it out of the script file and the process list.
$Passwd = "dontaskme"
$newserv = "10.xx.xx.xx"

Write-Host -Object "fetching content to execute using ssh"
$content = 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\content.txt'

foreach ($esxiHost in $newserv) {

    Connect-VIServer $esxiHost -User $root -Password $Passwd

    Write-Host -Object "starting ssh services on $esxiHost"
    # Record whether SSH was running before we touch it
    $sshstatus = Get-VMHostService -VMHost $esxiHost | where {$psitem.key -eq "tsm-ssh"}
    if ($sshstatus.Running -eq $False) {
        Get-VMHostService -VMHost $esxiHost | where {$psitem.key -eq "tsm-ssh"} | Start-VMHostService
    }

    #Hardening Esxi Host using remote ssh
    Write-Host -Object "Hardening $esxiHost"
    # Piping "y" makes plink accept the host key unseen, and -pw passes the password on
    # the command line; both are trade-offs of running this unattended.
    Write-Output "y" | & 'C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\plink.exe' -ssh root@$esxiHost -P 22 -pw $Passwd -m $content

    # Stop SSH again if it was not running before, so the host is not left with SSH enabled
    if ($sshstatus.Running -eq $False) {
        Get-VMHostService -VMHost $esxiHost | where {$psitem.key -eq "tsm-ssh"} | Stop-VMHostService -Confirm:$False
    }

    #Configuring SysLog
    Write-Host -Object "Configuring SysLog on $esxiHost"
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.defaultSize | Set-AdvancedSetting -Value 1024 -Confirm:$False
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.logDir | Set-AdvancedSetting -Value '[] /folder/log' -Confirm:$False
    Get-AdvancedSetting -Entity $esxiHost -Name Syslog.global.logHost | Set-AdvancedSetting -Value 'udp://10.xx.xx.xx:514' -Confirm:$False
    Get-VMHostFirewallException -VMHost $esxiHost -Name "syslog" | Set-VMHostFirewallException -Enabled $true -Confirm:$false

    #Configuring NTP Server
    Write-Host -Object "Configuring NTP on $esxiHost"
    Add-VMHostNtpServer -VMHost $esxiHost -NtpServer 10.16.1.62
    Get-VMHostFirewallException -VMHost $esxiHost | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true

    #Start NTP client service and set to automatic
    Get-VMHostService -VMHost $esxiHost | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService | Set-VMHostService -Policy "automatic"

    #Configuring Security Policy on Vswitch
    Write-Host "Configuring Security Policy on $esxiHost"
    Get-VirtualSwitch -Standard -VMHost $esxiHost | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false -AllowPromiscuous $false

    #Configuring EsxiShellTimeOut
    Write-Host "Configuring EsxiShellTimeOut on $esxiHost"
    Get-AdvancedSetting -Entity $esxiHost -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$False

    # Close the session so the next iteration's cmdlets only see that host
    Disconnect-VIServer -Server $esxiHost -Confirm:$False
}




Comments

Dec 23, 2016 11:33 AM

Thank you very much for this script.

I have created almost the same script to do ESXi hardening with minimal knowledge of PowerShell.

Can you please let me know how to get the output as HTML? Like:

Hardening control name    Value
SSH                       Disabled
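In response to the request above for an HTML table of hardening controls, and as a verification counterpart to the script in the post, here is an added example (not the original author's code and not part of PowerCLI itself) that reads the same settings the script applies and renders them with ConvertTo-Html. It assumes an existing PowerCLI session to the host(s); the host address, the expected syslog target and the output path are placeholders, and the compliance thresholds are the values the script above sets.

```powershell
# Added example: audit the hardening controls applied by the script above and
# emit an HTML report. Assumes Connect-VIServer has already been run.

function Get-EsxiHardeningReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$VMHostName,
        [string]$ExpectedLogHost = 'udp://<syslog-ip>:514'   # placeholder, assumption
    )

    foreach ($name in $VMHostName) {
        $vmhost   = Get-VMHost -Name $name
        $services = Get-VMHostService -VMHost $vmhost
        $ssh      = $services | Where-Object { $_.Key -eq 'tsm-ssh' }
        $ntpd     = $services | Where-Object { $_.Key -eq 'ntpd' }

        $logHost = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
        $timeout = [int](Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut').Value

        # Any standard vSwitch still allowing promiscuous mode, MAC changes or
        # forged transmits fails the check
        $weakSwitches = @(Get-VirtualSwitch -Standard -VMHost $vmhost |
            Get-SecurityPolicy |
            Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits })

        # One row per control; Compliant is $true only when the observed value
        # matches what the hardening script sets
        [pscustomobject]@{ Host = $name; Control = 'SSH service'
            Value = $(if ($ssh.Running) { 'Running' } else { 'Stopped' })
            Compliant = (-not $ssh.Running) }
        [pscustomobject]@{ Host = $name; Control = 'NTP client'
            Value = "Running=$($ntpd.Running), Policy=$($ntpd.Policy)"
            Compliant = ($ntpd.Running -and $ntpd.Policy -eq 'automatic') }
        [pscustomobject]@{ Host = $name; Control = 'Remote syslog target'
            Value = $logHost
            Compliant = ($logHost -eq $ExpectedLogHost) }
        [pscustomobject]@{ Host = $name; Control = 'ESXi Shell timeout (s)'
            Value = $timeout
            Compliant = ($timeout -gt 0 -and $timeout -le 600) }
        [pscustomobject]@{ Host = $name; Control = 'vSwitch security policy'
            Value = "$($weakSwitches.Count) permissive switch(es)"
            Compliant = ($weakSwitches.Count -eq 0) }
    }
}

# Usage: gather rows for each host, highlight non-compliant cells, write the file.
# Addresses and the output path are placeholders.
$rows = Get-EsxiHardeningReport -VMHostName '10.xx.xx.xx' -ExpectedLogHost 'udp://10.xx.xx.xx:514'
$html = $rows | ConvertTo-Html -Title 'ESXi hardening status' -PreContent '<h1>ESXi hardening status</h1>'
$html = $html -replace '<td>False</td>', '<td style="background:#f8d7da">False</td>'
$html | Out-File -FilePath 'C:\Temp\esxi-hardening.html' -Encoding utf8
```

Running the report before and after the hardening script gives a record of what changed on each host, and rerunning it on a schedule shows drift (for example SSH left running after a maintenance session).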

Feb 02, 2016 04:11 AM

That's nice to hear :)

Feb 01, 2016 11:03 AM

Hi vineeth,

good Script!

It seems, that we had the same intention:

Script - ESXi Hardening mit PowerCLI - my cloud-(r)evolution

Kind Regards,

Markus
