Thursday, December 1, 2011

Run vSphere Security Hardening report in Windows

As you probably know, VMware publishes a useful guide: the vSphere 4.1 Security Hardening Guide. This document gives instructions on how to securely deploy VMware vSphere™ 4.1 (“vSphere”) in a production environment. Alongside it you can find the very useful Perl script vmwarevSphereSecurityHardeningReportCheck.pl, which can be run against your environment and checks its current state against the Security Hardening Guide.
Although the script does not check every requirement of the guide, it helps a lot.
To use this script you normally download and deploy the vSphere Management Assistant (vMA) in your environment. It is distributed as an OVF template and can be installed very quickly. The virtual machine already has all the necessary SDKs installed, so you only need to copy the vmwarevSphereSecurityHardeningReportCheck.pl script onto your vMA. Note: to enable SSH connections to your vMA, read the article “Issue with vMA5 & ssh” (check the comments as well, because I had some issues with file editing).
The main issue with vMA is that it runs a 64-bit OS, so if you want to run vMA on a virtual (nested) ESX(i) server your hardware must support the VT-x/EPT instructions. I have an Intel Core 2 Duo in my workstation and it doesn’t support this feature.
Actually the script does not need vMA at all: it uses the vSphere SDK for Perl, so I decided to try running it on a Windows host. I installed the vSphere SDK for Perl and ran the script. It works, but with some issues that I have fixed: I replaced ‘grep’ with ‘findstr’ and changed the folder creation method. You also need OpenSSL on your host; I use the binaries from this package: http://gnuwin32.sourceforge.net/packages/openssl.htm
These are the step-by-step instructions:
1. Download and install the vSphere SDK for Perl on your Windows host (I use Win7, but I think it should also work on XP, 2003 and 2008).
2. Download the OpenSSL binary package and copy openssl.exe and libssl32.dll into the directory with the Perl binaries.
3. Add the path to the Perl binaries to your PATH environment variable.
4. Download this script and enjoy. It supports ESX(i) 4.X and 5.0; check the RN (release notes) in the script.
ALL COPYRIGHTS for script pertain to William Lam http://www.virtuallyghetto.com | @lamw
While testing the script I fixed two bugs in the settings analysis. I posted both bugs (1 & 2) to the VMware vSphere Security Hardening group forum, and as far as I know William has fixed them in the original script as well.
Command line example:
perl.exe "PATH_TO_SCRIPT\vmwarevSphereSecurityHardeningReportCheck_win.pl" --recommend_check_level enterprise --server YOUR_SERVER --password PSWD --username USER --reportname "esx41_enter.html"
See the original script page for details on the command-line parameters. One caveat: passing --password on the command line leaves the password in your shell history and visible to other local users in the process list; if you omit --password, the SDK's common options prompt for it interactively instead.
I will update this post and the script as soon as anything changes. I'm planning to extend its functionality, so stay tuned.
We are now planning to use this script for automated testing. Our product vGate helps you ensure that your virtual infrastructure complies with popular security standards: the VMware Security Hardening Guide, the CIS Benchmarks for vSphere 4.0 and PCI DSS 2.0.
Thanks to William, who was very responsive and answered all my questions.
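The two Windows-specific changes described in the steps above (folder creation and replacing grep) can be made portable instead of platform-specific, so that one copy of the script runs both on vMA and on the Windows Perl SDK. The following is an added example written for this post; it is not William Lam's script nor the modified _win.pl version. The function names, the report directory layout and the sample text are assumptions made for illustration. The point of interest is that Perl's built-in mkdir reports the OS error in $!, which is exactly what you want to see when the report directory cannot be created (for example because of a permissions or UAC problem).

```perl
#!/usr/bin/perl
# Added example: portable replacements for the Linux-only pieces of the
# hardening-report script. Not the original script; names are assumptions.
use strict;
use warnings;
use File::Spec;

# Create <base>/vSphereHardenReport/<host><type>, the layout the report
# script prints as "To create - ...". Unlike a bare `mkdir $dir`, this
# fails loudly with the OS reason ("Permission denied", ...) instead of
# continuing silently with no report. Works the same on vMA and Windows.
sub ensure_report_dir {
    my ($base, $host, $type) = @_;
    my $parent = File::Spec->catdir($base, 'vSphereHardenReport');
    my $dir    = File::Spec->catdir($parent, $host . $type);
    for my $d ($parent, $dir) {
        next if -d $d;
        # mkdir returns false and sets $! on failure; 0777 is masked by umask.
        mkdir($d, 0777) or die "Cannot create $d: $!\n";
    }
    return $dir;
}

# Pure-Perl replacement for shelling out to `grep` (or `findstr` on
# Windows): filter the lines of $text by a regex and return the matches.
# Handles both \n and \r\n line endings so Windows tool output works too.
sub grep_lines {
    my ($text, $pattern) = @_;
    my $re = qr/$pattern/;
    return grep { $_ =~ $re } split /\r?\n/, $text;
}

# Only tools with no Perl equivalent still need a platform switch; on
# Windows openssl.exe must be on PATH (step 2 above).
sub openssl_binary {
    return $^O eq 'MSWin32' ? 'openssl.exe' : 'openssl';
}

# Constructed sample text standing in for captured host output; it is not
# real output from any ESX(i) host.
my $sample = "Syslog.Remote.Hostname = \n"
           . "Security.PasswordQualityControl = retry=3\r\n"
           . "UserVars.ESXiShellTimeOut = 0\n";

my @hits = grep_lines($sample, '^UserVars\.ESXiShellTimeOut');
print "matched: $_\n" for @hits;          # one line: UserVars.ESXiShellTimeOut = 0

my $dir = ensure_report_dir(File::Spec->tmpdir(), '192.0.2.10', 'embeddedESX');
print "report directory: $dir (openssl: ", openssl_binary(), ")\n";
```

If you keep the shell-out to findstr instead, note that the script then depends on the current directory and PATH of whoever launches it; the pure-Perl filter has no such dependency, which is also why the same file can run unchanged under vMA.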

9 comments:

  1. This comment has been removed by the author.

  2. Hi Maxim,

    Thank you for the great work on this.

    Are you able to post the modified version containing the changed folder creation method? I'm not a great scripter and it would be very useful, as I'm presently a little stuck and would rather not have to go through the change control process of requesting that vMA be installed in the environment!

    Regards,

    Jose

  3. Hi Jose,
    did you try the script that I pointed to in the post (step 4)? It can be downloaded here: https://docs.google.com/leaf?id=0B-FD8KumkK5WNWEwY2E0ODUtZGNiOC00NmZkLWFjNzQtNjBkM2JlODgxMjg4 That script contains all the changes that you need to run it with the Perl SDK for Windows. At least it works for me :)

  4. Hi Maxim,


    I downloaded that script (from the original link and the one in your reply) but it doesn't seem to have the changes for a Windows-host deployment. It has the GREP command (which I replaced with FINDSTR), but I am not knowledgeable enough in scripting to replace the Linux commands which create the directories with the Windows equivalent, which you state also needs to be done.


    It is at this stage that the script bombs out with an error message about the directory not being created.


    I was hoping you had the Windows version available as I've been through all the other steps (add the OpenSSL bits) and would rather not have to install vMA.


    Really appreciate your time and effort in making life easier for us all!


    Regards,
    Jose

  5. That's really strange :) Do you run it with vmwarevSphereSecurityHardeningReportCheck_win.pl? It has the correct mkdir and findstr. Anyway, to create the folder you need to replace `mkdir $dir` with mkdir($dir, 0777). Maybe your problem is a permissions issue on the file system?

  6. OK, with the above change made it now outputs the following:

    ======= START ========
    This can take a few minutes depending on environment size. Get a cup of coffee/tea and check out http://www.virtuallyghetto.com

    To create - C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/bin/vSphereHardenReport/10.14.216.30embeddedESX

    To create - C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/bin/vSphereHardenReport/10.14.216.31embeddedESX

    Start Time: xxxxx

    End Time: xxxxx

    Duration: 8 seconds

    =============END==================


    The IP addresses correspond to the ESX Servers.



    The script parameter I use has the vCenter Server as the SERVER value when run.


    I have permissions to create folders under the ./bin directories but the script finishes as per above and nothing is reported.


    Sorry to keep hounding you like this, I feel bad!


    Thanks,
    Jose

  7. OK, I see. To be honest I have never run this script (either version, win or vMA) against vCenter. I'll try it ASAP. Can you check with a "host"? Just for checking.

  8. Hi Max,

    I got it working in the end. It was down to the fact that User Account Control was set to 'Always Notify' and the Command Prompt wasn't set to run under elevated privileges. At least that's what I think it was, as when I sorted out both those things the script ran beautifully under all parameters and produced the output report with the results for every VM in the environment.



    I was surprised how quickly it did it, and returned all results in about 10 seconds for about 13 servers (only running it in test environment at the moment).


    Thanks for your help and patience!


    Regards,
    Jose

  9. Great! I'm glad that the script finally works and that it helped you. Thanks for your feedback!
