VMware 5.1 DISA STIG and Hardening Guide PowerCLI

I had the challenge of applying the new hot off the press DISA STIG 5.1.  This goes hand in hand with VMware 5.1 hardening guide.  In fact those are the resources that I used to craft the powershell script.  The VCenter and ESXi STIG could help some powershell love too but I want to focus on the vm stig because this is the most time consuming if not scripted.  First and foremost you need to download and install the latest VMware PowerCLI.  I created a file in D:\vmware stig\stig_vm.txt and put the following fixes extracted from reading the DISA STIG and Hardening guide:

isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,1
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE
isolation.tools.hgfsServerSet.disable,TRUE
isolation.device.edit.disable,TRUE
isolation.tools.autoInstall.disable,TRUE
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,FALSE
isolation.tools.setGUIOptions.enable,FALSE
isolation.tools.paste.disable,TRUE
isolation.tools.ghi.autologon.disable,TRUE
isolation.bios.bbs.disable,TRUE
isolation.tools.getCreds.disable,TRUE
isolation.tools.ghi.launchmenu.change,TRUE
isolation.tools.memSchedFakeSampleStats.disable,TRUE
isolation.tools.ghi.protocolhandler.info.disable,TRUE
isolation.ghi.host.shellAction.disable,TRUE
isolation.tools.dispTopoRequest.disable,TRUE
isolation.tools.trashFolderState.disable,TRUE
isolation.tools.ghi.trayicon.disable,TRUE
isolation.tools.unity.disable,TRUE
isolation.tools.unityInterlockOperation.disable,TRUE
isolation.tools.unity.push.update.disable,TRUE
isolation.tools.unity.taskbar.disable,TRUE
isolation.tools.unityActive.disable,TRUE
isolation.tools.unity.windowContents.disable,TRUE
isolation.tools.vmxDnDVersionGet.disable,TRUE
isolation.tools.guestDnDVersionSet.disable,TRUE
isolation.tools.vixMessage.disable,TRUE
tools.setinfo.sizeLimit,1048576
 

From “Windows PowerShell ISE” Issue the following command first to extend powershell’s capability:

Set-ExecutionPolicy RemoteSigned
Add-PsSnapin VMware.VimAutomation.Core
 
Okay, we are now ready for the meat and potato:.

$stig_vm = Import-Csv  ‘D:\VMWARE STIG\stig_vm.txt’ -Header Name,Value

::APPLY TO JUST MY_VM1

foreach ($line in $stig_vm) {
New-AdvancedSetting -Entity MY_VM1 -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value
}

::APPLY TO ALL VM

foreach ($line in $stig_vm) {
Get-VM | New-AdvancedSetting -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value
}

 ::TO VERIFY

Get-VM | Get-AdvancedSetting -Name  “isolation.tools.autoInstall.disable”| Select Entity, Name, Value

Get-VM MY_VM1 | Get-AdvancedSetting | Select Entity, Name, Value

Get-VM | Get-AdvancedSetting | Select Entity, Name, Value

Unfortunately the script still takes a while to complete and this is a known PowerCLI issue, but it is still 100 times faster than doing it manually.  There’s more things I can add to to the script but this is just a quick and dirty post.  You can pipe the output to a csv file as well, you can also make one for a monthly auditing purposes.

Reference:
http://www.yellow-bricks.com/2009/03/11/powershell-and-importing-csv-files/#comment-72824
http://blogs.vmware.com/vsphere/2012/06/automate-the-hardening-of-your-virtual-machine-vmx-configurations.html#comment-210699
Advertisements