VMware 5.1 DISA STIG and Hardening Guide PowerCLI

I had the challenge of applying the new hot off the press DISA STIG 5.1.  This goes hand in hand with VMware 5.1 hardening guide.  In fact those are the resources that I used to craft the powershell script.  The VCenter and ESXi STIG could help some powershell love too but I want to focus on the vm stig because this is the most time consuming if not scripted.  First and foremost you need to download and install the latest VMware PowerCLI.  I created a file in D:\vmware stig\stig_vm.txt and put the following fixes extracted from reading the DISA STIG and Hardening guide:

isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,1
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE
isolation.tools.hgfsServerSet.disable,TRUE
isolation.device.edit.disable,TRUE
isolation.tools.autoInstall.disable,TRUE
isolation.tools.copy.disable,TRUE
isolation.tools.dnd.disable,FALSE
isolation.tools.setGUIOptions.enable,FALSE
isolation.tools.paste.disable,TRUE
isolation.tools.ghi.autologon.disable,TRUE
isolation.bios.bbs.disable,TRUE
isolation.tools.getCreds.disable,TRUE
isolation.tools.ghi.launchmenu.change,TRUE
isolation.tools.memSchedFakeSampleStats.disable,TRUE
isolation.tools.ghi.protocolhandler.info.disable,TRUE
isolation.ghi.host.shellAction.disable,TRUE
isolation.tools.dispTopoRequest.disable,TRUE
isolation.tools.trashFolderState.disable,TRUE
isolation.tools.ghi.trayicon.disable,TRUE
isolation.tools.unity.disable,TRUE
isolation.tools.unityInterlockOperation.disable,TRUE
isolation.tools.unity.push.update.disable,TRUE
isolation.tools.unity.taskbar.disable,TRUE
isolation.tools.unityActive.disable,TRUE
isolation.tools.unity.windowContents.disable,TRUE
isolation.tools.vmxDnDVersionGet.disable,TRUE
isolation.tools.guestDnDVersionSet.disable,TRUE
isolation.tools.vixMessage.disable,TRUE
tools.setinfo.sizeLimit,1048576
 

From “Windows PowerShell ISE” Issue the following command first to extend powershell’s capability:

Set-ExecutionPolicy RemoteSigned
Add-PsSnapin VMware.VimAutomation.Core
 
Okay, we are now ready for the meat and potato:.

$stig_vm = Import-Csv  ‘D:\VMWARE STIG\stig_vm.txt’ -Header Name,Value

::APPLY TO JUST MY_VM1

foreach ($line in $stig_vm) {
New-AdvancedSetting -Entity MY_VM1 -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value
}

::APPLY TO ALL VM

foreach ($line in $stig_vm) {
Get-VM | New-AdvancedSetting -Name ($line.Name) -value ($line.value) -Force -Confirm:$false | Select Entity, Name, Value
}

 ::TO VERIFY

Get-VM | Get-AdvancedSetting -Name  “isolation.tools.autoInstall.disable”| Select Entity, Name, Value

Get-VM MY_VM1 | Get-AdvancedSetting | Select Entity, Name, Value

Get-VM | Get-AdvancedSetting | Select Entity, Name, Value

Unfortunately the script still takes a while to complete and this is a known PowerCLI issue, but it is still 100 times faster than doing it manually.  There’s more things I can add to to the script but this is just a quick and dirty post.  You can pipe the output to a csv file as well, you can also make one for a monthly auditing purposes.

Reference:
http://www.yellow-bricks.com/2009/03/11/powershell-and-importing-csv-files/#comment-72824
http://blogs.vmware.com/vsphere/2012/06/automate-the-hardening-of-your-virtual-machine-vmx-configurations.html#comment-210699
Advertisements

9 responses to “VMware 5.1 DISA STIG and Hardening Guide PowerCLI

  1. There are two possibly three setting you need to still do manually. (CAT I) scsi0:0.mode = persistent , (CAT II) logging = TRUE, and (CAT II) usb.present = False The USB is optional if you use USB attached devices such as the smart card and you can disable logging if you find that it hampers performance. These setting at this time can’t be set by using New-AdvancedSetting, or Set-AdvacnedSetting..

  2. How would you go about doing this for ESXI/VCenter server instances? I’m still very new to PS and I’m trying to find a way to A: Implement these changes and B: Test these changes to show how they came back in an audit. I’m missing something very basic in all of this. Can you push changes to ESXI/VCenter server in the same way? I have been manually changing these settings and it just takes way too long. Sorry for my ignorance. I have spent an upsetting amount of time trying to figure this out and I have joined the group on forge.mil dealing with the STIGs, we don’t have access to vCOps or to vMA so I feel like we are trying to reinvent the wheel. Any and all resources that you, or anyone could point me to would be greatly appreciated.

    • “Can you push changes to ESXI/VCenter server in the same way?” – Yes, that is exactly what PowerCLI does. Instead of using vSphere Client, you use PowerCLI for the repetitive job that you can script. You are running these scripts against your vCenter or ESXi. As far as automation, PowerCLI is the answer to your questions. You really need to invest your time to learn PowerCLI to do the things you are asking. When it comes to resources I trust William Lam and Alan Renouf from VMware. Lucky for you, Alan has “vcheck” script that will do 95% of what you are asking. You can extend its capability if you like since it is built on PowerCLI. You can also take a look at VMware Compliance Checker, it’s free http://www.vmware.com/products/vsphere-compliance-checker. Both of these does audit only, my script above applies the fix. My suggestion is start with my script above just to get your feet wet, then try to extend it to your need. Good luck…

      http://www.virtu-al.net/vcheck-pluginsheaders/vcheck/

  3. Totie,
    Thank you for your response and for pointing me in the right direction. I have been able to setup a hardening guide check against our hosts. Now I am waiting on the ability to upload the Virtu-Al.net Scripts.powerpack in order run all of the applicable ESXI STIGs/vCenter checks in one script. I have found the vSphere compliance checker has issues with over 5 ESXI hosts. As a matter of fact, you cannot select which hosts you want to check at all without actually removing a host from the vCenter Server instance completely (maintenance mode, shutting the host down or moving it to another cluster did not work for me) to be able to scan different machines than had been automatically been scanned before. There is little if any scalability for the compliance checker as far as I can tell. When I have cleaned things up a bit and have managed to complete a full check with results from a script, I would like to submit it in order to helps someone else out. I will still need to work on the remediation portion for the hosts and for vCenter.

    • nice!!! I think I agree with the compliance checker, last time I use it in 5.0 I did not run for me. But I did not bother troubleshooting it since it wasn’t that important to me. I thought the new versions would fix it.. Honestly we might be missing a piece there, I can’t imagine VMware releasing a product that is inoperable… Be patient with your scripts I know I had to spend a full day on mine just to get it to work the way I wanted..

      • The first version of the compliance checker I was unable to get working either. I had to download the 5.5 tool version as it is backwards compatible with 5.0 and 5.1. The 5.0 compliance checker did not work at all for me. The 5.5 version will only scan 5 hosts and you are not given the option to select which hosts to scan. I think the vCOps with Configuration Manager is the preferred solution for the STIGS. That said, I wish the compliance check utility worked a bit better.

        For others who come across this thread and have access to military sites via a Common Access Card (CAC) there is a project that is working on creating custom VIBs and script tests to check for STIG compliance. The announcement can be found here: http://www.vmfieldtips.com/ The project is on this site: https://software.forge.mil/sf/projects/esxi-stig-toolset. More participation is sought for this group. I have learned a lot there and I highly encourage others to purse this avenue if they have the need to do so.

        At this point I am getting much further into the weeds with vCLI and it’s both very rewarding but I’m missing things that should be easy. I’ve been going over this video: http://www.youtube.com/watch?v=AnEImKPJbBU about creating custom images or adding custom VIBs/rule sets to an ESXI image but I’m missing a lot. There was not a software depot before I began the process and now I’m trying to figure out if I need to pull in just the latest patches or all ESXI image files with the VIBs in order to compile it into something useable or if I need go back and get full image versions along the way. The side of the patches make it look like there are version roll-ups that would encompass previous patches and images but I’m not certain of this. All I really want to do is a test where I install the VIB rules to my test cluster after I create an image that I can easily go back to. This is something that I have not been able to make this work as yet.

      • Thanks on the forge.mil ref. I will definitely check that out.. Another tip for ESXi hardening would be the vcenter “host profiles”, I use it to take a known good STIGed baseline of ESXi host and notify me for the difference from the other ESXi hosts. You’re ahead of me on the custom VIB’s, the only custom VIB that I use are the TERADICI APEX card and for onboard NIC ESXI whitebox which both I did not build from scratch. When it comes to patches, I would download the cumulative zip file patches to make sure I did not miss anything. This might surprise you, but I don’t use VUM so the VUM STIG does not apply to me. I guess I’m just rebelling at VMware, I just don’t like the VUM architecture being on Windows, there is no reason why VMware can’t do VUM as a linux lockdown appliance just like VCent and VDP.

        Thanks for your insight, I enjoy pickin’ ideas from you regarding STIG on vSphere…

  4. First round of changes for the 6.x stigs (as of 15 Dec 2015)

    Changed
    isolation.tools.dnd.disable,FALSE

    New
    RemoteDisplay.vnc.enabled,FALSE

    Not present
    isolation.monitor.control.disable,TRUE
    log.keepOld,10
    log.rotateSize,100000
    vmci0.unrestricted,FALSE
    isolation.tools.dnd.disable,FALSE
    isolation.bios.bbs.disable,TRUE

    Some singular settings that might be useful
    :: Singular settings

    Get-VM “VM Name” | Get-HardDisk | Set-HardDisk -Persistence IndependentPersistent

    Get-VM “VM Name” | Get-AdvancedSetting -Name sched.mem.pshare.salt | Remove-AdvancedSetting

    Get-VM “VM Name” | Get-FloppyDrive | Remove-FloppyDrive

    Get-VM “VM Name” | Get-CDDrive | Set-CDDrive -NoMedia

    Get-VM “VM Name” | Get-USBDevice | Remove-USBDevice

    ::Note: Change the X and Y values to match the specific setting in your environment.
    Get-VM “VM Name” | Get-AdvancedSetting -Name ethernetX.filterY.name | Remove-AdvancedSetting

  5. feedback on this script has also made it over to the VMTN VMware Communities…
    https://communities.vmware.com/thread/488611?start=0&tstart=0 and https://communities.vmware.com/thread/488539

    another good post on this same topic of automating VMX DISA STIG hardening is over at http://blogs.vmware.com/vsphere/2013/06/its-a-unix-system-i-know-this.html under his “It’s a Unix system, I know this” blog post showing security in scale without touching the ESXi shell.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s