<#
.SYNOPSIS
Remediates virtual machines against the vSphere ESXi 6.7 STIG.
.DESCRIPTION
-This script assumes there is a vCenter server managing the virtual machines.
-Please review the $vmsettings below and update as appropriate for your environment
.NOTES
File Name : VMware_vSphere_6.7_VM_STIG_Remediation.ps1
Author : Ryan Lakey
Version : 1.0
Tested against
-PowerCLI 11.3
-Powershell 5
-vCenter/ESXi 6.7 U3+
.PARAMETER vcenter
Enter the vcenter to connect to for remediation
.PARAMETER all
Specifying the -all option remediates all virtual machines found in the target vCenter
.PARAMETER cluster
Specifying the -cluster option only remediates virtual machines in the target vCenter and specified cluster
.PARAMETER virtualmachine
Specifying the -virtualmachine option will only remediate the target virtual machine
#>
[CmdletBinding()]
param (
  # Endpoint to connect to; the only required argument.
  [Parameter(Mandatory=$true, HelpMessage="Enter the vCenter/ESXi FQDN or IP to connect to")]
  [ValidateNotNullOrEmpty()]
  [string]$vcenter,

  # Scope selectors. The selection logic later in the script checks them in the
  # order -all, -cluster, -virtualmachine and uses the first one supplied.
  [Parameter(Mandatory=$false)]
  [ValidateNotNullOrEmpty()]
  [string]$virtualmachine,

  [Parameter(Mandatory=$false)]
  [ValidateNotNullOrEmpty()]
  [string]$cluster,

  [Parameter(Mandatory=$false, HelpMessage="Use -all option to remediate all VMs in target vCenter/ESXi")]
  [ValidateNotNullOrEmpty()]
  [switch]$all=$false
)
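# Hardening baseline enforced on every selected VM. Review these values before running;
# they are applied as-is to the VMs this script is pointed at.
$vmconfig = @{
  # Advanced settings to enforce: created when missing, corrected when the current value differs.
  vmAdvSettings = @{
    "isolation.tools.copy.disable"          = $true
    "isolation.tools.dnd.disable"           = $true
    "isolation.tools.paste.disable"         = $true
    "isolation.tools.diskShrink.disable"    = $true
    "isolation.tools.diskWiper.disable"     = $true
    "isolation.tools.hgfsServerSet.disable" = $true
    "RemoteDisplay.maxConnections"          = "1"
    "RemoteDisplay.vnc.enabled"             = $false
    "tools.setinfo.sizeLimit"               = "1048576"
    "isolation.device.connectable.disable"  = $true
    "tools.guestlib.enableHostInfo"         = $false
    "tools.guest.desktop.autolock"          = $true
    "mks.enable3d"                          = $false
  }
  # Advanced settings that must not be present; removed when found.
  # @() makes this a real array (plain parentheses around one string yield a string),
  # so further entries can be added comma-separated without changing the loop below.
  vmAdvSettingsRemove = @("sched.mem.pshare.salt")
  # vMotion encryption mode; accepted values: disabled, required, opportunistic
  vmotionEncryption = "opportunistic"
}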
# Modules the script depends on; each is imported by checkModule before anything else runs.
[string[]]$modules = "VMware.PowerCLI"
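#Check for correct modules
# Imports module $m unless it is already loaded in this session.
# Import-Module reports a missing module as a non-terminating error, so without
# -ErrorAction Stop the caller's Try/Catch never fires and the script only fails
# later when the first PowerCLI cmdlet is not recognised.
Function checkModule ($m){
  if (Get-Module | Where-Object {$_.Name -eq $m}) {
    Write-Host "Module $m is already imported."
  }
  else{
    Write-Host "Trying to import module $m"
    Import-Module $m -Verbose -ErrorAction Stop
  }
}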
# Console logger: prints $Details prefixed with the current time in the short "T" format.
Function Write-ToConsole ($Details){
  $stamp = Get-Date -Format T
  Write-Host $stamp $Details
}
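#Load Modules
# A module that cannot be imported is fatal: every later step relies on PowerCLI cmdlets.
Try
{
  ForEach($module in $modules){
    checkModule $module
  }
}
Catch
{
  Write-Error "Failed to load modules"
  Write-Error $_.Exception
  # Exit non-zero so a calling shell or scheduler sees the failure (a bare Exit returns 0).
  Exit 1
}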
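#Get Credentials for vCenter
# Credentials are collected interactively (not from argv) so they do not end up in
# the command line or in process listings.
Write-ToConsole "...Enter credentials to connect to vCenter"
$vccred = Get-Credential -Message "Enter credentials for vCenter"
If(-not $vccred){
  # Cancelling the prompt returns nothing; stop here instead of attempting a connection without credentials.
  Write-Error "No credentials supplied for $vcenter"
  Exit 1
}
#Connect to vCenter Server
Try
{
  Write-ToConsole "...Connecting to vCenter Server $vcenter"
  # -ErrorAction Stop makes a connection failure terminating so the Catch below runs.
  Connect-VIServer -Server $vcenter -Credential $vccred -Protocol https -ErrorAction Stop | Out-Null
}
Catch
{
  Write-Error "Failed to connect to $vcenter"
  Write-Error $_.Exception
  Exit 1
}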
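#Get host objects
# Selects the VMs to remediate. Precedence: -all, then -cluster, then -virtualmachine.
# Get-VM / Get-Cluster report a missing name as a non-terminating error, which would
# leave $vms empty and let the script continue silently; -ErrorAction Stop routes it to Catch.
Try{
  If($all){
    Write-ToConsole "...Getting PowerCLI objects for all virtual machines hosts in vCenter: $vcenter"
    $vms = Get-VM -ErrorAction Stop | Sort-Object Name
  }elseif($cluster) {
    Write-ToConsole "...Getting PowerCLI objects for all virtual machines in cluster: $cluster"
    $vms = Get-Cluster -Name $cluster -ErrorAction Stop | Get-VM -ErrorAction Stop | Sort-Object Name
  }elseif($virtualmachine){
    Write-ToConsole "...Getting PowerCLI object for virtual machine: $virtualmachine"
    $vms = Get-VM -Name $virtualmachine -ErrorAction Stop | Sort-Object Name
  }else{
    Write-ToConsole "...No remediation options specified exiting script"
    # The session is already open at this point; close it instead of leaving it to time out.
    Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
    Exit 1
  }
}
Catch{
  Write-Error "...Failed to get PowerCLI objects"
  Write-Error $_.Exception
  Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
  Exit 1
}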
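## Remediate Virtual Machine advanced settings
# For each VM and each entry of $vmconfig.vmAdvSettings: create the setting when absent,
# correct it when the current value differs, otherwise leave it alone.
Try{
  ForEach($vm in $vms){
    Write-ToConsole "...Remediating advanced settings on $vm on $vcenter"
    ForEach($setting in ($vmconfig.vmAdvSettings.GetEnumerator() | Sort-Object Name)){
      #Pulling values for each setting specified
      $name = $setting.name
      $value = $setting.value
      #Checking to see if current setting exists (relies on Get-AdvancedSetting returning nothing for a missing name)
      If($asetting = $vm | Get-AdvancedSetting -Name $name){
        # NOTE(review): presumably the stored value is a string while $value may be a bool;
        # PowerShell's case-insensitive string comparison is what makes "TRUE" -eq $true hold — confirm against live output.
        If($asetting.value -eq $value){
          Write-ToConsole "...Setting $name is already configured correctly to $value on $vm"
        }else{
          Write-ToConsole "...Setting $name was incorrectly set to $($asetting.value) on $vm setting to $value"
          $asetting | Set-AdvancedSetting -Value $value -Confirm:$false
        }
      }else{
        Write-ToConsole "...Setting $name does not exist on $vm creating setting..."
        $vm | New-AdvancedSetting -Name $name -Value $value -Confirm:$false
      }
    }
  }
}Catch{
  Write-Error "...Failed to set virtual machine advanced settings"
  Write-Error $_.Exception
  # Tear down the session on every failure path, then signal failure with a non-zero exit code.
  Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
  Exit 1
}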
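## Remove advanced settings
# Deletes every setting listed in $vmconfig.vmAdvSettingsRemove from each VM where it exists.
Try{
  ForEach($vm in $vms){
    Write-ToConsole "...Removing advanced settings if necessary on $vm on $vcenter"
    ForEach($setting in ($vmconfig.vmAdvSettingsRemove | Sort-Object Name)){
      #Checking to see if current setting exists (relies on Get-AdvancedSetting returning nothing for a missing name)
      If($asetting = $vm | Get-AdvancedSetting -Name $setting){
        Write-ToConsole "...Setting $setting exists on $vm...removing setting"
        $asetting | Remove-AdvancedSetting -Confirm:$false
      }
      else{
        Write-ToConsole "...Setting $setting does not exist on $vm"
      }
    }
  }
}Catch{
  Write-Error "...Failed to remove virtual machine advanced settings"
  Write-Error $_.Exception
  # Tear down the session on every failure path, then signal failure with a non-zero exit code.
  Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
  Exit 1
}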
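## Set virtual machine vMotion Encryption
# Compares each VM's current MigrateEncryption mode with $vmconfig.vmotionEncryption and
# reconfigures the VM through the vSphere API when they differ.
Try{
  ForEach($vm in $vms){
    If($vm.extensiondata.Config.MigrateEncryption -eq $vmconfig.vmotionEncryption){
      Write-ToConsole "...vMotion encryption set correctly on $vm to $($vmconfig.vmotionEncryption)"
    }else{
      # Log the change like the other remediation steps do, so the run leaves an audit trail.
      Write-ToConsole "...vMotion encryption on $vm is $($vm.extensiondata.Config.MigrateEncryption) setting to $($vmconfig.vmotionEncryption)"
      $vmv = $vm | Get-View
      $config = New-Object VMware.Vim.VirtualMachineConfigSpec
      # MigrateEncryption is assigned the mode name as a string; the earlier interim
      # New-Object VirtualMachineConfigSpecEncryptedVMotionModes assignment was overwritten immediately and is dropped.
      $config.MigrateEncryption = "$($vmconfig.vmotionEncryption)"
      $vmv.ReconfigVM($config)
    }
  }
}Catch{
  Write-Error "...Failed to configure virtual machine vMotion encryption"
  Write-Error $_.Exception
  # Tear down the session on every failure path, then signal failure with a non-zero exit code.
  Disconnect-VIServer -Server $vcenter -Force -Confirm:$false
  Exit 1
}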
# Normal-path session teardown; same non-interactive -Force/-Confirm:$false form the error paths use.
Write-ToConsole "...Disconnecting from vCenter"
$disconnectArgs = @{ Server = $vcenter; Force = $true; Confirm = $false }
Disconnect-VIServer @disconnectArgs