Yellow Bricks

by Duncan Epping

esxi

vSphere Security Hardening Guide script by @lamw

Duncan Epping · Feb 8, 2010 ·

A couple of weeks ago I blogged about the vSphere Security Hardening Guide. Just a couple of days later William “the king of Perl” Lam already produced a script that checks the Hardening Guide best practices against your environment. It produces a great HTML-based report.

Source

While going through the COS/HOST and VM documentation, I noticed there were quite a few checks that might benefit from having a script to validate the guidelines and that was the motivation for this script. Not all sections can be validated using the vSphere APIs and will require some manual validation and I’ve separated the types of passes whether it’s a fail, pass or manual (which requires user intervention).

The script allows you to run the current existing guides as of (01/29/2010) against vCenter 4.0 hosting ESX(i) 4.0 hosts/virtual machines OR run it against an individual ESX(i) 4.0 host. The script allows you to run a subset of the checks and against different types of validation (ENTERPRISE, DMZ or SSLF). Upon completion, a report is generated including a grade for your environment.

A couple of details on the features:

  • Email report
  • Ability to execute subset of the checks (COS,HOST,VCENTER,VNETWORK,VM)
  • Ability to execute specific test suite (ENTERPRISE,DMZ,SSLF)
  • Detailed HTML summary report with letter grade

You can find an example report here. Great work again William, keep it up!

Win an Apple iPad for you and your friends!

Duncan Epping · Feb 3, 2010 ·

This is just a reminder. The ESXi scripting contest is still running. Make sure you enter the competition. So far not many people have, so chances of winning are pretty big!

VMware challenges you to build the best, most creative ESXi management scripts possible. The goal of the ScriptoMania contest is to help our wider community adopt ESXi by providing useful, fun and powerful scripts to manage the ESXi platform. The best part is that we give our winners bragging rights and we put some hard cold cash in your pockets. Are you up to the challenge?

Contest Overview:

  • Chance to win up to $2500 for your very best ESXi scripts.
  • Contest ends March 15th, 2010
  • Details at: http://vmware.com/go/scriptomania

RVTools 2.8

Duncan Epping · Jan 31, 2010 ·

Rob de Veij just released a brand new version of RVTools. Download it while it is still hot! Please note that this application supports ESX(i) Server 3.5 and vCenter 2.5. vSphere 4 is in experimental support.

Latest Version: 2.8 | January 31, 2010
Download | Documentation

  • On vHost tab field “# VMs” now only powered on VMs are counted.
  • On vHost tab field “VMs per core” now only powered on VMs are counted.
  • On vHost tab field “vCPUs per core” now only powered on VMs are counted.
  • On vDatastore tab field “# VMs” now only calculated for VM’s which are powered on.
  • Health check “Number of running virtual CPUs per core” now only powered on VMs are counted.
  • Health check “Number of running VMs per datastore” now only powered on VMs are counted.
  • During Installation there will be an application event source created for RVTools. This to fix some security related problems.
  • Some users run into a timeout exception from the SDK Web server. The default web service timeout value is now changed to a higher value.
  • New fields on vHost tab: NTP Server(s), time zone information, Hyper Threading information (available and active), Boot time, DNS Servers, DHCP flag, Domain name and DNS Search order
  • New Health Check: Inconsistent folder names.
  • Improved exception handling on vDisk, vSwitch and vPort tab pages.

Remove the ESXi web welcome screen

Duncan Epping · Jan 28, 2010 ·

I received a question from a customer who wanted, for security reasons, to remove the ESXi web welcome screen. This is the screen that enables you to download the vSphere Client and RCLI and even browse datastores.

I’ve tested it and removing (or renaming) the following file will lead to a blank page when the ESXi host is accessed via http(s):

/usr/lib/vmware/hostd/docroot/index.html

<edit>

William Lam created another workaround which is definitely a more elegant solution: Remove the ESXi web welcome screen.

</edit>

Draft version of the vSphere Security Hardening Guide available

Duncan Epping · Jan 26, 2010 ·

VMware published the draft version of the vSphere Security Hardening Guide. Keep in mind that it’s still draft and needs tweaking. The Team needs your feedback, so if you have any comments please don’t hesitate to reach out and leave a comment on the community forums.

Overall, there are more than 100 guidelines. The guide itself is split into the following major sections:

  • vSphere 4.0 Security Hardening Guide: COS (Rev B)
  • vSphere 4.0 Security Hardening Guide: vCenter (Rev B)
  • vSphere 4.0 Security Hardening Guide: vNetwork (Rev B)
  • vSphere 4.0 Security Hardening Guide: Host (Rev B)
  • vSphere 4.0 Security Hardening Guide: Virtual Machines (Rev B)
  • vSphere 4.0 Security Hardening Guide: Introduction (Rev B)

Please bear in mind the following:

Another new aspect of the guide is the desire to create it with input from the VMware community. This draft is available for public comment for a period of approximately one month. VMware’s intention is to incorporate public feedback into the next revision of the guide, which will be the final version. However, this current revision is the result of a private review of an initial draft, and so we believe that the final version will not differ too significantly. This revision can therefore be used for customer production deployments today, with the caveat that some new guidelines might be added and some existing ones slightly modified.

Thanks Charu for posting these! They contain really valuable info.
