Pau Lo

asked on 

hardening report script

If any of you are familiar with the following script:

https://communities.vmware.com/docs/DOC-11901

A few questions if I may:

1) Can it only be run against hosts running v5.1 of vSphere? Or will it also audit older versions of vSphere?

2) Can you run it remotely? I.e. from a workstation in the same domain as the vcenter? I was a bit confused when it said "download the script and upload it to upload to your vMA 4.x/5.x host" - indicating perhaps you need to upload it to every host you want to audit?

3) Any idea how long it takes to run and does it have any performance impact on the systems being scanned?

4) If you can run it just against vCenter as opposed to each host, where exactly do you enter your vCenter and admin credentials within the script?

ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Pau Lo

ASKER

Thanks, the only thing that confused me was the comment:

"The only required parameter is the type of validation you would like to run against by specifying ----recommend_check_level and choosing (enterprise,dmz or sslf)"

If you're running it against a vCenter, then do you ignore that parameter, as you may have hosts in your private network - presumably "enterprise", and hosts in DMZ?
Pau Lo

ASKER

5) If you run it against a vCenter, does the report show which hosts the issues were found on?

6) Does it show just failed issues, i.e. security weaknesses in the end report, or does it flag up security checks where you do comply with the best practices? i.e. failed and passed?
The different levels, enterprise, sslf and dmz, determine which tests are performed, how many checks....

e.g. double the number of checks from sslf to enterprise are performed.

5. Yes, the best way is to run against vCenter Server, because it will then check

1. Hosts
2. vCenter Server
3. VMs

Please note, that 45% of the checks require manual validation for hosts, 90% for vCenter, and 50% for virtual machines, but the script does highlight what needs to be manually checked off.

6. It shows, Pass, Fail and Manual - with a reason for the Fail, Pass and Manual.

You are also given an overall Grade!
Pau Lo

ASKER

Do you assign a value when creating a host as to whether it's DMZ, SSLF, or ENTERPRISE, or is this based on judgement on where the host is situated in your LAN?
It's based on your judgement.

Obviously, you need better security if you drop servers in your DMZ, compared to Production LAN - or do you?

Again, comes down to Server Design and Policy, Security.
Pau Lo

ASKER

Does enterprise = your private network, i.e. non-DMZ?

And what does SSLF represent? Can you provide an example?
Pau Lo

ASKER

I just wondered if the script was intelligent enough, if you ran it against a vCenter, that it would run DMZ checks for DMZ hosts, enterprise checks for enterprise hosts, SSLF checks for SSLF hosts etc.
It's based on what flag you give the checker!

So it does assume some intelligence on behalf of the Administrator using the script!
Pau Lo

ASKER

But can't you have many types of host attached to a vCenter, i.e. enterprise and DMZ hosts joined to the same vCenter, so in which case you'd have to supply multiple flags if you're running the scan against the vCenter, which doesn't seem possible?

I can see if you were just scanning one enterprise host, or one DMZ host, but I can't understand how you do that when pointing the script at the vCenter?
The script is designed to be run, with DMZ, Enterprise or SSLF flags.

Different flags suggest and check for different items, which may be applicable to DMZ, Enterprise - the Administrator applying and checking the servers needs to recognise what is relevant for his environment.

We do not have many clients, that put hosts in the DMZ!

As for running the script, we run it with all flags, and compare output.