Avatar of Pau Lo
Pau Lo

asked on 

hardening report script

If any of you are familiar with the following script:


A few questions if I may:

1) Can it only be run against hosts running v5.1 of vsphere? Or will it also audit older version of vsphere?

2) Can you run it remotely? I.e. from a workstation in the same domain as the vcenter? I was a bit confused when it said "download the script and upload it to upload to your vMA 4.x/5.x host" - indicating perhaps you need to upload it to every host you want to audit?

3) Any idea how long it takes to run and does it have any performance impact on the systems being scanned?

4) If you can run it just against vcenter as opposed each host, where exactly do you enter you vcenter and admin credentials within the scipt?

Avatar of undefined
Last Comment
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Avatar of Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Flag of United Kingdom of Great Britain and Northern Ireland image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Pau Lo
Pau Lo


Thanks, the only thing that confused me was the comment:

"The only required parameter is the type of validation you would like to run against by specifying ----recommend_check_level and choosing (enterprise,dmz or sslf)"

If your running it against a vCenter, then do you ignore that paramter, as you may have hosts in your private network - presumably "enterprise", and hosts in DMZ?
Avatar of Pau Lo
Pau Lo


5) If you run it against a vCenter, does the report show which hosts the issues were found on?

6) Does it show just failed issues, i.e. security weaknesses in the end report, or does it flag up security checks where you do comply with the best practices? i.e. failed and passed?
The different levels, enterprise, sslf and dmz, determine which tests are performed, how many checks....

e.g. double the number of checks from sslf to enterprise are performed.

5. Yes, the best way is to run against vCenter Server, because it will then check

1. Hosts
2. vCenter Server
3. VMs

Please note, that 45% of the checks require manual validation for hosts, 90% for vCenter, and 50% for virtual machines, but the script does highlight what needs to be manually checked off.

6. It shows, Pass, Fail and Manual - with a reason for the Fail, Pass and Manual.

You are also given an overall Grade!
Avatar of Pau Lo
Pau Lo


Do you assign a value when creating a host as to whether its DMZ, SSLF, or ENTERPRISE, or is this based on judgement on where the host is siutated in your LAN?
It's based on your judgement.

Obviously, you need better security if you drop servers in your DMZ, compared to Production LAN - or do you?

Again, comes down to Server Design and Policy, Security.
Avatar of Pau Lo
Pau Lo


Does enterprise = your private network ,i.e. non DMZ

And what does SSLF represent, can you provide an example
Avatar of Pau Lo
Pau Lo


I  just wondered if the script was intelligent enough, if you ran it against a vCenter, that it would run DMZ checks for DMZ hosts, enterprise checks for enterprise hosts, SSLF checks for SSLF hosts etc.
It's based on what flag you give the checker!

So does assume some intelligence on behalf of the Administrator using the script!
Avatar of Pau Lo
Pau Lo


But cant you have  many types of host attached to a vcenter, i.e. enterprise and DMZ hosts joined to the same vcenter, so in which case you'd have to supply multiple flags if your runing the scan against the vcenter, which doesnt seem possible?

I can see if you were just scanning one enterprise host, or one DMZ host, but I cant understand how you do that when pointing the script at the vcenter?
The script is designed to be run, with DMZ, Enterprise or SSLF flags.

different flags, suggest and check for different items, which maybe applicable to DMZ, Enterprise - the Administrator applying and checking the servers, needs to recognise what is relevant for his environment.

We do not have many clients, that put hosts in the DMZ!

As for running the script, we run it with all flags, and compare output.

VMware, a software company founded in 1998, was one of the first commercially successful companies to offer x86 virtualization. The storage company EMC purchased VMware in 1994. Dell Technologies acquired EMC in 2016. VMware’s parent company is now Dell Technologies. VMware has many software products that run on desktops, Microsoft Windows, Linux, and macOS, which allows the virtualizing of the x86 architecture. Its enterprise software hypervisor for servers, VMware vSphere Hypervisor (ESXi), is a bare-metal hypervisor that runs directly on the server hardware and does not require an additional underlying operating system.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo