Avatar of Pau Lo
Pau Lo asked on

hardening report script

If any of you are familiar with the following script:

https://communities.vmware.com/docs/DOC-11901

A few questions if I may:

1) Can it only be run against hosts running v5.1 of vsphere? Or will it also audit older version of vsphere?

2) Can you run it remotely? I.e. from a workstation in the same domain as the vcenter? I was a bit confused when it said "download the script and upload it to upload to your vMA 4.x/5.x host" - indicating perhaps you need to upload it to every host you want to audit?

3) Any idea how long it takes to run and does it have any performance impact on the systems being scanned?

4) If you can run it just against vcenter as opposed each host, where exactly do you enter you vcenter and admin credentials within the scipt?
VMwareVirtualization

Avatar of undefined
Last Comment
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
Pau Lo

Thanks, the only thing that confused me was the comment:

"The only required parameter is the type of validation you would like to run against by specifying ----recommend_check_level and choosing (enterprise,dmz or sslf)"

If your running it against a vCenter, then do you ignore that paramter, as you may have hosts in your private network - presumably "enterprise", and hosts in DMZ?
ASKER
Pau Lo

5) If you run it against a vCenter, does the report show which hosts the issues were found on?

6) Does it show just failed issues, i.e. security weaknesses in the end report, or does it flag up security checks where you do comply with the best practices? i.e. failed and passed?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

The different levels, enterprise, sslf and dmz, determine which tests are performed, how many checks....

e.g. double the number of checks from sslf to enterprise are performed.

5. Yes, the best way is to run against vCenter Server, because it will then check

1. Hosts
2. vCenter Server
3. VMs

Please note, that 45% of the checks require manual validation for hosts, 90% for vCenter, and 50% for virtual machines, but the script does highlight what needs to be manually checked off.

6. It shows, Pass, Fail and Manual - with a reason for the Fail, Pass and Manual.

You are also given an overall Grade!
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER
Pau Lo

Do you assign a value when creating a host as to whether its DMZ, SSLF, or ENTERPRISE, or is this based on judgement on where the host is siutated in your LAN?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

It's based on your judgement.

Obviously, you need better security if you drop servers in your DMZ, compared to Production LAN - or do you?

Again, comes down to Server Design and Policy, Security.
ASKER
Pau Lo

Does enterprise = your private network ,i.e. non DMZ

And what does SSLF represent, can you provide an example
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Pau Lo

I  just wondered if the script was intelligent enough, if you ran it against a vCenter, that it would run DMZ checks for DMZ hosts, enterprise checks for enterprise hosts, SSLF checks for SSLF hosts etc.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

It's based on what flag you give the checker!

So does assume some intelligence on behalf of the Administrator using the script!
ASKER
Pau Lo

But cant you have  many types of host attached to a vcenter, i.e. enterprise and DMZ hosts joined to the same vcenter, so in which case you'd have to supply multiple flags if your runing the scan against the vcenter, which doesnt seem possible?

I can see if you were just scanning one enterprise host, or one DMZ host, but I cant understand how you do that when pointing the script at the vcenter?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

The script is designed to be run, with DMZ, Enterprise or SSLF flags.

different flags, suggest and check for different items, which maybe applicable to DMZ, Enterprise - the Administrator applying and checking the servers, needs to recognise what is relevant for his environment.

We do not have many clients, that put hosts in the DMZ!

As for running the script, we run it with all flags, and compare output.