hardening report script

If any of you are familiar with the following script:

https://communities.vmware.com/docs/DOC-11901

A few questions if I may:

1) Can it only be run against hosts running v5.1 of vsphere? Or will it also audit older version of vsphere?

2) Can you run it remotely? I.e. from a workstation in the same domain as the vcenter? I was a bit confused when it said "download the script and upload it to upload to your vMA 4.x/5.x host" - indicating perhaps you need to upload it to every host you want to audit?

3) Any idea how long it takes to run and does it have any performance impact on the systems being scanned?

4) If you can run it just against vcenter as opposed each host, where exactly do you enter you vcenter and admin credentials within the scipt?
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
1.     Supports ESX(i) 4.x/5.x (licensed version only), Supports vCenter 4.x/5.x

2.  It's a perl script, so Yes, it can be run remotely, or from the VMA appliance.

3. It does not perform any impact, approx 60 seconds. But does depend on the environment size.

4. --server [SERVER] --username [USERNAME]
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
Thanks, the only thing that confused me was the comment:

"The only required parameter is the type of validation you would like to run against by specifying ----recommend_check_level and choosing (enterprise,dmz or sslf)"

If your running it against a vCenter, then do you ignore that paramter, as you may have hosts in your private network - presumably "enterprise", and hosts in DMZ?
0
pma111Author Commented:
5) If you run it against a vCenter, does the report show which hosts the issues were found on?

6) Does it show just failed issues, i.e. security weaknesses in the end report, or does it flag up security checks where you do comply with the best practices? i.e. failed and passed?
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
The different levels, enterprise, sslf and dmz, determine which tests are performed, how many checks....

e.g. double the number of checks from sslf to enterprise are performed.

5. Yes, the best way is to run against vCenter Server, because it will then check

1. Hosts
2. vCenter Server
3. VMs

Please note, that 45% of the checks require manual validation for hosts, 90% for vCenter, and 50% for virtual machines, but the script does highlight what needs to be manually checked off.

6. It shows, Pass, Fail and Manual - with a reason for the Fail, Pass and Manual.

You are also given an overall Grade!
0
pma111Author Commented:
Do you assign a value when creating a host as to whether its DMZ, SSLF, or ENTERPRISE, or is this based on judgement on where the host is siutated in your LAN?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
It's based on your judgement.

Obviously, you need better security if you drop servers in your DMZ, compared to Production LAN - or do you?

Again, comes down to Server Design and Policy, Security.
0
pma111Author Commented:
Does enterprise = your private network ,i.e. non DMZ

And what does SSLF represent, can you provide an example
0
pma111Author Commented:
I  just wondered if the script was intelligent enough, if you ran it against a vCenter, that it would run DMZ checks for DMZ hosts, enterprise checks for enterprise hosts, SSLF checks for SSLF hosts etc.
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
It's based on what flag you give the checker!

So does assume some intelligence on behalf of the Administrator using the script!
0
pma111Author Commented:
But cant you have  many types of host attached to a vcenter, i.e. enterprise and DMZ hosts joined to the same vcenter, so in which case you'd have to supply multiple flags if your runing the scan against the vcenter, which doesnt seem possible?

I can see if you were just scanning one enterprise host, or one DMZ host, but I cant understand how you do that when pointing the script at the vcenter?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
The script is designed to be run, with DMZ, Enterprise or SSLF flags.

different flags, suggest and check for different items, which maybe applicable to DMZ, Enterprise - the Administrator applying and checking the servers, needs to recognise what is relevant for his environment.

We do not have many clients, that put hosts in the DMZ!

As for running the script, we run it with all flags, and compare output.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VMware

From novice to tech pro — start learning today.