powercli config on vmware esx boxes with report in html and email

I have a script that runs through various configs, I need a way to make it pretty in html and email please.

example of code is below:
# v1.1   original
# v1.2  added pssanpin / switch command for differing sha1 paths
# v1.3  Removed vmware hardening guide checks that do not cross reference to a DISA stig  8/1/2012 mb
# v1.4 Put variables in front.  added name to title of reports.  Added  OK and NOT OK status to reports

# Do these first if running script from scratch
# Add-pssnapin vmware.*
# Add-pssnapin vmware.vumautomation


# Get data
$vCenter = "vcenterser.domain.com" 
Connect-viserver $vCenter
$hosts = Get-VMHost
$VdS = Get-VDSwitch
$VDSpg = Get-Vdportgroup | Where {$_.name -notlike '*DVUplinks*'}
$VDSpvlan = Get-VDSwitchPrivateVlan -VDSwitch $Vds
$User = read-host "User with root access"
# Read-Host -AsSecureString "Root Users Password" | ConvertFrom-SecureString | Out-File C:\securestring.txt
$Pswd =  Read-Host "root user's password " ####cat C:\securestring.txt | ConvertTo-SecureString
# Report formating options
$CR = "`r" + "`r"

# Set up plink options
$plink = "C:\putty\plink.exe"
$plinkOptions = " -v -batch -pw $pswd"


# Loop through each ESXi host and perform checks
ForEach ($vmhost in $hosts) 
{ if ($vmhost.Version -eq "5.5.0")
	{Get-VMHost $vmhost

$hostName = $vmhost.Name -replace ".domain.com", ""
$hostName = $hostName.TrimEnd()
$count = 0
$pass = 0

$VSS = Get-VirtualSwitch -Standard -VMHost $vmhost
$VSSpg = Get-VirtualPortGroup -Standard -VMHost $vmhost

#initialize the report
$outputPath = "C:\Users\user1\Desktop\reports\" + $hostname + ".csv"

# Label & Time Stamp the report
$vmhost.Name | Out-File -FilePath $outputPath -Append
Get-Date | Out-File -filePath $outputPath -append



#
# Start checks here
#

($vmhost | get-view).ExitLockdownMode()
Get-vmhostService -VMHost $vmhost | Where {$_.key -eq "TSM-SSH"} | Start-VMHostService

sleep -Seconds 10

$StigID = "GEN002430-ESXI5"
$VulnID = "V-39381"
$Cat = "II"
$Title = "Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -i nfs | grep -v "nodev" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command

	if ($msg -eq $null) {$grade = "Pass"; $pass++;}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000001"
$VulnID = "V-39356"
$Cat = "III"
$Title = "All dvPortgroup VLAN IDs must be fully documented."
$msg = $VDSpg | select Name, VlanConfiguration
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000002"
$VulnID = " V-39357"
$Cat = "III"
$Title = "All dvSwitch Private VLAN IDs must be fully documented."
$msg = $VDSpvlan
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000003"
$Title = "All virtual switches must have a clear network label."
$VulnID = "V-39358"
$Cat = "III"
$msg_1 = $VDSpg  |Select Name
$msg_2 = $VSSpg | Select Name
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000004"
$Title = "Virtual switch VLANs must be fully documented and have only the required VLANs."
$VulnID = " V-39359"
$Cat = "III"
$msg_1 = $VDSpg | Select Name, VlanConfiguration
$msg_2 = $VSSpg | Select Name, VLanID
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000005"
$Title = "All vSwitch and VLAN IDs must be fully documented."
$VulnID = " V-39360"
$Cat = "III"
$msg = $VSSpg | Select Name, VLanID
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000006"
$Title = "All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor."
$VulnID = " V-39361"
$Cat = "III"
$msg = "This check is NA because we do not currently use IP based storage in our environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000007"
$Title = "Only authorized administrators must have access to virtual networking components."
$VulnID = " V-39364"
$Cat = "III"
$msg = Get-viPermission -Entity (Get-VDPortgroup)
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000008"
$Title = "All physical switch ports must be configured with spanning tree disabled."
$VulnID = " V-39365"
$Cat = "III"
$msg = "This check requires an inquiry to Network Team to ensure all physical switch ports have Spanning Tree funtion disabled"
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000009"
$Title = "All port groups must be configured with a clear network label."
$VulnID = " V-39366"
$Cat = "III"
$msg_1 = $VDSpg | Select Name
$msg_2 = $VSSpg | Select Name
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000010"
$Title = "All port groups must be configured to a value other than that of the native VLAN."
$VulnID = " V-39367"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	foreach ($pg in $msg_1) 
		{
		if ($pg.vlanConfiguration -eq "VLAN 1") {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if ($pg.VLanConfiguration -eq 1) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} 
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000011"
$Title = "All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT)."
$VulnID = " V-39368"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	foreach ($pg in $msg_1) 
		{
		if ($pg.vlanConfiguration -eq "VLAN 4095") {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if ($pg.VLanConfiguration -eq 4095) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} 
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000012"
$Title = "All port groups must not be configured to VLAN values reserved by upstream physical switches."
$VulnID = " V-39369"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	
	foreach ($pg in $msg_1) 
		{
		if (($pg.VlanConfiguration -eq "VLAN 4094") -or ($pg.VlanConfiguration -eq "VLAN 1001") -or ($pg.VlanConfiguration -eq "VLAN 1002") -or ($pg.VlanConfiguration -eq "VLAN 1003") -or ($pg.VlanConfiguration -eq "VLAN 1004") -or ($pg.VlanConfiguration -eq "VLAN 1005") -or ($pg.VlanConfiguration -eq "VLAN 1006") -or ($pg.VlanConfiguration -eq "VLAN 1007") -or ($pg.VlanConfiguration -eq "VLAN 1008") -or ($pg.VlanConfiguration -eq "VLAN 1009") -or ($pg.VlanConfiguration -eq "VLAN 1010") -or ($pg.VlanConfiguration -eq "VLAN 1011") -or ($pg.VlanConfiguration -eq "VLAN 1012") -or ($pg.VlanConfiguration -eq "VLAN 1013") -or ($pg.VlanConfiguration -eq "VLAN 1014") -or ($pg.VlanConfiguration -eq "VLAN 1015") -or ($pg.VlanConfiguration -eq "VLAN 1016") -or ($pg.VlanConfiguration -eq "VLAN 1017") -or ($pg.VlanConfiguration -eq "VLAN 1018") -or ($pg.VlanConfiguration -eq "VLAN 1019") -or ($pg.VlanConfiguration -eq "VLAN 1020") -or ($pg.VlanConfiguration -eq "VLAN 1021") -or ($pg.VlanConfiguration -eq "VLAN 1022") -or ($pg.VlanConfiguration -eq "VLAN 1023") -or ($pg.VlanConfiguration -eq "VLAN 1024"))  {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if (($pg.VlanConfiguration -eq 4094) -or ($pg.VlanConfiguration -eq 1001) -or ($pg.VlanConfiguration -eq 1002) -or ($pg.VlanConfiguration -eq 1003) -or ($pg.VlanConfiguration -eq 1004) -or ($pg.VlanConfiguration -eq 1005) -or ($pg.VlanConfiguration -eq 1006) -or ($pg.VlanConfiguration -eq 1007) -or ($pg.VlanConfiguration -eq 1008) -or ($pg.VlanConfiguration -eq 1009) -or ($pg.VlanConfiguration -eq 1010) -or ($pg.VlanConfiguration -eq 1011) -or ($pg.VlanConfiguration -eq 1012) -or ($pg.VlanConfiguration -eq 1013) -or ($pg.VlanConfiguration -eq 1014) -or ($pg.VlanConfiguration -eq 1015) -or ($pg.VlanConfiguration -eq 1016) -or ($pg.VlanConfiguration -eq 1017) -or ($pg.VlanConfiguration -eq 1018) -or ($pg.VlanConfiguration -eq 1019) -or ($pg.VlanConfiguration -eq 1020) -or ($pg.VlanConfiguration -eq 1021) -or ($pg.VlanConfiguration -eq 1022) -or ($pg.VlanConfiguration -eq 1023) -or ($pg.VlanConfiguration -eq 1024)) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000013"
$Title = "The system must ensure that the virtual switch Forged Transmits policy is set to reject."
$VulnID = "V-39370"
$Cat = "II"
$count++
$msg = $VSS | Select Name, @{N="ForgedTransmits"; E={$_.ExtensionData.Spec.Policy.Security.ForgedTransmits}}
$flg = $false
foreach ($vs in $msg)
        	{
         	if ($vs.ForgedTransmits -ne $false) {$flg = $true}
            }
if ($flg -eq $true) {$grade = "Fail"}
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000014"
$Title = "The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.."
$VulnID = " V-39371"
$Cat = "II"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.ForgedTransmits -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000015"
$Title = "The system must ensure the dvPortGroup MAC Address Change policy is set to reject."
$VulnID = "V-39372"
$Cat = "I"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true) {$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000016"
$Title = "The system must ensure the virtual switch MAC Address Change policy is set to reject."
$VulnID = "V-39373"
$Cat = "I"
$count++
$msg = $VSS | Select Name, @{N="MacChanges"; E={$_.ExtensionData.Spec.Policy.Security.MacChanges}}
$flg = $false
foreach ($vs in $msg)
                     {
                     if ($vs.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000017"
$Title = "The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode."
$VulnID = "V-39374"
$Cat = "II"
$msg = "This check needs an inquiry to Network team. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000018"
$Title = "The system must ensure the virtual switch Promiscuous Mode policy is set to reject."
$VulnID = "V-39375"
$Cat = "II"
$count++
$msg = $VSS | Select Name, @{N="AllowPromiscuous"; E={$_.ExtensionData.Spec.Policy.Security.AllowPromiscuous}}
$flg = $false
foreach ($vs in $msg)
                     {
                     if ($vs.AllowPromiscuous -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000015"
$Title = "The system must ensure the dvPortGroup MAC Address Change policy is set to reject."
$VulnID = "V-39372"
$Cat = "I"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000020"
$Title = "The system must ensure there are no unused ports on a distributed virtual port group."
$VulnID = " V-39377"
$Cat = "II"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000021"
$Title = "vMotion traffic must be isolated."
$VulnID = " V-39378"
$Cat = "III"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000023"
$Title = "Access to the management network must be strictly controlled through a network gateway."
$VulnID = " V-39400"
$Cat = "II"
$msg = "This check is a manual verification. Document a controlled gateway or other controlled access method to the management network."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000024"
$Title = "Access to the management network must be strictly controlled through a network jump box."
$VulnID = " V-39401"
$Cat = "II"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000025"
$Title = "Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic."
$VulnID = " V-39379"
$Cat = "III"
$msg = "This check needs an inquiry to Network team.  If a guest VM is configured to perform a bridging function, enable spanning tree protocol for the VMs switch port."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000026"
$Title = "The system must disable the autoexpand option for VDS dvPortgroups."
$VulnID = " V-39380"
$Cat = "III"
$count++
$msg = $VDSpg | Select Name, @{N='AutoExpand'; E={$_.ExtensionData.config.AutoExpand}}
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.AutoExpand -ne $False) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append



$StigID = "ESXI5-VMNET-000036"
$Title = "All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch."
$VulnID = " V-39362"
$Cat = "III"
$msg = "This check is NA since there is no IP based storage currently in this environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append



$StigID = "ESXI5-VMNET-000046"
$Title = "All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups."
$VulnID = " V-39363"
$Cat = "III"
$msg = "This check is NA since there is no IP based storage currently in this environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000950-ESXI5-444"
$VulnID = "V-39383"
$Cat = "II"
$Title = "The root accounts list of preloaded libraries must be empty."
$count++
$remoteCommand = '"' + 'grep LD_PRELOAD /etc/vmware/config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null) {$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005516-ESXI5-703"
$VulnID = "V-39249"
$Cat = "III"
$Title = "The SSH client must be configured to not allow TCP forwarding."
$count++
$remoteCommand = '"' + 'grep Forward /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{
		 $grade = "Fail" 
		}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005516-ESXI5-704"
$VulnID = "V-39251"
$Cat = "III"
$Title = "The SSH client must be configured to not allow gateway ports."
$count++
$remoteCommand = '"' + 'grep -i GatewayPorts /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{
		 $grade = "Fail" 
		}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005520-ESXI5-705"
$VulnID = "V-39271"
$Cat = "III"
$Title = "The SSH client must be configured to not allow X11 forwarding."
$count++
$remoteCommand = '"' + 'grep -i "^ForwardX11"  /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005529-ESXI5-708"
$VulnID = "V-39269"
$Cat = "II"
$Title = "The SSH client must not send environment variables to the server or must only send those pertaining to locale."
$count++
$remoteCommand = '"' + 'grep SendEnv /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "SendEnv LOCALE")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005529-ESXI5-709"
$VulnID = "V-39270"
$Cat = "II"
$Title = "The SSH client must not permit tunnels."
$count++
$remoteCommand = '"' + 'grep Tunnel /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "Tunnel no")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000023-ESXI5"
$VulnID = "V-39394"
$Cat = "II"
$Title = "The SSH daemon must be configured with the Department of Defense (DoD) logon banner."
$count++
$remoteCommand = '"' + 'cat /etc/issue' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null)
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " SRG-OS-000027-ESXI5"
$VulnID = "V-39253"
$Cat = "II"
$Title = "The SSH daemon must limit connections to a single session."
$count++
$remoteCommand = '"' + 'grep MaxSessions /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "MaxSessions 1")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000033-ESXI5"
$VulnID = "V-39411"
$Cat = "I"
$Title = "The operating system must use cryptography to protect the confidentiality of remote access sessions."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "/etc/ssh/sshd_config:Protocol 2")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000056-ESXI5"
$VulnID = "V-39254"
$Cat = "II"
$Title = "The system must use time sources local to the enclave."
$count++
$msg = Get-VMHostNtpServer -VMHost $vmhost
if ($msg -ne "ntp.domain.com")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000069-ESXI5"
$VulnID = "V-39255"
$Cat = "II"
$Title = "The system must require that passwords contain at least one uppercase alphabetic character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000070-ESXI5"
$VulnID = "V-39256"
$Cat = "II"
$Title = "The system must require passwords contain at least one lowercase alphabetic character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000072-ESXI5 "
$VulnID = "V-39259"
$Cat = "II"
$Title = "The system must require at least four characters be changed between the old and new passwords during a password change."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "similar=deny"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*similar=deny*")
    	{$grade = "Pass"; $pass++} 
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000077-ESXI5"
$VulnID = "V-39261"
$Cat = "II"
$Title = "The system must prohibit the reuse of passwords within five iterations."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep sufficient | grep "remember="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*remember=5*")
    	{$grade = "Pass"; $pass++} 
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000078-ESXI5 "
$VulnID = "V-39262"
$Cat = "II"
$Title = "The system must require that passwords contain a minimum of 14 characters."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$grade = $grade + "      Deviation # D000x"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000080-ESXI5"
$VulnID = "V-39264"
$Cat = "II"
$Title = "System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others."
$msg = "This check is a manual check.  On systems with a BIOS or system controller, set the supervisor or administrator password."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " SRG-OS-000090-ESXI5"
$VulnID = "V-39287"
$Cat = "I"
$Title = "The system must verify the integrity of the installation media before installing ESXi."
$msg = "This check is a manual check"
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000095-ESXI5"
$VulnID = "V-39386"
$Cat = "I"
$Title = "Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled."
$count++
$remoteCommand = '"' + 'grep -v "^ssh" /var/run/inetd.conf | grep -v "^authd" | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -Command $command
if ($msg -eq "")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000109-ESXI5"
$VulnID = "V-39391"
$Cat = "II"
$Title = "The system must not permit root logins using remote access programs, such as SSH."
$count++
$remoteCommand = '"' + 'grep PermitRootLogin /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "PermitRootLogin no")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000112-ESXI5"
$VulnID = "V-39412"
$Cat = "I"
$Title = "The SSH daemon must be configured to only use the SSHv2 protocol."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "/etc/ssh/sshd_config:Protocol 2")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000113-ESXI5"
$VulnID = "V-39413"
$Cat = "I"
$Title = "The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "/etc/ssh/sshd_config:Protocol 2")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000120-ESXI5"
$VulnID = "V-39260"
$Cat = "II"
$Title = "The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm."
$count++
$remoteCommand = '"' + 'grep "^password   sufficient" /etc/pam.d/passwd | grep sha512' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*sha512*")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000121-ESXI5"
$VulnID = "V-39388"
$Cat = "II"
$Title = "All accounts on the system must have unique user or account names."
$count++
Connect-VIServer -Server $VMHost -User $User -Password $Pswd
$msg = $null
$msg_1 = Get-VMHostAccount -User
$msg_2 = $msg_1|sort|Get-Unique
$msg = Compare-Object -ReferenceObject $msg_2 -DifferenceObject $msg_1
if ($msg -eq $null)
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg_1, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000126-ESXI5"
$VulnID = "V-39392"
$Cat = "II"
$Title = "The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name UserVars.ESXiShellTimeOut
if ($msg.values -eq 900)
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000132-ESXI5"
$VulnID = "V-39393"
$Cat = "II"
$Title = "vSphere management traffic must be on a restricted network."
$msg = "This is a manual check."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000144-ESXI5"
$VulnID = "V-39397"
$Cat = "II"
$Title = "The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system."
$msg = Get-VMHostFirewallException -VMHost $vmhost 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000145-ESXI5"
$VulnID = "V-39395"
$Cat = "II"
$Title = "The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router."
$count++
$msg = Get-VMHostNetwork -VMHost $VMHost | select VMHost, VMKernelGateway  
if ($msg.VMKernelGateway -ne $null)
	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000147-ESXI5"
$VulnID = "V-39398"
$Cat = "II"
$Title = "The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception)."
$msg = Get-VMHostFirewallException -VMHost $vmhost 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000152-ESXI5"
$VulnID = "V-39396"
$Cat = "II"
$Title = "The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices."
$msg = Get-VMHostFirewallException -VMHost $vmhost 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000157-ESXI5"
$VulnID = "V-39402"
$Cat = "II"
$Title = "The SSH client must be configured to not use CBC-based ciphers."
$count++
$remoteCommand = '"' + 'grep -i ciphers /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
	if (($msg -eq "") -or ($msg -like "cbc")) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000158-ESXI5"
$VulnID = "V-39403"
$Cat = "II"
$Title = "The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."
$count++
$remoteCommand = '"' + 'grep -i macs /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
	if (($msg -eq "MACs hmac-sha1") -or ($msg -eq "MACs hmac-sha2")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000159-ESXI5"
$VulnID = "V-39404"
$Cat = "II"
$Title = "The SSH client must be configured to only use FIPS 140-2 approved ciphers."
$count++
$remoteCommand = '"' + 'grep -i ciphers /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
	if ($msg -eq "Ciphers aes-256-ctr, aes-192-ctr, aes-128-ctr") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000163-ESXI5"
$VulnID = "V-39405"
$Cat = "II"
$Title = "The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name UserVars.ESXiShellTimeOut
if ($msg.Values -eq 900)
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000193-ESXI5"
$VulnID = "V-39407"
$Cat = "II"
$Title = "The Image Profile and VIB Acceptance Levels must be verified."
$count++
$remoteCommand = '"' + 'esxcli software acceptance get' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "CommunitySupported") {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000197-ESXI5"
$VulnID = "V-39408"
$Cat = "II"
$Title = "Remote logging for ESXi hosts must be configured."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
	if (($msg.values -eq "10.10.10.10") -or ($msg.values -eq "server1.domain.com"))  {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000215-ESXI"
$VulnID = "V-39409"
$Cat = "II"
$Title = "The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
	if (($msg.values -eq "server1.domain.com") -or ($msg.values -eq "10.10.10.10")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000217-ESXI"
$VulnID = "V-39410"
$Cat = "II"
$Title = "The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
	if (($msg.values -eq "server1.domain.com") -or ($msg.Values -eq "10.10.10.10")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000231-ESXI5"
$VulnID = "V-39399"
$Cat = "II"
$Title = "The operating system must enforce requirements for remote connections to the information system."
$msg = Get-VMHostFirewallException -VMHost $vmhost 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000248-ESXI5"
$VulnID = "V-39252"
$Cat = "I"
$Title = "There must be no .rhosts  or hosts.equiv files on the system."
$count++
$remoteCommand = '"' + 'find / | grep .rhosts; rm -f /etc/hosts.equiv' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
	if ($msg -ne $null) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000266-ESXI5"
$VulnID = "V-39416"
$Cat = "II"
$Title = "The system must require that passwords contain at least one special character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8")
    	{$grade = "Pass"; $pass++} 
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005501-ESXI5-9778"
$VulnID = "V-39414"
$Cat = "II"
$Title = "The SSH client must be configured to only use the SSHv2 protocol."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "/etc/ssh/sshd_config:Protocol 2")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN002400-ESXI5-10047"
$VulnID = " V-39425"
$Cat = "II"
$Title = "The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files."
$msg = "This is a manual check.  Configure the system to check for unauthorized setuid files on a weekly basis." 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN002420-ESXI5-00878 "
$VulnID = "V-39422"
$Cat = "II"
$Title = "Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null)	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN002400-ESXI5-10047"
$VulnID = " V-39425"
$Cat = "II"
$Title = "The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files."
$msg = "This is a manual check.  Configure the system to check for unauthorized setuid files on a weekly basis." 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005900-ESXI5-00891"
$VulnID = "V-39423"
$Cat = "II"
$Title = "The nosuid option must be enabled on all NFS client mounts."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null)	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000100-ESXI5-000062"
$VulnID = "V-39429"
$Cat = "I"
$Title = "The operating system must be a supported release."
$count++
$msg = Get-VMHost $vmhost |select name,version
	if ($msg.version -ne "5.5.0") {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000240-ESXI5-000058"
$VulnID = "V-39430"
$Cat = "II"
$Title = "The system clock must be synchronized to an authoritative DoD time source."
$count++
$msg = Get-VMHostntpServer $vmhost 
	if ($msg -eq "ntp.domain.com") {$grade = "Pass"; $pass++}
	else {$grade -eq "Fail"}
	$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000585-ESXI5-000080 "
$VulnID = " V-39263"
$Cat = "II"
$Title = "The system must enforce the entire password during authentication."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000790-ESXI5-000085"
$VulnID = "V-39246"
$Cat = "II"
$Title = "The system must prevent the use of dictionary words for passwords."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " GEN000940-ESXI5-000042"
$VulnID = "V-39273"
$Cat = "II"
$Title = "The root accounts executable search path must be the vendor default and must contain only absolute paths."
$count++
$remoteCommand = '"' + 'grep PATH= /etc/profile' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "PATH=/bin:/sbin") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000945-ESXI5-000333"
$VulnID = "V-39382"
$Cat = "II"
$Title = "The root accounts library search path must be the system default and must contain only absolute paths."
$count++
$remoteCommand = '"' + 'grep libdir /etc/vmware/config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq 'libdir = "/usr/lib/vmware"') {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN001375-ESXI5-000086"
$VulnID = "V-39427"
$Cat = "III"
$Title = "For systems using DNS resolution, at least two name servers must be configured."
$count++
$msg = Get-VMHostNetwork -VMHost $vmhost | select DnsAddress
	if ($msg.DnsAddress.Count -ge 2) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
	$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000945-ESXI5-000333"
$VulnID = "V-39382"

$Cat = "II"
$Title = "The /etc/shells (or equivalent) file must exist."
$count++
$remoteCommand = '"' + 'ls -l /etc/shells' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -like "No such file or directory") {$grade = "Fail"}
	else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN002140-ESXI5-000046"
$VulnID = "V-39276"
$Cat = "II"
$Title = "All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins."
$count++
$remoteCommand = '"' + 'ls -lL ``cat /etc/shells``' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ((($msg[0] -like "*/bin/ash") -or ($msg[0] -like "*/bin/sh")) -and (($msg[1] -like "*/bin/sh") -or ($msg[1] -like "*/bin/ash"))) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN002260-ESXI5-000047"
$VulnID = " V-39424"
$Cat = "II"
$Title = "The system must be checked for extraneous device files at least weekly."
$msg = "This is a manual check.  Configure the system to check for extraneous device files on a weekly basis." 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN003510-ESXI5-006660"
$VulnID = " V-39355"
$Cat = "II"
$Title = "Kernel core dumps must be disabled unless needed."
$msg = "This is a manual check.  If the ESXi 5.0 server's local dump partition size is at least 100 MB, this is not a finding." 
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005300-ESXI5-000099"
$VulnID = " V-39247"
$Cat = "II"
$Title = "SNMP communities, users, and passphrases must be changed from the default."
$count++
$remoteCommand = '"' + 'egrep -i "community|communities" /etc/vmware/snmp.xml' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if (($msg -like "public") -or ($msg -like "private") -or ($msg -like "password")) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005440-ESXI5-000078"
$VulnID = " V-39279"
$Cat = "II"
$Title = "The system must not be used as a syslog server (log host) for systems external to the enclave."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
	if (($msg.Values -eq "10.10.10.10") -or ($msg.Values -eq "server1.domain.com")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005460-ESXI5-000060"
$VulnID = " V-39278"
$Cat = "II"
$Title = "The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
	if (($msg.Values -eq "10.10.10.10") -or ($msg.Values -eq "server1.domain.com")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005515-ESXI5-000100"
$VulnID = " V-39248"
$Cat = "III"
$Title = "The SSH daemon must be configured to not allow TCP connection forwarding."
$count++
$remoteCommand = '"' + 'grep -i AllowTCPForwarding /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "AllowTCPForwarding no") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005517-ESXI5-000101"
$VulnID = " V-39250"
$Cat = "III"
$Title = "The SSH daemon must be configured to not allow gateway ports."
$count++
$remoteCommand = '"' + 'grep -i GatewayPorts /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "GatewayPorts no") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005519-ESXI5-000102"
$VulnID = "V-39265"
$Cat = "II"
$Title = "The SSH daemon must be configured to not allow X11 forwarding."
$count++
$remoteCommand = '"' + 'grep -i "^X11Forwarding"  /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "X11Forwarding no") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005521-ESXI5-00010"
$VulnID = "V-39419"
$Cat = "II"
$Title = "The SSH daemon must restrict login ability to specific users and/or groups."
$count++
$remoteCommand = '"' + 'grep -i "^AllowGroups" /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "AllowGroups") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005528-ESXI5-000106"
$VulnID = "V-39266"
$Cat = "II"
$Title = "The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale."
$count++
$remoteCommand = '"' + 'grep AcceptEnv /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "AcceptEnv LOCALE") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005530-ESXI5-000107"
$VulnID = "V-39267"
$Cat = "II"
$Title = "The SSH daemon must not permit user environment settings."
$count++
$remoteCommand = '"' + 'grep PermitUserEnvironment /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "PermitUserEnvironment no") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " GEN005531-ESXI5-000108"
$VulnID = "V-39268"
$Cat = "II"
$Title = "The SSH daemon must not permit tunnels."
$count++
$remoteCommand = '"' + 'grep PermitTunnel /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "PermitTunnel no") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005536-ESXI5-000110"
$VulnID = "V-39420"
$Cat = "II"
$Title = "The SSH daemon must perform strict mode checking of home directory configuration files."
$count++
$remoteCommand = '"' + 'grep StrictModes /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "StrictModes yes") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005539-ESXI5-000113"
$VulnID = "V-39285"
$Cat = "II"
$Title = "The SSH daemon must not allow compression or must only allow compression after successful authentication."
$count++
$remoteCommand = '"' + 'grep Compression /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq "Compression yes") {$grade = "Fail"}
	else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005570-ESXI5-000115"
$VulnID = "V-39286"
$Cat = "II"
$Title = "The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router."
$msg = Get-VMHostNetwork -VMHost $VMHost |Select Hostname, ipv6Enabled 
if ($msg.ipv6Enabled -eq $false){$grade = "NA"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway -eq $null)) {$count++; $grade = "Fail"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway)) {$count++; $grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN007700-ESXI5-000116"
$VulnID = "V-39286"
$Cat = "II"
$Title = "The IPv6 protocol handler must not be bound to the network stack unless needed."
$msg = Get-VMHostNetwork -VMHost $VMHost |Select Hostname, ipv6Enabled
if ($msg.ipv6Enabled -eq $false){$grade = "NA"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway -eq $null)) {$count++; $grade = "Fail"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway)) {$count++; $grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " GEN007740-ESXI5-000118"
$VulnID = "V-39432"
$Cat = "II"
$Title = "The IPv6 protocol handler must not be installed unless needed."
$msg = Get-VMHostNetwork -VMHost $VMHost |Select Hostname, ipv6Enabled
if ($msg.ipv6Enabled -eq $false){$grade = "NA"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway -eq $null)) {$count++; $grade = "Fail"}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway)) {$count++; $grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN007840-ESXI5-000119"
$VulnID = "V-39432"
$Cat = "II"
$Title = "The DHCP client must be disabled if not used."
$count++
$msg = Get-VMHostNetworkAdapter -VMHost $VMHost |Select Name, DhcpEnabled
$flg = $false
foreach ($item in $msg)
	{
	if ($item.DhcpEnabled -eq $true){$flg = $true}
	}
if ($flg -eq $false) {$grade = "Pass"; $pass++}
elseif ($flg -eq $true) {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN008460-ESXI5-000121"
$VulnID = "V-39288"
$Cat = "III"
$Title = "The system must have USB disabled unless needed."
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB device connectivity."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " GEN007740-ESXI5-000122"
$VulnID = "V-39289"
$Cat = "III"
$Title = "The system must have USB Mass Storage disabled unless needed."
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB mass storage connectivity."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " GEN007740-ESXI5-000123"
$VulnID = "V-39291"
$Cat = "III"
$Title = "The system must have IEEE 1394 (Firewire) disabled unless needed."
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu.  Inspect the menu option for IEEE 1394 device connectivity."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append



$StigID = "GEN008600-ESXI5-000050"
$VulnID = "V-39384"
$Cat = "I"
$Title = "The system must be configured to only boot from the system boot device."
$msg = "Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order.
If any media other than the ESXi boot disk is listed as a boot option, this is a finding."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN008640-ESXI5-000055"
$VulnID = "V-39277"
$Cat = "I"
$Title = "The system must not use removable media as the boot loader."
$msg = "Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu.  Inspect the menu option for boot order. If any media other than the ESXi boot disk is listed as a boot option, this is a finding.
If any media other than the ESXi boot disk is listed as a boot option, this is a finding."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN008680-ESXI5-000056"
$VulnID = "V-39428"
$Cat = "I"
$Title = "If the system boots from removable media, it must be stored in a safe or similarly secured container."
$msg = "Ask the SA if the system boots from removable media. If so, ask if the boot media is stored in a secure container when not in use. If it is not, this is a finding."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000131"
$VulnID = "V-39292"
$Cat = "II"
$Title = "NTP time synchronization must be configured."
$count++
$msg = Get-VMHostNtpServer -VMHost $vmhost
if ($msg -ne "ntp.domain.com") 	{$grade = "Fail"}
else {$grade = "Pass"; $pass++}
$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-00013"
$VulnID = "V-39293"
$Cat = "II"
$Title = "Persistent logging for all ESXi hosts must be configured."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name Syslog.global.logDir 
$msg_1 = ($msg["Syslog.global.logDir"] | Out-String)
	if ($msg_1 -Like "*vAdmin*") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000135"
$VulnID = "V-39294"
$Cat = "II"
$Title = "The system must disable DCUI to prevent local administrative control."
$msg = "The DCUI is enabled. This check is a deviation filed under D0005"
$grade = "Deviation     "
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000136"
$VulnID = "V-39295"
$Cat = "II"
$Title = "TThe system must disable ESXi Shell unless needed for diagnostics or troubleshooting."
$msg = Get-VMHost $vmhost | Get-VMHostService | Where {$_.Key -eq "DCUI"} | Select Label, Policy, Running
$grade = "Deviation D00004"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000137"
$VulnID = "V-39296"
$Cat = "II"
$Title = "The system must disable the Managed Object Browser (MOB)."
$count++
$remoteCommand = '"' + 'vim-cmd proxysvc/service_list | grep proxy-mob' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
	if ($msg -eq $null) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000139"
$VulnID = "V-39297"
$Cat = "II"
$Title = "The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications."
$count++
$msg = Get-VIPermission -Entity $vmhost -Principal "NGSCORP\SolarWinds" | Select Principal, Role
	if ($msg.Role -eq "Monitor RO") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000141"
$VulnID = "V-39298"
$Cat = "III"
$Title = "The system must enable bidirectional CHAP authentication for iSCSI traffic."
$msg = "This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000143"
$VulnID = "V-39299"
$Cat = "III"
$Title = "The system must enable SSL for NFC."
$count++
$msg = Get-AdvancedSetting -Entity $vcenter | Where {$_.name -eq "config.nfc.useSSL"} |Select Name, Value 
if ($msg.Value -eq $true ) {$grade = "Pass"; $pass++}
elseif (($msg -eq $null) -or ($msg.value -eq $false)) {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000144"
$VulnID = "V-39417"
$Cat = "II"
$Title = "The system must ensure proper SNMP configuration."
$count++
$msg = Get-VMHostSnmp | Select Enabled, @{N= 'Communities'; E={$_.ReadOnlyCommunities}}
if (($msg.Enabled -eq $false) -or (($msg.Enabled -eq $true) -and ($msg.Communities -eq "03Tremble"))) {$grade = "Pass"; $pass++}
elseif (($msg.Enabled -eq $true) -and (($msg.Communities -eq "public") -or ($msg.Communities -eq "private"))) {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " SRG-OS-99999-ESXI5-000145"
$VulnID = "V-39300"
$Cat = "II"
$Title = "The system must ensure the vpxuser auto-password change meets policy."
$count++
$msg = Get-AdvancedSetting -Entity $vcenter | Where {$_.name -eq "VirtualCenter.VimPasswordExpirationInDays"} | Select Name, Desription, Value
if ($msg.Value -le 60) {$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000146"
$VulnID = "V-39302"
$Cat = "II"
$Title = "The system must ensure the vpxuser password meets length policy."
$count++
$vpxcfgFile = 
$msg = "This setting is not configurable in v 5.5. Default length is 32 characters"
$grade = "Pass"; $pass++
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000147"
$VulnID = "V-39303"
$Cat = "III"
$Title = "The system must ensure uniqueness of CHAP authentication secrets."
$msg = " iSCSI is not used in this environment.  If iSCSI is not used, this is not a finding."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append

$StigID = "SRG-OS-99999-ESXI5-000150"
$VulnID = "V-39304"
$Cat = "III"
$Title = "SAN resources must be masked and zoned appropriately."
$msg = " This is a Manual check. A vendor-specific procedure must be developed and documented to mask/zone host LUNs."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000151"
$VulnID = "V-39346"
$Cat = "III"
$Title = "The system must prevent unintended use of dvfilter network APIs."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name Net.DVFilterBindIpAddress
	if ($msg["Net.DVFilterBindIpAddress"] -eq "") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000152"
$VulnID = "V-39347"
$Cat = "II"
$Title = "Keys from SSH authorized_keys file must be removed."
$remoteCommand = '"' + 'cat /etc/ssh/keys-root/authorized_keys' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$count++
	if ($msg -eq $null) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000154"
$VulnID = "V-39348"
$Cat = "III"
$Title = "The system must use Active Directory for local user authentication for accounts other than root and the vpxuser."
$count++
$msg = Get-VMHostAuthentication -VMHost $vmhost | Select Domain, DomainMembershipStatus
	if (($msg.Domain) -and ($msg.DomainMembershipStatus = "Ok")) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000155"
$VulnID = "V-39349"
$Cat = "II"
$Title = "Active Directory ESX Admin group membership must be verified unused."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
	if ($msg.Value -eq "ESX Admins") {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000156"
$VulnID = "V-39350"
$Cat = "II"
$Title = "The contents of exposed configuration files must be verified."
$msg = "This check is a manual check.  Ask the SA if a cryptographically hashed file integrity baseline has been created and maintained for the system."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000158"
$VulnID = "V-39351"
$Cat = "II"
$Title = "Unauthorized kernel modules must not be loaded on the host."
$count++
$listing = $esxcli.system.module.list() |select Name
$output = foreach ($module in $listing) {$esxcli.system.module.get($module.name)}
$msg = $output | Select Module, SignedStatus
$flg = $false
	foreach ($item in $msg) {
 							if ($item.SignedStatus -eq "Unsigned") {$flg = $true}
						 	}
	if ($flg -eq $true) {$grade = "Failed"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000160"
$VulnID = "V-39352"
$Cat = "II"
$Title = "The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory."
$count++
$hostprofiles = Get-VMHostProfile 
$msg = "This check applies to environments using host profiles.`n" + $hostprofiles
if ($hostprofiles -eq $null){$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-99999-ESXI5-000156"
$VulnID = "V-39353"
$Cat = "II"
$Title = "The contents of exposed configuration files must be verified."
$msg = "This check is a manual check  Ask the SA if a cryptographically hashed file integrity baseline has been created and maintained for the system.."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


# These checks must be the last check for each host.
($vmhost | get-view).EnterLockdownMode();
Stop-VMHostService -HostService (Get-VMHostService -VMHost $vmhost | Where { $_.Key -eq "TSM-SSH"}) -Confirm:$false


$StigID = "SRG-OS-99999-ESXI5-000138"
$VulnID = "V-39390"
$Cat = "II"
$Title = "The system must disable SSH."
$count++
$msg = Get-VMHostService -VMHost $vmhost | Where {$_.Key -eq "TSM-SSH"} | Select Label, Policy, Running
	if ($msg.Running -eq $false) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000092-ESXI5"
$VulnID = "V-39285"
$Cat = "II"
$Title = "The system must enable lockdown mode to restrict remote access."
$count++
$msg = Get-vmhost $vmhost | Select Name,@{N="LockedMode";E={$_.ExtensionData.Config.AdminDisabled}}
 	if ($VMHost.ExtensionData.Config.AdminDisabled -eq $true)  {$grade = "Pass"; $pass++}
	else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$passRate = ($pass/$count)*100
"Pass rate is:  " + $passRate + "%" | Out-File -filePath $outputPath -Append
"`n`n=================End Of File===========================" | Out-File -filePath $outputPath -append # end of report marker

# Disconnect-VIServer $vmhost -Confirm:$false -Force:$false
Sleep -Seconds 20
}
#############################
# go to next host

} 

# close the vcenter and any open connection
disconnect-viserver -Force -Confirm:$false

Open in new window

LVL 5
IndyrbAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
lookup the convertto-html and why are you not using the convertto-csv ?
Personally I'd use objects add the items to the object and only at the end output the data.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IndyrbAuthor Commented:
can you give me and example please
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Virtualization

From novice to tech pro — start learning today.