powercli config on vmware esx boxes with report in html and email

I have a script that runs through various configuration checks; I need a way to format the results as HTML and send them by email, please.

An example of the code is below:
# v1.1   original
# v1.2  added pssanpin / switch command for differing sha1 paths
# v1.3  Removed vmware hardening guide checks that do not cross reference to a DISA stig  8/1/2012 mb
# v1.4 Put variables in front.  added name to title of reports.  Added  OK and NOT OK status to reports

# Do these first if running script from scratch
# Add-pssnapin vmware.*
# Add-pssnapin vmware.vumautomation


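# Get data
#
# Script-level setup used by the per-host loop below: connect to vCenter,
# collect the distributed-switch objects once, prompt for the account that
# plink will log in with, and define the report/plink options.
#
# Globals written: $vCenter, $hosts, $VdS, $VDSpg, $VDSpvlan, $User, $Pswd,
#                  $CR, $plink, $plinkOptions
$vCenter = "vcenterser.domain.com" 
# Stop here if the connection fails; otherwise Get-VMHost and friends return
# nothing and every host report would silently be empty.
Connect-VIServer $vCenter -ErrorAction Stop
$hosts = Get-VMHost
$VdS = Get-VDSwitch
$VDSpg = Get-VDPortgroup | Where-Object { $_.Name -notlike '*DVUplinks*' }
$VDSpvlan = Get-VDSwitchPrivateVlan -VDSwitch $VdS
$User = Read-Host "User with root access"
# Read the password without echoing it to the console (or to a transcript, if
# Start-Transcript is active). plink's -pw and Connect-VIServer -Password in
# the host loop need a plain string, so it is unwrapped here and $Pswd keeps
# the same type it had before; the BSTR copy is zeroed as soon as it is used.
$SecurePswd = Read-Host -AsSecureString "root user's password "
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePswd)
try {
    $Pswd = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
# Report formating options
$CR = "`r" + "`r"

# Set up plink options
$plink = "C:\putty\plink.exe"
# NOTE: -pw puts the password on plink's command line, where it is visible to
# other local users via process listings; -batch keeps plink from prompting
# (including on an unknown host key), which is the intended non-interactive
# behaviour.
$plinkOptions = " -v -batch -pw $Pswd"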


# Loop through each ESXi host and perform checks
ForEach ($vmhost in $hosts) 
{ if ($vmhost.Version -eq "5.5.0")
	{Get-VMHost $vmhost

$hostName = $vmhost.Name -replace ".domain.com", ""
$hostName = $hostName.TrimEnd()
$count = 0
$pass = 0

$VSS = Get-VirtualSwitch -Standard -VMHost $vmhost
$VSSpg = Get-VirtualPortGroup -Standard -VMHost $vmhost

#initialize the report
$outputPath = "C:\Users\user1\Desktop\reports\" + $hostname + ".csv"

# Label & Time Stamp the report
$vmhost.Name | Out-File -FilePath $outputPath -Append
Get-Date | Out-File -filePath $outputPath -append



#
# Start checks here
#

($vmhost | get-view).ExitLockdownMode()
Get-vmhostService -VMHost $vmhost | Where {$_.key -eq "TSM-SSH"} | Start-VMHostService

sleep -Seconds 10

$StigID = "GEN002430-ESXI5"
$VulnID = "V-39381"
$Cat = "II"
$Title = "Removable media, remote file systems, and any file system that does not contain approved device files must be mounted with the nodev option."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -i nfs | grep -v "nodev" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command

	if ($msg -eq $null) {$grade = "Pass"; $pass++;}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000001"
$VulnID = "V-39356"
$Cat = "III"
$Title = "All dvPortgroup VLAN IDs must be fully documented."
$msg = $VDSpg | select Name, VlanConfiguration
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000002"
$VulnID = " V-39357"
$Cat = "III"
$Title = "All dvSwitch Private VLAN IDs must be fully documented."
$msg = $VDSpvlan
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000003"
$Title = "All virtual switches must have a clear network label."
$VulnID = "V-39358"
$Cat = "III"
$msg_1 = $VDSpg  |Select Name
$msg_2 = $VSSpg | Select Name
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000004"
$Title = "Virtual switch VLANs must be fully documented and have only the required VLANs."
$VulnID = " V-39359"
$Cat = "III"
$msg_1 = $VDSpg | Select Name, VlanConfiguration
$msg_2 = $VSSpg | Select Name, VLanID
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000005"
$Title = "All vSwitch and VLAN IDs must be fully documented."
$VulnID = " V-39360"
$Cat = "III"
$msg = $VSSpg | Select Name, VLanID
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000006"
$Title = "All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor."
$VulnID = " V-39361"
$Cat = "III"
$msg = "This check is NA because we do not currently use IP based storage in our environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000007"
$Title = "Only authorized administrators must have access to virtual networking components."
$VulnID = " V-39364"
$Cat = "III"
$msg = Get-viPermission -Entity (Get-VDPortgroup)
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000008"
$Title = "All physical switch ports must be configured with spanning tree disabled."
$VulnID = " V-39365"
$Cat = "III"
$msg = "This check requires an inquiry to Network Team to ensure all physical switch ports have Spanning Tree funtion disabled"
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000009"
$Title = "All port groups must be configured with a clear network label."
$VulnID = " V-39366"
$Cat = "III"
$msg_1 = $VDSpg | Select Name
$msg_2 = $VSSpg | Select Name
$msg = $msg_1 + $msg_2
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000010"
$Title = "All port groups must be configured to a value other than that of the native VLAN."
$VulnID = " V-39367"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	foreach ($pg in $msg_1) 
		{
		if ($pg.vlanConfiguration -eq "VLAN 1") {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if ($pg.VLanConfiguration -eq 1) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} 
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000011"
$Title = "All port groups must not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT)."
$VulnID = " V-39368"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	foreach ($pg in $msg_1) 
		{
		if ($pg.vlanConfiguration -eq "VLAN 4095") {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if ($pg.VLanConfiguration -eq 4095) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} 
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000012"
$Title = "All port groups must not be configured to VLAN values reserved by upstream physical switches."
$VulnID = " V-39369"
$Cat = "II"
$count++
$flg = $false
$msg_1 = $VDSpg | select Name, VlanConfiguration
$msg_2 =$VSSpg | Select Name, @{N='VlanConfiguraiton'; E={$_.VLanID}}
$msg = $msg_1 + $msg_2
	
	foreach ($pg in $msg_1) 
		{
		if (($pg.VlanConfiguration -eq "VLAN 4094") -or ($pg.VlanConfiguration -eq "VLAN 1001") -or ($pg.VlanConfiguration -eq "VLAN 1002") -or ($pg.VlanConfiguration -eq "VLAN 1003") -or ($pg.VlanConfiguration -eq "VLAN 1004") -or ($pg.VlanConfiguration -eq "VLAN 1005") -or ($pg.VlanConfiguration -eq "VLAN 1006") -or ($pg.VlanConfiguration -eq "VLAN 1007") -or ($pg.VlanConfiguration -eq "VLAN 1008") -or ($pg.VlanConfiguration -eq "VLAN 1009") -or ($pg.VlanConfiguration -eq "VLAN 1010") -or ($pg.VlanConfiguration -eq "VLAN 1011") -or ($pg.VlanConfiguration -eq "VLAN 1012") -or ($pg.VlanConfiguration -eq "VLAN 1013") -or ($pg.VlanConfiguration -eq "VLAN 1014") -or ($pg.VlanConfiguration -eq "VLAN 1015") -or ($pg.VlanConfiguration -eq "VLAN 1016") -or ($pg.VlanConfiguration -eq "VLAN 1017") -or ($pg.VlanConfiguration -eq "VLAN 1018") -or ($pg.VlanConfiguration -eq "VLAN 1019") -or ($pg.VlanConfiguration -eq "VLAN 1020") -or ($pg.VlanConfiguration -eq "VLAN 1021") -or ($pg.VlanConfiguration -eq "VLAN 1022") -or ($pg.VlanConfiguration -eq "VLAN 1023") -or ($pg.VlanConfiguration -eq "VLAN 1024"))  {$flg = $true}
		}
	foreach ($pg in $msg_2)
		{
		if (($pg.VlanConfiguration -eq 4094) -or ($pg.VlanConfiguration -eq 1001) -or ($pg.VlanConfiguration -eq 1002) -or ($pg.VlanConfiguration -eq 1003) -or ($pg.VlanConfiguration -eq 1004) -or ($pg.VlanConfiguration -eq 1005) -or ($pg.VlanConfiguration -eq 1006) -or ($pg.VlanConfiguration -eq 1007) -or ($pg.VlanConfiguration -eq 1008) -or ($pg.VlanConfiguration -eq 1009) -or ($pg.VlanConfiguration -eq 1010) -or ($pg.VlanConfiguration -eq 1011) -or ($pg.VlanConfiguration -eq 1012) -or ($pg.VlanConfiguration -eq 1013) -or ($pg.VlanConfiguration -eq 1014) -or ($pg.VlanConfiguration -eq 1015) -or ($pg.VlanConfiguration -eq 1016) -or ($pg.VlanConfiguration -eq 1017) -or ($pg.VlanConfiguration -eq 1018) -or ($pg.VlanConfiguration -eq 1019) -or ($pg.VlanConfiguration -eq 1020) -or ($pg.VlanConfiguration -eq 1021) -or ($pg.VlanConfiguration -eq 1022) -or ($pg.VlanConfiguration -eq 1023) -or ($pg.VlanConfiguration -eq 1024)) {$flg = $true}
		}
if ($flg -eq $true) {$grade = "Fail"} else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000013"
$Title = "The system must ensure that the virtual switch Forged Transmits policy is set to reject."
$VulnID = "V-39370"
$Cat = "II"
$count++
$msg = $VSS | Select Name, @{N="ForgedTransmits"; E={$_.ExtensionData.Spec.Policy.Security.ForgedTransmits}}
$flg = $false
foreach ($vs in $msg)
        	{
         	if ($vs.ForgedTransmits -ne $false) {$flg = $true}
            }
if ($flg -eq $true) {$grade = "Fail"}
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000014"
$Title = "The system must ensure that the dvPortgroup Forged Transmits policy is set to reject.."
$VulnID = " V-39371"
$Cat = "II"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.ForgedTransmits -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000015"
$Title = "The system must ensure the dvPortGroup MAC Address Change policy is set to reject."
$VulnID = "V-39372"
$Cat = "I"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true) {$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000016"
$Title = "The system must ensure the virtual switch MAC Address Change policy is set to reject."
$VulnID = "V-39373"
$Cat = "I"
$count++
$msg = $VSS | Select Name, @{N="MacChanges"; E={$_.ExtensionData.Spec.Policy.Security.MacChanges}}
$flg = $false
foreach ($vs in $msg)
                     {
                     if ($vs.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){$grade = "Fail"}
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000017"
$Title = "The non-negotiate option must be configured for trunk links between external physical switches and virtual switches in VST mode."
$VulnID = "V-39374"
$Cat = "II"
$msg = "This check needs an inquiry to Network team. Virtual Switch Tagging (VST) mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000018"
$Title = "The system must ensure the virtual switch Promiscuous Mode policy is set to reject."
$VulnID = "V-39375"
$Cat = "II"
$count++
$msg = $VSS | Select Name, @{N="AllowPromiscuous"; E={$_.ExtensionData.Spec.Policy.Security.AllowPromiscuous}}
$flg = $false
foreach ($vs in $msg)
                     {
                     if ($vs.AllowPromiscuous -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000015"
$Title = "The system must ensure the dvPortGroup MAC Address Change policy is set to reject."
$VulnID = "V-39372"
$Cat = "I"
$count++
$msg = $VDSpg |  Get-VDSecurityPolicy
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.MacChanges -ne $false) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000020"
$Title = "The system must ensure there are no unused ports on a distributed virtual port group."
$VulnID = " V-39377"
$Cat = "II"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000021"
$Title = "vMotion traffic must be isolated."
$VulnID = " V-39378"
$Cat = "III"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000023"
$Title = "Access to the management network must be strictly controlled through a network gateway."
$VulnID = " V-39400"
$Cat = "II"
$msg = "This check is a manual verification. Document a controlled gateway or other controlled access method to the management network."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000024"
$Title = "Access to the management network must be strictly controlled through a network jump box."
$VulnID = " V-39401"
$Cat = "II"
$msg = "This check is a filed Deviation:   "
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000025"
$Title = "Spanning tree protocol must be enabled and BPDU guard and Portfast must be disabled on the upstream physical switch port for virtual machines that route or bridge traffic."
$VulnID = " V-39379"
$Cat = "III"
$msg = "This check needs an inquiry to Network team.  If a guest VM is configured to perform a bridging function, enable spanning tree protocol for the VMs switch port."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "ESXI5-VMNET-000026"
$Title = "The system must disable the autoexpand option for VDS dvPortgroups."
$VulnID = " V-39380"
$Cat = "III"
$count++
$msg = $VDSpg | Select Name, @{N='AutoExpand'; E={$_.ExtensionData.config.AutoExpand}}
$flg = $false
foreach ($vpg in $msg)
                     {
                     if ($vpg.AutoExpand -ne $False) 
                       {
                        $flg = $true
                       }
                      }

if ($flg -eq $true){
          $grade = "Fail"
         }
Else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append



$StigID = "ESXI5-VMNET-000036"
$Title = "All IP-based storage traffic must be isolated to a management-only network using a dedicated, management-only vSwitch."
$VulnID = " V-39362"
$Cat = "III"
$msg = "This check is NA since there is no IP based storage currently in this environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append



$StigID = "ESXI5-VMNET-000046"
$Title = "All IP-based storage traffic must be isolated using a vSwitch containing management-only port groups."
$VulnID = " V-39363"
$Cat = "III"
$msg = "This check is NA since there is no IP based storage currently in this environment."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN000950-ESXI5-444"
$VulnID = "V-39383"
$Cat = "II"
$Title = "The root accounts list of preloaded libraries must be empty."
$count++
$remoteCommand = '"' + 'grep LD_PRELOAD /etc/vmware/config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null) {$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005516-ESXI5-703"
$VulnID = "V-39249"
$Cat = "III"
$Title = "The SSH client must be configured to not allow TCP forwarding."
$count++
$remoteCommand = '"' + 'grep Forward /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{
		 $grade = "Fail" 
		}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005516-ESXI5-704"
$VulnID = "V-39251"
$Cat = "III"
$Title = "The SSH client must be configured to not allow gateway ports."
$count++
$remoteCommand = '"' + 'grep -i GatewayPorts /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{
		 $grade = "Fail" 
		}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005520-ESXI5-705"
$VulnID = "V-39271"
$Cat = "III"
$Title = "The SSH client must be configured to not allow X11 forwarding."
$count++
$remoteCommand = '"' + 'grep -i "^ForwardX11"  /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -contains "yes")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005529-ESXI5-708"
$VulnID = "V-39269"
$Cat = "II"
$Title = "The SSH client must not send environment variables to the server or must only send those pertaining to locale."
$count++
$remoteCommand = '"' + 'grep SendEnv /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "SendEnv LOCALE")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "GEN005529-ESXI5-709"
$VulnID = "V-39270"
$Cat = "II"
$Title = "The SSH client must not permit tunnels."
$count++
$remoteCommand = '"' + 'grep Tunnel /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "Tunnel no")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000023-ESXI5"
$VulnID = "V-39394"
$Cat = "II"
$Title = "The SSH daemon must be configured with the Department of Defense (DoD) logon banner."
$count++
$remoteCommand = '"' + 'cat /etc/issue' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq $null)
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " SRG-OS-000027-ESXI5"
$VulnID = "V-39253"
$Cat = "II"
$Title = "The SSH daemon must limit connections to a single session."
$count++
$remoteCommand = '"' + 'grep MaxSessions /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "MaxSessions 1")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000033-ESXI5"
$VulnID = "V-39411"
$Cat = "I"
$Title = "The operating system must use cryptography to protect the confidentiality of remote access sessions."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -ne "/etc/ssh/sshd_config:Protocol 2")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000056-ESXI5"
$VulnID = "V-39254"
$Cat = "II"
$Title = "The system must use time sources local to the enclave."
$count++
$msg = Get-VMHostNtpServer -VMHost $vmhost
if ($msg -ne "ntp.domain.com")
    	{$grade = "Fail"}
else {$grade = "Pass"; $pass++} 
$msg = $msg -replace $msg, "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000069-ESXI5"
$VulnID = "V-39255"
$Cat = "II"
$Title = "The system must require that passwords contain at least one uppercase alphabetic character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000070-ESXI5"
$VulnID = "V-39256"
$Cat = "II"
$Title = "The system must require passwords contain at least one lowercase alphabetic character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000072-ESXI5 "
$VulnID = "V-39259"
$Cat = "II"
$Title = "The system must require at least four characters be changed between the old and new passwords during a password change."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "similar=deny"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*similar=deny*")
    	{$grade = "Pass"; $pass++} 
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000077-ESXI5"
$VulnID = "V-39261"
$Cat = "II"
$Title = "The system must prohibit the reuse of passwords within five iterations."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep sufficient | grep "remember="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*remember=5*")
    	{$grade = "Pass"; $pass++} 
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000078-ESXI5 "
$VulnID = "V-39262"
$Cat = "II"
$Title = "The system must require that passwords contain a minimum of 14 characters."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*min=disabled,disabled,disabled,disabled,8*")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$grade = $grade + "      Deviation # D000x"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000080-ESXI5"
$VulnID = "V-39264"
$Cat = "II"
$Title = "System BIOS or system controllers supporting password protection must have administrator accounts/passwords configured, and no others."
$msg = "This check is a manual check.  On systems with a BIOS or system controller, set the supervisor or administrator password."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = " SRG-OS-000090-ESXI5"
$VulnID = "V-39287"
$Cat = "I"
$Title = "The system must verify the integrity of the installation media before installing ESXi."
$msg = "This check is a manual check"
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000095-ESXI5"
$VulnID = "V-39386"
$Cat = "I"
$Title = "Inetd and xinetd must be disabled or removed if no network services utilizing them are enabled."
$count++
$remoteCommand = '"' + 'grep -v "^ssh" /var/run/inetd.conf | grep -v "^authd" | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -Command $command
if ($msg -eq "")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000109-ESXI5"
$VulnID = "V-39391"
$Cat = "II"
$Title = "The system must not permit root logins using remote access programs, such as SSH."
$count++
$remoteCommand = '"' + 'grep PermitRootLogin /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "PermitRootLogin no")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000112-ESXI5"
$VulnID = "V-39412"
$Cat = "I"
$Title = "The SSH daemon must be configured to only use the SSHv2 protocol."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#" ' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "/etc/ssh/sshd_config:Protocol 2")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000113-ESXI5"
$VulnID = "V-39413"
$Cat = "I"
$Title = "The operating system must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -eq "/etc/ssh/sshd_config:Protocol 2")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000120-ESXI5"
$VulnID = "V-39260"
$Cat = "II"
$Title = "The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm."
$count++
$remoteCommand = '"' + 'grep "^password   sufficient" /etc/pam.d/passwd | grep sha512' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*sha512*")
	{$grade = "Pass"; $pass++}
else {$grade="Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


$StigID = "SRG-OS-000121-ESXI5"
$VulnID = "V-39388"
$Cat = "II"
$Title = "All accounts on the system must have unique user or account names."
$count++
Connect-VIServer -Server $VMHost -User $User -Password $Pswd
$msg = $null
$msg_1 = Get-VMHostAccount -User
$msg_2 = $msg_1|sort|Get-Unique
$msg = Compare-Object -ReferenceObject $msg_2 -DifferenceObject $msg_1
if ($msg -eq $null)
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"} 
$StigID, $Title, $vulnID, $Cat, $msg_1, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append


# V-39392: the ESXi Shell must time out idle sessions. The advanced setting comes back as a
# hashtable, so the value is read from .Values. Only exactly 900 is accepted; a smaller
# (stricter) timeout is graded Fail — NOTE(review): confirm that is the intended reading.
$StigID = "SRG-OS-000126-ESXI5"
$VulnID = "V-39392"
$Cat = "II"
$Title = "The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name UserVars.ESXiShellTimeOut
$grade = "Fail"
if ($msg.Values -contains 900) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39393: management-network isolation cannot be verified from PowerCLI; recorded as Manual
# and not counted toward $count / $pass.
$StigID = "SRG-OS-000132-ESXI5"
$VulnID = "V-39393"
$Cat = "II"
$Title = "vSphere management traffic must be on a restricted network."
$grade = "Manual"
$msg = "This is a manual check."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39397: the host firewall exception list is written to the report for the reviewer;
# grading is Manual.
$StigID = "SRG-OS-000144-ESXI5"
$VulnID = "V-39397"
$Cat = "II"
$Title = "The operating system must monitor and control communications at the external boundary of the information system and at key internal boundaries within the system."
$grade = "Manual"
$msg = Get-VMHostFirewallException -VMHost $vmhost
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


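# V-39395: an IPv4 default gateway must be configured on the VMkernel network.
$StigID = "SRG-OS-000145-ESXI5"
$VulnID = "V-39395"
$Cat = "II"
$Title = "The system must be configured with a default gateway for IPv4 if the system uses IPv4, unless the system is a router."
$count++
$msg = Get-VMHostNetwork -VMHost $VMHost | select VMHost, VMKernelGateway
if ($msg.VMKernelGateway -ne $null)
	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
# Mask the gateway before it reaches the report. Assigning the mask directly replaces the old
# `$msg -replace $msg, ...` form, which built a regex from the object's own string
# representation and only masked when that regex happened to match itself.
$msg = "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append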


# V-39398: deny-by-default at managed interfaces. The exception list is dumped for review;
# grading is Manual and the check is not counted.
$StigID = "SRG-OS-000147-ESXI5"
$VulnID = "V-39398"
$Cat = "II"
$Title = "The operating system, at managed interfaces, must deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception)."
$grade = "Manual"
$msg = Get-VMHostFirewallException -VMHost $vmhost
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39396: host-based boundary protection. Same firewall exception dump as above, reported
# under its own STIG ID; grading is Manual.
$StigID = "SRG-OS-000152-ESXI5"
$VulnID = "V-39396"
$Cat = "II"
$Title = "The operating system must implement host-based boundary protection mechanisms for servers, workstations, and mobile devices."
$grade = "Manual"
$msg = Get-VMHostFirewallException -VMHost $vmhost
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


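# V-39402: the SSH client must not use CBC ciphers.
$StigID = "SRG-OS-000157-ESXI5"
$VulnID = "V-39402"
$Cat = "II"
$Title = "The SSH client must be configured to not use CBC-based ciphers."
$count++
$remoteCommand = '"' + 'grep -i ciphers /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
$msgText = ($msg | Out-String)
# Fail when no Ciphers line is configured — grep returned nothing, or the probe itself failed
# (the old `-eq ""` test never matched $null, so a missing line was graded Pass) — or when a
# CBC cipher is listed (-like needs wildcards; the old "cbc" pattern only matched that literal
# word and so never fired).
if ([string]::IsNullOrWhiteSpace($msgText) -or ($msgText -like "*cbc*")) {$grade = "Fail"}
else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append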


# V-39403: SSH client MACs. The grep has no "^#" filter, but the exact match below only
# accepts an uncommented "MACs hmac-sha1" or "MACs hmac-sha2" line; a line listing several
# MACs, or a commented one, is graded Fail.
$StigID = "SRG-OS-000158-ESXI5"
$VulnID = "V-39403"
$Cat = "II"
$Title = "The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."
$count++
$remoteCommand = '"' + 'grep -i macs /etc/ssh/ssh_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
$grade = "Fail"
if (($msg -eq "MACs hmac-sha1") -or ($msg -eq "MACs hmac-sha2")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39404: SSH client ciphers must all be FIPS 140-2 approved. Same probe as the CBC check;
# this one requires the exact three-cipher CTR list.
$StigID = "SRG-OS-000159-ESXI5"
$VulnID = "V-39404"
$Cat = "II"
$Title = "The SSH client must be configured to only use FIPS 140-2 approved ciphers."
$count++
$remoteCommand = '"' + 'grep -i ciphers /etc/ssh/ssh_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "Ciphers aes-256-ctr, aes-192-ctr, aes-128-ctr") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39405: session termination after inactivity. Same UserVars.ESXiShellTimeOut probe and
# exact-900 grade as V-39392, reported under its own STIG ID.
$StigID = "SRG-OS-000163-ESXI5"
$VulnID = "V-39405"
$Cat = "II"
$Title = "The operating system must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name UserVars.ESXiShellTimeOut
$grade = "Fail"
if ($msg.Values -contains 900) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


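# V-39407: image profile / VIB acceptance level.
$StigID = "SRG-OS-000193-ESXI5"
$VulnID = "V-39407"
$Cat = "II"
$Title = "The Image Profile and VIB Acceptance Levels must be verified."
$count++
$remoteCommand = '"' + 'esxcli software acceptance get' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
# "CommunitySupported" is the disallowed level. An empty result means the probe itself failed
# (plink or esxcli error), so it is graded Fail instead of letting an unverified host pass.
	if ((-not $msg) -or ($msg -eq "CommunitySupported")) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append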


# V-39408: remote syslog target. Syslog.global.logHost comes back as a hashtable; the grade
# accepts either of the site's two syslog endpoints.
$StigID = "SRG-OS-000197-ESXI5"
$VulnID = "V-39408"
$Cat = "II"
$Title = "Remote logging for ESXi hosts must be configured."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
$logHosts = $msg.Values
$grade = "Fail"
if (($logHosts -contains "10.10.10.10") -or ($logHosts -contains "server1.domain.com")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39409: audit records backed up off-host. Same logHost probe and accepted endpoints as
# V-39408, reported under its own STIG ID.
$StigID = "SRG-OS-000215-ESXI"
$VulnID = "V-39409"
$Cat = "II"
$Title = "The operating system must back up audit records on an organization-defined frequency onto a different system or media than the system being audited."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
$logHosts = $msg.Values
$grade = "Fail"
if (($logHosts -contains "server1.domain.com") -or ($logHosts -contains "10.10.10.10")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39410: audit records for privileged access protected off-host. Same logHost probe again.
$StigID = "SRG-OS-000217-ESXI"
$VulnID = "V-39410"
$Cat = "II"
$Title = "The operating system must protect the audit records resulting from non-local accesses to privileged accounts and the execution of privileged functions."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
$logHosts = $msg.Values
$grade = "Fail"
if (($logHosts -contains "server1.domain.com") -or ($logHosts -contains "10.10.10.10")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39399: remote-connection requirements. Firewall exceptions are dumped for review; Manual.
$StigID = "SRG-OS-000231-ESXI5"
$VulnID = "V-39399"
$Cat = "II"
$Title = "The operating system must enforce requirements for remote connections to the information system."
$grade = "Manual"
$msg = Get-VMHostFirewallException -VMHost $vmhost
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


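# V-39252: no .rhosts / hosts.equiv trust files on the host.
# This is an audit, so the probe only lists the files. The old command also ran
# `rm -f /etc/hosts.equiv`, which modified every host on every scan and hid a hosts.equiv
# finding instead of reporting it; remediation belongs in a separate, reviewed step.
# Any path returned is a finding. NOTE(review): an empty result also occurs when plink fails,
# which this check cannot tell apart from "no files".
$StigID = "SRG-OS-000248-ESXI5"
$VulnID = "V-39252"
$Cat = "I"
$Title = "There must be no .rhosts  or hosts.equiv files on the system."
$count++
$remoteCommand = '"' + 'find / -name .rhosts -o -name hosts.equiv' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = $null
$msg = Invoke-Expression -command $command
	if ($msg -ne $null) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append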


# V-39416: password complexity (special character). The pam "requisite" line is probed and
# graded against the expected min= class string; the same probe and grade are reused by the
# two other pam password checks further down.
$StigID = "SRG-OS-000266-ESXI5"
$VulnID = "V-39416"
$Cat = "II"
$Title = "The system must require that passwords contain at least one special character."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -like "*min=disabled,disabled,disabled,disabled,8") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


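# V-39414: SSHv2 only.
# grep normally prints no file-name prefix when given a single file, so the old exact match
# against "/etc/ssh/sshd_config:Protocol 2" could not succeed; the line is now accepted with
# or without the prefix.
# NOTE(review): the title names the SSH *client*, but the probe reads sshd_config (the
# daemon); the client setting lives in /etc/ssh/ssh_config — confirm which file this STIG ID
# covers before changing the path.
$StigID = "GEN005501-ESXI5-9778"
$VulnID = "V-39414"
$Cat = "II"
$Title = "The SSH client must be configured to only use the SSHv2 protocol."
$count++
$remoteCommand = '"' + 'grep -i "Protocol 2" /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
if ($msg -like "*Protocol 2")
    	{$grade = "Pass"; $pass++}
else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append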


# V-39425: weekly setuid audit — procedural, recorded as Manual.
# NOTE(review): the VulnID value carries a leading space; it is written to the report as-is.
$StigID = "GEN002400-ESXI5-10047"
$VulnID = " V-39425"
$Cat = "II"
$Title = "The system must be checked weekly for unauthorized setuid files, as well as, unauthorized modification to authorized setuid files."
$grade = "Manual"
$msg = "This is a manual check.  Configure the system to check for unauthorized setuid files on a weekly basis."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39422: nosuid on non-system mounts. ESXi is expected to have no uncommented fstab
# entries, so any line returned is a finding. NOTE(review): an empty result also occurs when
# plink fails, which this check cannot tell apart from "no entries".
$StigID = "GEN002420-ESXI5-00878 "
$VulnID = "V-39422"
$Cat = "II"
$Title = "Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq $null) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


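# V-39425 (setgid variant): weekly setgid audit — procedural, recorded as Manual.
# NOTE(review): StigID and VulnID here are identical to the setuid check above and look
# carried over from it; confirm the correct identifiers against the STIG.
$StigID = "GEN002400-ESXI5-10047"
$VulnID = " V-39425"
$Cat = "II"
$Title = "The system must be checked weekly for unauthorized setgid files, as well as, unauthorized modification to authorized setgid files."
# The report text said "setuid" although this entry covers setgid files.
$msg = "This is a manual check.  Configure the system to check for unauthorized setgid files on a weekly basis."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append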


# V-39423: nosuid on NFS client mounts. Same fstab probe as V-39422: any uncommented entry
# is a finding, and an empty result (including a failed probe) is graded Pass.
$StigID = "GEN005900-ESXI5-00891"
$VulnID = "V-39423"
$Cat = "II"
$Title = "The nosuid option must be enabled on all NFS client mounts."
$count++
$remoteCommand = '"' + 'cat /etc/fstab | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq $null) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39429: supported release. The outer loop already filters on 5.5.0, so this re-reads the
# version from vCenter and records it; anything else is graded Fail.
$StigID = "GEN000100-ESXI5-000062"
$VulnID = "V-39429"
$Cat = "I"
$Title = "The operating system must be a supported release."
$count++
$msg = Get-VMHost $vmhost |select name,version
$grade = "Pass"
if ($msg.version -ne "5.5.0") {
    $grade = "Fail"
}
else {
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


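# V-39430: clock synchronised to the approved time source.
$StigID = "GEN000240-ESXI5-000058"
$VulnID = "V-39430"
$Cat = "II"
$Title = "The system clock must be synchronized to an authoritative DoD time source."
$count++
$msg = Get-VMHostntpServer $vmhost
# Get-VMHostNtpServer may return one string or several; Pass when the expected server is
# among them. The Fail branch now assigns $grade — the old `$grade -eq "Fail"` was a
# comparison, so a failing host kept the previous check's grade.
	if (@($msg) -contains "ntp.domain.com") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
# Mask the NTP address(es) in the report; direct assignment replaces the self-referencing
# -replace, which did not mask a multi-server list.
	$msg = "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append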


# V-39263: entire password enforced. Same pam "requisite ... min=" probe and grade as
# V-39416. NOTE(review): StigID has a trailing space and VulnID a leading one; both are
# written to the report as-is.
$StigID = "GEN000585-ESXI5-000080 "
$VulnID = " V-39263"
$Cat = "II"
$Title = "The system must enforce the entire password during authentication."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -like "*min=disabled,disabled,disabled,disabled,8") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39246: dictionary-word passwords prevented. Same pam probe and grade once more.
$StigID = "GEN000790-ESXI5-000085"
$VulnID = "V-39246"
$Cat = "II"
$Title = "The system must prevent the use of dictionary words for passwords."
$count++
$remoteCommand = '"' + 'grep "^password" /etc/pam.d/passwd | grep requisite | grep "min="' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -like "*min=disabled,disabled,disabled,disabled,8") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39273: root's PATH must be the vendor default. Only the exact "PATH=/bin:/sbin" line
# from /etc/profile passes. NOTE(review): StigID carries a leading space.
$StigID = " GEN000940-ESXI5-000042"
$VulnID = "V-39273"
$Cat = "II"
$Title = "The root accounts executable search path must be the vendor default and must contain only absolute paths."
$count++
$remoteCommand = '"' + 'grep PATH= /etc/profile' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "PATH=/bin:/sbin") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39382: root's library search path must be the system default (libdir in vmware config).
$StigID = "GEN000945-ESXI5-000333"
$VulnID = "V-39382"
$Cat = "II"
$Title = "The root accounts library search path must be the system default and must contain only absolute paths."
$count++
$remoteCommand = '"' + 'grep libdir /etc/vmware/config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq 'libdir = "/usr/lib/vmware"') {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


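# V-39427: at least two DNS resolvers configured.
$StigID = "GEN001375-ESXI5-000086"
$VulnID = "V-39427"
$Cat = "III"
$Title = "For systems using DNS resolution, at least two name servers must be configured."
$count++
$msg = Get-VMHostNetwork -VMHost $vmhost | select DnsAddress
	if ($msg.DnsAddress.Count -ge 2) {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
# Mask the resolver addresses in the report; direct assignment replaces the self-referencing
# -replace, which only masked when the regex built from the object's string form matched.
	$msg = "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append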


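# /etc/shells must exist.
# NOTE(review): StigID and VulnID here are the same values as the libdir check above and look
# carried over from it; confirm the correct identifiers against the STIG.
$StigID = "GEN000945-ESXI5-000333"
$VulnID = "V-39382"

$Cat = "II"
$Title = "The /etc/shells (or equivalent) file must exist."
$count++
$remoteCommand = '"' + 'ls -l /etc/shells' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$msgText = ($msg | Out-String)
# ls reports a missing file on stderr, which Invoke-Expression does not capture, so a missing
# /etc/shells shows up here as an empty result — the old check only looked for the literal
# error text (without wildcards) and therefore graded a missing file Pass. Empty output, or
# the error text if it does reach stdout, is now Fail.
	if ([string]::IsNullOrWhiteSpace($msgText) -or ($msgText -like "*No such file or directory*")) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append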


# V-39276: every shell listed in /etc/shells must exist. The probe runs `ls -lL` on the
# file's contents (the doubled backticks survive Invoke-Expression as one literal backtick
# each) and the grade expects exactly the two ESXi shells, /bin/ash and /bin/sh, in either
# order. NOTE(review): with a single line of output $msg is a string and $msg[0] is its first
# character, so the check grades Fail — the right outcome, but for the wrong reason.
$StigID = "GEN002140-ESXI5-000046"
$VulnID = "V-39276"
$Cat = "II"
$Title = "All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins."
$count++
$remoteCommand = '"' + 'ls -lL ``cat /etc/shells``' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$firstLine = $msg[0]
$secondLine = $msg[1]
$firstOk = ($firstLine -like "*/bin/ash") -or ($firstLine -like "*/bin/sh")
$secondOk = ($secondLine -like "*/bin/sh") -or ($secondLine -like "*/bin/ash")
$grade = "Fail"
if ($firstOk -and $secondOk) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39424: weekly check for extraneous device files — procedural, recorded as Manual.
$StigID = "GEN002260-ESXI5-000047"
$VulnID = " V-39424"
$Cat = "II"
$Title = "The system must be checked for extraneous device files at least weekly."
$grade = "Manual"
$msg = "This is a manual check.  Configure the system to check for extraneous device files on a weekly basis."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39355: kernel core dumps — the dump partition size is confirmed by hand; Manual.
$StigID = "GEN003510-ESXI5-006660"
$VulnID = " V-39355"
$Cat = "II"
$Title = "Kernel core dumps must be disabled unless needed."
$grade = "Manual"
$msg = "This is a manual check.  If the ESXi 5.0 server's local dump partition size is at least 100 MB, this is not a finding."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


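# V-39247: SNMP community strings must not be the well-known defaults.
$StigID = "GEN005300-ESXI5-000099"
$VulnID = " V-39247"
$Cat = "II"
$Title = "SNMP communities, users, and passphrases must be changed from the default."
$count++
$remoteCommand = '"' + 'egrep -i "community|communities" /etc/vmware/snmp.xml' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$msgText = ($msg | Out-String)
# The community lines come back as XML, so the default names are matched as substrings; the
# old patterns had no wildcards and matched only a bare "public"/"private"/"password" line,
# which meant a host with default communities was never graded Fail. An empty result (no
# community configured, or the probe failed) is still graded Pass as before.
	if (($msgText -like "*public*") -or ($msgText -like "*private*") -or ($msgText -like "*password*")) {$grade = "Fail"}
	else {$grade = "Pass"; $pass++}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append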


# V-39279: host must not act as a syslog server for outside systems. Same
# Syslog.global.logHost probe and accepted endpoints as V-39408.
$StigID = "GEN005440-ESXI5-000078"
$VulnID = " V-39279"
$Cat = "II"
$Title = "The system must not be used as a syslog server (log host) for systems external to the enclave."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
$logHosts = $msg.Values
$grade = "Fail"
if (($logHosts -contains "10.10.10.10") -or ($logHosts -contains "server1.domain.com")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39278: only documented remote log hosts. Same logHost probe, reported under its own ID.
$StigID = "GEN005460-ESXI5-000060"
$VulnID = " V-39278"
$Cat = "II"
$Title = "The system must only use remote syslog servers (log hosts) justified and documented using site-defined procedures."
$count++
$msg = Get-VMHostAdvancedConfiguration -Name Syslog.global.logHost -VMHost $VMHost
$logHosts = $msg.Values
$grade = "Fail"
if (($logHosts -contains "10.10.10.10") -or ($logHosts -contains "server1.domain.com")) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39248: sshd must not allow TCP forwarding. Exact uncommented "AllowTCPForwarding no".
$StigID = "GEN005515-ESXI5-000100"
$VulnID = " V-39248"
$Cat = "III"
$Title = "The SSH daemon must be configured to not allow TCP connection forwarding."
$count++
$remoteCommand = '"' + 'grep -i AllowTCPForwarding /etc/ssh/sshd_config | grep -v "^#"' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "AllowTCPForwarding no") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39250: sshd must not allow gateway ports. No "^#" filter on this grep, but the exact
# match only accepts an uncommented "GatewayPorts no" line.
$StigID = "GEN005517-ESXI5-000101"
$VulnID = " V-39250"
$Cat = "III"
$Title = "The SSH daemon must be configured to not allow gateway ports."
$count++
$remoteCommand = '"' + 'grep -i GatewayPorts /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "GatewayPorts no") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39265: sshd must not allow X11 forwarding. The grep is anchored at line start, so only an
# uncommented directive is returned; exact "X11Forwarding no" passes.
$StigID = "GEN005519-ESXI5-000102"
$VulnID = "V-39265"
$Cat = "II"
$Title = "The SSH daemon must be configured to not allow X11 forwarding."
$count++
$remoteCommand = '"' + 'grep -i "^X11Forwarding"  /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "X11Forwarding no") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


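# V-39419: sshd must restrict logins to specific groups.
$StigID = "GEN005521-ESXI5-00010"
$VulnID = "V-39419"
$Cat = "II"
$Title = "The SSH daemon must restrict login ability to specific users and/or groups."
$count++
$remoteCommand = '"' + 'grep -i "^AllowGroups" /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$msgText = ($msg | Out-String)
# A configured directive is "AllowGroups <group ...>", so the grade accepts the keyword
# followed by at least one name. The old exact match against the bare word "AllowGroups"
# could never be satisfied by a valid line, so every host was graded Fail.
	if ($msgText -like "AllowGroups *") {$grade = "Pass"; $pass++}
	else {$grade = "Fail"}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append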


# V-39266: sshd may only accept locale environment variables. Exact "AcceptEnv LOCALE".
# NOTE(review): the grep has no anchor or "^#" filter, so a commented default line would
# also be returned; it still fails the exact match.
$StigID = "GEN005528-ESXI5-000106"
$VulnID = "V-39266"
$Cat = "II"
$Title = "The SSH daemon must not accept environment variables from the client or must only accept those pertaining to locale."
$count++
$remoteCommand = '"' + 'grep AcceptEnv /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "AcceptEnv LOCALE") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39267: sshd must not honour user environment files. Exact "PermitUserEnvironment no".
$StigID = "GEN005530-ESXI5-000107"
$VulnID = "V-39267"
$Cat = "II"
$Title = "The SSH daemon must not permit user environment settings."
$count++
$remoteCommand = '"' + 'grep PermitUserEnvironment /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "PermitUserEnvironment no") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39268: sshd must not permit tunnels. Exact "PermitTunnel no".
# NOTE(review): StigID carries a leading space; it is written to the report as-is.
$StigID = " GEN005531-ESXI5-000108"
$VulnID = "V-39268"
$Cat = "II"
$Title = "The SSH daemon must not permit tunnels."
$count++
$remoteCommand = '"' + 'grep PermitTunnel /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "PermitTunnel no") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39420: sshd must check home-directory file modes. Exact "StrictModes yes".
$StigID = "GEN005536-ESXI5-000110"
$VulnID = "V-39420"
$Cat = "II"
$Title = "The SSH daemon must perform strict mode checking of home directory configuration files."
$count++
$remoteCommand = '"' + 'grep StrictModes /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Fail"
if ($msg -eq "StrictModes yes") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39285: sshd compression only after authentication. "Compression yes" is the only failing
# value; "no" and "delayed" pass. NOTE(review): an empty result (directive absent, or the
# probe failed) is also graded Pass.
$StigID = "GEN005539-ESXI5-000113"
$VulnID = "V-39285"
$Cat = "II"
$Title = "The SSH daemon must not allow compression or must only allow compression after successful authentication."
$count++
$remoteCommand = '"' + 'grep Compression /etc/ssh/sshd_config' + '"'
$command = $plink + " " + $plinkOptions + " " + $User + "@" + $hostName + " " + $remoteCommand
$msg = Invoke-Expression -command $command
$grade = "Pass"
if ($msg -eq "Compression yes") {
    $grade = "Fail"
}
else {
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


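# V-39286: IPv6 default gateway, applicable only when IPv6 is enabled.
# VMKernelV6Gateway is now part of the Select: the old Select kept only Hostname and
# ipv6Enabled, so the gateway test always saw $null and every IPv6-enabled host was graded
# Fail. Hosts with IPv6 disabled are NA and are not counted.
$StigID = "GEN005570-ESXI5-000115"
$VulnID = "V-39286"
$Cat = "II"
$Title = "The system must be configured with a default gateway for IPv6 if the system uses IPv6, unless the system is a router."
$netInfo = Get-VMHostNetwork -VMHost $VMHost | Select Hostname, ipv6Enabled, VMKernelV6Gateway
if ($netInfo.ipv6Enabled -eq $false) {$grade = "NA"}
elseif (-not $netInfo.VMKernelV6Gateway) {$count++; $grade = "Fail"}
else {$count++; $grade = "Pass"; $pass++}
# Report the same two columns as before; the gateway address itself is not written out.
$msg = $netInfo | Select Hostname, ipv6Enabled
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append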


# IPv6 protocol handler bound to the stack.
# NOTE(review): the grading below is a copy of the IPv6 *gateway* check (same VulnID too):
# it reads vmkernelv6Gateway, which the Select drops, so any IPv6-enabled host is graded
# Fail. The STIG question here is whether IPv6 is enabled at all; confirm the intended logic
# and identifiers before relying on this result.
$StigID = "GEN007700-ESXI5-000116"
$VulnID = "V-39286"
$Cat = "II"
$Title = "The IPv6 protocol handler must not be bound to the network stack unless needed."
$msg = Get-VMHostNetwork -VMHost $VMHost |Select Hostname, ipv6Enabled
if ($msg.ipv6Enabled -eq $false) {
    $grade = "NA"
}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway -eq $null)) {
    $count++
    $grade = "Fail"
}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway)) {
    $count++
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# IPv6 protocol handler installed. Same copied gateway logic as the check above — see the
# note there. NOTE(review): StigID carries a leading space and is written as-is.
$StigID = " GEN007740-ESXI5-000118"
$VulnID = "V-39432"
$Cat = "II"
$Title = "The IPv6 protocol handler must not be installed unless needed."
$msg = Get-VMHostNetwork -VMHost $VMHost |Select Hostname, ipv6Enabled
if ($msg.ipv6Enabled -eq $false) {
    $grade = "NA"
}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway -eq $null)) {
    $count++
    $grade = "Fail"
}
elseif (($msg.ipv6Enabled -eq $true) -and ($msg.vmkernelv6Gateway)) {
    $count++
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39432: DHCP client disabled. Fail if any VMkernel adapter has DHCP enabled.
# NOTE(review): this VulnID is the same value as the previous check's.
$StigID = "GEN007840-ESXI5-000119"
$VulnID = "V-39432"
$Cat = "II"
$Title = "The DHCP client must be disabled if not used."
$count++
$msg = Get-VMHostNetworkAdapter -VMHost $VMHost |Select Name, DhcpEnabled
$dhcpAdapters = @($msg | Where-Object { $_.DhcpEnabled -eq $true })
if ($dhcpAdapters.Count -eq 0) {
    $grade = "Pass"
    $pass++
}
else {
    $grade = "Fail"
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39288: USB disabled in firmware — BIOS inspection, recorded as Manual.
$StigID = "GEN008460-ESXI5-000121"
$VulnID = "V-39288"
$Cat = "III"
$Title = "The system must have USB disabled unless needed."
$grade = "Manual"
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB device connectivity."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39289: USB mass storage disabled in firmware — Manual.
# NOTE(review): this StigID and the next one reuse the GEN007740 prefix of the IPv6 check
# above and carry a leading space; confirm against the STIG.
$StigID = " GEN007740-ESXI5-000122"
$VulnID = "V-39289"
$Cat = "III"
$Title = "The system must have USB Mass Storage disabled unless needed."
$grade = "Manual"
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for USB mass storage connectivity."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39291: IEEE 1394 disabled in firmware — Manual.
$StigID = " GEN007740-ESXI5-000123"
$VulnID = "V-39291"
$Cat = "III"
$Title = "The system must have IEEE 1394 (Firewire) disabled unless needed."
$grade = "Manual"
$msg = "To verify hardware enabled options: Interrupt the host computer's boot process and enter the BIOS menu.  Inspect the menu option for IEEE 1394 device connectivity."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append



# V-39384: boot only from the system boot device — BIOS boot order inspection, Manual.
$StigID = "GEN008600-ESXI5-000050"
$VulnID = "V-39384"
$Cat = "I"
$Title = "The system must be configured to only boot from the system boot device."
$grade = "Manual"
$msg = "Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu. Inspect the menu option for boot order.
If any media other than the ESXi boot disk is listed as a boot option, this is a finding."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39277: no removable-media boot loader — Manual. NOTE(review): the closing sentence of
# the report text is repeated; it is reproduced unchanged here.
$StigID = "GEN008640-ESXI5-000055"
$VulnID = "V-39277"
$Cat = "I"
$Title = "The system must not use removable media as the boot loader."
$grade = "Manual"
$msg = "Note: Checking a system's BIOS is vendor and hardware dependent. To verify media boot options: Interrupt the host computer's boot process and enter the BIOS menu.  Inspect the menu option for boot order. If any media other than the ESXi boot disk is listed as a boot option, this is a finding.
If any media other than the ESXi boot disk is listed as a boot option, this is a finding."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39428: removable boot media kept in a secured container — interview the SA; Manual.
$StigID = "GEN008680-ESXI5-000056"
$VulnID = "V-39428"
$Cat = "I"
$Title = "If the system boots from removable media, it must be stored in a safe or similarly secured container."
$grade = "Manual"
$msg = "Ask the SA if the system boots from removable media. If so, ask if the boot media is stored in a secure container when not in use. If it is not, this is a finding."
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


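# V-39292: NTP synchronisation configured against the approved server only.
$StigID = "SRG-OS-99999-ESXI5-000131"
$VulnID = "V-39292"
$Cat = "II"
$Title = "NTP time synchronization must be configured."
$count++
$ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
$msg = $ntpServers
# Fail when no NTP server is configured at all (the old `-ne` test on an empty list was
# false, so a host with no NTP setup was graded Pass) or when any server other than the
# approved one is listed.
$unexpected = @($ntpServers | Where-Object { $_ -ne "ntp.domain.com" })
if (($ntpServers.Count -eq 0) -or ($unexpected.Count -gt 0)) 	{$grade = "Fail"}
else {$grade = "Pass"; $pass++}
# Mask the NTP address(es) in the report; direct assignment replaces the self-referencing
# -replace, which did not mask a multi-server list.
$msg = "***.***.***.***"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append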


# V-39293: persistent log directory. Syslog.global.logDir is read from the returned hashtable
# and rendered as text; a path containing "vAdmin" is the site's persistent datastore.
$StigID = "SRG-OS-99999-ESXI5-00013"
$VulnID = "V-39293"
$Cat = "II"
$Title = "Persistent logging for all ESXi hosts must be configured."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name Syslog.global.logDir
$logDirText = ($msg["Syslog.global.logDir"] | Out-String)
$grade = "Fail"
if ($logDirText -like "*vAdmin*") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


# V-39294: DCUI disabled. Recorded as a filed deviation rather than graded; the grade value
# (with its trailing spaces) is written to the report exactly as before.
$StigID = "SRG-OS-99999-ESXI5-000135"
$VulnID = "V-39294"
$Cat = "II"
$Title = "The system must disable DCUI to prevent local administrative control."
$grade = "Deviation     "
$msg = "The DCUI is enabled. This check is a deviation filed under D0005"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


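# V-39295: ESXi Shell disabled unless needed. Recorded as a filed deviation; the service
# state is written to the report for the reviewer.
$StigID = "SRG-OS-99999-ESXI5-000136"
$VulnID = "V-39295"
$Cat = "II"
# Title had a doubled "T" ("TThe") that went into the report verbatim.
$Title = "The system must disable ESXi Shell unless needed for diagnostics or troubleshooting."
# The ESXi Shell service key is "TSM"; the old filter used "DCUI", which reported the
# Direct Console state (already covered by the previous check) under this STIG ID.
$msg = Get-VMHost $vmhost | Get-VMHostService | Where {$_.Key -eq "TSM"} | Select Label, Policy, Running
$grade = "Deviation D00004"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -append
$CR | Out-File -filePath $OutputPath -append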


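$StigID = "SRG-OS-99999-ESXI5-000137"
$VulnID = "V-39296"
$Cat = "II"
$Title = "The system must disable the Managed Object Browser (MOB)."
$count++
# Pull the host's proxy service table over SSH and look for the MOB entry locally. plink is run
# through the call operator with discrete arguments instead of Invoke-Expression on a concatenated
# string: $User (Read-Host) and $hostName (vCenter inventory) are runtime data and must never be
# parsed as PowerShell code.
# NOTE(review): -pw places the root password on the command line, where anyone able to list
# processes on this workstation can read it; key-based authentication would remove that exposure.
$remoteCommand = 'vim-cmd proxysvc/service_list'
$serviceList = & $plink -v -batch -pw $Pswd "$User@$hostName" $remoteCommand
if ($LASTEXITCODE -ne 0) {
    # A failed SSH session (refused, host key not cached under -batch, bad credentials) used to look
    # like "no output" and was graded Pass. Report it instead; it still counts against the pass rate.
    $msg = "plink exited with code $LASTEXITCODE; MOB state could not be determined."
    $grade = "Error"
}
else {
    $msg = $serviceList | Select-String -SimpleMatch "proxy-mob" | ForEach-Object { $_.Line }
    if (-not $msg) { $grade = "Pass"; $pass++ }
    else { $grade = "Fail" }
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append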


$StigID = "SRG-OS-99999-ESXI5-000139"
$VulnID = "V-39297"
$Cat = "II"
$Title = "The system must not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications."
$count++
# Site-specific: the only third-party monitoring principal examined is the SolarWinds service
# account, which must hold the role named "Monitor RO" on this host. Other CIM or third-party
# accounts are not inspected by this check.
$monitorPrincipal = "NGSCORP\SolarWinds"
$msg = Get-VIPermission -Entity $vmhost -Principal $monitorPrincipal | Select-Object Principal, Role
$grade = "Fail"
if ($msg.Role -eq "Monitor RO") {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


$StigID = "SRG-OS-99999-ESXI5-000141"
$VulnID = "V-39298"
$Cat = "III"
$Title = "The system must enable bidirectional CHAP authentication for iSCSI traffic."
# Not automated: marked not applicable because this environment does not use iSCSI. Not counted
# toward the pass rate.
$msg = "This check applies to the use of iSCSI storage. If iSCSI storage is not used, this check is not applicable."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


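$StigID = "SRG-OS-99999-ESXI5-000143"
$VulnID = "V-39299"
$Cat = "III"
$Title = "The system must enable SSL for NFC."
$count++
# config.nfc.useSSL is a vCenter-wide setting, so every host in this run receives the same result.
# NOTE(review): $vcenter holds the server name string; Get-AdvancedSetting -Entity normally takes the
# connected VIServer object ($global:DefaultVIServer) - confirm the string binds as intended.
$msg = Get-AdvancedSetting -Entity $vcenter | Where-Object { $_.Name -eq "config.nfc.useSSL" } | Select-Object Name, Value
# Anything other than an explicit true is a finding. The previous if/elseif had no else branch, so an
# unexpected value left $grade holding the previous check's result.
if ($msg -and $msg.Value -eq $true) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append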


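$StigID = "SRG-OS-99999-ESXI5-000144"
$VulnID = "V-39417"
$Cat = "II"
$Title = "The system must ensure proper SNMP configuration."
$count++
# NOTE(review): this community string is a credential embedded in source; read it at run time the
# way the root password is, rather than keeping it in the script.
$approvedCommunity = "03Tremble"
# NOTE(review): Get-VMHostSnmp is called without a target; confirm it reports this host's agent and
# not the default connection's when the session is to vCenter.
$snmp = Get-VMHostSnmp
$communities = @($snmp.ReadOnlyCommunities | Where-Object { -not [string]::IsNullOrEmpty($_) })
$foreign = @($communities | Where-Object { $_ -ne $approvedCommunity })
# Pass when the agent is off, or when it is on and exposes only the approved community. The previous
# test passed as soon as the approved string was present, even alongside "public", and left $grade
# stale for any community that was neither approved nor public/private.
if (-not $snmp) { $grade = "Fail" }
elseif (-not $snmp.Enabled) { $grade = "Pass"; $pass++ }
elseif ($communities.Count -gt 0 -and $foreign.Count -eq 0) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
# Community strings are credentials; the report records how many are set, not their values.
$msg = $snmp | Select-Object Enabled, @{ N = 'Communities'; E = { $communities | ForEach-Object { '********' } } }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append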


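$StigID = "SRG-OS-99999-ESXI5-000145"
$VulnID = "V-39300"
$Cat = "II"
$Title = "The system must ensure the vpxuser auto-password change meets policy."
$count++
# vCenter-wide setting; same result for every host in the run. (Property name fixed: "Desription"
# produced an empty column in the report.)
$msg = Get-AdvancedSetting -Entity $vcenter | Where-Object { $_.Name -eq "VirtualCenter.VimPasswordExpirationInDays" } | Select-Object Name, Description, Value
# Value arrives as a string; compare numerically (as strings, "100" -le 60 is true) and treat a
# missing setting as a finding instead of the previous `$null -le 60` pass.
$expiryDays = $msg.Value -as [int]
if ($null -ne $expiryDays -and $expiryDays -le 60) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append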


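$StigID = "SRG-OS-99999-ESXI5-000146"
$VulnID = "V-39302"
$Cat = "II"
$Title = "The system must ensure the vpxuser password meets length policy."
$count++
# Not a live check: the length is not configurable in 5.5 and the default is accepted as meeting
# policy, so this item is counted and passed without gathering evidence from the host.
# The dangling `$vpxcfgFile =` that preceded the message was removed: an assignment continues onto
# the next line, so it silently received the same text and was never used.
$msg = "This setting is not configurable in v 5.5. Default length is 32 characters"
$grade = "Pass"; $pass++
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append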


$StigID = "SRG-OS-99999-ESXI5-000147"
$VulnID = "V-39303"
$Cat = "III"
$Title = "The system must ensure uniqueness of CHAP authentication secrets."
# Not automated: not applicable because this environment does not use iSCSI. Not counted toward the
# pass rate.
$msg = " iSCSI is not used in this environment.  If iSCSI is not used, this is not a finding."
$grade = "NA"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append

$StigID = "SRG-OS-99999-ESXI5-000150"
$VulnID = "V-39304"
$Cat = "III"
$Title = "SAN resources must be masked and zoned appropriately."
# Manual item: LUN masking/zoning is verified against a vendor-specific procedure, not from the host.
# Not counted toward the pass rate.
$msg = " This is a Manual check. A vendor-specific procedure must be developed and documented to mask/zone host LUNs."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


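$StigID = "SRG-OS-99999-ESXI5-000151"
$VulnID = "V-39346"
$Cat = "III"
$Title = "The system must prevent unintended use of dvfilter network APIs."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name Net.DVFilterBindIpAddress
$bindAddress = $msg["Net.DVFilterBindIpAddress"]
# Compliant when no bind address is configured. Both an empty string and a missing value mean
# "unset"; the previous test compared only against "" and would have reported $null as a finding.
if ([string]::IsNullOrEmpty([string]$bindAddress)) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append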


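$StigID = "SRG-OS-99999-ESXI5-000152"
$VulnID = "V-39347"
$Cat = "II"
$Title = "Keys from SSH authorized_keys file must be removed."
$count++
# Any key in root's authorized_keys grants password-less root SSH, so the file must be empty.
# plink is run through the call operator with discrete arguments instead of Invoke-Expression on a
# concatenated string: $User (Read-Host) and $hostName (vCenter inventory) are runtime data and must
# never be parsed as PowerShell code.
# NOTE(review): -pw places the root password on the command line, where anyone able to list
# processes on this workstation can read it; key-based authentication would remove that exposure.
$remoteCommand = 'cat /etc/ssh/keys-root/authorized_keys'
$msg = & $plink -v -batch -pw $Pswd "$User@$hostName" $remoteCommand
if ($LASTEXITCODE -ne 0) {
    # Covers both a failed SSH session and an unreadable/absent file; both previously produced no
    # output and were graded Pass. Reported for follow-up and counted against the pass rate.
    $msg = "plink exited with code $LASTEXITCODE; authorized_keys could not be read."
    $grade = "Error"
}
elseif (-not $msg) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append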


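$StigID = "SRG-OS-99999-ESXI5-000154"
$VulnID = "V-39348"
$Cat = "III"
$Title = "The system must use Active Directory for local user authentication for accounts other than root and the vpxuser."
$count++
$msg = Get-VMHostAuthentication -VMHost $vmhost | Select-Object Domain, DomainMembershipStatus
# Both a joined domain and a healthy membership status are required. The previous condition used
# "=" here, which assigned "Ok" to the status and made the test pass for any host with a domain set.
if ($msg.Domain -and $msg.DomainMembershipStatus -eq "Ok") { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append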


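$StigID = "SRG-OS-99999-ESXI5-000155"
$VulnID = "V-39349"
$Cat = "II"
$Title = "Active Directory ESX Admin group membership must be verified unused."
$count++
$msg = Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup
# Get-VMHostAdvancedConfiguration returns a hashtable keyed by setting name, so index it as the other
# advanced-setting checks do. `$msg.Value` was always $null here, so every host passed regardless of
# whether the default "ESX Admins" group was still configured.
$esxAdminsGroup = [string]$msg["Config.HostAgent.plugins.hostsvc.esxAdminsGroup"]
if ($esxAdminsGroup -eq "ESX Admins") { $grade = "Fail" }
else { $grade = "Pass"; $pass++ }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append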


$StigID = "SRG-OS-99999-ESXI5-000156"
$VulnID = "V-39350"
$Cat = "II"
$Title = "The contents of exposed configuration files must be verified."
# Manual item: file-integrity baseline evidence is collected from the SA, not from the host. Not
# counted toward the pass rate.
# NOTE(review): the same STIG ID and title appear again further down under V-39353 - confirm which
# vulnerability ID this check belongs to.
$msg = "This check is a manual check.  Ask the SA if a cryptographically hashed file integrity baseline has been created and maintained for the system."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


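$StigID = "SRG-OS-99999-ESXI5-000158"
$VulnID = "V-39351"
$Cat = "II"
$Title = "Unauthorized kernel modules must not be loaded on the host."
$count++
# NOTE(review): $esxcli is not bound in this section; it must be the Get-EsxCli instance for the
# current $vmhost (created inside the host loop), otherwise every host reports the same module table.
$moduleNames = $esxcli.system.module.list() | Select-Object -ExpandProperty Name
$msg = foreach ($name in $moduleNames) {
    $esxcli.system.module.get($name) | Select-Object Module, SignedStatus
}
$unsigned = @($msg | Where-Object { $_.SignedStatus -eq "Unsigned" })
# The report's grade vocabulary is "Fail" everywhere else; "Failed" here broke any Pass/Fail tally.
if ($unsigned.Count -gt 0) { $grade = "Fail" }
else { $grade = "Pass"; $pass++ }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append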


$StigID = "SRG-OS-99999-ESXI5-000160"
$VulnID = "V-39352"
$Cat = "II"
$Title = "The system must use the vSphere Authentication Proxy to protect passwords when adding ESXi hosts to Active Directory."
$count++
# Inventory-wide query: the presence of any host profile in vCenter is treated as a finding, because
# this check does not inspect whether the profile joins AD through the Authentication Proxy. Every
# host in the run therefore receives the same result.
$hostprofiles = Get-VMHostProfile
$msg = "This check applies to environments using host profiles.`n" + $hostprofiles
$grade = "Fail"
if ($null -eq $hostprofiles) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


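$StigID = "SRG-OS-99999-ESXI5-000156"
$VulnID = "V-39353"
$Cat = "II"
$Title = "The contents of exposed configuration files must be verified."
# Manual item: file-integrity baseline evidence is collected from the SA, not from the host. Not
# counted toward the pass rate. (Report text punctuation fixed.)
# NOTE(review): this repeats the STIG ID and title already reported under V-39350 - confirm which
# vulnerability ID this check belongs to before the report is published.
$msg = "This check is a manual check. Ask the SA if a cryptographically hashed file integrity baseline has been created and maintained for the system."
$grade = "Manual"
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append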


# Restore the host's access posture: the script exits lockdown and starts SSH at the top of the loop
# so plink can run the shell-based checks. These two calls must stay after every check that needs
# SSH.
# NOTE(review): if any check above throws, this block never runs and the host is left out of
# lockdown with SSH running; wrapping the per-host checks in try/finally would close that window.
$hostView = Get-View -VIObject $vmhost
$hostView.EnterLockdownMode()
Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false


$StigID = "SRG-OS-99999-ESXI5-000138"
$VulnID = "V-39390"
$Cat = "II"
$Title = "The system must disable SSH."
$count++
# Running is read right after the script itself stopped TSM-SSH, so this mostly confirms the
# script's own clean-up. The Policy column is what shows whether SSH stays off across reboots; it is
# recorded in the report but not graded here.
$sshService = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "TSM-SSH" }
$msg = $sshService | Select-Object Label, Policy, Running
$grade = "Fail"
if ($msg.Running -eq $false) {
    $grade = "Pass"
    $pass++
}
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append


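$StigID = "SRG-OS-000092-ESXI5"
$VulnID = "V-39285"
$Cat = "II"
$Title = "The system must enable lockdown mode to restrict remote access."
$count++
# Re-read the host so the report shows the state after EnterLockdownMode was called above. The grade
# must come from this fresh object: $VMHost.ExtensionData was captured when $hosts was built before
# the loop and is not refreshed automatically, so it still reflects the pre-run value.
$msg = Get-VMHost $vmhost | Select-Object Name, @{ N = "LockedMode"; E = { $_.ExtensionData.Config.AdminDisabled } }
if ($msg.LockedMode -eq $true) { $grade = "Pass"; $pass++ }
else { $grade = "Fail" }
$StigID, $Title, $vulnID, $Cat, $msg, $grade | Out-File -FilePath $OutputPath -Append
$CR | Out-File -FilePath $OutputPath -Append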


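# Per-host summary: $count covers only automated checks (Manual, NA and Deviation items never
# increment it). Guard the division so a host with no counted checks cannot abort the run.
if ($count -gt 0) { $passRate = ($pass / $count) * 100 }
else { $passRate = 0 }
"Pass rate is:  " + $passRate + "% (" + $pass + " of " + $count + " automated checks)" | Out-File -FilePath $outputPath -Append
"`n`n=================End Of File===========================" | Out-File -FilePath $outputPath -Append # end of report marker

# Disconnect-VIServer $vmhost -Confirm:$false -Force:$false
# Pause before the next host - presumably to let the host settle after re-entering lockdown; confirm.
Start-Sleep -Seconds 20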
}
#############################
# go to next host

} 

# Close the vCenter session (and any other open VI connection) once every host has been processed.
Disconnect-VIServer -Confirm:$false -Force



Can you give me an example, please?