PSVMware.psm1
|
function ConvertTo-Template { <# .SYNOPSIS Function to retrieve the Network Configuration info of a vSphere host. .DESCRIPTION Function to retrieve the Network Configuration info of a vSphere host. .PARAMETER VMHost A vSphere ESXi Host object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> ConvertTo-Template -Template templateWS2016 .EXAMPLE PS> Get-ContentLibraryItem templateWS2016 -ContentLibrary CL_WIN | ConvertTo-Template .NOTES NAME: Get-VMHostNetworkConfig AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [Alias('Template')] [ValidateNotNullOrEmpty()] #Ensure From is not equal to $null or "" [string]$Name, [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] #Ensure From is not equal to $null or "" [string]$ContentLibrary, [parameter(Mandatory=$false)] [Alias('Datacenter')] [string]$DC_Name, [parameter(Mandatory=$false)] [Alias('VMHost')] [string]$VMHost_Name, [parameter(Mandatory=$false)] [Alias('Datastore')] [string]$Datastore_Name ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } #Para poder tener control de errores necesitamos para la ejecucion cuando haya un error $ErrorActionPreference = 'Stop' #variable para controlar si todo ha ido bien o ha habido algun problema [bool]$status = $true #$cred = Get-Credential; New-VICredentialStoreItem -Host hostname.domain -User $cred.UserName -Password $cred.GetNetworkCredential().password $now = Get-Date $Datacenter = $null $VMHost = $null $Datastore = $null } process { try{ #El Get-ContentLibraryItem no se puede hacer en el begin porque si $Name llega por pipe hasta el bloque process no tiene valor $Template = Get-ContentLibraryItem -Name $Name -ContentLibrary $ContentLibrary if ($DC_Name -eq ""){ $Datacenter = Get-Datacenter | Get-Random } else { $Datacenter = Get-Datacenter -Name $DC_Name } if ($VMHost_Name -eq ""){ $VMHost = Get-VMHost | Get-Random } else { $VMHost = Get-VMHost -Name $VMHost_Name } if ($Datastore_Name -eq ""){ $Datastore = Get-Datastore | Get-Random } else { $Datastore = Get-Datastore -Name $Datastore_Name } $isTemplate = Get-Template $Name -ErrorAction SilentlyContinue if ($null -ne $isTemplate) { Write-Host -ForegroundColor Yellow "la plantilla existe en local hay que borrarla" Remove-Template $Name -DeletePermanently -Confirm:$false } $Cluster = $Datacenter | Get-Cluster | Get-Random # SPLATTING WITH HASH TABLE $HashArgumentsVM = @{ Name = $Template.Name ContentLibraryItem = $Template ResourcePool = $Cluster VMHost = $VMHost Datastore = $Datastore DiskStorageFormat = 'Thin' } # Deploy VM $vm_obj = New-VM @HashArgumentsVM Set-VM $vm_obj -ToTemplate -Confirm:$false } catch [VMware.VimAutomation.ViCore.Types.V1.ErrorHandling.InvalidLogin]{ Write-Host "Permission issue" $status = $false } catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException]{ Write-Host "Cannot connect to vCenter Server" $status = $false } catch { Write-Host "Exception Type: $($PSItem.Exception.GetType().FullName)" -ForegroundColor Cyan Write-Host "Exception UnderlyingSystemType: $($PSItem.Exception.GetType().UnderlyingSystemType)" -ForegroundColor Cyan Write-Host "Exception Message: $($PSItem.Exception.Message)" -ForegroundColor Red $status = $false } } end { $later = Get-Date $nts = New-TimeSpan -Start $now -End $later Write-Host -ForegroundColor Green "La copia de la plantilla ha tardado: " $nts.ToString("d'.'hh':'mm':'ss") return $status } } #End Function ConvertTo-Template function Get-VIAlerts { <# .SYNOPSIS Function to retrieve Active Alerts. .DESCRIPTION Function to retrieve Active Alerts. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VIAlerts .NOTES NAME: Get-VIAlerts AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param () begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $Alarm_obj = @() } process { $SInstance = Get-View ServiceInstance $RootFolder = Get-View -Id $SInstance.Content.RootFolder $Alarms = $RootFolder.TriggeredAlarmState foreach ($Alarm in $Alarms){ $Entity = Get-View -Id $Alarm.Entity -Property Name $Alarm_details = Get-View -Id $Alarm.Alarm -Property Info $Alarm_obj += [PSCustomObject]@{ Entity = $Entity.Name Time = $Alarm.Time OverallStatus = $Alarm.OverallStatus Acknowledged = $Alarm.Acknowledged Alarm = $Alarm_details.Info.Name Description = $Alarm_details.Info.Description } } } end { return $Alarm_obj } }#End Function Get-VIAlerts function Get-VMCustomizationSpec { <# .SYNOPSIS Function to retrieve info of Get-OSCustomizationSpec and Get-OSCustomizationNicMapping. .DESCRIPTION Function to retrieve info of Get-OSCustomizationSpec and Get-OSCustomizationNicMapping. .PARAMETER CProfile A vSphere OSCustomizationSpecImpl object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMCustomizationSpec -CProfile CP_Linux_Suse_12 .EXAMPLE PS> Get-OSCustomizationSpec | Get-VMCustomizationSpec .NOTES NAME: Get-VMCustomizationSpec AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$CProfiles ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $CProfile_obj = @() } process { foreach ($CProfile in $CProfiles) { $CProfile = Get-OSCustomizationSpec $CProfile $ProfileNic = $CProfile | Get-OSCustomizationNicMapping $CProfile_obj += [PSCustomObject]@{ Name = $CProfile.Name Description = $CProfile.Description AutoLogonCount = $CProfile.AutoLogonCount ChangeSid = $CProfile.ChangeSid Type = $CProfile.Type OSType = $CProfile.OSType LastUpdate = $CProfile.LastUpdate Server = $CProfile.Server TimeZone = $CProfile.TimeZone Workgroup = $CProfile.Workgroup IPMode = $ProfileNic.IPMode IPAddress = $ProfileNic.IPAddress SubnetMask = $ProfileNic.SubnetMask DefaultGateway = $ProfileNic.DefaultGateway AlternateGateway = $ProfileNic.AlternateGateway DnsServer = $CProfile.DnsServer DnsSuffix = $CProfile.DnsSuffix Domain = $CProfile.Domain }#EndPSCustomObject } } end { return $CProfile_obj } }#End Function Get-VMCustomizationSpec function Get-VMConfig { <# .SYNOPSIS Function to retrieve Configuration info of a VM. .DESCRIPTION Function to retrieve Configuration info of a VM. .PARAMETER VM A vSphere VM object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMConfig -VM VM01, VM02 .EXAMPLE PS> Get-VM VM01, VM02 | Get-VMConfig .NOTES NAME: Get-VMConfig AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$VM ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $VMConfig_obj = @() $excludedFolders = "Datacenters","vm","host","Network","Datastore" } process { foreach ($VMName in $VM) { $VMName = Get-VM $VMName $VMDT = $VMName | Get-Datastore $vSwitch = $VMName | Get-VirtualSwitch $vPortGroup = $VMName | Get-VirtualPortGroup $VMDisks = $VMName | Get-HardDisk | Select-Object Parent, Name, StorageFormat, CapacityGB, Filename $VMView = $VMName | Get-View $Folder = Get-Folder -Id $VMView.Parent #Calculamos el folder path de la VM $FolderPath = $Folder.Name while($Folder.Parent){ $Folder = Get-View $Folder.Parent if($excludedFolders -notcontains $Folder.Name){ $FolderPath = $Folder.Name + "\" + $FolderPath } } #Es necesario volver a inicializar $Folder porque la variable la hemos usado para ir calculando los padres. $Folder = Get-Folder -Id $VMView.Parent $VMConfig_obj += [PSCustomObject]@{ Name = $VMName.Name Folder = $Folder.Name FolderPath = $FolderPath PowerState = $VMName.PowerState NumCpu = $VMName.NumCpu MemoryGB = $VMName.MemoryGB MemoryHotAddEnabled = $VMView.Config.MemoryHotAddEnabled CpuHotAddEnabled = $VMView.Config.CpuHotAddEnabled CpuHotRemoveEnabled = $VMView.Config.CpuHotRemoveEnabled MaxCpuUsage = $VMView.Runtime.MaxCpuUsage MaxMemoryUsage = $VMView.Runtime.MaxMemoryUsage OverallCpuUsage = $VMView.Summary.QuickStats.OverallCpuUsage OverallCpuDemand = $VMView.Summary.QuickStats.OverallCpuDemand GuestMemoryUsage = $VMView.Summary.QuickStats.GuestMemoryUsage VMMemoryUsage = $VMView.Summary.QuickStats.HostMemoryUsage Uptime = (New-TimeSpan -Seconds $VMView.Summary.QuickStats.UptimeSeconds).ToString("d'.'hh':'mm':'ss") VMHost = $VMName.VMHost UsedSpaceGB = [math]::Round($VMName.UsedSpaceGB, 2) ProvisionedSpaceGB = [math]::Round($VMName.ProvisionedSpaceGB, 2) CreateDate = $VMName.CreateDate OSFullName = $VMName.Guest.OSFullName "VMTools Version" = $VMView.Config.Tools.ToolsVersion IPAddress = $VMName.Guest.IPAddress Nics = $VMName.Guest.Nics Datastore_Name = $VMDT.Name VirtualSwitch = $vSwitch.Name vPortGroup = $vPortGroup.Name VLanId = $vPortGroup.VLanId Disks = $VMDisks }#EndPSCustomObject } } end { return $VMConfig_obj } }#End Function Get-VMConfig function Get-VMHostCDPInfo { <# .SYNOPSIS Function to retrieve the information about the uplink Cisco switch and related configured physical switch ports with CDP. .DESCRIPTION Function to retrieve the information about the uplink Cisco switch and related configured physical switch ports with CDP. .PARAMETER VMHost A vSphere ESXi Host object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMHostCDPInfo -VMHost ESXi01, ESXi02 .EXAMPLE PS> Get-VMHost ESXi01,ESXi02 | Get-VMHostCDPInfo .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli https://kb.vmware.com/s/article/1007069 https://www.powershellgallery.com/packages/PowerCLITools/1.0.1/Content/Functions%5CGet-VMHostNetworkAdapterCDP.psm1 #> [CmdletBinding()][OutputType('System.Management.Automation.PSObject')] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$VMHost ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $VMHostCDPinfo_obj = @() } process { try { foreach ($vHost in $VMHost) { $vHost = Get-VMHost $VMHost if ($vHost.ConnectionState -ne "Connected") { Write-Host "Host $($vHost) state is not connected, skipping." } else { $HostNetworkSystem = Get-View $vHost.ExtensionData.ConfigManager.NetworkSystem $vSwitches = $HostNetworkSystem.NetworkInfo.Vswitch foreach ($vSwitch in $vSwitches){ $PNICs = $vSwitch.Pnic foreach ($PNIC in $PNICs){ #En PNIC tengo esto: key-vim.host.PhysicalNic-vmnic10. Para el QueryNetworkHint necesito solo el Device Name. $PNICDevice = $PNIC.split("-")[-1] $PNicHintInfo = $HostNetworkSystem.QueryNetworkHint($PNICDevice) if ($PNicHintInfo.ConnectedSwitchPort){ $Connected = $true } else { $Connected = $false } $VMHostCDPinfo_obj += [PSCustomObject]@{ VMHost = $vHost.Name vSwitch = $vSwitch.Name NIC = $PNICDevice Connected = $Connected Switch = $PNicHintInfo.ConnectedSwitchPort.DevId HardwarePlatform = $PNicHintInfo.ConnectedSwitchPort.HardwarePlatform SoftwareVersion = $PNicHintInfo.ConnectedSwitchPort.SoftwareVersion MangementAddress = $PNicHintInfo.ConnectedSwitchPort.MgmtAddr PortId = $PNicHintInfo.ConnectedSwitchPort.PortId }#EndPSCustomObject } } } } } catch [Exception] { throw "Unable to retreive CDP info" } } end { return $VMHostCDPinfo_obj } }#End Function Get-VMHostCDPInfo function Get-VMHostConfig { <# .SYNOPSIS Function to retrieve the Configuration info of a vSphere host. .DESCRIPTION Function to retrieve the Configuration info of a vSphere host. .PARAMETER VMHost A vSphere ESXi Host object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMHostConfig -VMHost ESXi01, ESXi02 .EXAMPLE PS> Get-VMHost ESXi01,ESXi02 | Get-VMHostConfig .NOTES NAME: Get-VMHostConfig AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$VMHost ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $VMHostConfig_obj = @() } process { foreach ($vHost in $VMHost) { $vHost = Get-VMHost $VMHost $HostDTlist = $vHost | Get-Datastore $VMHostView = $vHost | Get-View $VMHostConfig_obj += [PSCustomObject]@{ Name = $vHost.Name ConnectionState = $vHost.ConnectionState PowerState = $vHost.PowerState OverallStatus = $VMHostView.Summary.OverallStatus Manufacturer = $vHost.Manufacturer Model = $vHost.Model NumCpuSockets = $VMHostView.Summary.Hardware.NumCpuPkgs NumCpuCores = $vHost.NumCpu NumCpuThreads = $VMHostView.Summary.Hardware.NumCpuThreads NumNics = $VMHostView.Summary.Hardware.NumNics NumHBAs = $VMHostView.Summary.Hardware.NumHBAs CpuTotalMhz = $vHost.CpuTotalMhz CpuUsageMhz = $vHost.CpuUsageMhz MemoryTotalGB = [math]::Round($vHost.MemoryTotalGB, 2) MemoryUsageGB = [math]::Round($vHost.MemoryUsageGB, 2) ProcessorType = $vHost.ProcessorType HyperthreadingActive = $vHost.HyperthreadingActive MaxEVCMode = $vHost.MaxEVCMode Uptime = (New-TimeSpan -Seconds $VMHostView.Summary.QuickStats.Uptime).ToString("d'.'hh':'mm':'ss") ManagementServerIp = $VMHostView.Summary.ManagementServerIp VMSwapfileDatastore = $vHost.VMSwapfileDatastore Datastores = $HostDTlist }#EndPSCustomObject } } end { return $VMHostConfig_obj } }#End Function Get-VMHostConfig function Get-VMHostNetworkConfig { <# .SYNOPSIS Function to retrieve the Network Configuration info of a vSphere host. .DESCRIPTION Function to retrieve the Network Configuration info of a vSphere host. .PARAMETER VMHost A vSphere ESXi Host object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMHostNetworkConfig -VMHost ESXi01, ESXi02 .EXAMPLE PS> Get-VMHost ESXi01,ESXi02 | Get-VMHostNetworkConfig .NOTES NAME: Get-VMHostNetworkConfig AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$VMHost ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $VMHostNetworkConfig_obj = @() } process { foreach ($vHost in $VMHost) { $vHost = Get-VMHost $VMHost $vSwitches = $vHost | Get-VirtualSwitch -Standard $vDSwitches = $vHost | Get-VDSwitch #Standard Switches foreach ($vSwitch in $vSwitches) { $vPortGroups = $vSwitch | Get-VirtualPortGroup foreach ($vPortGroup in $vPortGroups){ $VMHostNetworkConfig_obj += [PSCustomObject]@{ VMHost = $vHost VirtualSwitch = $vSwitch.Name vPortGroup = $vPortGroup.Name Nic = [string]$vSwitch.Nic VLanId = $vPortGroup.VLanId }#EndPSCustomObject } } #Distributed Switches foreach ($vDSwitch in $vDSwitches) { $vDSwitch = Get-VDSwitch $vDSwitch $vDPortGroups = $vDSwitch | Get-VDPortgroup foreach ($vDPortGroup in $vDPortGroups){ $vDPorts = $vDPortGroup | Get-VDPort $VMHostNetworkConfig_obj += [PSCustomObject]@{ VMHost = $vHost VirtualSwitch = $vDSwitch.Name vPortGroup = $vDPortGroup.Name VLanId = $vDPortGroup.VlanConfiguration }#EndPSCustomObject } } } } end { return $VMHostNetworkConfig_obj } } #End Function Get-VMHostNetworkConfig function Get-VMHostPhysicalAdapterStatus { <# .SYNOPSIS Function to retrieve the information about the status vmnics. .DESCRIPTION Function to retrieve the information about the status vmnics. .PARAMETER VMHost A vSphere ESXi Host object .INPUTS System.Management.Automation.PSObject. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMHostPhysicalAdapterStatus -VMHost ESXi01, ESXi02 .EXAMPLE PS> Get-VMHost ESXi01,ESXi02 | Get-VMHostPhysicalAdapterStatus .EXAMPLE PS> Get-VMHost ESXi01 | Get-VMHostNetworkAdapter | Where-Object {$PSItem.Name -eq "vmnicX"} | Get-VMHostPhysicalAdapterStatus .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli https://kb.vmware.com/s/article/1007069 https://github.com/anksos/vmware-scripts/blob/master/Get-ObservedIPRange.ps1 #> [CmdletBinding()][OutputType('System.Management.Automation.PSObject')] param ( [parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [string[]]$VMHost ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $VMHostPhysicalAdapterStatus_obj = @() } process { try { foreach ($vHost in $VMHost) { $vHost = Get-VMHost $VMHost if ($vHost.ConnectionState -ne "Connected") { Write-Host "Host $($vHost) state is not connected, skipping." } else { $HostNetworkSystem = Get-View $vHost.ExtensionData.ConfigManager.NetworkSystem $PNICs = $HostNetworkSystem.NetworkInfo.Pnic foreach ($PNIC in $PNICs){ $PNicHintInfo = $HostNetworkSystem.QueryNetworkHint($PNIC.Device) if ($PNicHintInfo.ConnectedSwitchPort){ $Connected = $true } else { $Connected = $false } foreach ($subnet in $PNicHintInfo.subnet){ $VMHostPhysicalAdapterStatus_obj += [PSCustomObject]@{ VMHost = $vHost.Name NIC = $PNIC.Device Connected = $Connected IPSubnet = $subnet.IPSubnet VlanId = $subnet.VlanId }#EndPSCustomObject } } } } } catch [Exception] { throw "Unable to retreive Status physical nic info" } } end { return $VMHostPhysicalAdapterStatus_obj } }#End Function Get-VMHostPhysicalAdapterStatus function Get-VMwareLicenses { <# .SYNOPSIS Function to retrieve all assigned licenses of a vSphere host and vCenter. .DESCRIPTION Function to retrieve all assigned licenses of a vSphere host and vCenter. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Get-VMwareLicenses vCenter : VCSA01.contoso.com EntityDisplayName : EXS01.contoso.com LicenseKey : XXXXX-XXXXX-XXXXX-XXXXX-XXXXX LicenseName : VMware vSphere 6 Standard ExpirationDate : 01/01/2021 0:00:00 .NOTES NAME: Get-VMwareLicenses AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $AssignedLic_obj = @() } process { foreach ($VCSA in $global:DefaultVIServers) { $licMgr = Get-View LicenseManager -Server $VCSA $licAssignmentMgr = Get-View -Id $licMgr.LicenseAssignmentManager -Server $VCSA $AssignedLics = $licAssignmentMgr.QueryAssignedLicenses($VCSA.InstanceUid) foreach ($AssignedLic in $AssignedLics){ $AssignedLic_obj += [PSCustomObject]@{ vCenter = $VCSA.Name EntityDisplayName = $AssignedLic.EntityDisplayName LicenseKey = $AssignedLic.AssignedLIcense.LicenseKey LicenseName = $AssignedLic.AssignedLicense.Name ExpirationDate = $AssignedLic.Properties.value.Properties.where{$_.Key -eq 'expirationDate'}.Value }#EndPSCustomObject } } } end { return $AssignedLic_obj } } #End Function Get-VMwareLicenses Function Get-SerialPort { Param ( [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)] $VM ) Process { Foreach ($VMachine in $VM) { Foreach ($Device in $VMachine.ExtensionData.Config.Hardware.Device) { If ($Device.gettype().Name -eq "VirtualSerialPort"){ $Details = New-Object PsObject $Details | Add-Member Noteproperty VM -Value $VMachine $Details | Add-Member Noteproperty Name -Value $Device.DeviceInfo.Label If ($Device.Backing.FileName) { $Details | Add-Member Noteproperty Filename -Value $Device.Backing.FileName } If ($Device.Backing.Datastore) { $Details | Add-Member Noteproperty Datastore -Value $Device.Backing.Datastore } If ($Device.Backing.DeviceName) { $Details | Add-Member Noteproperty DeviceName -Value $Device.Backing.DeviceName } $Details | Add-Member Noteproperty Connected -Value $Device.Connectable.Connected $Details | Add-Member Noteproperty StartConnected -Value $Device.Connectable.StartConnected $Details } } } } } Function Remove-SerialPort { Param ( [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)] $VM, [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)] $Name ) Process { $VMSpec = New-Object VMware.Vim.VirtualMachineConfigSpec $VMSpec.deviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec $VMSpec.deviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec $VMSpec.deviceChange[0].operation = "remove" $Device = $VM.ExtensionData.Config.Hardware.Device | ForEach-Object { $_ | Where-Object {$_.gettype().Name -eq "VirtualSerialPort"} | Where-Object { $_.DeviceInfo.Label -eq $Name } } $VMSpec.deviceChange[0].device = $Device $VM.ExtensionData.ReconfigVM_Task($VMSpec) } } Function Get-ParallelPort { Param ( [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)] $VM ) Process { Foreach ($VMachine in $VM) { Foreach ($Device in $VMachine.ExtensionData.Config.Hardware.Device) { If ($Device.gettype().Name -eq "VirtualParallelPort"){ $Details = New-Object PsObject $Details | Add-Member Noteproperty VM -Value $VMachine $Details | Add-Member Noteproperty Name -Value $Device.DeviceInfo.Label If ($Device.Backing.FileName) { $Details | Add-Member Noteproperty Filename -Value $Device.Backing.FileName } If ($Device.Backing.Datastore) { $Details | Add-Member Noteproperty Datastore -Value $Device.Backing.Datastore } If ($Device.Backing.DeviceName) { $Details | Add-Member Noteproperty DeviceName -Value $Device.Backing.DeviceName } $Details | Add-Member Noteproperty Connected -Value $Device.Connectable.Connected $Details | Add-Member Noteproperty StartConnected -Value $Device.Connectable.StartConnected $Details } } } } } Function Remove-ParallelPort { Param ( [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)] $VM, [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)] $Name ) Process { $VMSpec = New-Object VMware.Vim.VirtualMachineConfigSpec $VMSpec.deviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec $VMSpec.deviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec $VMSpec.deviceChange[0].operation = "remove" $Device = $VM.ExtensionData.Config.Hardware.Device | ForEach-Object { $_ | Where-Object {$_.gettype().Name -eq "VirtualParallelPort"} | Where-Object { $_.DeviceInfo.Label -eq $Name } } $VMSpec.deviceChange[0].device = $Device $VM.ExtensionData.ReconfigVM_Task($VMSpec) } } function Test-SecurityConfiguration { <# .SYNOPSIS Function to test security guidelines describes in the vSphere Security Configuration Guide. .DESCRIPTION Function to test security guidelines describes in the vSphere Security Configuration Guide. .OUTPUTS System.Management.Automation.PSObject. .EXAMPLE PS> Test-SecurityConfiguration .NOTES NAME: Test-SecurityConfiguration AUTHOR: CarlosDZRZ .LINK https://code.vmware.com/web/tool/12.0.0/vmware-powercli #> [CmdletBinding()] param ( ) begin { if ( -not (Get-Module VMware.VimAutomation.Core)) { Import-Module VMware.VimAutomation.Core } if ($null -eq $global:DefaultVIServers.Name) { Write-Host -ForegroundColor Red "You are not currently connected to any servers. Please connect first using a Connect-VIServer cmdlet." break } $results = $null } process { Write-Host -ForegroundColor DarkCyan "Audit the list of users who are on the Exception Users List and whether the have administrator privileges" $esxihosts = Get-VMHost $cred = Get-Credential -Message "Introduzca las credenciales de root del ESX" foreach ($esxihost in $esxihosts){ $Local:ErrorActionPreference = 'Stop' Write-Output "Host is: " $esxihost Write-Output "Exception Users from vCenter" $myhost = Get-VMHost $esxihost | Get-View $lockdown = Get-View $myhost.ConfigManager.HostAccessManager $LDusers = $lockdown.QueryLockdownExceptions() Write-Output $LDusers # Connect to each ESXi host in the cluster to retrieve the list of local users. Write-Output "Lockdown user: " $LDuser Write-Output "Connecting to: " $esxihost try{ Connect-VIServer -Server $esxihost -Credential $cred #Loop through the list of Exception Users and check to see if they have accounts on #the ESXi server and if that account in an administrator account. foreach ($LDuser in $LDusers){ Write-Output "Get-VMHostAccount" $HostAccountName = Get-VMHostAccount $LDuser -ErrorAction SilentlyContinue Write-Output "Check to see if user exists" if ($HostAccountName.Name){ Write-Output $HostAccountName.Name Write-Output "Get-VIPermission" $isadmin = Get-VIPermission -Principal $LDuser -ErrorAction SilentlyContinue | Where-Object {$_.Role -eq "Admin"} Write-Output "Admin Role: " $isadmin.Role if ($isadmin.Role -eq "Admin") { Write-Output $LDuser is an "Exception User with Admin accounts on " $esxihost } } } Disconnect-VIServer -Server $esxihost.Name -Force -Confirm:$false } catch [VMware.VimAutomation.ViCore.Types.V1.ErrorHandling.InvalidLogin]{ Write-Output "Permission issue" } catch [VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViServerConnectionException]{ Write-Output "Cannot connect to vCenter Server" } catch { Write-Output "Cannot connect to ESXi Server" } $Local:ErrorActionPreference = 'Continue' } #Check to see if the SSH Server Is running Write-Host -ForegroundColor DarkCyan "Ensure that the SSH default disablement has not been changed" foreach ($esxihost in $esxihosts){ $ServiceList = Get-VMHostService -VMhost $esxihost $SSHservice = $ServiceList | Where-Object {$_.Key -eq "TSM-SSH"} If ($SSHservice.Running -eq $true) {Write-Host -ForegroundColor DarkRed "SSH Server on host $esxihost is running"} else {Write-Host -ForegroundColor Green "SSH Server on host $esxihost is Stopped"} } # List the NTP Settings for all hosts Write-Host -ForegroundColor DarkCyan "Configure NTP time synchronization" $esxihosts | Select-Object Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}} | Format-Table -AutoSize # List Syslog.global.logDir for each host Write-Host -ForegroundColor DarkCyan "Configure persistent logging for all ESXi host" $esxihosts | Select-Object Name, @{N="Syslog.global.logDir";E={$_ | Get-AdvancedSetting Syslog.global.logDir | Select-Object -ExpandProperty Value}} | Format-Table -AutoSize # List the SNMP Configuration of a host (single host connection required) Write-Host -ForegroundColor DarkCyan "Ensure proper SNMP configuration" Get-VMHostSNMP | Format-Table -AutoSize # Check Managed Object Browser (MOB) status Write-Host -ForegroundColor DarkCyan "Disable Managed Object Browser (MOB)" $results = $esxihosts | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | ? Value -eq $false if ($null -eq $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost <host> | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -value 'false'" } else{ Write-Host -ForegroundColor Green "MOB deshabilitado en todos los ESXi" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Check each host and their domain membership status Write-Host -ForegroundColor DarkCyan "Use Active Directory for local user authentication" $esxihosts | Get-VMHostAuthentication | Select-Object VmHost, Domain, DomainMembershipStatus | Format-Table -AutoSize # Check the host profile is using vSphere Authentication proxy to add the host to the domain Write-Host -ForegroundColor DarkCyan "When adding ESXi hosts to Active Directory use the vSphere Authentication Proxy to protect passwords" $esxihosts | Select-Object Name, @{N="HostProfile";E={$_ | Get-VMHostProfile}}, @{N="JoinADEnabled";E={($_ | Get-VmHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select-Object -ExpandProperty Policy | Where-Object {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}} | Format-Table -AutoSize # List Iscsi Initiator and CHAP Name if defined Write-Host -ForegroundColor DarkCyan "Enable bidirectional CHAP, also known as Mutual CHAP, authentication for iSCSI traffic" $esxihosts | Get-VMHostHba | Where-Object {$_.Type -eq "Iscsi"} | Select-Object VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}} | Format-Table -AutoSize # To check if Lockdown mode is enabled Write-Host -ForegroundColor DarkCyan "Enable Normal Lockdown Mode to restrict access" $results = $esxihosts | Select-Object Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}} | ? Value -eq $true if ($null -eq $results){ Write-Host -ForegroundColor Yellow "El valor deseado es Enable / True" $results | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Foreach { '$_.EnterLockdownMode()' }" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | Format-Table -AutoSize } #To display the mode #$esxihosts = Get-VMHost foreach ($esxihost in $esxihosts){ $myhost = $esxihost | Get-View $lockdown = Get-View $myhost.ConfigManager.HostAccessManager Write-Output "--------------------" $lockdown.UpdateViewData() $lockdownstatus = $lockdown.LockdownMode Write-Output "Lockdown mode on $esxihost is set to $lockdownstatus" Write-Output "--------------------" } # To check if remote logging is configure Write-Host -ForegroundColor DarkCyan "Configure remote logging for ESXi hosts" $results = $esxihosts | Get-AdvancedSetting -Name Syslog.global.logHost | Where-Object{$_.Value -ne ""} if ($null -eq $results){ Write-Host -ForegroundColor Yellow "El valor deseado es tener un log server" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<insert syslog server hostname>"' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the services which are enabled and have rules defined for specific IP ranges to access the service $esxihosts | Get-VMHostFirewallException | Where-Object {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)} Select-Object VMHost,Name,Enabled,IncomingPorts,OutgoingPorts,Protocols,ServiceRunning | Format-Table -AutoSize # List the services which are enabled and do not have rules defined for specific IP ranges to access the service Write-Host -ForegroundColor DarkCyan "Configure the ESXi host firewall to restrict access to services running on the host" $esxihosts | Get-VMHostFirewallException | Where-Object {$_.Enabled -and ($_.ExtensionData.AllowedHosts.AllIP)} | Select-Object VMHost,Name,Enabled,IncomingPorts,OutgoingPorts,Protocols,ServiceRunning | Format-Table -AutoSize # Set the time after which a locked account is automatically unlocked Write-Host -ForegroundColor DarkCyan "Set the time after which a locked account is automatically unlocked" $results = $esxihosts | Get-AdvancedSetting -Name Security.AccountUnlockTime | ? value -eq "900" if ($null -eq $results){ Write-Host -ForegroundColor Yellow "El valor deseado es 900" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Security.AccountUnlockTime | Set-AdvancedSetting -Value 900" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Set the count of maximum failed login attempts before the account is locked out Write-Host -ForegroundColor DarkCyan "Set the count of maximum failed login attempts before the account is locked out" $results = $esxihosts | Get-AdvancedSetting -Name Security.AccountLockFailures $correct = $results | ? value -eq "3" if ($null -eq $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es 3" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 3" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Set DCUI.Access to allow trusted users to override lockdown mode Write-Host -ForegroundColor DarkCyan "Set DCUI.Access to allow trusted users to override lockdown mode" $esxihosts | Get-AdvancedSetting -Name DCUI.Access | Format-Table -AutoSize # Audit DCUI timeout value Write-Host -ForegroundColor DarkCyan "Audit DCUI timeout value" $results = $esxihosts | Get-AdvancedSetting -Name UserVars.DcuiTimeOut $correct = $results | ? value -eq "600" if ($null -eq $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es 600" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Establish a password policy for password complexity Write-Host -ForegroundColor DarkCyan "Establish a password policy for password complexity" $esxihosts | Get-AdvancedSetting -Name Security.PasswordQualityControl | Format-Table -AutoSize # Set a timeout to automatically terminate idle ESXi Shell and SSH sessions Write-Host -ForegroundColor DarkCyan "Set a timeout to automatically terminate idle ESXi Shell and SSH sessions" $results = $esxihosts | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut $correct = $results | ? value -eq "900" if ($null -eq $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es 900" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 900" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run Write-Host -ForegroundColor DarkCyan "Set a timeout to limit how long the ESXi Shell and SSH services are allowed to run" $results = $esxihosts | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut $correct = $results | ? value -eq "900" if ($null -eq $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es 900" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 900" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Ensure default setting for intra-VM TPS is correct Write-Host -ForegroundColor DarkCyan "Ensure default setting for intra-VM TPS is correct" $results = $esxihosts | Get-AdvancedSetting -Name Mem.ShareForceSalting $correct = $results | ? value -eq "2" if ($null -eq $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es 2" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green "Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2" } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the Software AcceptanceLevel for each host Write-Host -ForegroundColor DarkCyan "Verify Image Profile and VIB Acceptance Levels" Foreach ($VMHost in $esxihosts ) { $EsxCli = Get-EsxCli -VMHost $VMHost.Name -V2 $Vibs = $EsxCli | Select-Object VMHost, @{N="AcceptanceLevel";E={$_.software.acceptance.get.Invoke()}} $Vibs } # List only the vibs which are not at "VMwareCertified" or "VMwareAccepted" or "PartnerSupported" acceptance level $Vibs | Where-Object {($_.AcceptanceLevel -ne "VMwareCertified") -and ($_.AcceptanceLevel -ne "VMwareAccepted") -and ($_.AcceptanceLevel -ne "PartnerSupported")} | Format-Table -AutoSize # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Explicitly disable copy/paste operations" $vms = Get-VM $results = $vms | Get-AdvancedSetting -Name "isolation.tools.copy.disable" | Where-Object {$_.value -eq "false"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es true" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "isolation.tools.copy.disable" -value $true' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Explicitly disable copy/paste operations" $results = $vms | Get-AdvancedSetting -Name "isolation.tools.paste.disable" | Where-Object {$_.value -eq "false"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es true" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "isolation.tools.paste.disable" -value $true' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Disable virtual disk shrinking" $results = $vms | Get-AdvancedSetting -Name "isolation.tools.diskShrink.disable" | Where-Object {$_.value -eq "false"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es true" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "isolation.tools.diskShrink.disable" -value $true' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Disable virtual disk shrinking" $results = $vms | Get-AdvancedSetting -Name "isolation.tools.diskWiper.disable" | Where-Object {$_.value -eq "false"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es true" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "isolation.tools.diskWiper.disable" -value $true' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } #List the VM's and their disk types Write-Host -ForegroundColor DarkCyan "Avoid using independent nonpersistent disks" $results = $vms | Get-HardDisk | Where-Object {$_.Persistence -ne "Persistent"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es Persistent" $results | %{Write-Host -ForegroundColor DarkRed $_.Parent $_.Name $_.Filename $_.DiskType $_.Persistence} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | Get-HardDisk | Set-HardDisk' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Parent $_.Name $_.Filename $_.DiskType $_.Persistence} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Disable 3D features on Server and desktop virtual machines" $results = $vms | Get-AdvancedSetting -Name "mks.enable3d" | Where-Object {$_.value -eq "true"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "mks.enable3d" -value $false' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Check for Floppy Devices attached to VMs Write-Host -ForegroundColor DarkCyan "Disconnect unauthorized devices" $results = $vms | Get-FloppyDrive | Select-Object Parent, Name, ConnectionState | Format-Table -AutoSize # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html # Check for Parallel ports attached to VMs Write-Host -ForegroundColor DarkCyan "Disconnect unauthorized devices" $vms | Get-ParallelPort | Format-Table -AutoSize # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html # Check for Serial ports attached to VMs Write-Host -ForegroundColor DarkCyan "Disconnect unauthorized devices" $vms | Get-SerialPort | Format-Table -AutoSize # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Disable all but VGA mode on specific virtual machines" $results = $vms | Get-AdvancedSetting -Name "svga.vgaOnly" | Where-Object {$_.value -eq "true"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "svga.vgaOnly" -value $true' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Limit informational messages from the VM to the VMX file" $results = $vms | Get-AdvancedSetting -Name "tools.setInfo.sizeLimit" | Where-Object {$_.Value -gt "1048576"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es menor que 1048576" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Get-VM | New-AdvancedSetting -Name "tools.setInfo.sizeLimit" -value 1048576' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Control access to VM console via VNC protocol" $results = $vms | Get-AdvancedSetting -Name "RemoteDisplay.vnc.enabled" | Where-Object {$_.Value -eq "True"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "RemoteDisplay.vnc.enabled" -value $false' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Do not send host information to guests" $results = $vms | Get-AdvancedSetting -Name "tools.guestlib.enableHostInfo"| Where-Object {$_.Value -eq "True"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "tools.guestlib.enableHostInfo" -value $false' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Check for enablement of salted VM's that are sharing memory pages" $vms | Get-AdvancedSetting -Name "Mem.ShareForceSalting" | Where-Object {$_.Value -eq "1"} | Select-Object Entity, Name, Value | Format-Table -AutoSize # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Control access to VMs through the dvfilter network APIs" $vms | Get-AdvancedSetting -Name "ethernet*.filter*.name*" | Select-Object Entity, Name, Value | Format-Table -AutoSize # List the VMs and their current settings Write-Host -ForegroundColor DarkCyan "Audit all uses of PCI or PCIe passthrough functionality" $results = $vms | Get-AdvancedSetting -Name "pciPassthru*.present" if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es ''" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VM | New-AdvancedSetting -Name "pciPassthru*.present" -value ""' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Enable BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled Write-Host -Fore DarkCyan "Enable BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled" $results = $esxihosts | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Where-Object {$_.Value -eq "0"} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es 1" $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Net.BlockGuestBPDU | Set-AdvancedSetting -Value 1' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } # Enable VDS network healthcheck only if you need it Write-Host -ForegroundColor DarkCyan "Enable VDS network healthcheck only if you need it" $vds = Get-VDSwitch $results = $vds.ExtensionData.Config.HealthCheckConfig $correct = $results | Where-Object {$_.Enable -eq "True"} if ($null -ne $correct){ Write-Host -ForegroundColor Yellow "El valor deseado es Disable" $vds | %{Write-Host -ForegroundColor DarkRed $_.Name; $_.ExtensionData.Config.HealthCheckConfig | Format-Table -AutoSize} Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}), (New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $vds | %{Write-Host -ForegroundColor Green $_.Name; $_.ExtensionData.Config.HealthCheckConfig | Format-Table -AutoSize} } # Ensure that the "Forged Transmits" policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the Forged Transmits policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Switch" foreach ($esxihost in $esxihosts){ $results = Get-VDSwitch -VMHost $esxihost | Get-VDSecurityPolicy | Where-Object{$_.ForgedTransmits -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VDPortgroup | Where-Object{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Where-Object{$_.ForgedTransmits -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDPortgroup | ?{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $false' } } # Ensure that the "Forged Transmits" policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the Forged Transmits policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Switch" foreach ($esxihost in $esxihosts){ $results = Get-VirtualSwitch -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.ForgedTransmits -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmits $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VirtualPortGroup -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.ForgedTransmits -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -ForgedTransmitsInherited $true' } } # Ensure that the “MAC Address Changes” policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the MAC Address Changes policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Switch" foreach ($esxihost in $esxihosts){ $results = Get-VDSwitch -VMHost $esxihost | Get-VDSecurityPolicy | Where-Object{$_.MacChanges -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VDPortgroup | Where-Object{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Where-Object{$_.MacChanges -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -MacChanges $false' } } # Ensure that the “MAC Address Changes” policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the MAC Address Changes policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Switch" foreach ($esxihost in $esxihosts){ $results = Get-VirtualSwitch -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.MacChanges -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -MacChanges $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VirtualPortGroup -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.MacChanges -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -MacChangesInherited $true' } } # Ensure that the “Promiscuous Mode” policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the Promiscuous Mode policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Switch" foreach ($esxihost in $esxihosts){ $results = Get-VDSwitch -VMHost $esxihost | Get-VDSecurityPolicy | Where-Object{$_.AllowPromiscuous -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDSwitch | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Distributed Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VDPortgroup | Where-Object{$_.IsUplink -eq $false} | Get-VDSecurityPolicy | Where-Object{$_.AllowPromiscuous -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VDPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -AllowPromiscuous $false' } } # Ensure that the “Promiscuous Mode” policy is set to reject Write-Host -ForegroundColor DarkCyan "Ensure that the Promiscuous Mode policy is set to reject" Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Switch" foreach ($esxihost in $esxihosts){ $results = Get-VirtualSwitch -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.AllowPromiscuous -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false' } } Write-Host -ForegroundColor DarkCyan "Show security Policy Virtual Port Group" foreach ($esxihost in $esxihosts){ $results = Get-VirtualPortGroup -VMHost $esxihost -Standard | Get-SecurityPolicy | Where-Object{$_.AllowPromiscuous -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor deseado es false" Write-Host -ForegroundColor Green $esxihost.Name $results | ft -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true' } } # Ensure that VDS Netflow traffic is only being sent to authorized collector IPs Write-Host -ForegroundColor DarkCyan "Ensure that VDS Netflow traffic is only being sent to authorized collector IPs" $results = Get-VDPortgroup | Select-Object Name, VDSwitch, @{Name="NetflowEnabled";Expression={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}} | Where-Object {$_.NetflowEnabled -eq $true} if ($null -ne $results){ Write-Host -ForegroundColor Yellow "El valor por defecto es False" $results | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: # Disable Netfow for a VDPortgroup $DPortgroup = <name of portgroup> Get-VDPortgroup $DPortGroup | Disable-PGNetflow #Function for Disable-PGNetflow #From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | Format-Table -AutoSize } # Restrict port-level configuration overrides on VDS Write-Host -ForegroundColor DarkCyan "Restrict port-level configuration overrides on VDS " Get-VDPortgroup | Get-VDPortgroupOverridePolicy | Format-Table -AutoSize # Audit use of dvfilter network APIs Write-Host -ForegroundColor DarkCyan "Audit use of dvfilter network APIs" $results = $esxihosts | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Where-Object{$_.Value -ne ""} if ($null -ne $results){ Write-Host -ForegroundColor Yellow 'El valor por defecto es ""' $results | %{Write-Host -ForegroundColor DarkRed $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize Write-Host -ForegroundColor Green 'Para solucionar el problema: Get-VMHost | Get-AdvancedSetting -Name Net.DVFilterBindIpAddress | Set-AdvancedSetting -Value ""' } else{ Write-Host -ForegroundColor Green "Configuracion correcta" $results | %{Write-Host -ForegroundColor Gray $_.Entity.Name $_.Name $_.Value} | Format-Table -AutoSize } } end { } } #End Function Test-SecurityConfiguration |