Monday, July 20, 2015

Audit your guest VMs to check for unused Advanced VM Settings

I'm a big fan of using PowerShell in VMware systems management. Whenever I have a long repetitive task I look for a way to script it so I can speed up the process.

I was working on some security auditing tasks and one of the requirements in the VMware hardening guide is to make sure that none of your VM Guests have any advanced settings that may be left over from VMware Workstation or VMware Fusion. VMware actually says that security-conscious organizations should explicitly disable these settings.

See VMware hardening recommendation here.
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-60E83710-8295-41A2-9C9D-83DEBB6872C2.html

In any environment it would take a long time to check every VM one at a time and look for all of these settings.

I did some research and put together a script that can check every guest VM, look for all of these settings, and export the findings into a single .csv file to sort. This is a great tool to help you audit your environment and provide proof to your security team.

Disclaimer, I'm not an expert PowerShell coder. I'm sure there are more efficient ways to do this. Feel free to drop a comment on how to make this code better.
All code is downloaded and used at your own risk. Be sure to understand what the code is doing.

Below is the PowerShell script needed to run this audit.

 
# Change as needed to connect to a different Virtual Center
Connect-VIServer -Server "yourvcentername"

# Define which cluster to scan
$Cluster = "yourclustername"

# Define the settings you want to look for in each VMX file
$AdvSettings = "tools.guestlib.enableHostInfo","isolation.tools.ghi.autologon.disable","isolation.bios.bbs.disable","isolation.tools.getCreds.disable","isolation.tools.ghi.launchmenu.change","isolation.tools.memSchedFakeSampleStats.disable","isolation.tools.ghi.protocolhandler.info.disable",
"isolation.ghi.host.shellAction.disable","isolation.tools.dispTopoRequest.disable","isolation.tools.trashFolderState.disable","isolation.tools.ghi.trayicon.disable","isolation.tools.unity.disable","isolation.tools.unityInterlockOperation.disable",
"isolation.tools.unity.push.update.disable","isolation.tools.unity.taskbar.disable","isolation.tools.unityActive.disable","isolation.tools.unity.windowContents.disable","isolation.tools.vmxDnDVersionGet.disable","isolation.tools.guestDnDVersionSet.disable"

# Get the list of VMs once instead of once per setting
$VMs = Get-Cluster -Name $Cluster | Get-VM

# Check every VM for every setting. The Setting column is left empty
# when the key is not present in the VMX file.
$Results = foreach ($AdvSetting in $AdvSettings)
{
    foreach ($VM in $VMs)
    {
        [pscustomobject]@{
            Name    = $VM.Name
            Key     = $AdvSetting
            Setting = (Get-AdvancedSetting -Entity $VM -Name $AdvSetting).Value
        }
    }
}

# Export the results (with the Name, Key, Setting column header) to a csv file
$Results | Export-Csv -Path .\Output.csv -NoTypeInformation -Encoding ASCII
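
One way to turn the rows in Output.csv into findings, as an added example that is not part of the original post. The expected values (TRUE for every key except tools.guestlib.enableHostInfo, which is expected to be FALSE) and the function names Get-ExpectedValue and Test-AdvSettingRow are assumptions; check the values against the version of the hardening guide you audit against. The sample rows are constructed.

```powershell
# Assumption: expected values follow the hardening guide linked above.
# Every key is expected TRUE except tools.guestlib.enableHostInfo (FALSE).
function Get-ExpectedValue {
    param([string]$Key)
    if ($Key -eq 'tools.guestlib.enableHostInfo') { 'FALSE' } else { 'TRUE' }
}

# Hypothetical helper: classifies one Name/Key/Setting row from the audit output.
function Test-AdvSettingRow {
    param([Parameter(ValueFromPipeline = $true)]$Row)
    process {
        # Skip blank rows (for example an empty placeholder row under the header)
        if (-not $Row.Name) { return }

        $expected = Get-ExpectedValue -Key $Row.Key
        $actual   = "$($Row.Setting)".Trim()

        # An empty value means the key is not explicitly set in the VMX file,
        # which still counts as a finding. -eq is case-insensitive for strings.
        if ($actual -eq '') { $status = 'NotSet' }
        elseif ($actual -eq $expected) { $status = 'Compliant' }
        else { $status = 'NonCompliant' }

        [pscustomobject]@{
            Name     = $Row.Name
            Key      = $Row.Key
            Setting  = $actual
            Expected = $expected
            Status   = $status
        }
    }
}

# Constructed sample rows in the same Name, Key, Setting layout as Output.csv
$sample = @'
"Name","Key","Setting"
"web01","isolation.tools.unity.disable","TRUE"
"web01","tools.guestlib.enableHostInfo","TRUE"
"db01","isolation.tools.unity.disable",""
"db01","isolation.bios.bbs.disable","false"
'@ | ConvertFrom-Csv

# Keep only the rows that need attention, grouped by VM name for review
$findings = $sample | Test-AdvSettingRow | Where-Object { $_.Status -ne 'Compliant' }
$findings | Sort-Object Name, Key
```

To run it against a real audit, replace the constructed sample with Import-Csv .\Output.csv piped into Test-AdvSettingRow.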

