Avoiding the VMware Compliance Checker Headache – PowerCLI to the rescue.
This is a guest post by Andy Grant.
In Vladan's post Free compliance checker for VMware vSphere he introduced one of VMware's free audit and compliance tools. This can be a great way to kick-start a discussion with your Information Assurance (security) department regarding the virtues of virtual infrastructure security. Being proactive in managing all aspects of a virtual environment sure beats having your boss walk into your office with an audit report and demand answers to questions nobody had asked before 🙂
Short of running the VMware HealthAnalyzer, the VMware Compliance Checker (VMCC) provides a quick and easy way to better understand the security implications of your system designs. One of the challenges after running the audit scan is that many of the findings call for changes to the advanced configuration (the .vmx settings) of each individual VM. In any enterprise environment, if the corrective actions cannot be scripted then you are in for a headache. Thankfully we have PowerCLI to the rescue.
While I must admit that I have never been very good at coding or scripting, I forced myself to begin learning PowerCLI to manage the ever-growing vSphere environments that I am involved in. I can wholeheartedly recommend the book VMware vSphere PowerCLI Reference, co-authored by VMware Communities member LucD.
Not wanting to edit the .vmx file of every VM in the environment by hand, I began searching for other ways of entering the configuration parameters. Chapter 12 of the PowerCLI Reference book provides a code example that can be used to automate this procedure; the book uses VMX01 from the Hardening Guide as its example. I would actually recommend reviewing both Hardening Guides for all of the VM configuration options that VMCC covers:
The VMware vSphere 4.0 Security Hardening Guide & the VMware vSphere 4.1 Security Hardening Guide.
Using the example script and the hardening guides, I added all the VM options audited by VMCC and came up with the following:
# Connect to vCenter
$vCenter = Read-Host "Enter your vCenter servername"
Connect-VIServer $vCenter -Protocol HTTPS
$targetcluster = Read-Host "Enter the target cluster"
# Set up the VirtualMachineConfigSpec object. Every OptionValue appended to its
# ExtraConfig array becomes one advanced (.vmx) setting on the reconfigured VM.
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Add new options as necessary
# -----------------------------
# VMX01 - Prevent virtual disk shrinking
$VMX01a = New-Object VMware.Vim.OptionValue
$VMX01a.Key = "isolation.tools.diskShrink.disable"
$VMX01a.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX01a
$VMX01b = New-Object VMware.Vim.OptionValue
$VMX01b.Key = "isolation.tools.diskWiper.disable"
$VMX01b.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX01b
# VMX02 - Prevent other users from spying on administrator remote consoles
$VMX02 = New-Object VMware.Vim.OptionValue
$VMX02.Key = "RemoteDisplay.maxConnections"
$VMX02.Value = "1"
$vmConfigSpec.ExtraConfig += $VMX02
# VMX03 - Disable copy/paste to remote console
$VMX03a = New-Object VMware.Vim.OptionValue
$VMX03a.Key = "isolation.tools.copy.disable"
$VMX03a.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX03a
$VMX03b = New-Object VMware.Vim.OptionValue
$VMX03b.Key = "isolation.tools.paste.disable"
$VMX03b.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX03b
$VMX03c = New-Object VMware.Vim.OptionValue
$VMX03c.Key = "isolation.tools.dnd.disable"
$VMX03c.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX03c
$VMX03d = New-Object VMware.Vim.OptionValue
$VMX03d.Key = "isolation.tools.setGUIOptions.enable"
$VMX03d.Value = "FALSE"
$vmConfigSpec.ExtraConfig += $VMX03d
# VMX11 - Prevent unauthorized removal, connection and modification of devices
$VMX11a = New-Object VMware.Vim.OptionValue
$VMX11a.Key = "isolation.device.connectable.disable"
$VMX11a.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX11a
$VMX11b = New-Object VMware.Vim.OptionValue
$VMX11b.Key = "isolation.device.edit.disable"
$VMX11b.Value = "TRUE"
$vmConfigSpec.ExtraConfig += $VMX11b
# VMX12 - Disable VM-to-VM communication through VMCI
$VMX12 = New-Object VMware.Vim.OptionValue
$VMX12.Key = "vmci0.unrestricted"
$VMX12.Value = "FALSE"
$vmConfigSpec.ExtraConfig += $VMX12
# VMX20 - Limit virtual machine log file size and number
$VMX20a = New-Object VMware.Vim.OptionValue
$VMX20a.Key = "log.rotateSize"
$VMX20a.Value = "1000000"
$vmConfigSpec.ExtraConfig += $VMX20a
$VMX20b = New-Object VMware.Vim.OptionValue
$VMX20b.Key = "log.keepOld"
$VMX20b.Value = "10"
$vmConfigSpec.ExtraConfig += $VMX20b
# VMX21 - Limit informational messages from the virtual machine to the VMX file
$VMX21 = New-Object VMware.Vim.OptionValue
$VMX21.Key = "tools.setInfo.sizeLimit"
$VMX21.Value = "1048576"
$vmConfigSpec.ExtraConfig += $VMX21
# Apply the spec to every VM in the target cluster. This reconfigures each VM
# unconditionally, compliant or not. The values are written to the VM's .vmx
# (and to what vCenter and VMCC report) immediately, but the isolation.* options
# are read at power-on, so a running VM only honours them after a full power
# cycle; a guest OS reboot is not enough.
Get-Cluster $targetcluster | Get-VM | %{
    $_.ExtensionData.ReconfigVM($vmConfigSpec)
}
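The script above pushes the same spec to every VM whether or not it needs it, and it gives you no report of what was wrong beforehand. The following is an added example (my own code, not part of Andy's post or of the PowerCLI Reference) that reads each VM's stored advanced settings, lists every key that is missing or differs from the hardening-guide value, and then reconfigures only the VMs that are out of compliance, with only the keys that deviate. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function names, the $ExpectedVmx table and the -ReportOnly switch are my own inventions, while the keys and values are the ones from the script above.

```powershell
# Added example, not code from the original post: audit the VMs in a cluster
# against the VMCC-checked VMX options, report deviations, remediate only what
# deviates. Assumes an existing Connect-VIServer session.

# Expected advanced (.vmx) options. PowerShell hashtable lookups and -eq/-ne on
# strings are case-insensitive, which matches vSphere's handling of TRUE/true.
$ExpectedVmx = @{
    'isolation.tools.diskShrink.disable'   = 'TRUE'     # VMX01
    'isolation.tools.diskWiper.disable'    = 'TRUE'     # VMX01
    'RemoteDisplay.maxConnections'         = '1'        # VMX02
    'isolation.tools.copy.disable'         = 'TRUE'     # VMX03
    'isolation.tools.paste.disable'        = 'TRUE'     # VMX03
    'isolation.tools.dnd.disable'          = 'TRUE'     # VMX03
    'isolation.tools.setGUIOptions.enable' = 'FALSE'    # VMX03
    'isolation.device.connectable.disable' = 'TRUE'     # VMX11
    'isolation.device.edit.disable'        = 'TRUE'     # VMX11
    'vmci0.unrestricted'                   = 'FALSE'    # VMX12
    'log.rotateSize'                       = '1000000'  # VMX20
    'log.keepOld'                          = '10'       # VMX20
    'tools.setInfo.sizeLimit'              = '1048576'  # VMX21
}

function Get-VmxDeviation {
    # Returns one object per expected key that is absent from the VM or set to
    # a different value. Nothing is returned for a compliant VM.
    param(
        [Parameter(Mandatory = $true)] $VM,
        [hashtable] $Expected = $ExpectedVmx
    )
    # Config.ExtraConfig is vCenter's stored copy of the VM's advanced settings.
    $actual = @{}
    foreach ($ov in $VM.ExtensionData.Config.ExtraConfig) {
        $actual[$ov.Key] = [string] $ov.Value
    }
    foreach ($key in $Expected.Keys) {
        $current = $actual[$key]          # $null when the key is not set at all
        if ($current -eq $null) { $shown = '<not set>' } else { $shown = $current }
        if ($current -ne $Expected[$key]) {
            New-Object PSObject -Property @{
                VM       = $VM.Name
                Key      = $key
                Expected = $Expected[$key]
                Actual   = $shown
            }
        }
    }
}

function Set-VmxCompliance {
    # Builds a ConfigSpec holding only the deviating keys and applies it to the
    # VM. With -ReportOnly the deviations are returned and nothing is changed.
    param(
        [Parameter(Mandatory = $true)] $VM,
        [hashtable] $Expected = $ExpectedVmx,
        [switch] $ReportOnly
    )
    $deviations = @(Get-VmxDeviation -VM $VM -Expected $Expected)
    if ($deviations.Count -eq 0) { return }
    if (-not $ReportOnly) {
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        foreach ($d in $deviations) {
            $ov = New-Object VMware.Vim.OptionValue
            $ov.Key   = $d.Key
            $ov.Value = $d.Expected
            $spec.ExtraConfig += $ov
        }
        # Synchronous call; switch to ReconfigVM_Task to fan out over many VMs.
        $VM.ExtensionData.ReconfigVM($spec)
    }
    $deviations
}

$targetCluster = Read-Host 'Enter the target cluster'
$vms = Get-Cluster $targetCluster | Get-VM

# Audit pass: one row per VM and key that differs from the expected value.
$vms | ForEach-Object { Get-VmxDeviation -VM $_ } |
    Format-Table VM, Key, Expected, Actual -AutoSize

# Remediation pass, touching only non-compliant VMs.
# Drop -ReportOnly once the audit output above looks right.
$changes = @($vms | ForEach-Object { Set-VmxCompliance -VM $_ -ReportOnly })
"{0} setting(s) across the cluster would be changed" -f $changes.Count
```

Two things to keep in mind when reading the report. The audit compares what vCenter has stored, which is the same data VMCC reads, so a VM shows as compliant as soon as ReconfigVM returns even though its running instance only picks up the isolation.* options at the next power-off and power-on. And Get-VM does not return templates, so any templates in the cluster need to be converted to VMs (or handled separately) if they are in scope for the audit.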
Edwin Hayes says
Nice list. We have to update our current checks with the new items listed in the April version of the vSphere Hardening Guide. Just figured out how to check VMX56, which in our case should result in a null value.
$dvfbIP = Get-VMHostAdvancedConfiguration -VMHost esx1
$dvfbIP.Get_Item("Net.DVFilterBindIpAddress")
Andy says
Thanks for the addition Edwin. I just focused on the immediate VM options audited by the VMCC, but it can definitely be extended for other host and VM options specific to your environment.
karlochacon says
Great script... I will be using it very often.
karlochacon says
Great idea, we should get help from the VMware community to get all the PowerCLI checks done.