June 20, 2014
PowerShell PowerCLI PowerGUI – Microsoft Windows cloud automation tools for VMware vSphere ESXi Administrators

PowerGUI 3.8

The Center for Internet Security (CIS) recently released their Security Configuration Benchmark for ESXi 5.1 available here:

In this post we will show how to get set up with a Windows-based Graphical User Interface (GUI) for running PowerShell scripts to manage your VMware vSphere ESXi-based environment. As virtualization is being used as an infrastructure platform for more security-sensitive workloads in many enterprises, it’s important to have an automated and repeatable set of tools to both audit and configure your environment.

Traditionally, changes and audits have been made manually. With only a few systems to manage, this might be doable on an occasional basis where changes are infrequent. But as tech refresh cycles shorten and demand for new services increases, automation becomes more necessary.

Specifically, when setting up or making changes to an ESXi host there are a few methods to connect to it for administration purposes:

  1. DCUI: Direct Console User Interface – plugging in a Keyboard and Display to the machine running ESXi. Using arrow keys and Function commands to authenticate and move around a very simple menu system with limited options.
  2. Local Shell: Typing commands to the DCUI allows more sophisticated control, but there is no clipboard, so no copy and paste and thus no ability to repeat commands. No automation capabilities. Subject to human error. Limited to VGA 640×480 resolution.
  3. Remote Shell: Using Secure Shell (SSH) over the network to the ESXi host. This is the most familiar interface to many UNIX administrators. Scripts are typically stored in a repo where clipboard copy and paste operations can be leveraged. Sessions can be logged to provide an audit trail and sent off to assist with troubleshooting. Terminal screen size can be expanded, giving you multiple windows and lots of text real estate to work with.
  4. vMA: The vSphere Management Assistant is a Linux-based virtual machine that is pre-installed with a command-line interface and select third-party agents needed to manage your vSphere infrastructure. vMA includes the vSphere SDK for Perl and the vSphere Command-Line Interface (vSphere CLI).
  5. vSphere Client: The vSphere Client is a Windows program used to configure an ESXi host and to operate its virtual machines. You can download vSphere Client from any host or vCenter Server. vCenter Server is used to manage multiple hosts and provides advanced management options, such as resource sharing, High Availability, and vMotion.
  6. vSphere Web Client: The vSphere Web Client enables you to connect to a vCenter Server system to manage an ESXi host through a browser.
  7. PowerCLI: VMware PowerCLI is a “snapin” for Windows PowerShell that provides command-line interface (CLI) access to administration tasks and can be used to create executable scripts. Windows 7 and 8 both come with the PowerShell task-based command-line shell and scripting language built in and ready to go.
  8. PowerGUI: The Quest Software PowerGUI tool for Windows users provides a Graphical User Interface (GUI) script editor and debugger for PowerShell.

Getting Started with PowerCLI

This post will cover the PowerShell method to manage Virtual Machines hosted in a VMware vSphere environment. Using these tools will provide a repeatable, scalable method to audit and harden the ESXi hosts for security-sensitive organizations. Scripts can be developed for various applications, with customized configurations checked into a Software Configuration Management (SCM) tool such as Git, SVN, Perforce, CVS, or ClearCase. Output from these scripts can be fed into a Governance, Risk management, and Compliance (GRC) tool such as RSA Archer, TraceSecurity TraceCSO, Virma Aruvio, MetricStream GRC Cloud, ControlCase GRC, LockPath Cloud GRC, or the Cloud Security Alliance (CSA) GRC Stack.

What you need:

  • Admin workstation: a laptop or desktop system with Microsoft Windows 7 or 8
  • PowerShell – pre-installed with the latest versions of Windows
  • PowerCLI – download from https://www.vmware.com/support/developer/PowerCLI/
  • PowerGUI – download from http://en.community.dell.com/techcenter/powergui/m/bits/
  • VMware vSphere Hypervisor – you will need an ESXi machine to test your scripts on
  • VMware vSphere vCenter Server – optional – used to manage one or more ESXi hypervisor hosts
  • VMware vSphere Virtual Machine – optional – used for testing your scripts

Setup Steps:

Once all the prerequisites are installed and running it’s time to run a test script to make sure everything’s working.

  1. Open the PowerGUI Script Editor application
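  2. Run the following commands to connect to the vSphere environment being worked on:
    NOTE: Change the IP Address, User, and Password as needed.
    # Allow locally written scripts to run; downloaded scripts must be signed
    Set-ExecutionPolicy RemoteSigned
    # Load the PowerCLI snap-in and confirm the installed version
    Add-PSSnapin VMware.VimAutomation.Core
    Get-PowerCLIVersion
    # Connect to the ESXi host or vCenter Server, then list its virtual machines
    Connect-VIServer -Server 192.168.1.55 -User root -Password P@ssw0rd
    Get-VM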
  3. The output might take a few seconds to process and should look something like this:
    Name            PowerState Num CPUs MemoryGB 
    ----            ---------- -------- -------- 
    w7e64-template  PoweredOff 1        1.000 
    w2k8r2-template PoweredOff 1        1.000

Operational Security Audit and Remediation

Now that the setup is complete, try running some of the PowerCLI commands from the CIS Benchmark.

  1. Build a generic script to perform Audits and Remediations. Save it and check it in to the SCM tool.
  2. Customize and save versions of these scripts for the various environments being hardened. For example:
    1. prod-audit-YYMMDD.ps
    2. prod-remediate-YYMMDD.ps
    3. dev-audit-YYMMDD.ps
    4. dev-remediate-YYMMDD.ps
    5. qa-audit-YYMMDD.ps
    6. qa-remediate-YYMMDD.ps
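
A generic audit script of the kind step 1 describes, added here as an example; it is not taken from the original post or from the CIS Benchmark. The four checks, the output file name and the `Test-HostSetting` function name are assumptions chosen for illustration, and the script only reads settings.

```powershell
# Added example: read-only audit of ESXi hosts. The checks are illustrative
# and are not quoted from the CIS Benchmark.
param(
    [string]$Server  = '192.168.1.55',       # address used in the setup steps
    [string]$OutFile = 'audit-results.csv'   # hypothetical output file name
)

Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

# Prompt for credentials so no password is stored in a script that gets
# checked in to the SCM tool.
$cred = Get-Credential
Connect-VIServer -Server $Server -Credential $cred | Out-Null

function Test-HostSetting {
    param($VMHost)

    $services = Get-VMHostService -VMHost $VMHost
    $ssh    = $services | Where-Object { $_.Key -eq 'TSM-SSH' }   # SSH
    $shell  = $services | Where-Object { $_.Key -eq 'TSM' }       # ESXi Shell
    $ntp    = @(Get-VMHostNtpServer -VMHost $VMHost)
    $syslog = (Get-AdvancedSetting -Entity $VMHost -Name 'Syslog.global.logHost').Value

    # One row per check; Pass is $true when the host is in the expected state.
    $checks = @(
        @{ Check = 'SSH service stopped';           Pass = (-not $ssh.Running);   Value = $ssh.Running },
        @{ Check = 'ESXi Shell service stopped';    Pass = (-not $shell.Running); Value = $shell.Running },
        @{ Check = 'NTP server configured';         Pass = ($ntp.Count -gt 0);    Value = ($ntp -join ';') },
        @{ Check = 'Remote syslog host configured'; Pass = (-not [string]::IsNullOrEmpty($syslog)); Value = $syslog }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Host = $VMHost.Name; Check = $c.Check; Pass = $c.Pass; Value = $c.Value
        } | Select-Object Host, Check, Pass, Value
    }
}

try {
    $results = Get-VMHost | ForEach-Object { Test-HostSetting -VMHost $_ }
    $results | Export-Csv -Path $OutFile -NoTypeInformation   # for reporting or a GRC tool
    $results | Where-Object { -not $_.Pass } | Format-Table -AutoSize   # show failures
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

Keeping the audit script read-only and putting any `Set-` cmdlets in a separate remediation script matches the audit/remediate file split listed above and lets the audit run safely against production.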

Follow up todo list:

Exporting the results from these scripts would be very handy.

How to schedule these reports.

Running scripts like this against other cloud and virtual compute environments like Amazon Web Services (AWS) or Microsoft Azure.

Using GitHub, Assembla, or Bitbucket as a source code repo with SourceTree.