Thursday, June 7, 2012

Automate the Hardening of Your Virtual Machine VMX Configurations

By William Lam, Sr. Technical Marketing Engineer

As you probably have heard, VMware has just released the official vSphere 5.0 Security Hardening Guide<http://blogs.vmware.com/security/2012/06/vsphere-50-security-hardening-guide-released.html>. In addition to providing the latest guidelines for the vSphere 5.0 platform, the new hardening guide also includes several enhancements, one of which is a set of CLI (ESXi Shell, vCLI or PowerCLI) commands for assessment and/or remediation of a given guideline. One particular section of the hardening guide that has been quite popular over the years is securing the virtual machine's VMX configuration file. You might ask, how would you go about automating these changes across all your virtual machines?

I had written an article called Accessing Virtual Machine Settings<http://blogs.vmware.com/vsphere/2012/03/acessing-virtual-machine-advanced-settings.html> not too long ago which shows you how to modify/add a single advanced setting to a virtual machine. You can easily modify those scripts to operate on more than one advanced setting. In this article, we will demonstrate these modified scripts, which allow you to specify multiple advanced settings to be applied to a given virtual machine to help harden its configuration.

Disclaimer: These scripts are provided for informational/educational purposes only. They should be thoroughly tested before attempting to use them in a production environment.

Below are examples of both a PowerCLI and a vSphere SDK for Perl script, both of which accept a file containing a list of key/value pair advanced settings (separated by a comma) that you wish to add/modify for a virtual machine.

Here is an example of a file containing a few of the vSphere 5 Security Hardening advanced settings I wish to add to a virtual machine:

isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,10000
RemoteDisplay.maxConnections,2
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE

Note: You can apply the advanced settings while the virtual machine is running, but the changes will NOT go into effect until the virtual machine has been completely powered off and then powered back on. A guest OS reboot will not be sufficient, as the VMX configurations are only read during the initial power on.

PowerCLI

Download script: http://communities.vmware.com/docs/DOC-18653<http://communities.vmware.com/docs/DOC-19253>
Usage: To run this script you will need the latest version of PowerCLI installed and PowerShell v2. Once connected to the vCenter server using the Connect-VIServer cmdlet, paste the script into your editor or PowerCLI window.

Here is an example of updating a virtual machine with the list of advanced settings:

[Screenshot: updating a virtual machine with the list of advanced settings]

Here is an example where we update all VMs in a particular cluster:

[Screenshot: updating all VMs in a cluster]

Here is an example of listing the advanced settings for the virtual machine:

[Screenshot: listing the advanced settings for the virtual machine]

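As an added example (not the script from the original post, and not VMware's code), here is an assess-first PowerCLI function that reads the same key,value file, reports which settings are missing or drifted on each VM, and only changes anything when -Remediate is given. It assumes an existing Connect-VIServer session and PowerCLI 5.0.1 or later (the Get-/New-/Set-AdvancedSetting cmdlets); the function name is made up.

```powershell
# Added example, not the script from the original post. Assumes an existing
# Connect-VIServer session and PowerCLI 5.0.1+ (Get-/New-/Set-AdvancedSetting
# for virtual machines). Function name is hypothetical.
function Invoke-VMXHardeningCheck {
    param(
        [Parameter(Mandatory=$true)][string]$SettingsFile,  # "key,value" lines, as in the post
        [Parameter(Mandatory=$true)][string[]]$VMName,      # one or more VM names
        [switch]$Remediate                                  # without it: assess only, change nothing
    )
    # Explicit headers turn each "key,value" line into an object; blank and '#' lines are skipped
    $desired = Import-Csv -Path $SettingsFile -Header Key,Value |
               Where-Object { $_.Key -and $_.Key -notlike '#*' }
    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction Stop
        foreach ($entry in $desired) {
            $current = Get-AdvancedSetting -Entity $vm -Name $entry.Key -ErrorAction SilentlyContinue
            $actual  = $null
            if ($current) { $actual = [string]$current.Value }
            # PowerShell string -eq is case-insensitive, so TRUE and true both count as compliant
            if ($null -eq $actual)            { $status = 'MISSING' }
            elseif ($actual -eq $entry.Value) { $status = 'OK' }
            else                              { $status = 'DRIFT' }
            if ($Remediate -and $status -ne 'OK') {
                if ($current) {
                    Set-AdvancedSetting -AdvancedSetting $current -Value $entry.Value -Confirm:$false | Out-Null
                } else {
                    New-AdvancedSetting -Entity $vm -Name $entry.Key -Value $entry.Value -Confirm:$false -Force | Out-Null
                }
                # The VMX is only read at power on, so flag that a full power cycle is still required
                $status = 'FIXED-PENDING-POWERCYCLE'
            }
            New-Object PSObject -Property @{
                VM = $vm.Name; Key = $entry.Key; Expected = $entry.Value; Actual = $actual; Status = $status
            }
        }
    }
}

# Assess every VM in a cluster first, then remediate only once the report looks right:
# $names = Get-Cluster -Name 'Prod' | Get-VM | ForEach-Object { $_.Name }
# Invoke-VMXHardeningCheck -SettingsFile .\vmx-hardening.txt -VMName $names | Format-Table -AutoSize
# Invoke-VMXHardeningCheck -SettingsFile .\vmx-hardening.txt -VMName $names -Remediate
```

Running the assess-only pass on a schedule gives you a drift report against the hardening file, which is the check the guide's assessment commands are there for.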

vSphere SDK for Perl

Download script: http://communities.vmware.com/docs/DOC-18654

Usage: To run the script you will need to have VMware vCLI<http://www.vmware.com/support/developer/vcli/> installed on either a Windows/Linux system or you can use the VMware vMA<http://www.vmware.com/support/developer/vima/> appliance.

The script now includes a new option called --optionlist which accepts the file containing the list of advanced settings.

Here is an example of updating a virtual machine with the list of advanced settings:

[Screenshot: updating a virtual machine with the list of advanced settings]

Here is an example of listing the advanced settings for the virtual machine:

[Screenshot: listing the advanced settings for the virtual machine]

As you can see with these two scripts, administrators can easily and quickly secure all their virtual machines based on the latest recommendations from the vSphere 5.0 Security Hardening Guide<http://blogs.vmware.com/security/2012/06/vsphere-50-security-hardening-guide-released.html> as well as from previous hardening guides.

Additional Resources:
If you are looking for additional automation of the vSphere 5 Security Hardening Guide, be sure to check out this script<http://www.virtuallyghetto.com/2012/04/vsphere-security-hardening-report.html>, which generates a report based on the vSphere Security Hardening Guide and supports the new vSphere 5 guide as well as the 4.1 and 4.0 guides.

Original Post:
http://blogs.vmware.com/vsphere/2012/06/automate-the-hardening-of-your-virtual-machine-vmx-configurations.html
