Конфигурация хоста VMware ESXi с PowerCLI (best practice)

Конфигурация хоста VMware ESXi с PowerCLI (best practice)

В данной статье рассмотрим, как настраивать VMware ESXi с помощью PowerCLI для усиления безопасности.

Имейте в виду: это не рецепт, который гарантированно защитит вас от взлома, а скорее способ повысить уровень безопасности именно в части vSphere.

vSphere Security Configuration Guide (SCG) 7 — это базовый уровень для усиления безопасности самой VMware vSphere и ядро лучших практик безопасности VMware. VMware vSphere Security Hardening Guide даёт рекомендации администраторам vSphere, желающим защитить свою инфраструктуру.

Настройка в соответствии с best practice по безопасности – PowerCLI

СЛУЖБЫ УПРАВЛЕНИЯ ESXi

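#====================================================================================================================
# ESXi management services: set the start policy to Off and stop the services the SCG recommends
# keeping disabled unless explicitly needed (CIM/sfcbd watchdog, SLP, SNMP, ESXi Shell, SSH).
# Meant to run inside the per-host ForEach-Object loop: $_ is one CSV row and $_.mgmtip its management address.
# $hostpass should come from a prompt (Get-Credential / Read-Host -AsSecureString), not from a literal in the script.
#====================================================================================================================
Connect-VIServer -Server $_.mgmtip -User $hostuser -Password $hostpass -ErrorAction Stop

# Resolve the host object once instead of re-querying it for every service.
$vmhost = Get-VMHost -Name $_.mgmtip

# Service keys as reported by Get-VMHostService. Each one is both disabled at boot (Policy Off)
# and stopped now, so the change is effective immediately and survives a reboot.
$servicesToDisable = 'sfcbd-watchdog', 'slpd', 'snmpd', 'TSM', 'TSM-SSH'
foreach ($serviceKey in $servicesToDisable) {
    $service = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $serviceKey }
    if (-not $service) {
        # Not every ESXi build exposes every key (e.g. slpd); report and move on rather than abort the host.
        Write-Warning "Service '$serviceKey' not found on $($vmhost.Name); skipping"
        continue
    }
    $service | Set-VMHostService -Policy Off -Confirm:$false | Out-Null
    # Only stop a service that is actually running; stopping a stopped service is a no-op at best.
    if ($service.Running) {
        $service | Stop-VMHostService -Confirm:$false | Out-Null
    }
}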

Задачи конфигурации системного журнала ESXi Scratch

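# Scratch Settings
# Persistent scratch location on the shared "logs" datastore, one folder per host.
# Double quotes plus $() are required here: inside single quotes '$_.hostname' is NOT expanded and
# the literal text "$_.hostname" would be written into the setting. The folder must already exist
# on the datastore, and the new location takes effect after the host is rebooted.
$vmhost = Get-VMHost -Name $_.mgmtip
$scratchPath = "/vmfs/volumes/logs/$($_.hostname)"
Get-AdvancedSetting -Entity $vmhost -Name ScratchConfig.ConfiguredScratchLocation |
    Set-AdvancedSetting -Value $scratchPath -Confirm:$false | Out-Null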

Задачи настройки ESXi DNS / NTP

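 # AD Domain Settings / DNS / NTP
 # Runs inside the per-host loop ($_ is one CSV row). Every cmdlet is pinned to $vmhost so the
 # commands cannot drift to another default server if several sessions are open.
 # NOTE: $_.adpass (domain-join password) is read from the CSV in clear text; restrict access to
 # that file or prompt for the value instead of storing it.
$vmhost = Get-VMHost -Name $_.mgmtip

# Join the host to Active Directory and point its resolver at the domain's DNS servers.
Get-VMHostAuthentication -VMHost $vmhost |
    Set-VMHostAuthentication -Domain $_.domain -User $_.aduser -Password $_.adpass -JoinDomain
Get-VMHostNetwork -VMHost $vmhost |
    Set-VMHostNetwork -DomainName $_.domain -SearchDomain $_.domain -DnsAddress $_.dns1, $_.dns2

# NTP: add each configured server only if it is not already present (Add-VMHostNtpServer
# errors on a duplicate), then make ntpd start with the host and restart it so the new
# servers are picked up.
$existingNtp = @(Get-VMHostNtpServer -VMHost $vmhost)
foreach ($ntpServer in @($_.ntp1, $_.ntp2)) {
    if ($ntpServer -and ($existingNtp -notcontains $ntpServer)) {
        Add-VMHostNtpServer -VMHost $vmhost -NtpServer $ntpServer | Out-Null
    }
}
$ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
$ntpd | Set-VMHostService -Policy On -Confirm:$false | Out-Null
$ntpd | Restart-VMHostService -Confirm:$false | Out-Null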

Задачи настройки безопасности ESXi

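# Advanced Settings (SCG-aligned host hardening).
# Resolve the host once, then apply a single name/value table so every setting is listed exactly once.
# Fixes versus the original list:
#   - Mem.ShareForceSalting was set to 2 and then to 0 a few lines later; the last write wins, so the
#     host ended up with 0 (inter-VM page sharing allowed). Only the hardened value 2 is kept.
#   - Security.PasswordQualityControl was misspelled ("Qulity"), so the password policy never applied.
#   - UserVars.SuppressShellWarning is 0: the SCG keeps the "ESXi Shell/SSH enabled" warning visible.
$vmhost = Get-VMHost -Name $_.mgmtip
$advancedSettings = [ordered]@{
    'Config.HostAgent.log.level'              = 'info'
    'Config.HostAgent.plugins.solo.enableMob' = 'False'   # Managed Object Browser off
    'Mem.ShareForceSalting'                   = 2         # TPS only between pages of the same VM
    'Security.AccountLockFailures'            = 5
    'Security.AccountUnlockTime'              = 900
    'Security.PasswordHistory'                = 5
    'Security.PasswordQualityControl'         = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'UserVars.DcuiTimeOut'                    = 600
    'UserVars.ESXiShellInteractiveTimeOut'    = 900
    'UserVars.ESXiShellTimeOut'               = 900
    'UserVars.ESXiVPsDisabledProtocols'       = 'sslv3,tlsv1,tlsv1.1'   # may be read-only on newer ESXi releases; verify
    'UserVars.SuppressShellWarning'           = 0
    'VMkernel.Boot.execInstalledOnly'         = 'True'    # only VIB-installed binaries may execute
    'Misc.BlueScreenTimeout'                  = 60
}
foreach ($entry in $advancedSettings.GetEnumerator()) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $entry.Key
    if (-not $setting) {
        Write-Warning "Advanced setting '$($entry.Key)' not found on $($vmhost.Name); skipping"
        continue
    }
    # Compare as strings so 2 vs "2" and True vs "True" do not cause needless rewrites.
    if ("$($setting.Value)" -ne "$($entry.Value)") {
        $setting | Set-AdvancedSetting -Value $entry.Value -Confirm:$false | Out-Null
    }
}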

Комбинированный скрипт PowerShell

Все вышеприведённые фрагменты вместе образуют скрипт PowerShell, помогающий обеспечить настройку безопасности VMware ESXi, его усиление (hardening) и другие общие параметры. CSV-файл (Excel) с переменными я опишу в другой записи блога.

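#========================================================================================================================
#
# ESXi host hardening (vSphere Security Configuration Guide) driven by a CSV with one row per host.
# Columns read from each row: mgmtip, hostname, domain, aduser, adpass, dns1, dns2, ntp1, ntp2.
# adpass (domain-join password) is stored in clear text in the CSV; restrict access to that file.
# If hosts use self-signed certificates, PowerCLI's InvalidCertificateAction setting decides whether
# the connection is accepted; do not blanket-ignore certificate errors in production.
#
#========================================================================================================================
$hostuser = 'root'
# Prompt for the root password instead of hard-coding it: a literal password in the script ends up
# in source control, transcripts and backups.
$hostcred = Get-Credential -UserName $hostuser -Message 'ESXi root password'
$csvPath  = 'path_to_file_with_variables.csv'
$vmhosts  = Import-Csv -Path $csvPath
if (-not $vmhosts) { throw "No host rows found in $csvPath" }

# Services the SCG recommends keeping off unless explicitly needed.
$servicesToDisable = 'sfcbd-watchdog', 'slpd', 'snmpd', 'TSM', 'TSM-SSH'

# Advanced settings, each listed once. Mem.ShareForceSalting is 2 only (the original also wrote 0
# afterwards, which re-enabled inter-VM page sharing); PasswordQualityControl spelling corrected;
# SuppressShellWarning is 0 so the "shell enabled" warning stays visible.
$advancedSettings = [ordered]@{
    'Config.HostAgent.log.level'              = 'info'
    'Config.HostAgent.plugins.solo.enableMob' = 'False'
    'Mem.ShareForceSalting'                   = 2
    'Security.AccountLockFailures'            = 5
    'Security.AccountUnlockTime'              = 900
    'Security.PasswordHistory'                = 5
    'Security.PasswordQualityControl'         = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'UserVars.DcuiTimeOut'                    = 600
    'UserVars.ESXiShellInteractiveTimeOut'    = 900
    'UserVars.ESXiShellTimeOut'               = 900
    'UserVars.ESXiVPsDisabledProtocols'       = 'sslv3,tlsv1,tlsv1.1'   # may be read-only on newer ESXi releases; verify
    'UserVars.SuppressShellWarning'           = 0
    'VMkernel.Boot.execInstalledOnly'         = 'True'
    'Misc.BlueScreenTimeout'                  = 60
    'Net.BlockGuestBPDU'                      = 1
    'Net.DVFilterBindIpAddress'               = ''
}

# A foreach statement (not ForEach-Object) so the row is a named variable: inside Where-Object
# script blocks $_ is the piped object, which would otherwise shadow the row.
foreach ($row in $vmhosts) {
    #====================================================================================================================
    # Connect to each host. A failed connection skips the host; without this the remaining cmdlets
    # would run against whatever default server is still connected.
    #====================================================================================================================
    try {
        $server = Connect-VIServer -Server $row.mgmtip -Credential $hostcred -ErrorAction Stop
    } catch {
        Write-Warning "Could not connect to $($row.mgmtip): $_"
        continue
    }

    try {
        #================================================================================================================
        # vSphere Security Best Practices
        #================================================================================================================
        Write-Host "Configuring vSphere Security Best Practices on $($row.hostname)" -ForegroundColor Yellow
        $vmhost = Get-VMHost -Name $row.mgmtip -Server $server

        # AD Domain Settings / DNS
        Get-VMHostAuthentication -VMHost $vmhost |
            Set-VMHostAuthentication -Domain $row.domain -User $row.aduser -Password $row.adpass -JoinDomain
        Get-VMHostNetwork -VMHost $vmhost |
            Set-VMHostNetwork -DomainName $row.domain -SearchDomain $row.domain -DnsAddress $row.dns1, $row.dns2

        # NTP: add only servers not already configured (Add-VMHostNtpServer errors on duplicates).
        $existingNtp = @(Get-VMHostNtpServer -VMHost $vmhost)
        foreach ($ntpServer in @($row.ntp1, $row.ntp2)) {
            if ($ntpServer -and ($existingNtp -notcontains $ntpServer)) {
                Add-VMHostNtpServer -VMHost $vmhost -NtpServer $ntpServer | Out-Null
            }
        }

        # Advanced + network settings, skipping values that are already correct.
        foreach ($entry in $advancedSettings.GetEnumerator()) {
            $setting = Get-AdvancedSetting -Entity $vmhost -Name $entry.Key
            if (-not $setting) {
                Write-Warning "Advanced setting '$($entry.Key)' not found on $($vmhost.Name); skipping"
                continue
            }
            if ("$($setting.Value)" -ne "$($entry.Value)") {
                $setting | Set-AdvancedSetting -Value $entry.Value -Confirm:$false | Out-Null
            }
        }

        # Standard vSwitch security policy: reject forged transmits, MAC changes and promiscuous
        # mode at the switch; port groups inherit from the switch.
        Get-VirtualSwitch -VMHost $vmhost -Standard | Get-SecurityPolicy |
            Set-SecurityPolicy -ForgedTransmits $false -MacChanges $false -AllowPromiscuous $false | Out-Null
        Get-VirtualPortGroup -VMHost $vmhost -Standard | Get-SecurityPolicy |
            Set-SecurityPolicy -ForgedTransmitsInherited $true -MacChangesInherited $true -AllowPromiscuousInherited $true | Out-Null

        # Scratch Settings: double quotes + $() so the host name is expanded (single quotes wrote the
        # literal text "$_.hostname"). Folder must exist on the datastore; applies after a reboot.
        $scratchPath = "/vmfs/volumes/logs/$($row.hostname)"
        Get-AdvancedSetting -Entity $vmhost -Name ScratchConfig.ConfiguredScratchLocation |
            Set-AdvancedSetting -Value $scratchPath -Confirm:$false | Out-Null

        # Service Settings
        $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
        $ntpd | Set-VMHostService -Policy On -Confirm:$false | Out-Null
        $ntpd | Restart-VMHostService -Confirm:$false | Out-Null
        foreach ($serviceKey in $servicesToDisable) {
            $service = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq $serviceKey }
            if (-not $service) {
                Write-Warning "Service '$serviceKey' not found on $($vmhost.Name); skipping"
                continue
            }
            $service | Set-VMHostService -Policy Off -Confirm:$false | Out-Null
            if ($service.Running) {
                $service | Stop-VMHostService -Confirm:$false | Out-Null
            }
        }
    } finally {
        #================================================================================================================
        # Disconnect from each host, even when a step above failed.
        #================================================================================================================
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}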

Источник

