

Automate the Hardening of Your Virtual Machine VMX Configurations

By William Lam, Sr. Technical Marketing Engineer

As you probably have heard, VMware has just released the official vSphere 5.0 Security Hardening Guide. In addition to providing the latest guidelines for the vSphere 5.0 platform, the new hardening guide also includes several enhancements, one of which is the CLI (ESXi Shell, vCLI or PowerCLI) commands for assessment and/or remediation of a given guideline. One particular section of the hardening guide that has been quite popular over the years is securing the Virtual Machine’s VMX configuration file. You might ask, how would you go about automating these changes across all your virtual machines?

I had written an article called Accessing Virtual Machine Settings not too long ago which shows you how to modify/add a single advanced setting to a virtual machine. You can easily modify those scripts to operate on more than one advanced setting. In this article, we will demonstrate these modified scripts, which allow you to specify multiple advanced settings to be applied to a given virtual machine to help harden its configuration.

Disclaimer: These scripts are provided for informational/educational purposes only. They should be thoroughly tested before attempting to use them in a production environment.

Below are examples of both a PowerCLI and a vSphere SDK for Perl script, each of which accepts a file that contains a list of key/value pair advanced settings (separated by a comma) that you wish to add/modify for a virtual machine.

Here is an example of a file containing a few of the vSphere 5 Security Hardening advanced settings I wish to add to a virtual machine:

isolation.bios.bbs.disable,TRUE
isolation.device.connectable.disable,TRUE
isolation.monitor.control.disable,TRUE
isolation.tools.diskShrink.disable,TRUE
isolation.tools.diskWiper.disable,TRUE
log.keepOld,10
log.rotateSize,100000
RemoteDisplay.maxConnections,2
tools.guestlib.enableHostInfo,FALSE
tools.setInfo.sizeLimit,1048576
vmci0.unrestricted,FALSE

Note: You can apply the advanced settings while the virtual machine is running, but the changes will NOT go into effect until the virtual machine has been completely powered off and then powered back on. A guest OS reboot will not be sufficient, as the VMX configurations are only read during the initial power on.

PowerCLI

Download script: http://communities.vmware.com/docs/DOC-18653

Usage: To run this script you will need the latest version of PowerCLI installed and PowerShell v2. Paste the script into your editor or PowerCLI window once connected to the vCenter server using the Connect-VIServer cmdlet.

Here is an example of updating a virtual machine with the list of advanced settings:

[Screenshot: Ps-1]

Here is an example where we update all VMs in a particular cluster:

[Screenshot: Ps-2]

Here is an example of listing the advanced settings for the virtual machine:

[Screenshot: Ps-3]
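Since the screenshots for these three examples did not survive, here is an added PowerCLI function (my example, not the DOC-18653 script) that does the same job from the key,value file and also reports drift before changing anything. It assumes an open Connect-VIServer session, PowerShell 3 or later, and the Get-/New-/Set-AdvancedSetting cmdlets of PowerCLI 5.x; the cluster name 'Prod' and the file name hardening.txt are placeholders.

```powershell
# Added example (not the DOC-18653 script): assess and remediate one VM's
# advanced settings from a "key,value" file like the one shown above.
# Assumes an existing Connect-VIServer session and the PowerCLI 5.x cmdlets
# Get-AdvancedSetting / New-AdvancedSetting / Set-AdvancedSetting.
function Invoke-VmxHardening {
    param(
        [Parameter(Mandatory=$true)][string]$VMName,
        [Parameter(Mandatory=$true)][string]$OptionFile,
        [switch]$AssessOnly   # report drift only, change nothing
    )
    $vm     = Get-VM -Name $VMName
    $wanted = Import-Csv -Path $OptionFile -Header Key,Value

    # VMX keys are case-insensitive, so a list that carries both
    # tools.setInfo.sizeLimit and tools.setinfo.sizeLimit is ambiguous: warn first.
    $wanted | Group-Object { $_.Key.ToLower() } | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { Write-Warning "Duplicate key in ${OptionFile}: $($_.Name)" }

    foreach ($opt in $wanted) {
        $current = Get-AdvancedSetting -Entity $vm -Name $opt.Key
        if ($current -and $current.Value -eq $opt.Value) {
            $result = 'compliant'
        } elseif ($AssessOnly) {
            $result = if ($current) { "drift (is '$($current.Value)')" } else { 'missing' }
        } elseif ($current) {
            Set-AdvancedSetting -AdvancedSetting $current -Value $opt.Value -Confirm:$false | Out-Null
            $result = 'updated'
        } else {
            New-AdvancedSetting -Entity $vm -Name $opt.Key -Value $opt.Value -Confirm:$false | Out-Null
            $result = 'added'
        }
        [pscustomobject]@{ VM = $vm.Name; Key = $opt.Key; Value = $opt.Value; Result = $result }
    }

    # The VMX is read only at power-on; a guest OS reboot does not pick up changes.
    if (-not $AssessOnly -and $vm.PowerState -eq 'PoweredOn') {
        Write-Warning "$($vm.Name) is powered on: settings apply after a full power off/on."
    }
}

# Usage (cluster name 'Prod' is a placeholder): assess every VM in a cluster,
# then remediate one VM and tabulate the result.
Get-Cluster 'Prod' | Get-VM | ForEach-Object { Invoke-VmxHardening $_.Name .\hardening.txt -AssessOnly }
Invoke-VmxHardening -VMName 'MY_VM1' -OptionFile .\hardening.txt | Format-Table -AutoSize
```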

vSphere SDK for Perl

Download script: http://communities.vmware.com/docs/DOC-18654

Usage: To run the script you will need to have VMware vCLI installed on either a Windows/Linux system or you can use the VMware vMA appliance.

The script now includes a new option called --optionlist which accepts the file containing the list of advanced settings.

Here is an example of updating a virtual machine with the list of advanced settings:

[Screenshot: Secure-vmx-1]

Here is an example of listing the advanced settings for the virtual machine:

[Screenshot: Secure-vmx-2]

As you can see with these two scripts, administrators can easily and quickly secure all their virtual machines based on the latest recommendations from the vSphere 5.0 Security Hardening Guide as well as from previous hardening guides.

Additional Resources:
If you are looking for additional automation of the vSphere 5 Security Hardening Guide, be sure to check out this script, which generates a report based on the vSphere Security Hardening Guide and supports the new vSphere 5 guide as well as the 4.1 and 4.0 guides.


20 thoughts on “Automate the Hardening of Your Virtual Machine VMX Configurations”

  1. Tim

    Hello there, I may have not searched hard enough but this is exactly what I have been looking to do. I am in an ESX4i environment and wondering if that is why I do not see the ‘get-vmadvancedconfiguration’ command in my PowerCLI? Would you know if that is the case, or would you happen to have the command equivalent for this environment to run on ESX4i, as I am assuming this documentation was in version 5?

  2. Preetam

    Guys, Please read this comment. Very Important.

    log.rotateSize,10000 is missing one zero, i.e. it should be log.rotateSize,100000. For more information refer to KB:8182749.

    I request William to change this at the earliest or customers might end up configuring a size which is not up to the recommendation in the hardening Guide.

    Thank you,
    Preetam

    1. William Lam (Post author)

      @Preetam,

      Thanks for noticing. The above is just a sample of the various hardening parameters which was used in our script examples. I’ve gone ahead and fixed the extra “0”, but customers should be looking at the vSphere Security Hardening Guide and identify the parameters they wish to apply; we merely showed an example which had a typo.

      Thanks

    1. William Lam (Post author)

      @Tanakow,

      Unfortunately no, the free vSphere Hypervisor only has read-only access to the APIs; you will need to purchase a vSphere license to get both read/write capabilities to the API, which is what the scripts are using.

  3. Ricky

    Hi William,

    I found I can set these configuration parameters globally by adding them to /etc/vmware/config (ESXi 5). This is handy for applying the settings via kickstarts.

    1. William Lam (Post author)

      Hi Ricky,

      Though you can set the VM parameters in that configuration file, it’s not recommended to use that as it applies them to all VMs (which may or may not be what you want). The other side effect is that you would not be able to query what settings have been applied on a per-VM basis, which makes auditing quite difficult. If you move a VM from one host to another and the host does not contain the same settings, you could easily be out of compliance without knowing about it. The recommendation is to apply this on a per-VM basis so that the settings follow the VM.

    1. William Lam (Post author)

      Hi Sazzy,

      The disabling of web services is not exposed in the vSphere API (part of those services includes the API, so it is potentially a chicken/egg problem). If you wish to use PowerCLI, you would need to basically remote in using SSH as you would normally and execute those commands.

  4. Jose Lopez

    Hi William,

    Thank you for making our lives so much easier!

    I am presently trying to run the Security Hardening Report Script for 4.1 and have tried to set it up on a Windows platform as we can’t add anything to our present environment (a vMA) for various reasons.

    I followed Maxim Shulga’s steps to execute on a Windows host but not being great at scripting I am struggling to replace the Linux commands which create the various folders with the Windows equivalent.

    Do you have a Windows version of this script to use? I have reached out to Maxim, with whom you have a working relationship, but was hoping you may also have something as time is not on my side!

    Thanks again for your support.
    Jose Lopez

    1. William Lam (Post author)

      I don’t have a Windows version of the script at the moment. The reason for vMA is just relying on a few OS level tools which I’m sure are also available on Windows. It’s been on my to-do list to check and see if I can port it over. If I get some down time, I’ll try to take a look.

  5. Ronel Li

    Dear William,
    Thanks for your awesome sample scripts, which helped me greatly when building the cloud stack of our own.
    Currently I’m working with something related to this kb. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
    I need to update the forbid time sync with host in the vmx file of about 200 vms.
    It seems vmAdvSettings.pl can’t really update the following parameters in the vmx file.
    tools.syncTime = "0"
    time.synchronize.continue = "0"
    time.synchronize.restore = "0"
    time.synchronize.resume.disk = "0"
    time.synchronize.shrink = "0"
    time.synchronize.tools.startup = "0"
    time.synchronize.tools.enable = "0"
    time.synchronize.resume.host = "0"

    I’ll be thrilled if you lend me a hand on that.

    Ronel Li From SMIC Shanghai China.

  6. Piotr Mitoraj

    Is there any documentation that would describe in detail what each of these settings does? The Excel sheet with the parameters gives cryptic messages for some of them, like ‘Disable certain unexposed features’.

  7. Totie Bash

    William, I need your help please please please. Doing this on 5.1U1
    I created a file D:\VMWARE STIG\hardening.txt with the following items:

    isolation.bios.bbs.disable,TRUE
    isolation.device.connectable.disable,TRUE
    isolation.monitor.control.disable,TRUE
    isolation.tools.diskShrink.disable,TRUE
    isolation.tools.diskWiper.disable,TRUE
    log.keepOld,10
    log.rotateSize,100000
    RemoteDisplay.maxConnections,1
    tools.guestlib.enableHostInfo,FALSE
    tools.setInfo.sizeLimit,1048576
    vmci0.unrestricted,FALSE
    isolation.tools.hgfsServerSet.disable,TRUE
    isolation.device.edit.disable,TRUE
    isolation.tools.autoInstall.disable,TRUE
    isolation.tools.copy.disable,TRUE
    isolation.tools.dnd.disable,FALSE
    isolation.tools.setGUIOptions.enable,FALSE
    isolation.tools.paste.disable,TRUE
    isolation.tools.ghi.autologon.disable,TRUE
    isolation.bios.bbs.disable,TRUE
    isolation.tools.getCreds.disable,TRUE
    isolation.tools.ghi.launchmenu.change,TRUE
    isolation.tools.memSchedFakeSampleStats.disable,TRUE
    isolation.tools.ghi.protocolhandler.info.disable,TRUE
    isolation.ghi.host.shellAction.disable,TRUE
    isolation.tools.dispTopoRequest.disable,TRUE
    isolation.tools.trashFolderState.disable,TRUE
    isolation.tools.ghi.trayicon.disable,TRUE
    isolation.tools.unity.disable,TRUE
    isolation.tools.unityInterlockOperation.disable,TRUE
    isolation.tools.unity.push.update.disable,TRUE
    isolation.tools.unity.taskbar.disable,TRUE
    isolation.tools.unityActive.disable,TRUE
    isolation.tools.unity.windowContents.disable,TRUE
    isolation.tools.vmxDnDVersionGet.disable,TRUE
    isolation.tools.guestDnDVersionSet.disable,TRUE
    isolation.tools.vixMessage.disable,TRUE
    tools.setinfo.sizeLimit,1048576

    I installed the latest PowerCLI.
    I hop into PowerShell, connect to vCenter and issue the following:

    Set-ExecutionPolicy RemoteSigned
    Add-PsSnapin VMware.VimAutomation.Core

    PS D:\VMWARE STIG> $file = Import-Csv 'D:\VMWARE STIG\hardening.txt' -Header Key,Value
    PS D:\VMWARE STIG> $VM = Get-VM MY_VM1
    PS D:\VMWARE STIG> $VM | New-AdvancedSetting -Name $file

    "$VM | New-AdvancedSetting -Name $file" is this right? I don’t think I have the right syntax... please please please help.

  8. Totie Bash

    After banging my head on the table for a day I finally got it. With you and Duncan’s blog along with so many ones I checked. I got the missing piece here:
    http://www.yellow-bricks.com/2009/03/11/powershell-and-importing-csv-files/

    $stig_vm = Import-Csv 'D:\VMWARE STIG\stig_vm.txt' -Header Name,Value

    # APPLY TO JUST MY_VM1
    foreach ($line in $stig_vm) {
        New-AdvancedSetting -Entity MY_VM1 -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
    }

    # APPLY TO ALL VMs; results are collected and written once so each loop
    # iteration does not overwrite the report ($output path is a placeholder)
    $output = 'D:\VMWARE STIG\stig_vm_report.csv'
    $results = foreach ($line in $stig_vm) {
        Get-VM | New-AdvancedSetting -Name $line.Name -Value $line.Value -Force -Confirm:$false | Select Entity, Name, Value
    }
    $results | Export-Csv $output -NoTypeInformation

  9. KenK

    Why do some VMX values not work at all using the SDK? We cannot seem to set these:

    scsiX:Y.mode="persistent"
    logging="true"
    usb.present="true"

    We have been directed to add these to the VMX file so they cannot be overridden by the GUI. Shutting down the VM and manually editing each VMX is not a pleasing thought.

