
Virtual Machine STIG.

posted Mar 30, 2015, 7:29 AM by Kris Knight   [ updated Jun 14, 2016, 11:42 AM ]
When working with DoD STIGs, the following script can be run to apply the VM STIG settings to every VM in a Datacenter (or to a single named VM). Some STIG items cannot be satisfied without a power cycle of the VM, such as the removal of floppy drives; those reboot-required items are not covered by this script. Updated for the latest STIG release.
 
#####################################################################
# Set-VMstig.ps1
#
# This will configure VM properties per ESXi5 VM STIG - 7DEC2015
#
# This does not include required device removal, or the requirements for environments with vShield and/or VMsafe in production. The script also assumes that VM log file rotation is not degrading system performance and that the VM requires logging to be enabled for troubleshooting.
#
# USE EXAMPLE:
# .\Set-VMstig.ps1 NameOfVM
# .\Set-VMstig.ps1 *
#
# Passing * (or removing the param block and the $VMname argument to Get-VM) configures every VM in the connected vCenter.
#
# NOTE: This STIG should also be applied to all Templates. Get-VM does not return templates, so you must convert each existing Template to a VM, apply the STIG, and convert it back. Applying the STIG only after a VM is created from a Template is not sufficient to comply with the STIG.
#
# v1.2 JAN 2014
# Author: KnightUSN #####################################################################
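# Apply the ESXi5 VM STIG advanced (.vmx) settings to one or more VMs.
#
# Parameters:
#   $VMname - one or more VM names or wildcard patterns accepted by Get-VM
#             (e.g. "Web01" or "*").  Mandatory.
#
# Side effects:
#   Calls ReconfigVM on every matched VM, writing the ExtraConfig keys listed in
#   $StigSettings into each VM's configuration.  Supports -WhatIf / -Confirm so
#   the change set can be reviewed before it is pushed datacenter-wide.
#
# Requirements: an active PowerCLI session (Connect-VIServer) with a role that
# allows VirtualMachine.Config.AdvancedConfig on the target VMs.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [parameter(Mandatory = $true)]
    [string[]]$VMname
)

# Refuse to run without a vCenter/ESXi session so the failure mode is an
# explicit message rather than whatever Get-VM does when disconnected.
if (-not $global:DefaultVIServer) {
    throw 'Not connected to a vCenter/ESXi host. Run Connect-VIServer first.'
}

# -ErrorAction Stop turns a bad name into a terminating error; @() keeps the
# result an array even when exactly one VM matches.
$VMs = @(Get-VM $VMname -ErrorAction Stop)
if ($VMs.Count -eq 0) {
    throw "No virtual machine matched '$VMname'."
}

# ESXi5 VM STIG advanced settings.  Id is the STIG Vuln ID and rule short name
# so each line can be traced back to the checklist item it satisfies.
# Values are strings because ExtraConfig entries are stored as .vmx text.
$StigSettings = @(
    @{ Id = 'ESXi5-VM-000002 - ESXi5-201'; Key = 'isolation.tools.autoInstall.disable';               Value = 'true' }
    @{ Id = 'ESXi5-VM-000003 - ESXi5-202'; Key = 'isolation.tools.copy.disable';                      Value = 'true' }
    @{ Id = 'ESXi5-VM-000004 - ESXi5-203'; Key = 'isolation.tools.dnd.disable';                       Value = 'true' }
    @{ Id = 'ESXi5-VM-000005 - ESXi5-204'; Key = 'isolation.tools.setGUIOptions.enable';              Value = 'false' }
    @{ Id = 'ESXi5-VM-000006 - ESXi5-205'; Key = 'isolation.tools.paste.disable';                     Value = 'true' }
    @{ Id = 'ESXi5-VM-000007 - ESXi5-206'; Key = 'isolation.tools.diskShrink.disable';                Value = 'true' }
    @{ Id = 'ESXi5-VM-000008 - ESXi5-207'; Key = 'isolation.tools.diskWiper.disable';                 Value = 'true' }
    @{ Id = 'ESXi5-VM-000009 - ESXi5-208'; Key = 'isolation.tools.hgfsServerSet.disable';             Value = 'true' }
    @{ Id = 'ESXi5-VM-000011 - ESXi5-210'; Key = 'vmci0.unrestricted';                                Value = 'false' }
    @{ Id = 'ESXi5-VM-000013 - ESXi5-212'; Key = 'isolation.monitor.control.disable';                 Value = 'true' }
    @{ Id = 'ESXi5-VM-000014 - ESXi5-213'; Key = 'isolation.tools.ghi.autologon.disable';             Value = 'true' }
    @{ Id = 'ESXi5-VM-000015 - ESXi5-214'; Key = 'isolation.bios.bbs.disable';                        Value = 'true' }
    @{ Id = 'ESXi5-VM-000016 - ESXi5-215'; Key = 'isolation.tools.getCreds.disable';                  Value = 'true' }
    @{ Id = 'ESXi5-VM-000017 - ESXi5-216'; Key = 'isolation.tools.ghi.launchmenu.change';             Value = 'true' }
    @{ Id = 'ESXi5-VM-000018 - ESXi5-217'; Key = 'isolation.tools.memSchedFakeSampleStats.disable';   Value = 'true' }
    @{ Id = 'ESXi5-VM-000019 - ESXi5-218'; Key = 'isolation.tools.ghi.protocolhandler.info.disable';  Value = 'true' }
    @{ Id = 'ESXi5-VM-000020 - ESXi5-219'; Key = 'isolation.ghi.host.shellAction.disable';            Value = 'true' }
    @{ Id = 'ESXi5-VM-000021 - ESXi5-220'; Key = 'isolation.tools.dispTopoRequest.disable';           Value = 'true' }
    @{ Id = 'ESXi5-VM-000022 - ESXi5-221'; Key = 'isolation.tools.trashFolderState.disable';          Value = 'true' }
    @{ Id = 'ESXi5-VM-000023 - ESXi5-222'; Key = 'isolation.tools.ghi.trayicon.disable';              Value = 'true' }
    @{ Id = 'ESXi5-VM-000024 - ESXi5-223'; Key = 'isolation.tools.unity.disable';                     Value = 'true' }
    @{ Id = 'ESXi5-VM-000025 - ESXi5-224'; Key = 'isolation.tools.unityInterlockOperation.disable';   Value = 'true' }
    @{ Id = 'ESXi5-VM-000026 - ESXi5-225'; Key = 'isolation.tools.unity.push.update.disable';         Value = 'true' }
    @{ Id = 'ESXi5-VM-000027 - ESXi5-226'; Key = 'isolation.tools.unity.taskbar.disable';             Value = 'true' }
    @{ Id = 'ESXi5-VM-000028 - ESXi5-227'; Key = 'isolation.tools.unityActive.disable';               Value = 'true' }
    @{ Id = 'ESXi5-VM-000029 - ESXi5-228'; Key = 'isolation.tools.unity.windowContents.disable';      Value = 'true' }
    @{ Id = 'ESXi5-VM-000030 - ESXi5-229'; Key = 'isolation.tools.vmxDnDVersionGet.disable';          Value = 'true' }
    @{ Id = 'ESXi5-VM-000031 - ESXi5-230'; Key = 'isolation.tools.guestDnDVersionSet.disable';        Value = 'true' }
    @{ Id = 'ESXi5-VM-000033 - ESXi5-232'; Key = 'isolation.tools.vixMessage.disable';                Value = 'true' }
    # Limit concurrent console sessions so a second operator cannot silently shadow the console.
    @{ Id = 'ESXi5-VM-000039 - ESXi5-238'; Key = 'RemoteDisplay.maxConnections';                      Value = '1' }
    # Log rotation: bounded number and size of vmware.log files (datastore DoS control).
    @{ Id = 'ESXi5-VM-000041 - ESXi5-240'; Key = 'log.keepOld';                                       Value = '10' }
    @{ Id = 'ESXi5-VM-000042 - ESXi5-241'; Key = 'log.rotateSize';                                    Value = '100000' }
    # Cap guest-writable VMX info so a guest cannot grow the config file without bound.
    @{ Id = 'ESXi5-VM-000043 - ESXi5-242'; Key = 'tools.setinfo.sizeLimit';                           Value = '1048576' }
    @{ Id = 'ESXi5-VM-000045 - ESXi5-244'; Key = 'isolation.device.connectable.disable';              Value = 'true' }
    @{ Id = 'ESXi5-VM-000046 - ESXi5-245'; Key = 'isolation.device.edit.disable';                     Value = 'true' }
    @{ Id = 'ESXi5-VM-000047 - ESXi5-246'; Key = 'tools.guestlib.enableHostInfo';                     Value = 'false' }
)

# Build one ConfigSpec and reuse it for every VM; the settings are identical.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Kept from the original script; no ToolsConfigInfo fields are populated here.
$spec.Tools = New-Object VMware.Vim.ToolsConfigInfo

$options = foreach ($setting in $StigSettings) {
    $option = New-Object VMware.Vim.OptionValue
    $option.Key   = $setting.Key
    $option.Value = $setting.Value
    $option
}
$spec.ExtraConfig = [VMware.Vim.OptionValue[]]$options

# NOTE(review): ReconfigVM writes these keys to the .vmx even for a running VM,
# but the isolation.* settings are read at power-on; plan a power cycle (not just
# a guest reboot) for running VMs before treating them as compliant — confirm
# against your ESXi build.
$failed = @()
foreach ($VM in $VMs) {
    if (-not $PSCmdlet.ShouldProcess($VM.Name, 'Apply ESXi5 VM STIG advanced settings')) {
        continue
    }
    try {
        $VM.ExtensionData.ReconfigVM($spec)
        Write-Verbose "Applied ESXi5 VM STIG settings to '$($VM.Name)'."
    }
    catch {
        # Keep going so one locked/unreachable VM does not abort the whole run;
        # report the failures together at the end.
        $failed += $VM.Name
        Write-Warning "Failed to reconfigure '$($VM.Name)': $_"
    }
}

if ($failed.Count -gt 0) {
    Write-Error ("STIG settings were NOT applied to {0} VM(s): {1}" -f $failed.Count, ($failed -join ', '))
}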