From d62bd73bf5cbd1750c8cee14d81a08df4b6ce224 Mon Sep 17 00:00:00 2001
From: haberstrohr
Date: Fri, 13 Oct 2017 16:48:18 -0500
Subject: [PATCH] Add recommendations to host tests.

---
 Vester/Tests/Host/Account-Lockout.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/Account-UnlockTime.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/BDPU-Filter.Vester.ps1 | 12 ++++++++----
 Vester/Tests/Host/DCUI-Access.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/DCUI-Timeout.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/Password-Policy.Vester.ps1 | 12 ++++++++----
 Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/SSH-Timeout.Vester.ps1 | 13 +++++++++----
 Vester/Tests/Host/Syslog-Server.Vester.ps1 | 5 +++++
 Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 | 12 ++++++++----
 10 files changed, 83 insertions(+), 36 deletions(-)

diff --git a/Vester/Tests/Host/Account-Lockout.Vester.ps1 b/Vester/Tests/Host/Account-Lockout.Vester.ps1
index 66c6d60..3e95f2e 100644
--- a/Vester/Tests/Host/Account-Lockout.Vester.ps1
+++ b/Vester/Tests/Host/Account-Lockout.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-lockout
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'Account Lock Failures'
@@ -7,6 +8,10 @@ $Title = 'Account Lock Failures'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = '0 (off) or maximum number of failed logon attempts before the account is locked out'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 3
+
 # The config entry stating the desired values
 $Desired = $cfg.host.accountlockfailures
 
@@ -17,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.AccountLockFailures'
- }).Value
+ $_.Name -eq 'Security.AccountLockFailures'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.AccountLockFailures'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'Security.AccountLockFailures'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/Account-UnlockTime.Vester.ps1 b/Vester/Tests/Host/Account-UnlockTime.Vester.ps1
index 47814ea..c6235ed 100644
--- a/Vester/Tests/Host/Account-UnlockTime.Vester.ps1
+++ b/Vester/Tests/Host/Account-UnlockTime.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-auto-unlock-time
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'Account Unlock Time'
@@ -7,6 +8,10 @@ $Title = 'Account Unlock Time'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = '0 (off) or number of seconds that an account is locked out'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 900
+
 # The config entry stating the desired values
 $Desired = $cfg.host.accountunlocktime
 
@@ -17,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.AccountUnlockTime'
- }).Value
+ $_.Name -eq 'Security.AccountUnlockTime'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.AccountUnlockTime'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'Security.AccountUnlockTime'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/BDPU-Filter.Vester.ps1 b/Vester/Tests/Host/BDPU-Filter.Vester.ps1
index 39c65ff..8c7747f 100644
--- a/Vester/Tests/Host/BDPU-Filter.Vester.ps1
+++ b/Vester/Tests/Host/BDPU-Filter.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Network BDPU Filter'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = '0 (disable) or 1 (enable) to control the BDPU filter on the ESXi host'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 1
+
 # The config entry stating the desired values
 $Desired = $cfg.host.networkbdpufilter
 
@@ -18,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Net.BlockGuestBPDU'
- }).Value
+ $_.Name -eq 'Net.BlockGuestBPDU'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Net.BlockGuestBPDU'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'Net.BlockGuestBPDU'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/DCUI-Access.Vester.ps1 b/Vester/Tests/Host/DCUI-Access.Vester.ps1
index f41d1f7..8b71575 100644
--- a/Vester/Tests/Host/DCUI-Access.Vester.ps1
+++ b/Vester/Tests/Host/DCUI-Access.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-access
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'DCUI Access'
@@ -7,6 +8,10 @@ $Title = 'DCUI Access'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = 'Comma separated list of users with DCUI access'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 'List of authorized users'
+
 # The config entry stating the desired values
 $Desired = $cfg.host.dcuiaccess
 
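Review bot: `$Recommendation = 'List of authorized users'` in the second DCUI-Access hunk (`@@ -7,6 +8,10 @@`) is descriptive prose, not a value of the setting, while the other files in this patch assign concrete numbers; the `'Site Specific'` recommendations in the Password-Policy and Syslog-Server hunks have the same shape. Every copy of the new comment says the value is "Called by Get-VesterTest", so if that function or a report ever shows `$Recommendation` next to `$Desired` (declared `string[]` here) or offers it as a default, the prose would be indistinguishable from a real value; Get-VesterTest is outside this diff, so that is a question to confirm rather than a certainty. Since an over-broad `DCUI.Access` list is exactly what the ESXi.set-dcui-access guideline targets, the placeholder would be more useful if it said what "authorized" means, e.g. the added line could carry `# No single value applies: limit to the administrator accounts that genuinely need console access` above the assignment, and the two `'Site Specific'` entries could carry a similar one-line comment.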
@@ -17,14 +22,14 @@ $Type = 'string[]'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'DCUI.Access'
- }).Value
+ $_.Name -eq 'DCUI.Access'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'DCUI.Access'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'DCUI.Access'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/DCUI-Timeout.Vester.ps1 b/Vester/Tests/Host/DCUI-Timeout.Vester.ps1
index aa5a721..97d9dab 100644
--- a/Vester/Tests/Host/DCUI-Timeout.Vester.ps1
+++ b/Vester/Tests/Host/DCUI-Timeout.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-timeout
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'DCUI Timeout'
@@ -7,6 +8,10 @@ $Title = 'DCUI Timeout'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = '0 (off) number of seconds before the DCUI timeout occurs'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 600
+
 # The config entry stating the desired values
 $Desired = $cfg.host.dcuitimeout
 
@@ -17,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.DcuiTimeOut'
- }).Value
+ $_.Name -eq 'UserVars.DcuiTimeOut'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.DcuiTimeOut'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'UserVars.DcuiTimeOut'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/Password-Policy.Vester.ps1 b/Vester/Tests/Host/Password-Policy.Vester.ps1
index cc4c423..c4dfc49 100644
--- a/Vester/Tests/Host/Password-Policy.Vester.ps1
+++ b/Vester/Tests/Host/Password-Policy.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Password Policy'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = 'pam_passwdqc Password Policy. Default = retry=3 min=disabled,disabled,disabled,7,7'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 'Site Specific'
+
 # The config entry stating the desired values
 $Desired = $cfg.host.passwordpolicy
 
@@ -18,14 +22,14 @@ $Type = 'string'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.PasswordQualityControl'
- }).Value
+ $_.Name -eq 'Security.PasswordQualityControl'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Security.PasswordQualityControl'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'Security.PasswordQualityControl'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 b/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1
index ce0bbb5..b2112d3 100644
--- a/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1
+++ b/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-interactive-timeout
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'SSH Interactive Timeout'
@@ -7,6 +8,10 @@ $Title = 'SSH Interactive Timeout'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = 'Maximum idle time permitted in an SSH session'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 900
+
 # The config entry stating the desired values
 $Desired = $cfg.host.sshinteractivetimeout
 
@@ -17,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
- }).Value
+ $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/SSH-Timeout.Vester.ps1 b/Vester/Tests/Host/SSH-Timeout.Vester.ps1
index 34fba2d..40cafe7 100644
--- a/Vester/Tests/Host/SSH-Timeout.Vester.ps1
+++ b/Vester/Tests/Host/SSH-Timeout.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-timeout
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'SSH Timeout'
@@ -7,6 +8,10 @@ $Title = 'SSH Timeout'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = 'After being enabled, SSH access disables again after this long'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 900
+
 # The config entry stating the desired values
 $Desired = $cfg.host.sshtimeout
 
@@ -17,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.ESXIShellTimeout'
- }).Value
+ $_.Name -eq 'UserVars.ESXIShellTimeout'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'UserVars.ESXIShellTimeout'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'UserVars.ESXIShellTimeout'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }
diff --git a/Vester/Tests/Host/Syslog-Server.Vester.ps1 b/Vester/Tests/Host/Syslog-Server.Vester.ps1
index 1edad63..19d66ae 100644
--- a/Vester/Tests/Host/Syslog-Server.Vester.ps1
+++ b/Vester/Tests/Host/Syslog-Server.Vester.ps1
@@ -1,5 +1,6 @@
 # Test file for the Vester module - https://github.com/WahlNetwork/Vester
 # Called via Invoke-Pester VesterTemplate.Tests.ps1
+# vSphere 6.0 Hardening Guide Guideline ID - ESXi.enable-remote-syslog
 
 # Test title, e.g. 'DNS Servers'
 $Title = 'Syslog Server'
@@ -7,6 +8,10 @@ $Title = 'Syslog Server'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = 'Syslog server(s) to send log data to'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 'Site Specific'
+
 # The config entry stating the desired values
 $Desired = $cfg.host.esxsyslog
 
diff --git a/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 b/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1
index ecb2ff7..ed232a4 100644
--- a/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1
+++ b/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Transparent Page Share Force Salting'
 # Test description: How New-VesterConfig explains this value to the user
 $Description = '0 (TPS enabled) 1 (TPS enabled for VMs with same salt) 2 (No inter-VM TPS)'
 
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 2
+
 # The config entry stating the desired values
 $Desired = $cfg.host.tpsforcesalting
 
@@ -18,14 +22,14 @@ $Type = 'int'
 # $Object will scope to the folder this test is in (Cluster, Host, etc.)
 [ScriptBlock]$Actual = {
 (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Mem.ShareForceSalting'
- }).Value
+ $_.Name -eq 'Mem.ShareForceSalting'
+ }).Value
 }
 
 # The command(s) to match the environment to the config
 # Use $Object to help filter, and $Desired to set the correct value
 [ScriptBlock]$Fix = {
 Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
- $_.Name -eq 'Mem.ShareForceSalting'
- } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
+ $_.Name -eq 'Mem.ShareForceSalting'
+ } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
 }