The other day I gave a talk, for the first time in a while, at Japan VMUG vExpert が語る会 #30 under the title "今だからこそ vSphere Security Configuration and Hardening Guide" ("the vSphere Security Configuration and Hardening Guide, now more than ever").
Slides
Recording
Coming soon…
In the talk I mentioned that the vSphere 8 Security Configuration and Hardening Guide now ships with PowerCLI scripts that audit an environment against it, but that I had no environment to try them in, so could somebody please test them. Since it is a good topic for a blog post, though, I'm going to try it myself before someone else beats me to it.
Audit target
vCenter is a freshly deployed default environment in which I created a datacenter and a cluster and registered a nested 8.0U2 host.
ESXi is default as well, except that, out of habit, I enabled SSH.
vSphere 8 SCG audit scripts
After extracting the vSphere 8 SCG zip file, the .ps1 scripts are lined up in the Tools directory.
Among them, let's run "audit-all.ps1", which by its name should audit vCenter, ESXi and VMs all at once.
Running it
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools> .\audit-all.ps1
cmdlet audit-all.ps1 at command pipeline position 1
Supply values for the following parameters:
Directory: result    # specify the directory where the results are saved
[INFO] VMware vSphere Security Configuration & Hardening Guide 802-20230930-01
[INFO] vSphere Security Settings Audit Utility
[INFO]
[ERROR] Please connect to a single vCenter Server (use Connect-VIServer, Connect-CisServer, and Connect-SsoAdminServer) prior to running this script. Thank you.
Hmm… apparently the connection has to be established beforehand.
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools> Connect-VIServer 192.168.100.104 -Force

Specify Credential
Please specify server credential
User: administrator@vsphere.local
Password for user administrator@vsphere.local: *************

Name                           Port  User
----                           ----  ----
192.168.100.104                443   VSPHERE.LOCAL\Administrato
Second attempt.
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools> .\audit-all.ps1
cmdlet audit-all.ps1 at command pipeline position 1
Supply values for the following parameters:
Directory: result
[INFO] VMware vSphere Security Configuration & Hardening Guide 802-20230930-01
[INFO] vSphere Security Settings Audit Utility
[INFO]
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO] Audit of vCLS-d50ef15f-7df6-4e94-8809-7afd00541836 started at 2023-10-30 20:04:39 from HAKUTAKA by mirie
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO]
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [ERROR] VM may be a vSphere appliance. Altering VMware virtual appliances is not supported.
192.168.100.45: [INFO] Audit of 192.168.100.45 started at 2023-10-30 20:04:39 from HAKUTAKA by mirie
192.168.100.45: [INFO]
192.168.100.45: [FAIL] Net.BMCNetworkEnable not configured correctly (1)
192.168.100.45: [PASS] UserVars.SuppressHyperthreadWarning configured correctly (0)
192.168.100.45: [PASS] UserVars.ESXiVPsDisabledProtocols configured correctly (sslv3,tlsv1,tlsv1.1)
192.168.100.45: [FAIL] Syslog.global.logLevel not configured correctly (error)
192.168.100.45: [PASS] Security.AccountLockFailures configured correctly (5)
192.168.100.45: [FAIL] VMkernel.Boot.execInstalledOnly not configured correctly (False)
192.168.100.45: [FAIL] UserVars.ESXiShellTimeOut not configured correctly (0)
192.168.100.45: [PASS] Net.BlockGuestBPDU configured correctly (1)
192.168.100.45: [PASS] Config.HostAgent.vmacore.soap.sessionTimeout configured correctly (30)
192.168.100.45: [PASS] Security.AccountUnlockTime configured correctly (900)
192.168.100.45: [FAIL] Security.PasswordQualityControl not configured correctly (retry=3 min=disabled,disabled,disabled,7,7)
192.168.100.45: [PASS] Security.PasswordHistory configured correctly (5)
192.168.100.45: [PASS] UserVars.SuppressShellWarning configured correctly (0)
192.168.100.45: [PASS] Syslog.global.certificate.checkSSLCerts configured correctly (True)
192.168.100.45: [FAIL] Syslog.global.auditRecord.remoteEnable not configured correctly (False)
192.168.100.45: [PASS] UserVars.DcuiTimeOut configured correctly (600)
192.168.100.45: [PASS] Config.HostAgent.plugins.solo.enableMob configured correctly (False)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageCapacity not configured correctly (4)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageEnable not configured correctly (False)
192.168.100.45: [PASS] Security.PasswordMaxDays configured correctly (99999)
192.168.100.45: [FAIL] Mem.MemEagerZero not configured correctly (0)
192.168.100.45: [FAIL] UserVars.ESXiShellInteractiveTimeOut not configured correctly (0)
192.168.100.45: [PASS] Mem.ShareForceSalting configured correctly (2)
192.168.100.45: [PASS] Syslog.global.logFiltersEnable configured correctly (False)
192.168.100.45: [PASS] UserVars.HostClientSessionTimeout configured correctly (900)
192.168.100.45: [FAIL] Syslog.global.certificate.strictX509Compliance not configured correctly (False)
192.168.100.45: [PASS] DCUI.Access configured correctly (root)
192.168.100.45: [PASS] Config.HostAgent.log.level configured correctly (info)
192.168.100.45: [PASS] Net.DVFilterBindIpAddress configured correctly ()
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageDirectory not configured correctly ([] /scratch/auditLog)
192.168.100.45: [FAIL] Syslog.global.logDir not configured correctly ([] /scratch/log)
192.168.100.45: [FAIL] Syslog.global.logHost not configured correctly ()
192.168.100.45: [FAIL] Annotations.WelcomeMessage not configured correctly ()
192.168.100.45: [FAIL] Config.Etc.Issue not configured correctly ()
192.168.100.45: [FAIL] DCUI user has shell access enabled (true)
192.168.100.45: [PASS] Entropy sources configured correctly (FALSE, 0)
192.168.100.45: [FAIL] Secure Boot enforcement is not enabled (false)
192.168.100.45: [FAIL] TPM configuration encryption is not enabled (NONE)
192.168.100.45: [PASS] Host Image Profile Acceptance Level is configured correctly (PartnerSupported)
192.168.100.45: [PASS] Active Directory integration is configured correctly ()
192.168.100.45: [PASS] SSH has FIPS mode enabled (true)
192.168.100.45: [PASS] SSH ciphers configured correctly (aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr)
192.168.100.45: [PASS] SSH gatewayports configured correctly (no)
192.168.100.45: [PASS] SSH hostbasedauthentication configured correctly (no)
192.168.100.45: [PASS] SSH clientalivecountmax configured correctly (3)
192.168.100.45: [PASS] SSH clientaliveinterval configured correctly (200)
192.168.100.45: [PASS] SSH banner configured correctly (/etc/issue)
192.168.100.45: [PASS] SSH ignorerhosts configured correctly (yes)
192.168.100.45: [PASS] SSH allowstreamlocalforwarding configured correctly (no)
192.168.100.45: [PASS] SSH allowtcpforwarding configured correctly (no)
192.168.100.45: [PASS] SSH permittunnel configured correctly (no)
192.168.100.45: [PASS] SSH permituserenvironment configured correctly (no)
192.168.100.45: [PASS] sfcbd-watchdog is not running (False)
192.168.100.45: [FAIL] sfcbd-watchdog is configured to start (on)
192.168.100.45: [FAIL] TSM is running (True)
192.168.100.45: [FAIL] TSM is configured to start (on)
192.168.100.45: [PASS] slpd is not running (False)
192.168.100.45: [PASS] slpd is not configured to start (off)
192.168.100.45: [PASS] snmpd is not running (False)
192.168.100.45: [FAIL] snmpd is configured to start (on)
192.168.100.45: [FAIL] TSM-SSH is running (True)
192.168.100.45: [FAIL] TSM-SSH is configured to start (on)
192.168.100.45: [FAIL] ntpd is running (False)
192.168.100.45: [FAIL] ntpd is configured to start (off)
192.168.100.45: [FAIL] NTP client not configured ()
192.168.100.45: [FAIL] Lockdown Mode exception users not configured correctly ()
192.168.100.45: [FAIL] Lockdown Mode is not configured correctly (lockdownDisabled)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'Management Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] VMkernel NIC 'vmk0' has only management configured (ManagementTrafficEnabled: True, VMotionEnabled: False, FaultToleranceLoggingEnabled: False, VsanTrafficEnabled: False, ProvisioningEnabled: False, VSphereReplicationEnabled: False, VSphereReplicationNFCEnabled: False, VSphereBackupNFCEnabled: False)
192.168.100.104: [INFO] Audit of 192.168.100.104 started at 2023-10-30 20:04:46 from HAKUTAKA by mirie
192.168.100.104: [INFO]
192.168.100.104: [PASS] config.log.level configured correctly (info)
192.168.100.104: [PASS] vpxd.event.syslog.enabled configured correctly (True)
192.168.100.104: [PASS] VirtualCenter.VimPasswordExpirationInDays configured correctly (30)
192.168.100.104: [PASS] etc.issue configured correctly ( VMware vCenter Server Appliance 8.0.2.00000 )
Get-SsoLockoutPolicy: D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools\audit-vcenter-8.ps1:127
Line |
 127 |     $value = Get-SsoLockoutPolicy
     |              ~~~~~~~~~~~~~~~~~~~~
     | The term 'Get-SsoLockoutPolicy' is not recognized as a name of a cmdlet, function, script file, or executable
     | program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
     | again.
192.168.100.104: [FAIL] SSO AutoUnlockIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO FailedAttemptIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO MaxFailedAttempts not configured correctly ()
Get-SsoPasswordPolicy: D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools\audit-vcenter-8.ps1:148
Line |
 148 |     $value = Get-SsoPasswordPolicy
     |              ~~~~~~~~~~~~~~~~~~~~~
     | The term 'Get-SsoPasswordPolicy' is not recognized as a name of a cmdlet, function, script file, or executable
     | program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
     | again.
192.168.100.104: [FAIL] SSO PasswordLifetimeDays not configured correctly ()
192.168.100.104: [FAIL] SSO ProhibitedPreviousPasswordsCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLength not configured correctly ()
192.168.100.104: [FAIL] SSO MaxLength not configured correctly ()
192.168.100.104: [FAIL] SSO MinNumericCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinSpecialCharCount not configured correctly ()
192.168.100.104: [FAIL] SSO MaxIdenticalAdjacentCharacters not configured correctly ()
192.168.100.104: [FAIL] SSO MinAlphabeticCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinUppercaseCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLowercaseCount not configured correctly ()
Hmm… looks like some cmdlets aren't available…?
Looking into it, there seems to be a module that isn't installed by default.
Install it from the PowerShell Gallery.
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools> Install-Module -Name VMware.vSphere.SsoAdmin

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
Third attempt
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools> .\audit-all.ps1
cmdlet audit-all.ps1 at command pipeline position 1
Supply values for the following parameters:
Directory: result
[INFO] VMware vSphere Security Configuration & Hardening Guide 802-20230930-01
[INFO] vSphere Security Settings Audit Utility
[INFO]
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO] Audit of vCLS-d50ef15f-7df6-4e94-8809-7afd00541836 started at 2023-10-30 20:11:36 from HAKUTAKA by mirie
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO]
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [ERROR] VM may be a vSphere appliance. Altering VMware virtual appliances is not supported.
192.168.100.45: [INFO] Audit of 192.168.100.45 started at 2023-10-30 20:11:36 from HAKUTAKA by mirie
192.168.100.45: [INFO]
192.168.100.45: [FAIL] Net.BMCNetworkEnable not configured correctly (1)
192.168.100.45: [PASS] UserVars.SuppressHyperthreadWarning configured correctly (0)
192.168.100.45: [PASS] UserVars.ESXiVPsDisabledProtocols configured correctly (sslv3,tlsv1,tlsv1.1)
192.168.100.45: [FAIL] Syslog.global.logLevel not configured correctly (error)
192.168.100.45: [PASS] Security.AccountLockFailures configured correctly (5)
192.168.100.45: [FAIL] VMkernel.Boot.execInstalledOnly not configured correctly (False)
192.168.100.45: [FAIL] UserVars.ESXiShellTimeOut not configured correctly (0)
192.168.100.45: [PASS] Net.BlockGuestBPDU configured correctly (1)
192.168.100.45: [PASS] Config.HostAgent.vmacore.soap.sessionTimeout configured correctly (30)
192.168.100.45: [PASS] Security.AccountUnlockTime configured correctly (900)
192.168.100.45: [FAIL] Security.PasswordQualityControl not configured correctly (retry=3 min=disabled,disabled,disabled,7,7)
192.168.100.45: [PASS] Security.PasswordHistory configured correctly (5)
192.168.100.45: [PASS] UserVars.SuppressShellWarning configured correctly (0)
192.168.100.45: [PASS] Syslog.global.certificate.checkSSLCerts configured correctly (True)
192.168.100.45: [FAIL] Syslog.global.auditRecord.remoteEnable not configured correctly (False)
192.168.100.45: [PASS] UserVars.DcuiTimeOut configured correctly (600)
192.168.100.45: [PASS] Config.HostAgent.plugins.solo.enableMob configured correctly (False)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageCapacity not configured correctly (4)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageEnable not configured correctly (False)
192.168.100.45: [PASS] Security.PasswordMaxDays configured correctly (99999)
192.168.100.45: [FAIL] Mem.MemEagerZero not configured correctly (0)
192.168.100.45: [FAIL] UserVars.ESXiShellInteractiveTimeOut not configured correctly (0)
192.168.100.45: [PASS] Mem.ShareForceSalting configured correctly (2)
192.168.100.45: [PASS] Syslog.global.logFiltersEnable configured correctly (False)
192.168.100.45: [PASS] UserVars.HostClientSessionTimeout configured correctly (900)
192.168.100.45: [FAIL] Syslog.global.certificate.strictX509Compliance not configured correctly (False)
192.168.100.45: [PASS] DCUI.Access configured correctly (root)
192.168.100.45: [PASS] Config.HostAgent.log.level configured correctly (info)
192.168.100.45: [PASS] Net.DVFilterBindIpAddress configured correctly ()
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageDirectory not configured correctly ([] /scratch/auditLog)
192.168.100.45: [FAIL] Syslog.global.logDir not configured correctly ([] /scratch/log)
192.168.100.45: [FAIL] Syslog.global.logHost not configured correctly ()
192.168.100.45: [FAIL] Annotations.WelcomeMessage not configured correctly ()
192.168.100.45: [FAIL] Config.Etc.Issue not configured correctly ()
192.168.100.45: [FAIL] DCUI user has shell access enabled (true)
192.168.100.45: [PASS] Entropy sources configured correctly (FALSE, 0)
192.168.100.45: [FAIL] Secure Boot enforcement is not enabled (false)
192.168.100.45: [FAIL] TPM configuration encryption is not enabled (NONE)
192.168.100.45: [PASS] Host Image Profile Acceptance Level is configured correctly (PartnerSupported)
192.168.100.45: [PASS] Active Directory integration is configured correctly ()
192.168.100.45: [PASS] SSH has FIPS mode enabled (true)
192.168.100.45: [PASS] SSH ciphers configured correctly (aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr)
192.168.100.45: [PASS] SSH gatewayports configured correctly (no)
192.168.100.45: [PASS] SSH hostbasedauthentication configured correctly (no)
192.168.100.45: [PASS] SSH clientalivecountmax configured correctly (3)
192.168.100.45: [PASS] SSH clientaliveinterval configured correctly (200)
192.168.100.45: [PASS] SSH banner configured correctly (/etc/issue)
192.168.100.45: [PASS] SSH ignorerhosts configured correctly (yes)
192.168.100.45: [PASS] SSH allowstreamlocalforwarding configured correctly (no)
192.168.100.45: [PASS] SSH allowtcpforwarding configured correctly (no)
192.168.100.45: [PASS] SSH permittunnel configured correctly (no)
192.168.100.45: [PASS] SSH permituserenvironment configured correctly (no)
192.168.100.45: [PASS] sfcbd-watchdog is not running (False)
192.168.100.45: [FAIL] sfcbd-watchdog is configured to start (on)
192.168.100.45: [FAIL] TSM is running (True)
192.168.100.45: [FAIL] TSM is configured to start (on)
192.168.100.45: [PASS] slpd is not running (False)
192.168.100.45: [PASS] slpd is not configured to start (off)
192.168.100.45: [PASS] snmpd is not running (False)
192.168.100.45: [FAIL] snmpd is configured to start (on)
192.168.100.45: [FAIL] TSM-SSH is running (True)
192.168.100.45: [FAIL] TSM-SSH is configured to start (on)
192.168.100.45: [FAIL] ntpd is running (False)
192.168.100.45: [FAIL] ntpd is configured to start (off)
192.168.100.45: [FAIL] NTP client not configured ()
192.168.100.45: [FAIL] Lockdown Mode exception users not configured correctly ()
192.168.100.45: [FAIL] Lockdown Mode is not configured correctly (lockdownDisabled)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'Management Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] VMkernel NIC 'vmk0' has only management configured (ManagementTrafficEnabled: True, VMotionEnabled: False, FaultToleranceLoggingEnabled: False, VsanTrafficEnabled: False, ProvisioningEnabled: False, VSphereReplicationEnabled: False, VSphereReplicationNFCEnabled: False, VSphereBackupNFCEnabled: False)
192.168.100.104: [INFO] Audit of 192.168.100.104 started at 2023-10-30 20:11:42 from HAKUTAKA by mirie
192.168.100.104: [INFO]
192.168.100.104: [PASS] config.log.level configured correctly (info)
192.168.100.104: [PASS] vpxd.event.syslog.enabled configured correctly (True)
192.168.100.104: [PASS] VirtualCenter.VimPasswordExpirationInDays configured correctly (30)
192.168.100.104: [PASS] etc.issue configured correctly ( VMware vCenter Server Appliance 8.0.2.00000 )
192.168.100.104: [FAIL] SSO AutoUnlockIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO FailedAttemptIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO MaxFailedAttempts not configured correctly ()
192.168.100.104: [FAIL] SSO PasswordLifetimeDays not configured correctly ()
192.168.100.104: [FAIL] SSO ProhibitedPreviousPasswordsCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLength not configured correctly ()
192.168.100.104: [FAIL] SSO MaxLength not configured correctly ()
192.168.100.104: [FAIL] SSO MinNumericCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinSpecialCharCount not configured correctly ()
192.168.100.104: [FAIL] SSO MaxIdenticalAdjacentCharacters not configured correctly ()
192.168.100.104: [FAIL] SSO MinAlphabeticCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinUppercaseCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLowercaseCount not configured correctly ()
PS D:\vmware-vsphere-security-configuration-guide-802-20231005-01\Tools>
Looks like the script itself ran to completion?
(During the talk I said something like "it doesn't work on vSphere 7", but maybe that was just the missing module?)
Looking at the results
A text file is written per vCenter / ESXi / VM, but it looks like it is just the console output from before, saved per inventory object…
192.168.100.104.txt
192.168.100.104: [INFO] Audit of 192.168.100.104 started at 2023-10-30 20:11:42 from HAKUTAKA by mirie
192.168.100.104: [INFO]
192.168.100.104: [PASS] config.log.level configured correctly (info)
192.168.100.104: [PASS] vpxd.event.syslog.enabled configured correctly (True)
192.168.100.104: [PASS] VirtualCenter.VimPasswordExpirationInDays configured correctly (30)
192.168.100.104: [PASS] etc.issue configured correctly ( VMware vCenter Server Appliance 8.0.2.00000 )
192.168.100.104: [FAIL] SSO AutoUnlockIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO FailedAttemptIntervalSec not configured correctly ()
192.168.100.104: [FAIL] SSO MaxFailedAttempts not configured correctly ()
192.168.100.104: [FAIL] SSO PasswordLifetimeDays not configured correctly ()
192.168.100.104: [FAIL] SSO ProhibitedPreviousPasswordsCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLength not configured correctly ()
192.168.100.104: [FAIL] SSO MaxLength not configured correctly ()
192.168.100.104: [FAIL] SSO MinNumericCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinSpecialCharCount not configured correctly ()
192.168.100.104: [FAIL] SSO MaxIdenticalAdjacentCharacters not configured correctly ()
192.168.100.104: [FAIL] SSO MinAlphabeticCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinUppercaseCount not configured correctly ()
192.168.100.104: [FAIL] SSO MinLowercaseCount not configured correctly ()
192.168.100.45.txt
192.168.100.45: [INFO] Audit of 192.168.100.45 started at 2023-10-30 20:11:36 from HAKUTAKA by mirie
192.168.100.45: [INFO]
192.168.100.45: [FAIL] Net.BMCNetworkEnable not configured correctly (1)
192.168.100.45: [PASS] UserVars.SuppressHyperthreadWarning configured correctly (0)
192.168.100.45: [PASS] UserVars.ESXiVPsDisabledProtocols configured correctly (sslv3,tlsv1,tlsv1.1)
192.168.100.45: [FAIL] Syslog.global.logLevel not configured correctly (error)
192.168.100.45: [PASS] Security.AccountLockFailures configured correctly (5)
192.168.100.45: [FAIL] VMkernel.Boot.execInstalledOnly not configured correctly (False)
192.168.100.45: [FAIL] UserVars.ESXiShellTimeOut not configured correctly (0)
192.168.100.45: [PASS] Net.BlockGuestBPDU configured correctly (1)
192.168.100.45: [PASS] Config.HostAgent.vmacore.soap.sessionTimeout configured correctly (30)
192.168.100.45: [PASS] Security.AccountUnlockTime configured correctly (900)
192.168.100.45: [FAIL] Security.PasswordQualityControl not configured correctly (retry=3 min=disabled,disabled,disabled,7,7)
192.168.100.45: [PASS] Security.PasswordHistory configured correctly (5)
192.168.100.45: [PASS] UserVars.SuppressShellWarning configured correctly (0)
192.168.100.45: [PASS] Syslog.global.certificate.checkSSLCerts configured correctly (True)
192.168.100.45: [FAIL] Syslog.global.auditRecord.remoteEnable not configured correctly (False)
192.168.100.45: [PASS] UserVars.DcuiTimeOut configured correctly (600)
192.168.100.45: [PASS] Config.HostAgent.plugins.solo.enableMob configured correctly (False)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageCapacity not configured correctly (4)
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageEnable not configured correctly (False)
192.168.100.45: [PASS] Security.PasswordMaxDays configured correctly (99999)
192.168.100.45: [FAIL] Mem.MemEagerZero not configured correctly (0)
192.168.100.45: [FAIL] UserVars.ESXiShellInteractiveTimeOut not configured correctly (0)
192.168.100.45: [PASS] Mem.ShareForceSalting configured correctly (2)
192.168.100.45: [PASS] Syslog.global.logFiltersEnable configured correctly (False)
192.168.100.45: [PASS] UserVars.HostClientSessionTimeout configured correctly (900)
192.168.100.45: [FAIL] Syslog.global.certificate.strictX509Compliance not configured correctly (False)
192.168.100.45: [PASS] DCUI.Access configured correctly (root)
192.168.100.45: [PASS] Config.HostAgent.log.level configured correctly (info)
192.168.100.45: [PASS] Net.DVFilterBindIpAddress configured correctly ()
192.168.100.45: [FAIL] Syslog.global.auditRecord.storageDirectory not configured correctly ([] /scratch/auditLog)
192.168.100.45: [FAIL] Syslog.global.logDir not configured correctly ([] /scratch/log)
192.168.100.45: [FAIL] Syslog.global.logHost not configured correctly ()
192.168.100.45: [FAIL] Annotations.WelcomeMessage not configured correctly ()
192.168.100.45: [FAIL] Config.Etc.Issue not configured correctly ()
192.168.100.45: [FAIL] DCUI user has shell access enabled (true)
192.168.100.45: [PASS] Entropy sources configured correctly (FALSE, 0)
192.168.100.45: [FAIL] Secure Boot enforcement is not enabled (false)
192.168.100.45: [FAIL] TPM configuration encryption is not enabled (NONE)
192.168.100.45: [PASS] Host Image Profile Acceptance Level is configured correctly (PartnerSupported)
192.168.100.45: [PASS] Active Directory integration is configured correctly ()
192.168.100.45: [PASS] SSH has FIPS mode enabled (true)
192.168.100.45: [PASS] SSH ciphers configured correctly (aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr)
192.168.100.45: [PASS] SSH gatewayports configured correctly (no)
192.168.100.45: [PASS] SSH hostbasedauthentication configured correctly (no)
192.168.100.45: [PASS] SSH clientalivecountmax configured correctly (3)
192.168.100.45: [PASS] SSH clientaliveinterval configured correctly (200)
192.168.100.45: [PASS] SSH banner configured correctly (/etc/issue)
192.168.100.45: [PASS] SSH ignorerhosts configured correctly (yes)
192.168.100.45: [PASS] SSH allowstreamlocalforwarding configured correctly (no)
192.168.100.45: [PASS] SSH allowtcpforwarding configured correctly (no)
192.168.100.45: [PASS] SSH permittunnel configured correctly (no)
192.168.100.45: [PASS] SSH permituserenvironment configured correctly (no)
192.168.100.45: [PASS] sfcbd-watchdog is not running (False)
192.168.100.45: [FAIL] sfcbd-watchdog is configured to start (on)
192.168.100.45: [FAIL] TSM is running (True)
192.168.100.45: [FAIL] TSM is configured to start (on)
192.168.100.45: [PASS] slpd is not running (False)
192.168.100.45: [PASS] slpd is not configured to start (off)
192.168.100.45: [PASS] snmpd is not running (False)
192.168.100.45: [FAIL] snmpd is configured to start (on)
192.168.100.45: [FAIL] TSM-SSH is running (True)
192.168.100.45: [FAIL] TSM-SSH is configured to start (on)
192.168.100.45: [FAIL] ntpd is running (False)
192.168.100.45: [FAIL] ntpd is configured to start (off)
192.168.100.45: [FAIL] NTP client not configured ()
192.168.100.45: [FAIL] Lockdown Mode exception users not configured correctly ()
192.168.100.45: [FAIL] Lockdown Mode is not configured correctly (lockdownDisabled)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard switch 'vSwitch0' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'Management Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'Management Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow promiscuous mode (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow MAC address changes (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow forged transmits (False)
192.168.100.45: [PASS] Standard portgroup 'VM Network' is not configured to allow VLAN 4095 (0)
192.168.100.45: [PASS] Standard portgroup 'VM Network' does not appear to be configured to use a default VLAN (0)
192.168.100.45: [PASS] VMkernel NIC 'vmk0' has only management configured (ManagementTrafficEnabled: True, VMotionEnabled: False, FaultToleranceLoggingEnabled: False, VsanTrafficEnabled: False, ProvisioningEnabled: False, VSphereReplicationEnabled: False, VSphereReplicationNFCEnabled: False, VSphereBackupNFCEnabled: False)
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836.txt
Appliances seem to be out of scope… (this one is vCLS)
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO] Audit of vCLS-d50ef15f-7df6-4e94-8809-7afd00541836 started at 2023-10-30 20:11:36 from HAKUTAKA by mirie
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [INFO]
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [ERROR] VM may be a vSphere appliance. Altering VMware virtual appliances is not supported.
I haven't looked at it in detail, but at a glance it prints a PASS/FAIL result for each check item.
The trouble is that there is nothing tying the results back to the SCG Excel sheet, so it's hard to tell whether coverage is complete or which items were actually checked…
At any rate the checks themselves look workable; making the output readable will take some work on your own side.
I hope this gets improved going forward.
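As an added example (not part of the original post or of the SCG tooling), here is a small Python post-processor for the per-object text files that audit-all.ps1 writes: it parses each "<target>: [STATUS] message (value)" line, rolls up PASS/FAIL/ERROR counts per target, collects the FAIL and ERROR items with their observed values, and emits a flat CSV that can be laid next to the SCG spreadsheet by hand. The line shapes and sample lines are taken from the output above; the result-directory layout (one *.txt per inventory object) is assumed from what the post shows.

```python
"""Stand-alone post-processor for the per-object text files audit-all.ps1 writes.
Each line has the shape  <target>: [STATUS] <message> (<observed value>)
with STATUS one of INFO, PASS, FAIL or ERROR. Not part of the SCG tooling.
"""
import csv
import io
import re
import sys
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import Path

LINE_RE = re.compile(r"^(?P<target>\S+): \[(?P<status>INFO|PASS|FAIL|ERROR)\] ?(?P<rest>.*)$")
# Trailing "(value)" is what the script observed; it may be empty or contain spaces and commas.
VALUE_RE = re.compile(r"^(?P<message>.*?) ?\((?P<value>.*)\)$")
# "<setting> configured correctly" / "<setting> [is] not configured correctly" -> setting name.
SETTING_RE = re.compile(r"^(?P<setting>.+?)(?: is)? (?:not )?configured correctly$")


@dataclass(frozen=True)
class Finding:
    target: str  # ESXi host, vCenter or VM name as printed by the script
    status: str  # PASS, FAIL or ERROR
    check: str   # advanced-setting name, or the full check text for service/state checks
    value: str   # observed value, "" when the script printed "()"


def parse_line(line):
    """Return a Finding for a PASS/FAIL/ERROR line; None for INFO, blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m or m["status"] == "INFO":
        return None
    rest, value = m["rest"].strip(), ""
    v = VALUE_RE.match(rest)
    if v:
        rest, value = v["message"], v["value"].strip()
    s = SETTING_RE.match(rest)
    return Finding(m["target"], m["status"], s["setting"] if s else rest, value)


def parse_lines(lines):
    """Parse raw lines, dropping everything that is not a finding."""
    return [f for f in map(parse_line, lines) if f is not None]


def load_results(directory):
    """Read every *.txt file in the directory given to audit-all.ps1 (assumed: one file per object)."""
    lines = []
    for path in sorted(Path(directory).glob("*.txt")):
        lines.extend(path.read_text(encoding="utf-8", errors="replace").splitlines())
    return parse_lines(lines)


def summarise(findings):
    """Per target: status counts plus the FAIL/ERROR findings that need a decision."""
    report = defaultdict(lambda: {"counts": Counter(), "fails": [], "errors": []})
    for f in findings:
        report[f.target]["counts"][f.status] += 1
        if f.status == "FAIL":
            report[f.target]["fails"].append(f)
        elif f.status == "ERROR":
            report[f.target]["errors"].append(f)
    return dict(report)


def to_csv(findings):
    """Flat CSV (target,status,check,value) to paste next to the SCG spreadsheet for manual mapping."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["target", "status", "check", "value"])
    w.writerows([f.target, f.status, f.check, f.value] for f in findings)
    return buf.getvalue()


# Constructed sample: lines copied from the run above, one of every shape the script prints.
SAMPLE = """\
192.168.100.45: [INFO] Audit of 192.168.100.45 started at 2023-10-30 20:11:36 from HAKUTAKA by mirie
192.168.100.45: [INFO]
192.168.100.45: [FAIL] Net.BMCNetworkEnable not configured correctly (1)
192.168.100.45: [PASS] Security.AccountLockFailures configured correctly (5)
192.168.100.45: [FAIL] Security.PasswordQualityControl not configured correctly (retry=3 min=disabled,disabled,disabled,7,7)
192.168.100.45: [FAIL] TSM-SSH is running (True)
192.168.100.45: [FAIL] Lockdown Mode is not configured correctly (lockdownDisabled)
192.168.100.104: [PASS] etc.issue configured correctly ( VMware vCenter Server Appliance 8.0.2.00000 )
192.168.100.104: [FAIL] SSO MaxFailedAttempts not configured correctly ()
vCLS-d50ef15f-7df6-4e94-8809-7afd00541836: [ERROR] VM may be a vSphere appliance. Altering VMware virtual appliances is not supported.
"""

if __name__ == "__main__":
    # Usage: python scg_summary.py <result directory>; without an argument the embedded sample is used.
    found = load_results(sys.argv[1]) if len(sys.argv) > 1 else parse_lines(SAMPLE.splitlines())
    for target, entry in summarise(found).items():
        print(f"{target}: {dict(entry['counts'])}, FAIL: {[f.check for f in entry['fails']]}")
    sys.stdout.write(to_csv(found))
```

The FAIL list per target is the remediation to-do list; the CSV's check column carries the advanced-setting name where the script printed one, so it can be matched against the guide's setting IDs.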