Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Search for | Example | Results |
---|---|---|
A single word | cat | Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
A phrase. You can specify that the search results contain a specific phrase. | "cat food" (quotation marks) | Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Search for | Operator | Example |
---|---|---|
Two or more words in the same topic | | |
Either word in a topic | | |
Topics that do not contain a specific word or phrase | | |
Topics that contain one string and do not contain another | ^ (caret) | cat ^ mouse |
A combination of search types | ( ) parentheses | |
ESXi prerequisites
Make sure you have performed the following prerequisites before you use audit features with ESXi servers.
VMware ESXi hardening guides
The basis for the SA ESXi compliance check library is the set of VMware ESXi Hardening Guides, located at: http://www.vmware.com/security/hardening-guides. These guides explain how to deploy and operate VMware products securely. They also include script examples for enabling security automation.
Managing the vCenter
All vSphere ESXi servers are managed through a Windows-based vCenter Server. ESXi servers do not have their own SA agents. The vCenter Server must have an SA agent installed. The vCenter Server must also be integrated with SA Virtualization. To check if your vCenter Server is integrated, make sure it is visible in the server window when you select the Virtualization tab in the SA Client. For more information on virtualization integration, see "Virtualization management" in the SA 10.51
Downloading the PowerCLI installer
The PowerCLI Installer is available at the VMware Download site. Download the version that matches your vCenter Server.
Installing or upgrading your PowerShell version
PowerCLI requires PowerShell 2.0 and above to run. If you do not have PowerShell installed, first install PowerShell 1.0, then upgrade to PowerShell 2.0 or higher.
To install PowerShell 1.0 on a vCenter server computer:
- In a vCenter Server Computer, launch the Server Manager component.
- Select Add Feature.
- In the Select Features panel, select Windows PowerShell 1.0.
- Click Install.
To upgrade PowerShell 1.0 to PowerShell 2.0 or higher:
- Use the following command to verify the installed PowerShell version:
  PS > $PSVersionTable.PSVersion
  The version number is in the Major column of the screen display.
- Use Windows Update Manager to download and install PowerShell 2.0. Once you download it, the PowerShell 2.0 Installer can be seen in the Windows Update application.
- To check if it is installed, click Install Updates.
Downloading and installing the Windows Management Framework
To use PowerShell 3.0, you can use Windows Management Framework (WMF) 2.0, 3.0, or higher to download the PowerShell 3.0 Installer package.
To download and install Windows Management Framework:
- Uninstall pre-release versions of WMF 3.0, if any.
- Close all PowerShell windows.
- Download the correct WMF 3.0 package for your operating system and architecture from the Microsoft Download site.
Setting up the PowerShell execution policy
PowerShell scripts can only run if the PowerShell Execution Policy is set in accordance with your company security policy (either RemoteSigned or Unrestricted).
To set the PowerShell execution policy:
- As Windows administrator, log in to the vCenter Server.
- Open the PowerShell console.
- Run the Set-ExecutionPolicy command. For example, to set the policy to Unrestricted, use the following command:
  PS > Set-ExecutionPolicy Unrestricted
Setting up the configuration value for InvalidCertificateAction
By default, the InvalidCertificateAction configuration item value is set to Warn. If the certificates are invalid, a message will be written to the script output, which will cause some compliance code to fail. To address this, fix the certificate issue in accordance with your company's security policy or set the configuration to ignore the invalid certificate.
If you choose to ignore the certificate, execute the following command from each vCenter:
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope AllUsers
For more information, see VMware documentation.
Setting up the configuration value for WebOperationTimeout
By default, the WebOperationTimeout configuration item value is set to 300 (seconds). Some PowerCLI commands may take longer than this to run, depending on the network and server load. The recommendation is to set this value to -1 (infinite). If that value is not feasible, test and adjust as needed.
Set-PowerCLIConfiguration -WebOperationTimeout -1 -Scope AllUsers
For more information on this configuration item, see VMware documentation.
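The following script is an added example, not part of the SA documentation or of the PowerCLI product. It checks the three prerequisites just described (PowerShell version, execution policy, and the two PowerCLI configuration values) on a vCenter Server host, reports what is out of line, and applies the documented settings only when run with -Apply. It assumes that PowerCLI is installed as the VMware.VimAutomation.Core snap-in and that the object returned by Get-PowerCLIConfiguration exposes InvalidCertificateAction and WebOperationTimeoutSeconds properties; both are assumptions and may differ between PowerCLI versions.

```powershell
# Added example (not SA or PowerCLI code): report and optionally apply the PowerCLI
# prerequisites on a vCenter Server host. Assumptions: snap-in name
# VMware.VimAutomation.Core; configuration properties InvalidCertificateAction and
# WebOperationTimeoutSeconds.
param([switch]$Apply)

$findings = @()

# PowerShell 2.0 or higher is required; $PSVersionTable does not exist on 1.0.
$major = 0
if ($PSVersionTable) { $major = $PSVersionTable.PSVersion.Major }
if ($major -lt 2) {
    $findings += "PowerShell 2.0 or higher is required; found major version $major"
}

# Execution policy: RemoteSigned lets local scripts run but still requires a signature
# on scripts that came from the Internet; Unrestricted drops that check entirely, so
# prefer RemoteSigned where the company security policy allows it.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if (@('RemoteSigned', 'Unrestricted') -notcontains $policy) {
    $findings += "Execution policy is $policy; the audit scripts need RemoteSigned or Unrestricted"
    if ($Apply) { Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force }
}

# Load PowerCLI the same way the audit scripts do (Add-PSSnapin).
if (-not (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction Stop
}

$cfg = Get-PowerCLIConfiguration -Scope AllUsers

# InvalidCertificateAction: Warn writes a message into the script output, which breaks
# compliance checks. Ignore removes the message but also stops PowerCLI from rejecting
# an untrusted vCenter certificate, so replacing the certificate is the better fix.
if ($cfg.InvalidCertificateAction -ne 'Ignore') {
    $findings += "InvalidCertificateAction is $($cfg.InvalidCertificateAction); fix the vCenter certificate or set the action to Ignore"
    if ($Apply) {
        Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope AllUsers -Confirm:$false | Out-Null
    }
}

# WebOperationTimeout: the documented recommendation is -1 (no timeout).
if ($cfg.WebOperationTimeoutSeconds -ne -1) {
    $findings += "WebOperationTimeout is $($cfg.WebOperationTimeoutSeconds) seconds; recommendation is -1"
    if ($Apply) {
        Set-PowerCLIConfiguration -WebOperationTimeout -1 -Scope AllUsers -Confirm:$false | Out-Null
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All PowerCLI prerequisites are in place."
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Run it once without -Apply to see the findings, then with -Apply from an elevated PowerShell console on each vCenter Server. The script chooses RemoteSigned rather than Unrestricted when it has to change the execution policy, because both satisfy the requirement stated above and RemoteSigned keeps the signature check for scripts downloaded from the Internet.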
Running the XML Serializers script
Another preparatory step to run audits on ESXi servers is to execute the XML Serializers script.
To execute the script:
- Log in to the SA Client.
- In the Library tab, choose to select By Type.
- Expand the Scripts node.
- Select Windows.
- From the list of Windows scripts, select the install-powercli-xmlserializers.ps1 script.
- Right-click the script and choose Run with PowerShell.
- In the Run Server Script window, select all vCenter servers (or add the servers, then select them).
- Click Start Job to execute the script on all vCenter servers.
Note To back out the change (that is, to reverse the changes that occurred when you ran the script), run the uninstall-powercli-xmlserializers.ps1 script.
Disabling the check for CertificateRevocation
Each ESXi check (script) runs in its own PowerShell process. We enable PowerCLI by using the Add-PSSnapin command in the scripts. There is a delay, however, of 7 to 9 seconds every time the process is launched, because PowerShell tries to download the Certificate Revocation List from the Internet and verify the digital signatures. To avoid this delay, change the following two registry entries to the indicated values.
Registry Keys | Values |
---|---|
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation | dword:00000001 |
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State | dword:00023c00 |
Note The keys or the path to this registry might change in future versions of Windows.
Tip After setting this up on one vCenter, use SA to take a snapshot (Snapshot Specification), then audit and remediate the change to other vCenters.
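The following script is an added example, not part of the SA documentation. It reads the two registry values listed above, writes the documented values, and saves the previous values to an XML file so the change can be rolled back before it is snapshotted and pushed to other vCenters. Note that both values live in the HKEY_USERS\.DEFAULT hive, which is the profile used by LocalSystem services such as the SA Agent rather than by interactive users, and that the WinTrust State value is the setting behind the "Check for publisher's certificate revocation" option: with it cleared, a revoked code-signing certificate still verifies for those processes. The backup file path is an assumption.

```powershell
# Added example (not SA code): apply the two registry values from the table above,
# keeping a backup of the previous values for rollback. Assumption: the backup path
# $env:ProgramData\esxi-audit-registry-backup.xml is free to use.

# HKEY_USERS has no default PowerShell drive; create one if it is missing.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The documented keys and DWORD values, unchanged from the table.
$settings = @(
    @{ Path  = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name  = 'CertificateRevocation'
       Value = 0x00000001 },
    @{ Path  = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
       Name  = 'State'
       Value = 0x00023c00 }
)

$backup = @()
foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }

    # Read the current value (may be $null if the value does not exist yet).
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $backup += New-Object PSObject -Property @{ Path = $s.Path; Name = $s.Name; Value = $current }

    if ($current -eq $s.Value) {
        Write-Host ("{0}\{1}: already 0x{2:x8}" -f $s.Path, $s.Name, $s.Value)
    } else {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        Write-Host ("{0}\{1}: {2} -> 0x{3:x8}" -f $s.Path, $s.Name, $current, $s.Value)
    }
}

# Persist the previous values so the change can be reversed with Set-ItemProperty.
$backupPath = Join-Path $env:ProgramData 'esxi-audit-registry-backup.xml'
$backup | Export-Clixml -Path $backupPath
Write-Host "Previous values saved to $backupPath"
```

Run it from an elevated PowerShell console on the first vCenter, then take the SA snapshot described in the tip above. To roll back, import the backup with Import-Clixml and write each saved Value back with Set-ItemProperty (or remove the value with Remove-ItemProperty where the saved Value is $null).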
When users run commands against ESXi servers in the SA Client, the client searches the ESXi server device records and routes an appropriate command to the SA Agent on the vCenter that manages that ESXi server. The SA Agent routes the command to the PowerCLI plugin in PowerShell. The PowerCLI plugin then executes the command on the ESXi server.