From d62bd73bf5cbd1750c8cee14d81a08df4b6ce224 Mon Sep 17 00:00:00 2001 From: haberstrohr Date: Fri, 13 Oct 2017 16:48:18 -0500 Subject: [PATCH 1/2] Add recommendations to host tests. --- Vester/Tests/Host/Account-Lockout.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/Account-UnlockTime.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/BDPU-Filter.Vester.ps1 | 12 ++++++++---- Vester/Tests/Host/DCUI-Access.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/DCUI-Timeout.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/Password-Policy.Vester.ps1 | 12 ++++++++---- Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/SSH-Timeout.Vester.ps1 | 13 +++++++++---- Vester/Tests/Host/Syslog-Server.Vester.ps1 | 5 +++++ Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 | 12 ++++++++---- 10 files changed, 83 insertions(+), 36 deletions(-) diff --git a/Vester/Tests/Host/Account-Lockout.Vester.ps1 b/Vester/Tests/Host/Account-Lockout.Vester.ps1 index 66c6d60..3e95f2e 100644 --- a/Vester/Tests/Host/Account-Lockout.Vester.ps1 +++ b/Vester/Tests/Host/Account-Lockout.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-lockout # Test title, e.g. 'DNS Servers' $Title = 'Account Lock Failures' @@ -7,6 +8,10 @@ $Title = 'Account Lock Failures' # Test description: How New-VesterConfig explains this value to the user $Description = '0 (off) or maximum number of failed logon attempts before the account is locked out' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 3 + # The config entry stating the desired values $Desired = $cfg.host.accountlockfailures 
@@ -17,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.AccountLockFailures' - }).Value + $_.Name -eq 'Security.AccountLockFailures' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.AccountLockFailures' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'Security.AccountLockFailures' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/Account-UnlockTime.Vester.ps1 b/Vester/Tests/Host/Account-UnlockTime.Vester.ps1 index 47814ea..c6235ed 100644 --- a/Vester/Tests/Host/Account-UnlockTime.Vester.ps1 +++ b/Vester/Tests/Host/Account-UnlockTime.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-auto-unlock-time # Test title, e.g. 'DNS Servers' $Title = 'Account Unlock Time' @@ -7,6 +8,10 @@ $Title = 'Account Unlock Time' # Test description: How New-VesterConfig explains this value to the user $Description = '0 (off) or number of seconds that an account is locked out' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 900 + # The config entry stating the desired values $Desired = $cfg.host.accountunlocktime 
@@ -17,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.AccountUnlockTime' - }).Value + $_.Name -eq 'Security.AccountUnlockTime' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.AccountUnlockTime' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'Security.AccountUnlockTime' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/BDPU-Filter.Vester.ps1 b/Vester/Tests/Host/BDPU-Filter.Vester.ps1 index 39c65ff..8c7747f 100644 --- a/Vester/Tests/Host/BDPU-Filter.Vester.ps1 +++ b/Vester/Tests/Host/BDPU-Filter.Vester.ps1 @@ -8,6 +8,10 @@ $Title = 'Network BDPU Filter' # Test description: How New-VesterConfig explains this value to the user $Description = '0 (disable) or 1 (enable) to control the BDPU filter on the ESXi host' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 1 + # The config entry stating the desired values $Desired = $cfg.host.networkbdpufilter 
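Review bot: No source is cited for `$Recommendation = 1` in BDPU-Filter.Vester.ps1. The other host tests in this patch gain a `# vSphere 6.0 Hardening Guide Guideline ID - ...` header line, so here a reader cannot tell whether the value comes from the hardening guide or is simply the product default. The Password-Policy and TPS-ForceSalting hunks have the same gap. I would add a header comment to each, for example `# Recommendation source: <guideline ID or KB number>`, or say outright that the value is the default.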
@@ -18,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Net.BlockGuestBPDU' - }).Value + $_.Name -eq 'Net.BlockGuestBPDU' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Net.BlockGuestBPDU' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'Net.BlockGuestBPDU' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/DCUI-Access.Vester.ps1 b/Vester/Tests/Host/DCUI-Access.Vester.ps1 index f41d1f7..8b71575 100644 --- a/Vester/Tests/Host/DCUI-Access.Vester.ps1 +++ b/Vester/Tests/Host/DCUI-Access.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-access # Test title, e.g. 'DNS Servers' $Title = 'DCUI Access' @@ -7,6 +8,10 @@ $Title = 'DCUI Access' # Test description: How New-VesterConfig explains this value to the user $Description = 'Comma separated list of users with DCUI access' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 'List of authorized users' + # The config entry stating the desired values $Desired = $cfg.host.dcuiaccess 
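Review bot: `$Recommendation = 'List of authorized users'` in DCUI-Access.Vester.ps1 is prose rather than a value, while the test declares `$Type = 'string[]'` and the other recommendations in this patch are literal settings (`3`, `900`, `600`). A consumer of `$Recommendation` cannot tell a usable value from a placeholder. If it were ever copied into a config, the `$Fix` block would write that text into `DCUI.Access`; how Get-VesterTest uses the field is not visible here, so this is a caution rather than a confirmed bug. The `'Site Specific'` strings in Password-Policy and Syslog-Server have the same shape. A comment above each, such as `# Informational text only, not a value to apply`, would make the intent explicit.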
@@ -17,14 +22,14 @@ $Type = 'string[]' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'DCUI.Access' - }).Value + $_.Name -eq 'DCUI.Access' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'DCUI.Access' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'DCUI.Access' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/DCUI-Timeout.Vester.ps1 b/Vester/Tests/Host/DCUI-Timeout.Vester.ps1 index aa5a721..97d9dab 100644 --- a/Vester/Tests/Host/DCUI-Timeout.Vester.ps1 +++ b/Vester/Tests/Host/DCUI-Timeout.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-timeout # Test title, e.g. 'DNS Servers' $Title = 'DCUI Timeout' @@ -7,6 +8,10 @@ $Title = 'DCUI Timeout' # Test description: How New-VesterConfig explains this value to the user $Description = '0 (off) number of seconds before the DCUI timeout occurs' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 600 + # The config entry stating the desired values $Desired = $cfg.host.dcuitimeout 
@@ -17,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.DcuiTimeOut' - }).Value + $_.Name -eq 'UserVars.DcuiTimeOut' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.DcuiTimeOut' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'UserVars.DcuiTimeOut' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/Password-Policy.Vester.ps1 b/Vester/Tests/Host/Password-Policy.Vester.ps1 index cc4c423..c4dfc49 100644 --- a/Vester/Tests/Host/Password-Policy.Vester.ps1 +++ b/Vester/Tests/Host/Password-Policy.Vester.ps1 @@ -8,6 +8,10 @@ $Title = 'Password Policy' # Test description: How New-VesterConfig explains this value to the user $Description = 'pam_passwdqc Password Policy. Default = retry=3 min=disabled,disabled,disabled,7,7' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 'Site Specific' + # The config entry stating the desired values $Desired = $cfg.host.passwordpolicy 
@@ -18,14 +22,14 @@ $Type = 'string' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.PasswordQualityControl' - }).Value + $_.Name -eq 'Security.PasswordQualityControl' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Security.PasswordQualityControl' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'Security.PasswordQualityControl' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 b/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 index ce0bbb5..b2112d3 100644 --- a/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 +++ b/Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-interactive-timeout # Test title, e.g. 'DNS Servers' $Title = 'SSH Interactive Timeout' @@ -7,6 +8,10 @@ $Title = 'SSH Interactive Timeout' # Test description: How New-VesterConfig explains this value to the user $Description = 'Maximum idle time permitted in an SSH session' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 900 + # The config entry stating the desired values $Desired = $cfg.host.sshinteractivetimeout 
@@ -17,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout' - }).Value + $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'UserVars.ESXIShellInteractiveTimeout' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/SSH-Timeout.Vester.ps1 b/Vester/Tests/Host/SSH-Timeout.Vester.ps1 index 34fba2d..40cafe7 100644 --- a/Vester/Tests/Host/SSH-Timeout.Vester.ps1 +++ b/Vester/Tests/Host/SSH-Timeout.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-timeout # Test title, e.g. 'DNS Servers' $Title = 'SSH Timeout' @@ -7,6 +8,10 @@ $Title = 'SSH Timeout' # Test description: How New-VesterConfig explains this value to the user $Description = 'After being enabled, SSH access disables again after this long' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 900 + # The config entry stating the desired values $Desired = $cfg.host.sshtimeout 
@@ -17,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.ESXIShellTimeout' - }).Value + $_.Name -eq 'UserVars.ESXIShellTimeout' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'UserVars.ESXIShellTimeout' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'UserVars.ESXIShellTimeout' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } diff --git a/Vester/Tests/Host/Syslog-Server.Vester.ps1 b/Vester/Tests/Host/Syslog-Server.Vester.ps1 index 1edad63..19d66ae 100644 --- a/Vester/Tests/Host/Syslog-Server.Vester.ps1 +++ b/Vester/Tests/Host/Syslog-Server.Vester.ps1 @@ -1,5 +1,6 @@ # Test file for the Vester module - https://github.com/WahlNetwork/Vester # Called via Invoke-Pester VesterTemplate.Tests.ps1 +# vSphere 6.0 Hardening Guide Guideline ID - ESXi.enable-remote-syslog # Test title, e.g. 'DNS Servers' $Title = 'Syslog Server' @@ -7,6 +8,10 @@ $Title = 'Syslog Server' # Test description: How New-VesterConfig explains this value to the user $Description = 'Syslog server(s) to send log data to' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 'Site Specific' + # The config entry stating the desired values $Desired = $cfg.host.esxsyslog diff --git a/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 b/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 index ecb2ff7..ed232a4 100644 --- a/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 +++ b/Vester/Tests/Host/TPS-ForceSalting.Vester.ps1 
@@ -8,6 +8,10 @@ $Title = 'Transparent Page Share Force Salting' # Test description: How New-VesterConfig explains this value to the user $Description = '0 (TPS enabled) 1 (TPS enabled for VMs with same salt) 2 (No inter-VM TPS)' +# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values +# Called by Get-VesterTest +$Recommendation = 2 + # The config entry stating the desired values $Desired = $cfg.host.tpsforcesalting @@ -18,14 +22,14 @@ $Type = 'int' # $Object will scope to the folder this test is in (Cluster, Host, etc.) [ScriptBlock]$Actual = { (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Mem.ShareForceSalting' - }).Value + $_.Name -eq 'Mem.ShareForceSalting' + }).Value } # The command(s) to match the environment to the config # Use $Object to help filter, and $Desired to set the correct value [ScriptBlock]$Fix = { Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript { - $_.Name -eq 'Mem.ShareForceSalting' - } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop + $_.Name -eq 'Mem.ShareForceSalting' + } | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop } From a8b79877f38fcfc832ece7aca9c02ee6845a653e Mon Sep 17 00:00:00 2001 
From: haberstrohr Date: Sat, 27 Jan 2018 14:46:17 -0600 Subject: [PATCH 2/2] Added Time Synchronization settings --- .../VM/Time-synchronize-continue.vester.ps1 | 38 +++++++++++++++++++ .../VM/Time-synchronize-restore.vester.ps1 | 38 +++++++++++++++++++ .../Time-synchronize-resume-disk.vester.ps1 | 38 +++++++++++++++++++ .../Time-synchronize-resume-host.vester.ps1 | 38 +++++++++++++++++++ .../VM/Time-synchronize-shrink.vester.ps1 | 38 +++++++++++++++++++ .../VM/Time-synchronize-startup.vester.ps1 | 38 +++++++++++++++++++ .../Time-synchronize-tools-enable.vester.ps1 | 38 +++++++++++++++++++ 7 files changed, 266 insertions(+) create mode 100644 Vester/Tests/VM/Time-synchronize-continue.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-restore.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-resume-disk.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-resume-host.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-shrink.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-startup.vester.ps1 create mode 100644 Vester/Tests/VM/Time-synchronize-tools-enable.vester.ps1 diff --git a/Vester/Tests/VM/Time-synchronize-continue.vester.ps1 b/Vester/Tests/VM/Time-synchronize-continue.vester.ps1 new file mode 100644 index 0000000..98dc186 --- /dev/null +++ b/Vester/Tests/VM/Time-synchronize-continue.vester.ps1 
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize Continue'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesynccontinue
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.continue'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.continue'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-restore.vester.ps1 b/Vester/Tests/VM/Time-synchronize-restore.vester.ps1
new file mode 100644
index 0000000..9a67050
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-restore.vester.ps1
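Review bot: In the `$Fix` block of Time-synchronize-continue.vester.ps1 the existence check is written `(Get-AdvancedSetting ...) -eq $null`, with `$null` on the right. PowerShell applies `-eq` element-wise when the left side is a collection, so the check is only correct while the lookup returns at most one object. The else branch then queries a second time and lists every advanced setting to filter by name, although the first call already used `-Name`. Storing the lookup once and testing `$null -eq $Setting` avoids both problems. The same block is repeated in the other six Time-synchronize files in this patch.

```powershell
[ScriptBlock]$Fix = {
    $Setting = Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue'
    if ($null -eq $Setting) {
        # … unchanged: New-AdvancedSetting call …
    } else {
        $Setting | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
    }
}
```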
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize Restore'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesyncrestore
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.restore'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.restore') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.restore' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.restore'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-resume-disk.vester.ps1 b/Vester/Tests/VM/Time-synchronize-resume-disk.vester.ps1
new file mode 100644
index 0000000..3d1516e
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-resume-disk.vester.ps1
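Review bot: `$Description` in Time-synchronize-restore.vester.ps1 says "during the specified operation" but never names the operation, and the same sentence is reused verbatim in all seven Time-synchronize files. The comment above it says this text is how New-VesterConfig explains the value, so someone reading that prompt may be unable to tell the seven settings apart. Naming the setting would fix it, e.g. `$Description = '0 disables VM/host time synchronization for time.synchronize.restore (see VMware KB 1189)'`, with the matching setting name in each of the other files.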
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize Resume Disk'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesyncresumedisk
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.resume.disk'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.resume.disk') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.resume.disk' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.resume.disk'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-resume-host.vester.ps1 b/Vester/Tests/VM/Time-synchronize-resume-host.vester.ps1
new file mode 100644
index 0000000..5c1c630
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-resume-host.vester.ps1
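Review bot: `$Recommendation = 0` is an integer while `$Type = 'string'` in Time-synchronize-resume-disk.vester.ps1, so the recommended value does not match the type the test declares for conversion. If the setting is meant to be compared as a string, `$Recommendation = '0'` keeps the two consistent; if it is numeric, `$Type = 'int'` as in the host tests would. The other six Time-synchronize files carry the same pair.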
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize Resume Host'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesyncresumehost
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.resume.host'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.resume.host') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.resume.host' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.resume.host'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-shrink.vester.ps1 b/Vester/Tests/VM/Time-synchronize-shrink.vester.ps1
new file mode 100644
index 0000000..f993759
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-shrink.vester.ps1
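Review bot: The new file is named `Time-synchronize-resume-host.vester.ps1` with a lowercase `.vester.ps1` suffix, whereas the existing tests touched by the first patch use `.Vester.ps1`. How the module discovers test files is not visible here. If it matches on the suffix, a case-sensitive file system could skip all seven new files silently and leave these settings unchecked. Renaming them to `*.Vester.ps1` keeps them consistent with the rest of the test tree.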
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize on Disk Shrink'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesyncshrink
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.shrink'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.shrink') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.shrink' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.shrink'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-startup.vester.ps1 b/Vester/Tests/VM/Time-synchronize-startup.vester.ps1
new file mode 100644
index 0000000..dab674e
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-startup.vester.ps1
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize on Tools Startup'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesynctoolsstartup
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.tools.startup'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.tools.startup') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.tools.startup' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.tools.startup'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file
diff --git a/Vester/Tests/VM/Time-synchronize-tools-enable.vester.ps1 b/Vester/Tests/VM/Time-synchronize-tools-enable.vester.ps1
new file mode 100644
index 0000000..7b22e8d
--- /dev/null
+++ b/Vester/Tests/VM/Time-synchronize-tools-enable.vester.ps1
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize on Tools Enable'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesynctoolsenable
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+ (Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.tools.enable'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+ if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.tools.enable') -eq $null) {
+ New-AdvancedSetting -Entity $Object -Name 'time.synchronize.tools.enable' -Value $Desired -Confirm:$false -ErrorAction Stop
+ } else {
+ Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+ $_.Name -eq 'time.synchronize.tools.enable'
+ } | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+ }
+}
\ No newline at end of file