
Disable time sync tests #200

Open
wants to merge 6 commits into
base: master
13 changes: 9 additions & 4 deletions Vester/Tests/Host/Account-Lockout.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-lockout

# Test title, e.g. 'DNS Servers'
$Title = 'Account Lock Failures'

# Test description: How New-VesterConfig explains this value to the user
$Description = '0 (off) or maximum number of failed logon attempts before the account is locked out'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 3

# The config entry stating the desired values
$Desired = $cfg.host.accountlockfailures

@@ -17,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.AccountLockFailures'
}).Value
$_.Name -eq 'Security.AccountLockFailures'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.AccountLockFailures'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'Security.AccountLockFailures'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
13 changes: 9 additions & 4 deletions Vester/Tests/Host/Account-UnlockTime.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-account-auto-unlock-time

# Test title, e.g. 'DNS Servers'
$Title = 'Account Unlock Time'

# Test description: How New-VesterConfig explains this value to the user
$Description = '0 (off) or number of seconds that an account is locked out'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 900

# The config entry stating the desired values
$Desired = $cfg.host.accountunlocktime

@@ -17,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.AccountUnlockTime'
}).Value
$_.Name -eq 'Security.AccountUnlockTime'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.AccountUnlockTime'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'Security.AccountUnlockTime'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
12 changes: 8 additions & 4 deletions Vester/Tests/Host/BDPU-Filter.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Network BDPU Filter'
# Test description: How New-VesterConfig explains this value to the user
$Description = '0 (disable) or 1 (enable) to control the BDPU filter on the ESXi host'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 1

# The config entry stating the desired values
$Desired = $cfg.host.networkbdpufilter

@@ -18,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Net.BlockGuestBPDU'
}).Value
$_.Name -eq 'Net.BlockGuestBPDU'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Net.BlockGuestBPDU'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'Net.BlockGuestBPDU'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
13 changes: 9 additions & 4 deletions Vester/Tests/Host/DCUI-Access.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-access

# Test title, e.g. 'DNS Servers'
$Title = 'DCUI Access'

# Test description: How New-VesterConfig explains this value to the user
$Description = 'Comma separated list of users with DCUI access'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 'List of authorized users'

# The config entry stating the desired values
$Desired = $cfg.host.dcuiaccess

@@ -17,14 +22,14 @@ $Type = 'string[]'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'DCUI.Access'
}).Value
$_.Name -eq 'DCUI.Access'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'DCUI.Access'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'DCUI.Access'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
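Review bot: `$Recommendation = 'List of authorized users'` is a free-text placeholder, whereas `$Type` in the next hunk is 'string[]' and the sibling files in this PR assign real values (3, 900, 600) to the same variable. The same applies to `$Recommendation = 'Site Specific'` in Password-Policy.Vester.ps1 and Syslog-Server.Vester.ps1. How Get-VesterTest consumes the variable is not visible on this page; if any caller ever copies it into the config as a default, the placeholder would reach `Set-AdvancedSetting -Value $Desired` for DCUI.Access, the list of users with DCUI access. I would state the contract in the comment, e.g. `# Display-only hint for Get-VesterTest; never written to the config or the host`, or use `$null` where the value is site specific.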
13 changes: 9 additions & 4 deletions Vester/Tests/Host/DCUI-Timeout.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-dcui-timeout

# Test title, e.g. 'DNS Servers'
$Title = 'DCUI Timeout'

# Test description: How New-VesterConfig explains this value to the user
$Description = '0 (off) number of seconds before the DCUI timeout occurs'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 600

# The config entry stating the desired values
$Desired = $cfg.host.dcuitimeout

@@ -17,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.DcuiTimeOut'
}).Value
$_.Name -eq 'UserVars.DcuiTimeOut'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.DcuiTimeOut'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'UserVars.DcuiTimeOut'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
12 changes: 8 additions & 4 deletions Vester/Tests/Host/Password-Policy.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Password Policy'
# Test description: How New-VesterConfig explains this value to the user
$Description = 'pam_passwdqc Password Policy. Default = retry=3 min=disabled,disabled,disabled,7,7'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 'Site Specific'

# The config entry stating the desired values
$Desired = $cfg.host.passwordpolicy

@@ -18,14 +22,14 @@ $Type = 'string'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.PasswordQualityControl'
}).Value
$_.Name -eq 'Security.PasswordQualityControl'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Security.PasswordQualityControl'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'Security.PasswordQualityControl'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
13 changes: 9 additions & 4 deletions Vester/Tests/Host/SSH-InteractiveTimeout.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-interactive-timeout

# Test title, e.g. 'DNS Servers'
$Title = 'SSH Interactive Timeout'

# Test description: How New-VesterConfig explains this value to the user
$Description = 'Maximum idle time permitted in an SSH session'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 900

# The config entry stating the desired values
$Desired = $cfg.host.sshinteractivetimeout

@@ -17,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
}).Value
$_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'UserVars.ESXIShellInteractiveTimeout'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
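Review bot: `$Recommendation = 900` carries no unit, and the `$Description` above it ('Maximum idle time permitted in an SSH session') does not name one either, unlike Account-UnlockTime and DCUI-Timeout, whose descriptions say seconds. SSH-Timeout.Vester.ps1 has the same gap. For a session-timeout control the unit decides how long an idle shell stays open, so an operator choosing their own value should not have to guess it. Suggest `$Recommendation = 900 # seconds` in both files, and adding 'in seconds' to the two descriptions.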
13 changes: 9 additions & 4 deletions Vester/Tests/Host/SSH-Timeout.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.set-shell-timeout

# Test title, e.g. 'DNS Servers'
$Title = 'SSH Timeout'

# Test description: How New-VesterConfig explains this value to the user
$Description = 'After being enabled, SSH access disables again after this long'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 900

# The config entry stating the desired values
$Desired = $cfg.host.sshtimeout

@@ -17,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.ESXIShellTimeout'
}).Value
$_.Name -eq 'UserVars.ESXIShellTimeout'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'UserVars.ESXIShellTimeout'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'UserVars.ESXIShellTimeout'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
5 changes: 5 additions & 0 deletions Vester/Tests/Host/Syslog-Server.Vester.ps1
@@ -1,12 +1,17 @@
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Called via Invoke-Pester VesterTemplate.Tests.ps1
# vSphere 6.0 Hardening Guide Guideline ID - ESXi.enable-remote-syslog

# Test title, e.g. 'DNS Servers'
$Title = 'Syslog Server'

# Test description: How New-VesterConfig explains this value to the user
$Description = 'Syslog server(s) to send log data to'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 'Site Specific'

# The config entry stating the desired values
$Desired = $cfg.host.esxsyslog

12 changes: 8 additions & 4 deletions Vester/Tests/Host/TPS-ForceSalting.Vester.ps1
@@ -8,6 +8,10 @@ $Title = 'Transparent Page Share Force Salting'
# Test description: How New-VesterConfig explains this value to the user
$Description = '0 (TPS enabled) 1 (TPS enabled for VMs with same salt) 2 (No inter-VM TPS)'

# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
# Called by Get-VesterTest
$Recommendation = 2

# The config entry stating the desired values
$Desired = $cfg.host.tpsforcesalting

@@ -18,14 +22,14 @@ $Type = 'int'
# $Object will scope to the folder this test is in (Cluster, Host, etc.)
[ScriptBlock]$Actual = {
(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Mem.ShareForceSalting'
}).Value
$_.Name -eq 'Mem.ShareForceSalting'
}).Value
}

# The command(s) to match the environment to the config
# Use $Object to help filter, and $Desired to set the correct value
[ScriptBlock]$Fix = {
Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
$_.Name -eq 'Mem.ShareForceSalting'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
$_.Name -eq 'Mem.ShareForceSalting'
} | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop
}
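--- a/Vester/Tests/VM/Time-synchronize-continue.vester.ps1
+++ b/Vester/Tests/VM/Time-synchronize-continue.vester.ps1
@@ -0,0 +1,38 @@
+# Test file for the Vester module - https://github.com/WahlNetwork/Vester
+# Called via Invoke-Pester VesterTemplate.Tests.ps1
+# Disabling Time Synchronization - https://kb.vmware.com/s/article/1189
+
+# Test title, e.g. 'DNS Servers'
+$Title = 'Time Synchronize Continue'
+
+# Test description: How New-VesterConfig explains this value to the user
+$Description = 'A setting of 0 disables time synchronization with the VM and ESXi host during the specified operation'
+
+# Test recommendation: Follows VMware's Best Practices, Hardening Guides where applicable, or Default Values
+# Called by Get-VesterTest
+$Recommendation = 0
+
+# The config entry stating the desired values
+$Desired = $cfg.vm.timesynccontinue
+
+# The test value's data type, to help with conversion: bool/string/int
+$Type = 'string'
+
+# The command(s) to pull the actual value for comparison
+# $Object will scope to the folder this test is in (Cluster, Host, etc.)
+[ScriptBlock]$Actual = {
+(Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+$_.Name -eq 'time.synchronize.continue'}).Value
+}
+
+# The command(s) to match the environment to the config
+# Use $Object to help filter, and $Desired to set the correct value
+[ScriptBlock]$Fix = {
+if ((Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue') -eq $null) {
+New-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue' -Value $Desired -Confirm:$false -ErrorAction Stop
+} else {
+Get-AdvancedSetting -Entity $Object | Where-Object -FilterScript {
+$_.Name -eq 'time.synchronize.continue'
+} | Set-AdvancedSetting -value $Desired -Confirm:$false -ErrorAction Stop
+}
+}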
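Review bot: The existence check in `$Fix` puts `$null` on the right of `-eq`, which PowerShell evaluates as a filter when the left side is a collection; write it as `if ($null -eq (Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue')) {`. The else branch then re-queries every advanced setting and filters with Where-Object, although the `-Name` lookup is already used in the condition; `Get-AdvancedSetting -Entity $Object -Name 'time.synchronize.continue' | Set-AdvancedSetting -Value $Desired -Confirm:$false -ErrorAction Stop` keeps both branches on the same lookup. `$Recommendation = 0` is an integer while `$Type` is 'string'; presumably the template converts before comparing, which is worth confirming.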