WilliamLam.com

ESXi Advanced & Kernel Settings Reference

by // 3 Comments

Every time I need to recall or reference a specific ESXi Advanced or Kernel Setting for a customer or field inquiry, I typically need to look at a live ESXi host to see whether a given setting is defined for that version of ESXi and also how to access and/or update the settings. Depending on the interface (vSphere API, vSphere UI, ESXCLI, etc.) that you are using, you may only be able to see a subset of these properties.

For example, some ESXi Advanced Settings are only available using the vSphere API/UI while others are available in both the vSphere API/UI and ESXCLI, with the latter being a common utility for customers to view or update these settings. Similarly, for ESXi Kernel Settings, not only are there new options that are introduced with each ESXi release, but being able to easily check the default values and minimums and maximums can also be useful. I should also mention using the vSphere API/UI, you can also accessed the ESXi Kernel Settings which are prefixed with VMkernel.

As a huge VMware Automation person, I was surprised that I had not thought about creating a reference for the ESXi Advanced and Kernel Settings for recent ESXi releases? I figure this would benefit more than just myself and I have put together the following Github repo: https://github.com/lamw/esxi-advanced-and-kernel-settings where you can see all the default ESXi Advanced and Kernel Settings for ESXi releases across 6.0, 6.5, 7.0 and 8.0.


For those interested, this was generated using some PowerCLI automation and below are the two snippets for pulling the ESXi Advanced Settings (supported and runtime values) using the vSphere API and the ESXi Kernel Settings, which I used the ESXCLI interface that is exposed through the PowerCLI Get-EsxCli cmdlet.

[Read more...]

Automatically retrieve CVE CVSS score for all ESXi security bulletins 

by // 10 Comments

I always enjoying learning new things, especially when it is outside of my immediate domain expertise and if I can thrown in some Automation to help solve a solution, it is a win for everyone. I bring this up because, yesterday I had noticed an interesting question from one of our field folks where their customer is looking to implement a process for applying ESXi security patches to help determine compliance timeline (e.g. when a specific security update will be applied to infrastructure).

To do this, the customer would like to use the Common Vulnerability Scoring System (CVSS) score which ranges from 0-10, 0 being low and 10 being high. The CVSS score is part of the Common Vulnerabilities and Exposures (CVE) which is also referenced for every ESXi security patch (bulletin) that is published by VMware. The question that came up was how easily it would be to determine the CVSS score for a given ESXi security patch. First, I will outline the "manual" process and once that is understood, I will demonstrate an automated solution which customers can take advantage of to easily retrieve this information for all ESXi security patches.

[Read more...]

Auditing & Automating Disabled Protocols (TLS/SSLv3) for ESXi 6.0u3 & 6.5 using PowerCLI

by // 32 Comments

A couple of weeks back, I had received a question from one of our TAMs in regards to automating the disablement of specific TLS/SSL protocols for their ESXi 6.0 Update 3 hosts. As of vSphere 6.0 Update 3 and vSphere 6.5, customers now have the ability to completely disable TLS 1.0, TLS 1.1 and SSLv3 using the new TLS Reconfiguration Tool. Mike Foley did a nice write up here if you are interested in more details.

The TLS Reconfiguration Tool works well if you have the same version of vSphere for both your vCenter Server and ESXi host, but has challenges when you are in a mixed environment like this particular customer. In their environment, they are running vCenter Server 6.5 and ESXi 6.5 Update 3 which prevented them from using the TLS Reconfiguration Tool as this is a limitation with the tool today.

UPDATE (05/11/17) - Added support for ESXi 6.5 hosts as well

Given the TLS Reconfiguration Tool was written in Python, I was able to take a closer look at its implementation and I found that the settings that controlled the disabled protocols were just merely a few ESXi Advanced Settings which meant that this could be automated using standard vSphere Automation Tools that our customers were already familiar with. As part of this exercise, I also discovered the tool currently does NOT support disabling TLS/SSLv3 protocols for the Small Footprint CIM Broker (SFCB) service which is also required if you want to be in full compliance for a particular TLS protocol. Although there is not a direct SFCB API that allows you to manage the sfcb.cfg configuration file, there is still a way we can automate this without requiring SSH to the ESXi host which would technically be the alternative. Lastly, I was a bit surprised to see the TLS Reconfiguration Tool did not have a "query" option for listing the current disabled protocols for all ESXi hosts, but they do have it for vCenter Server itself.

To help this particular customer and others who may have specific TLS compliance requirements, I have created the following PowerCLI script called ESXiDisableProtocolConfiguration.ps1 which includes the following two functions:

  • Get-ESXiDPC - Retrieve the current disabled protocols for all ESXi hosts within a vSphere Cluster
  • Set-ESXiDPC - Configure the specific disabled protocols for all ESXi hosts within a vSphere Cluster

[Read more...]