esxi hardening

Muhsin Tawafig answered on July 24, 2022 Popularity 1/10 Helpfulness 1/10

answer esxi hardening

esxi hardening

Comment

--- 
- hosts: localhost 
  name: ESXi Configuration 
  gather_facts: false
  vars:
    esxi_login: &esxi_login
      hostname: '{{ esxi_address }}'  
      username: '{{ esxi_username }}'
      password: '{{ esxi_password }}'   
      validate_certs: no 
    tsm_policy: on
    tsm_state: present
  vars_files: 
    vars.yml
  tasks: 
  - name: Add ESXi host for SSH access
    add_host:
      name: '{{ esxi_address }}'
      group: "esx"
      ansible_user: '{{ esxi_username }}'
      ansible_password: '{{ esxi_password }}'
      ansible_ssh_common_args: '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
  - name: Enable SSH (TSM-SSH)
    community.vmware.vmware_host_service_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'
      service_name: TSM-SSH
      service_policy: '{{ tsm_policy }}'
      state: '{{ tsm_state }}'
    delegate_to: localhost
  - name: Enable ESX Shell (TSM)
    community.vmware.vmware_host_service_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'
      service_name: TSM
      service_policy: '{{ tsm_policy }}'
      state: '{{ tsm_state }}'
    delegate_to: localhost
  - name: Set Advanced Options
    community.vmware.vmware_host_config_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'
      options:
        "UserVars.ESXiShellInteractiveTimeOut": 900
        "UserVars.ESXiShellTimeOut": 900
        "UserVars.DcuiTimeOut": 600
        "Security.AccountLockFailures": 5
        "Security.AccountUnlockTime": 900
        "Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
        "UserVars.SuppressShellWarning": 1 
        "Mem.ShareForceSalting": 0
        "Misc.BlueScreenTimeout": 60
        "Config.HostAgent.plugins.solo.enableMob": false 
    delegate_to: localhost
  - name: Set Advanced Option NFS NetAPP VSC Values
    community.vmware.vmware_host_config_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'
      options:
        "Net.TcpipHeapSize": 32
        "Net.TcpipHeapMax": 1536
        "NFS.MaxVolumes": 256
        "NFS41.MaxVolumes": 256
        "NFS.MaxQueueDepth": 128
        "NFS.HeartbeatMaxFailures": 10
        "NFS.HeartbeatFrequency": 12
        "NFS.HeartbeatTimeout": 5
        "Disk.QFullSampleSize": 32
        "Disk.QFullThreshold": 8
    delegate_to: localhost
  - name: Manage Firewall Rules
    community.vmware.vmware_host_firewall_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'      
      rules:
        - name: remoteSerialPort 
          enabled: true
          allowed_host:
            all_ip: true
    delegate_to: localhost
  - name: Configure ESXi hostname and upstream DNS servers
    community.vmware.vmware_host_dns:
      <<: *esxi_login
      domain: '{{ domain_name }}'
      type: static 
      dns_servers:
      - '{{ upstream_dns1 }}'
      - '{{ upstream_dns2 }}'
    delegate_to: localhost
  - name: Set NTP servers for an ESXi Host # Configure Host NTP Settings 
    community.vmware.vmware_host_ntp:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_hostname }}'
      state: present
      ntp_servers:
        - '{{ upstream_ntp1 }}'
        - '{{ upstream_ntp2 }}'
    delegate_to: localhost
  - name: Start ntpd service setting for all ESXi Host in given Cluster # Enable  NTP Service
    community.vmware.vmware_host_service_manager:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_hostname }}'
      service_name: ntpd
      service_policy: on
      state: present
    delegate_to: localhost
  - name: Copy VAAI vib to esx host
    copy:
      src: '{{ files_path }}/{{ vaai_plugin }}'
      dest: '/vmfs/volumes/{{ esxi_local_datastore }}/NetAppNasPlugin.vib'
    delegate_to: '{{ esxi_address }}'
  - name: Install the VAAI vib 
    shell: 'esxcli software vib install -v /vmfs/volumes/{{ esxi_local_datastore }}/NetAppNasPlugin.vib'
    args:
      creates: /bootbank/netappna.v00
    ignore_errors: yes
    delegate_to: '{{ esxi_address }}'
    register: installvib
  - name: Reboot-Host
    vmware_host_powerstate:
      <<: *esxi_login
      esxi_hostname: '{{ esxi_address }}'   
      state: reboot-host
      force: yes
    delegate_to: localhost
    when: installvib.changed
  - name: Wait for Host Reboot
    wait_for:
      port: 443
      host: '{{ esxi_address }}'
      delay: 120
      timeout: 300
    connection: local
    when: installvib.changed

Popularity 1/10 Helpfulness 1/10 Language whatever

Source: www.hybriddatacenter.net

Tags: esxi hardening whatever

Link to this answer
Share Copy Link

Contributed on Jul 24 2022

Muhsin Tawafig

0 Answers Avg Quality 2/10

esxi hardening

Contents

More Related Answers

esxi hardening

Grepper

Documentation

Social

Legal

Contact

Oops, You will need to install Grepper and log-in to perform this action.