VMware ESXi Security Configuration with Ansible

If you read the vSphere 6.7 Update 1 Security Configuration Guide you will agree that the security configuration of VMware ESXi hosts is mostly about managing services, advanced options, firewall rules, and lockdown mode. The Ansible Community has created all the modules required to do the VMware ESXi Security Configuration with Ansible.

This blog post is based on the environment created within a prior article: My Ansible Development Setup

ESXi Security Configuration Tasks

I have chosen most of the ESXi configuration options from the vSphere 6.7 Update 1 Security Configuration Guide and created a Playbook to enforce the VMware ESXi Security Configuration with Ansible.

Set Advanced Options

VMware ESXi advanced options can be modified with the Ansible vmware_host_config_manager module.

Warning:

Please be aware of this GitHub Issue: Inconsistent results with vmware_host_config_manager

The solution is also described later in this article.

Option                                    Value
UserVars.ESXiShellInteractiveTimeOut      900
UserVars.ESXiShellTimeOut                 900
UserVars.DcuiTimeOut                      600
UserVars.SuppressShellWarning             0
Security.AccountLockFailures              3
Security.AccountUnlockTime                900
Security.PasswordQualityControl           similar=deny retry=3 min=disabled,disabled,disabled,disabled,15
DCUI.Access                               root
Net.BlockGuestBPDU                        1
Config.HostAgent.plugins.solo.enableMob   false

Ansible Code Snippet:

Manage Services

The vmware_host_service_manager module can be used to manage (start, stop, restart) services on VMware ESXi hosts.

Service    State
NTPD       On
TSM-SSH    Off
TSM        Off

Ansible Code Snippet:

Enable Lockdown Mode

The vmware_host_lockdown module can be used to manage administrator permission for the local administrative account when the VMware ESXi host is managed by a vCenter Server.

Ansible Code Snippet:

Manage Firewall Rules

The firewall configuration of a VMware ESXi host can be managed by the vmware_host_firewall_manager Ansible module.

Rule      State
DHCP      Disabled
DHCPv6    Disabled
SNMP      Disabled
iSCSI     Disabled

Ansible Code Snippet:

Ansible Playbook

All the above snippets together form my Playbook to enforce the VMware ESXi Security Configuration with Ansible. The Playbook has three debug tasks to identify the required service names, firewall rule names and advanced option keys. The debug tasks can be excluded with the ansible-playbook option --skip-tags debug. If you just want to run the debug tasks without enforcing the security configuration, the ansible-playbook option --tags debug can be used.
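As an added illustration (not the post's own gist), the four sections above combined into one play. The vcenter_* and cluster_name variables are assumptions to be supplied from inventory or Ansible Vault, credentials are shared across the modules with module_defaults (Ansible 2.7+), and the service and firewall rule keys are the ESXi identifiers behind the tables above; confirm them with the debug tasks before enforcing.

```yaml
---
# Added example playbook; vcenter_* and cluster_name are assumed variables.
- name: Enforce VMware ESXi security configuration
  hosts: localhost
  gather_facts: false
  module_defaults:
    vmware_host_config_manager: &vcenter
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
      validate_certs: false        # set to true once vCenter presents a trusted certificate
      cluster_name: "{{ cluster_name }}"   # applies to every host in the cluster
    vmware_host_service_manager: *vcenter
    vmware_host_lockdown: *vcenter
    vmware_host_firewall_manager: *vcenter
  tasks:
    - name: Set advanced options from the Security Configuration Guide
      vmware_host_config_manager:
        options:                   # value types must match the option (int/str/bool)
          UserVars.ESXiShellInteractiveTimeOut: 900
          UserVars.ESXiShellTimeOut: 900
          UserVars.DcuiTimeOut: 600
          UserVars.SuppressShellWarning: 0
          Security.AccountLockFailures: 3
          Security.AccountUnlockTime: 900
          Security.PasswordQualityControl: "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
          DCUI.Access: root
          Net.BlockGuestBPDU: 1
          Config.HostAgent.plugins.solo.enableMob: false
    - name: Manage services (NTP on, ESXi Shell and SSH off)
      vmware_host_service_manager:
        service_name: "{{ item.name }}"
        state: "{{ item.state }}"
        service_policy: "{{ item.policy }}"   # 'on'/'off' quoted so YAML keeps them as strings
      loop:
        - { name: ntpd, state: present, policy: 'on' }
        - { name: TSM-SSH, state: absent, policy: 'off' }
        - { name: TSM, state: absent, policy: 'off' }
    - name: Enable lockdown mode
      vmware_host_lockdown:
        state: present
    - name: Disable unneeded firewall rule sets
      vmware_host_firewall_manager:
        rules:
          - { name: dhcp, enabled: false }
          - { name: dhcpv6, enabled: false }
          - { name: snmp, enabled: false }
          - { name: iSCSI, enabled: false }
```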

[Screenshot: VMware ESXi Security Configuration with Ansible - Debug Tasks]

If you additionally add the debug option -vvv, all the debug details (service names, firewall rule names and advanced option keys) will be returned for all hosts in the cluster.

[Screenshot: VMware ESXi Security Configuration with Ansible - Full Debug]

Playbook for ESXi Security Configuration with Ansible

With Ansible version 2.7.8 the vmware_host_config_manager module is not stable. Under certain conditions, an error occurs:

[Screenshot: VMware ESXi Hardening with Ansible - Error]

The solution is to use the latest vmware_host_config_manager.py from the Ansible Dev Branch. Related GitHub Issue: Inconsistent results with vmware_host_config_manager

[Screenshot: VMware ESXi Hardening with Ansible - Enforce]

The fix and my whole Ansible Project (in progress) are also available as a GitHub repository:
