VMware ESXi Security Configuration with Ansible

If you read the vSphere 6.7 Update 1 Security Configuration Guide you will agree that the security configuration of VMware ESXi hosts is mostly about managing services, advanced options, firewall rules, and lockdown mode. The Ansible Community has created all the modules required to do the VMware ESXi Security Configuration with Ansible.

This blog post is based on the environment created within a prior article: My Ansible Development Setup

ESXi Security Configuration Tasks

I have chosen most of the ESXi configuration options from the vSphere 6.7 Update 1 Security Configuration Guide and created a Playbook to enforce the VMware ESXi Security Configuration with Ansible.

Set Advanced Options

VMware ESXi advanced options can be modified with the Ansible vmware_host_config_manager module.

Warning:

Please be aware of this GitHub Issue: Inconsistent results with vmware_host_config_manager

The solution is also described later in this article.

OptionValue
UserVars.ESXiShellInteractiveTimeOut 900
UserVars.ESXiShellTimeOut 900
UserVars.DcuiTimeOut 600
UserVars.SuppressShellWarning 0
Security.AccountLockFailures 3
Security.AccountUnlockTime 900
Security.PasswordQualityControl similar=deny retry=3 min=disabled,disabled,disabled,disabled,15
DCUI.Access root
Net.BlockGuestBPDU 1
Config.HostAgent.plugins.solo.enableMob false

Ansible Code Snippet:

- name: Set Advanced Options
  vmware_host_config_manager:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    cluster_name: "{{ cluster_name }}"
    validate_certs: no
    options:
        "UserVars.ESXiShellInteractiveTimeOut": 900
        "UserVars.ESXiShellTimeOut": 900
        "UserVars.DcuiTimeOut": 600
        "UserVars.SuppressShellWarning": 0
        "Security.AccountLockFailures": 3
        "Security.AccountUnlockTime": 900
        "Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
        "DCUI.Access": "root"
        "Net.BlockGuestBPDU": 1
        "Config.HostAgent.plugins.solo.enableMob": false

Manage Services

The vmware_host_service_manager module can be used to manage (start, stop, restart) services on VMware ESXi hosts.

ServiceState
NTPDOn
TSM-SSHOff
TSMOff

Ansible Code Snippet:

- name: Set NTP Service
  vmware_host_service_manager:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    cluster_name: "{{ cluster_name }}"
    validate_certs: no
    service_name: ntpd
    state: present
    service_policy: on  

Enable Lockdown Mode

The vmware_host_lockdown module can be used to manage administrator permission for the local administrative account when the VMware ESXi host is managed by a vCenter Server.

Ansible Code Snippet:

- name: Enable Lockdown Mode
  vmware_host_lockdown:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    cluster_name: "{{ cluster_name }}"
    validate_certs: no
    state: present  

Manage Firewall Rules

The firewall configuration of a VMware ESXi host can be managed by the vmware_host_firewall_manager Ansible module.

RuleState
DHCPDisabled
DHCPv6Disabled
SNMPDisabled
iSCSIDisabled

Ansible Code Snippet:

- name: Manage Firewall Rules
  vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    cluster_name: "{{ cluster_name }}"  
    validate_certs: no      
    rules:
      - name: dhcp 
        enabled: False
      - name: DHCPv6
        enabled: False
      - name: iSCSI
        enabled: False
      - name: snmp 
        enabled: False

Ansible Playbook

All the above snippets together form my Playbook to enforce the VMware ESXi Security Configuration with Ansible. The Playbook has three debug tasks to identify the required service names, firewall rule names and advanced option keys. The debug tasks can be excluded with the ansible-playbook option –skip-tags debug. If you just want to run the debug tasks without enforcing the security configuration, the ansible-playbook option –tags debug can be used.

VMware ESXi Security Configuration with Ansible - Debug Tasks

If you additionally add the debug option -vvv, all the debug details (service names, firewall rule names and advanced option keys) will be returned for all hosts in the cluster.

ansible-playbook vmware_harden_esx.yml --tags debug --vault-password-file ~/.vault_pass.txt -vvv
VMware ESXi Security Configuration with Ansible - Full Debug

Playbook for ESXi Security Configuration with Ansible

- name: Harden ESXi Host
  gather_facts: no
  hosts: localhost
  strategy: free
  vars:
    cluster_name: "cluster01" 
  tasks:
    - name: Get Services
      vmware_host_service_facts:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
      tags: debug
    - name: Get Advanced Options
      vmware_host_config_facts:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
      tags: debug
    - name: Get Firewall Rules
      vmware_host_firewall_facts:
        hostname: '{{ vcenter_hostname }}'
        username: '{{ vcenter_username }}'
        password: '{{ vcenter_password }}'
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
      tags: debug
    - name: Set Advanced Options
      vmware_host_config_manager:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
        options:
            "UserVars.ESXiShellInteractiveTimeOut": 900
            "UserVars.ESXiShellTimeOut": 900
            "UserVars.DcuiTimeOut": 600
            "UserVars.SuppressShellWarning": 0
            "Security.AccountLockFailures": 3
            "Security.AccountUnlockTime": 900
            "Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
            "DCUI.Access": "root"
            "Net.BlockGuestBPDU": 1
            "Config.HostAgent.plugins.solo.enableMob": false
    - name: Set NTP Service
      vmware_host_service_manager:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
        service_name: ntpd
        state: present
        service_policy: on   
    - name: Set SSH Service
      vmware_host_service_manager:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
        service_name: TSM-SSH
        state: absent
        service_policy: off  
    - name: Set Shell Service
      vmware_host_service_manager:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
        service_name: TSM
        state: absent
        service_policy: off    
    - name: Enable Lockdown Mode
      vmware_host_lockdown:
        hostname: "{{ vcenter_hostname }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        cluster_name: "{{ cluster_name }}" 
        validate_certs: no
        state: present  
    - name: Manage Firewall Rules
      vmware_host_firewall_manager:
        hostname: '{{ vcenter_hostname }}'
        username: '{{ vcenter_username }}'
        password: '{{ vcenter_password }}'
        cluster_name: "{{ cluster_name }}"   
        validate_certs: no      
        rules:
          - name: dhcp 
            enabled: False
          - name: DHCPv6
            enabled: False
          - name: iSCSI
            enabled: False
          - name: snmp 
            enabled: False

With Ansible version 2.7.8 the vmware_host_config_manager module is not stable. Under certain conditions, an error occurs:

The error was: KeyError: 'Vpx.Vpxa.config.log.level'
VMware ESXi Hardening with Ansible - Error

The solution is to use the latest vmware_host_config_manager.py from the Ansible Dev Branch. Related GitHub Issue: Inconsistent results with vmware_host_config_manager

VMware ESXi Hardening with Ansible - Enforce

The fix and my whole Ansible Project (in progress) is also available as GitHub repositoy:

Share with:

4 Comments

  1. Mario Lenz 9. April 2019
    • Markus Kraus 9. April 2019
  2. Abhijeet Kasurde 6. May 2019

Leave a Reply