If you read the vSphere 6.7 Update 1 Security Configuration Guide you will agree that the security configuration of VMware ESXi hosts is mostly about managing services, advanced options, firewall rules, and lockdown mode. The Ansible Community has created all the modules required to do the VMware ESXi Security Configuration with Ansible.
This blog post is based on the environment created within a prior article: My Ansible Development Setup
ESXi Security Configuration Tasks
I have chosen most of the ESXi configuration options from the vSphere 6.7 Update 1 Security Configuration Guide and created a Playbook to enforce the VMware ESXi Security Configuration with Ansible.
Set Advanced Options
VMware ESXi advanced options can be modified with the Ansible vmware_host_config_manager module.
Warning:
Please be aware of this GitHub Issue: Inconsistent results with vmware_host_config_manager
The solution is also described later in this article.
| Option | Value |
| UserVars.ESXiShellInteractiveTimeOut | 900 |
| UserVars.ESXiShellTimeOut | 900 |
| UserVars.DcuiTimeOut | 600 |
| UserVars.SuppressShellWarning | 0 |
| Security.AccountLockFailures | 3 |
| Security.AccountUnlockTime | 900 |
| Security.PasswordQualityControl | similar=deny retry=3 min=disabled,disabled,disabled,disabled,15 |
| DCUI.Access | root |
| Net.BlockGuestBPDU | 1 |
| Config.HostAgent.plugins.solo.enableMob | false |
Ansible Code Snippet:
- name: Set Advanced Options
vmware_host_config_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
options:
"UserVars.ESXiShellInteractiveTimeOut": 900
"UserVars.ESXiShellTimeOut": 900
"UserVars.DcuiTimeOut": 600
"UserVars.SuppressShellWarning": 0
"Security.AccountLockFailures": 3
"Security.AccountUnlockTime": 900
"Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
"DCUI.Access": "root"
"Net.BlockGuestBPDU": 1
"Config.HostAgent.plugins.solo.enableMob": false
Manage Services
The vmware_host_service_manager module can be used to manage (start, stop, restart) services on VMware ESXi hosts.
| Service | State |
| NTPD | On |
| TSM-SSH | Off |
| TSM | Off |
Ansible Code Snippet:
- name: Set NTP Service
vmware_host_service_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
service_name: ntpd
state: present
service_policy: on
Enable Lockdown Mode
The vmware_host_lockdown module can be used to manage administrator permission for the local
Ansible Code Snippet:
- name: Enable Lockdown Mode
vmware_host_lockdown:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
state: present
Manage Firewall Rules
The firewall configuration of a VMware ESXi host can be managed by the vmware_host_firewall_manager Ansible module.
| Rule | State |
| DHCP | Disabled |
| DHCPv6 | Disabled |
| SNMP | Disabled |
| iSCSI | Disabled |
Ansible Code Snippet:
- name: Manage Firewall Rules
vmware_host_firewall_manager:
hostname: '{{ vcenter_hostname }}'
username: '{{ vcenter_username }}'
password: '{{ vcenter_password }}'
cluster_name: "{{ cluster_name }}"
validate_certs: no
rules:
- name: dhcp
enabled: False
- name: DHCPv6
enabled: False
- name: iSCSI
enabled: False
- name: snmp
enabled: False
Ansible Playbook
All the above snippets together form my Playbook to enforce the VMware ESXi Security Configuration with Ansible. The Playbook has three debug tasks to identify the required service names, firewall rule names and advanced option keys. The debug tasks can be excluded with the ansible-playbook option –skip-tags debug. If you just want to run the debug tasks without enforcing the security configuration, the ansible-playbook option –tags debug can be used.
If you additionally add the debug option -vvv, all the debug details (service names, firewall rule names and advanced option keys) will be returned for all hosts in the cluster.
ansible-playbook vmware_harden_esx.yml --tags debug --vault-password-file ~/.vault_pass.txt -vvv
Playbook for ESXi Security Configuration with Ansible
- name: Harden ESXi Host
gather_facts: no
hosts: localhost
strategy: free
vars:
cluster_name: "cluster01"
tasks:
- name: Get Services
vmware_host_service_facts:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
tags: debug
- name: Get Advanced Options
vmware_host_config_facts:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
tags: debug
- name: Get Firewall Rules
vmware_host_firewall_facts:
hostname: '{{ vcenter_hostname }}'
username: '{{ vcenter_username }}'
password: '{{ vcenter_password }}'
cluster_name: "{{ cluster_name }}"
validate_certs: no
tags: debug
- name: Set Advanced Options
vmware_host_config_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
options:
"UserVars.ESXiShellInteractiveTimeOut": 900
"UserVars.ESXiShellTimeOut": 900
"UserVars.DcuiTimeOut": 600
"UserVars.SuppressShellWarning": 0
"Security.AccountLockFailures": 3
"Security.AccountUnlockTime": 900
"Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,disabled,15"
"DCUI.Access": "root"
"Net.BlockGuestBPDU": 1
"Config.HostAgent.plugins.solo.enableMob": false
- name: Set NTP Service
vmware_host_service_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
service_name: ntpd
state: present
service_policy: on
- name: Set SSH Service
vmware_host_service_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
service_name: TSM-SSH
state: absent
service_policy: off
- name: Set Shell Service
vmware_host_service_manager:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
service_name: TSM
state: absent
service_policy: off
- name: Enable Lockdown Mode
vmware_host_lockdown:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
cluster_name: "{{ cluster_name }}"
validate_certs: no
state: present
- name: Manage Firewall Rules
vmware_host_firewall_manager:
hostname: '{{ vcenter_hostname }}'
username: '{{ vcenter_username }}'
password: '{{ vcenter_password }}'
cluster_name: "{{ cluster_name }}"
validate_certs: no
rules:
- name: dhcp
enabled: False
- name: DHCPv6
enabled: False
- name: iSCSI
enabled: False
- name: snmp
enabled: False
With Ansible version 2.7.8 the vmware_host_config_manager module is not stable. Under certain conditions, an error occurs:
The error was: KeyError: 'Vpx.Vpxa.config.log.level'
The solution is to use the latest vmware_host_config_manager.py from the Ansible Dev Branch. Related GitHub Issue: Inconsistent results with vmware_host_config_manager
The fix and my whole Ansible Project (in progress) is also available as GitHub repositoy:
We started to use Ansible for the configuration management of our vSphere environment last year and I really like it. We also do security configuration stuff and it’s pretty cool! (Btw: The KeyError problem in vmware_host_config_manager ist fixed in 2.7.9.)
In 2.8, there will also be a module to join ESXi hosts to Active Directory. Looks very promising.
Since you’re interested in ansible + VMware, we also started to tune our Dell servers for ESXi: https://github.com/mariolenz/ansible-playbooks/tree/master/dell_bios_tuning (Mostly from the book „Host Resources Deep Dive“.)
Thanks for your feedback and the update to the KeyError problem.
The hardware configuration module is a great idea. Thanks for sharing!
Ansible 2.7.9 is already available and fixes „Inconsistent results with vmware_host_config_manager“ – https://github.com/ansible/ansible/pull/53076
Thanks for the update.
Hi Markus,
Were you able to set the vSwitch and Portgroup Policy settings via Ansible?
I’m currently trying to parse the JSON which contains all vSwitches and Portgroups, but I am not able to loop through them yet.
Thanks,
Wessel
Hi Wessel,
Haven’t tried it yet. But I will have a look at it as soon as possible. I like the idea.
Best regards
Markus
Dear , thank you very much
but i was wondering how to apply this script on the whole vcenter ! or at least on the while Datacenter !?
Hi,
you can also use “cluster_name” instead of “esxi_hostname”. Another option is using “with_items” with a list of hosts or clusters. Example:
https://github.com/vMarkusK/Ansible-Playground/blob/master/vmware_create_multiple_vm.yml
Dear , i mean i have many clusters and many datacenters in my vcetner so iam looking for way i can apply hardening script on datacenter one by one
If Ansible is the only option, feel free to contribute to the community collection and extend the module.
Otherwise a list of clusters and the with_items operator is also an option.
Independent from ansible other tools, like PowerCLI or vRealize Orchestrator might be an option.
Can this hardening be done by the new vmware_rest modules?
Do you mean they collection vmware.vmware_rest https://github.com/ansible-collections/vmware.vmware_rest ?
I have not used this collection so far. But the current documentation does not show any host configuration options.
Yes. Apparently VMware is suggesting in their recent blogs to use the rest modules over the SSH ones.
That sounds strange. Which blog post are you referencing?
All modules of the community.vmware collection I am aware of uses the “vSphere Automation SDK for Python”, “Pyvmomi” or “vSAN Management SDK for Python”. These SDKs do use SOAO or Rest API Endpoints and no SSH connection.