9 Replies Latest reply on Apr 24, 2015 2:43 PM by Mike Reider

    ESXi compliance template

    Mike Reider

      Hello all, I'm building a compliance template for ESXi based on CIS standards.


      As part of each rule, I have a PowerCLI script that I run to return values and do compliance checks against these values, i.e.,


      Connect-VIServer -Server localhost -WarningAction SilentlyContinue -Protocol https -User $user -Password $pw

      # List the Software AcceptanceLevel for each host
      Foreach ($VMHost in Get-VMHost -State Connected) {
          # esxcli handle for this host; software.acceptance.get() returns the acceptance level string
          $ESXCli = Get-EsxCli -VMHost $VMHost
          $VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}} | Format-Table -HideTableHeaders
      }



      This works well, but the problem is that every single rule needs a Connect-VIServer, which creates a connection. This is extremely time consuming. A typical compliance run for 1 vCenter takes over 40 min because of the number of connects that it needs to establish.


      I'm trying to come up with a way to minimize the connect statements. I can't use the VICredentialStoreItem to generate a login file, since Blade runs these commands as local admin (users.local file mapping), and not as a vCenter admin.


      There doesn't seem to be a way to open up and maintain a session with vCenter without doing Connect each time. Trying to come up with some ideas on how to fix this. Thanks.

        • 1. Re: ESXi compliance template
          Bill Robinson

          Why don't you do a single run of all the things you need, output in a CSV or other grammar-friendly output, and then process that result?

          • 2. Re: ESXi compliance template
            Mike Reider

            Hi Bill, I thought of that, but the customer doesn't want to generate any txt files on their vCenters. They are insisting that the compliance be run directly from Blade and results output to the Blade console without generating external files (they're worried about disk space, security, etc.).


            We are forced to reconnect to vCenter on each template rule. I don't think there's a way to maintain a persistent PowerCLI-vCenter connection. This is more of a VMware issue than Blade.

            • 3. Re: ESXi compliance template
              Rajeev Gupta

              Try to fetch the file locally on the BSA server, then query on that.

              • 4. Re: ESXi compliance template
                Bill Robinson

                That's not what I'm talking about.


                - create a script that runs all the stuff you need

                - define that as an EO

                - include the EO as a local part in the template

                - for your rules, process the relevant section in the EO return.


                The EO only runs once and gathers all of the information needed.

                • 5. Re: ESXi compliance template
                  Yanick Girouard

                  You can still do what Bill suggested without using any text file. All you need to do is make sure that each of the commands return a standard format that can be presented with the same column layout, each row with a distinct key so the compliance grammar engine can treat the records separately.


                  For example, if you use a CSV format, you need to have something generic like this for every query in the script:




                  Each query would simply append to this table using the same column layout, so in the end you'd have one giant part that returns all the information you need. That's what Bill meant. Then if the keys are named properly, you can easily go through them with different compliance rules selecting what you need.


                  Unfortunately, if you only need one connection, there's no other way. You'll get a monster script, but in the end, it's a good thing since you'd be able to have a sysadmin run it entirely locally to produce the output manually (as a backup plan in case BSA doesn't work one day).

                  • 6. Re: ESXi compliance template
                    Mike Reider

                    Hi Yanick, I have a very large PS script that does all my rule checks. I then use a local Ext Obj "psHelper.nsh" script to run this giant PS script and output all results in standard CSV output that I can parse with my grammar.
                    (I'm using this psHelper script > "PS-Helper" to execute a PowerShell script as part of an Extended Object, including the Server_Info.ps1 example script.)

                    This is what the output looks like, very easy to parse: Name = Rule #, with all my rule results in 1 giant output.




                    Unfortunately it doesn't work the way you describe it. Each of my compliance rules will execute this giant script over and over; it doesn't just execute it once for all rules and then have each rule parse the results. Every rule in my comp. template will call this Ext Object that calls the giant PS script, so every rule forces an execution and a subsequent Connect-VIServer call.


                    For example, I'm running these 2 rules,


                    Each rule looks like this



                    Each rule will re-execute the giant PS script (Ext Object). Is there a way I can make my rules parse just the 1 single output without re-running the Ext Obj every time?

                    • 7. Re: ESXi compliance template
                      Bill Robinson

                      It should run the script once for each target. It should not run it once for each rule. You only have one instance of this EO defined in the template, and it's added as one part?

                      • 8. Re: ESXi compliance template
                        Yanick Girouard

                        I was about to post the same thing. The script will only be called as many times as the EO is defined as a part in the template. For example, if you have more than one part pointing to the same script (with a parameter to tell it to return a subset of the results), then it will call it more than once, but this is not what you should have.


                        The output you showed may not be suited for this however. The Name column value needs to always be unique for each row.
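                        As an added illustration (not code from this thread or from BMC/VMware), the PowerCLI shape the original post, Bill's one-part EO design and the unique-Name requirement above all point to: one Connect-VIServer for the whole run, several CIS-style checks per host, and a single CSV table on stdout where Name is "<host>:<ruleId>" so every row has a distinct key. It assumes $user and $pw are supplied by the caller as in the original post; the rule IDs (AcceptanceLevel, SSHRunning, ...) are illustrative labels, not CIS numbering.

```powershell
# Added example, not from the thread: one vCenter session, many checks, one CSV on stdout.
# Assumptions: $user/$pw come from the caller (as in the original post); rule IDs are
# illustrative labels chosen here, not official CIS benchmark numbers.
param(
    [string]$Server = 'localhost',
    [string]$User   = $user,
    [string]$Pw     = $pw
)

# A single session for the entire run; every check below reuses it.
$vi = Connect-VIServer -Server $Server -Protocol https -User $User -Password $Pw -WarningAction SilentlyContinue

# One row per (host, rule). Name is unique per row so a compliance rule can select on it.
function New-Row([string]$HostName, [string]$RuleId, $Value) {
    [pscustomobject]@{
        Name  = "${HostName}:${RuleId}"
        Host  = $HostName
        Rule  = $RuleId
        Value = [string]$Value
    }
}

$rows = foreach ($h in Get-VMHost -Server $vi -State Connected) {
    $esxcli = Get-EsxCli -VMHost $h

    # Software acceptance level (the check from the original post)
    New-Row $h.Name 'AcceptanceLevel' $esxcli.software.acceptance.get()

    # SSH (TSM-SSH) and ESXi Shell (TSM) services; CIS expects both stopped unless needed
    $svc = Get-VMHostService -VMHost $h
    New-Row $h.Name 'SSHRunning'       (($svc | Where-Object { $_.Key -eq 'TSM-SSH' }).Running)
    New-Row $h.Name 'ESXiShellRunning' (($svc | Where-Object { $_.Key -eq 'TSM' }).Running)

    # Configured NTP servers; an empty value means none are set
    New-Row $h.Name 'NtpServers' ((Get-VMHostNtpServer -VMHost $h) -join ';')

    # Shell idle timeout in seconds; 0 means sessions never time out
    New-Row $h.Name 'ESXiShellTimeOut' (Get-AdvancedSetting -Entity $h -Name 'UserVars.ESXiShellTimeOut').Value
}

# Close the one session before emitting results.
Disconnect-VIServer -Server $vi -Confirm:$false

# CSV goes to stdout only; nothing is written to disk on the vCenter, which fits the
# customer constraint in this thread. The EO wrapper captures this output once per target.
$rows | ConvertTo-Csv -NoTypeInformation
```

                        With this layout each compliance rule in the template only needs to pick the row whose Name matches, for example "esx01.example.com:SSHRunning", and compare its Value; the script itself is executed once per target by the single EO part, so the Connect-VIServer cost is paid once rather than once per rule.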

                        • 9. Re: ESXi compliance template
                          Mike Reider

                          Hi Bill, yes you are correct. I ran a comp. template with 8 rules, all parsing the same Ext Obj, and the vCenter RSCD logs show it as running the PS only once. I think this will work. Thanks everyone.