SkylineAutomationToolkit.psm1
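# -----------------------------------------------------------------------------------------
# SkylineAutomationToolkit - PowerCLI / plink helpers that turn VMware Skyline findings into
# remediation actions. The functions share state through variables rather than parameters:
#   $VCENTER, $ESX, $KB   set per CSV row by skyline-fixer ($ESX is a host name for most
#                         KBs, a VM name for the snapshot/VDI ones, a vROps appliance for
#                         the vrops KBs - see the per-case notes)
#   $PATCHX               baseline name read by `patching`
#   $APITOKEN, $APITOKENSERVER, $ACCESSSERVER, $NTPSERVER, $LOGDIR, $LOGHOST, $OVA*, $DOCKER*
#                         loaded by dot-sourcing the config file returned by `checkfile`
# All vCenter work needs PowerCLI (powercli-prep); all appliance work needs plink/pscp on
# the PATH (skyline-prep).
# -----------------------------------------------------------------------------------------

# Shows the operator what is about to change ($VCENTER / $ESX / $KB from the caller) and
# returns the raw Read-Host answer; callers compare it with 'y' (-eq is case-insensitive).
function confirmX {
    write-host ""
    write-host "Here are the changes you are about to do:"
    write-host ""
    write-host "Management Host: $VCENTER"
    write-host "Affected Host: $ESX"
    write-host "KB Reference: $KB"
    write-host ""
    $confirmation = Read-Host "Do you want to continue (y/n)"
    return $confirmation
}

# Ensures the 'skyline' tag category exists with a SATversion tag pinned to "1.0.1" and a
# SATusage tag whose description is a run counter, bumped on every call. Both tags are
# assigned to the 'Datacenters' entity. Needs an active PowerCLI session.
function tagset {
    # A missing category is the normal first-run state, not an error to print.
    $tagcatinfo = get-tagcategory skyline -ErrorAction SilentlyContinue
    if ($tagcatinfo.Count -lt 1) {
        # first run: create the category and both tags
        new-tagcategory skyline -cardinality "multiple" -description "Skyline Automation Toolkit"
        get-tagcategory skyline | new-tag SATversion -description "1.0.1"
        new-tagassignment -tag SATversion -entity Datacenters
        get-tagcategory skyline | new-tag SATusage -description "1"
        new-tagassignment -tag SATusage -entity Datacenters
    } else {
        # category exists: re-pin the version tag if it drifted, then bump the usage counter
        $tagversion = get-tag SATversion -ErrorAction SilentlyContinue
        if ($tagversion.description -ne "1.0.1") {
            get-tag SATversion | remove-tag -confirm:$false
            get-tagcategory skyline | new-tag SATversion -description "1.0.1"
            new-tagassignment -tag SATversion -entity Datacenters
        }
        $tagusage = get-tag SATusage -ErrorAction SilentlyContinue
        # The counter lives in the tag description as text; a missing tag counts as 0,
        # non-numeric text makes the [int] cast throw (the tag was hand-edited).
        $tagusagenum2 = ([int]$tagusage.description) + 1
        get-tag SATusage | remove-tag -confirm:$false
        get-tagcategory skyline | new-tag SATusage -description "$tagusagenum2"
        new-tagassignment -tag SATusage -entity Datacenters
    }
}

# Returns the config file path: a fixed location on Windows, the current directory on any
# host that has /usr/bin/uname. Callers dot-source this file, so on non-Windows hosts the
# SkylineUtils-config.ps1 found in the working directory is *executed* - run the toolkit
# from a directory only the operator can write to.
function checkfile {
    $fileuname = '/usr/bin/uname'
    if (-not (Test-Path -Path $fileuname -PathType Leaf)) {
        $file = 'c:\skyline\SkylineUtils-config.ps1'
    } else {
        $file = './SkylineUtils-config.ps1'
    }
    return $file
}

# KB 1025279 / 2149237 remediation: deletes every snapshot of the VM named in $ESX (a VM
# name here, not a host) on $VCENTER. Snapshot removal cannot be undone; the callers ask
# for confirmation first.
function cleansnapshots {
    connect-viserver -server $VCENTER
    tagset
    get-vm $ESX | get-snapshot | remove-snapshot -confirm:$false
    disconnect-viserver -confirm:$false
}

# Exchanges the CSP refresh token ($APITOKEN, loaded by dot-sourcing the config file) for an
# access token at $APITOKENSERVER and returns the access_token field of the response.
# The config file therefore holds a long-lived credential in plaintext: keep its permissions
# restricted to the operator and keep it out of version control.
function getaccesstoken2 {
    $Header = @{
        "Accept"       = "application/json"
        "Content-Type" = "application/x-www-form-urlencoded"
    }
    $file = checkfile
    . $file
    $Body = @{ refresh_token = "$APITOKEN" }
    $MYTOKEN = Invoke-RestMethod -method Post -Uri "$APITOKENSERVER" -Headers $Header -Body $Body
    return $MYTOKEN.access_token
}

# Creates the (empty) config file at the checkfile location when it does not exist, so that
# the add-content calls in the *-prep commands have a target. Once populated it holds
# secrets ($APITOKEN, $OVAPASSWD, $DOCKERPASSWD placeholders are written by the prep
# commands), so tighten its ACL after creation.
function createsource {
    $file = checkfile
    if (-not (Test-Path -Path $file -PathType Leaf)) {
        try {
            $null = New-Item -ItemType File -Path $file -Force -ErrorAction Stop
        } catch {
            throw $_.Exception.Message
        }
    }
}

# Stages and installs the pending vCenter appliance patch over SSH, as root on $VCENTER.
# Without -batch, plink prompts interactively when it sees an unknown host key; the
# commented -batch variant would abort instead of prompting.
function vcenterpatch {
    plink -ssh root@$VCENTER -no-antispoof 'software-packages stage --iso --acceptEulas'
    plink -ssh root@$VCENTER -no-antispoof 'software-packages install'
    #plink -ssh root@$VCENTER -no-antispoof -batch "software-packages stage --iso --acceptEulas ; software-packages install"
}

# Creates (when missing) a static patch baseline named $PATCHX holding the patch(es) of the
# same name, attaches it to host $ESX and starts a compliance scan. Needs an active PowerCLI
# session with Update Manager cmdlets. It does not remediate: the scan result still has to
# be reviewed and the host remediated as a separate step.
function patching {
    tagset
    $patches = get-patch $PATCHX
    $getpatchx = get-patchbaseline $PATCHX -ErrorAction SilentlyContinue
    if (-not $getpatchx) {
        new-patchbaseline -name $PATCHX -includepatch $patches -static
    }
    get-baseline $PATCHX | attach-baseline -entity $ESX
    get-inventory $ESX | scan-inventory
} #patching

# Shared body of the "patch the ESXi host" cases in skyline-fixer. Asks for confirmation,
# connects to $VCENTER and runs `patching` with $PATCHX taken from the arguments:
#   -baseline    one baseline applied regardless of host version (VMware Tools fixes)
#   -versionmap  hashtable of host-version wildcard -> baseline (e.g. "6.7.*"); host $ESX is
#                looked up and every key its Version -like-matches is applied, so keys must
#                be disjoint. A host matching no key gets nothing, as before.
function applyhostpatch {
    param(
        [string]$baseline,
        [hashtable]$versionmap
    )
    if ((confirmX) -ne 'y') { return }
    connect-viserver -server $VCENTER
    if ($baseline) {
        $PATCHX = $baseline
        patching
    } else {
        $HOSTX = get-vmhost $ESX
        foreach ($pattern in $versionmap.Keys) {
            if ($HOSTX.Version -like $pattern) {
                $PATCHX = $versionmap[$pattern]
                patching
            }
        }
    }
    disconnect-viserver -confirm:$false
}

# Entry point for finding remediation.
#   skyline-fixer taginfo <vcenter>                  create/refresh the skyline tags
#   skyline-fixer kblist                             print the KB/VMSA references known here
#   skyline-fixer csv <Finding.csv> [fix|workaround] walk the Skyline findings export; for
#                                                    each row whose "Reference" matches a case
#                                                    below, confirm and apply the fix
# CSV columns read: "Reference" (KB URL), "Source Name" (vCenter), "Object Name" (host/VM).
# PowerShell `switch` runs *every* matching case, so each KB URL must appear exactly once.
function skyline-fixer {
    [CmdletBinding()]
    param(
        [string]$OPTIONX,
        [string]$CSVFILE,
        [string]$FIXWORK
    )
    switch ( $OPTIONX ) {
        "taginfo" {
            # $CSVFILE carries the vCenter name for this option
            connect-viserver -server $CSVFILE
            tagset
            disconnect-viserver -confirm:$false
        }
        "kblist" {
            ''
            ''
            write-host "vSphere"
            write-host "https://kb.vmware.com/s/article/55650"
            write-host "https://kb.vmware.com/s/article/58715"
            write-host "https://kb.vmware.com/s/article/58874"
            write-host "https://kb.vmware.com/s/article/65207"
            write-host "https://kb.vmware.com/s/article/67129"
            write-host "https://kb.vmware.com/s/article/67529"
            write-host "https://kb.vmware.com/s/article/70737"
            write-host "https://kb.vmware.com/s/article/70813"
            write-host "https://kb.vmware.com/s/article/76163"
            write-host "https://kb.vmware.com/s/article/76372"
            write-host "https://kb.vmware.com/s/article/76613"
            write-host "https://kb.vmware.com/s/article/76630"
            write-host "https://kb.vmware.com/s/article/76733"
            write-host "https://kb.vmware.com/s/article/76745"
            write-host "https://kb.vmware.com/s/article/76755"
            write-host "https://kb.vmware.com/s/article/79520"
            write-host "https://kb.vmware.com/s/article/79694"
            write-host "https://kb.vmware.com/s/article/80703"
            write-host "https://kb.vmware.com/s/article/81397"
            write-host "https://kb.vmware.com/s/article/81576"
            write-host "https://kb.vmware.com/s/article/82374"
            write-host "https://kb.vmware.com/s/article/83473"
            write-host "https://kb.vmware.com/s/article/83829"
            write-host "https://kb.vmware.com/s/article/1003736"
            write-host "https://kb.vmware.com/s/article/1025279"
            write-host "https://kb.vmware.com/s/article/1025757"
            write-host "https://kb.vmware.com/s/article/2003322"
            write-host "https://kb.vmware.com/s/article/2136430"
            write-host "https://kb.vmware.com/s/article/2149237"
            write-host "https://kb.vmware.com/s/article/2147959"
            write-host "https://kb.vmware.com/s/article/2150190"
            write-host "https://kb.vmware.com/s/article/2150794"
            write-host "https://kb.vmware.com/s/article/2150353"
            ''
            write-host "vSAN"
            write-host "https://kb.vmware.com/s/article/84209"
            write-host "https://kb.vmware.com/s/article/50121439"
            ''
            ''
            write-host "horizon"
            write-host "https://kb.vmware.com/s/article/2144475"
            ''
            write-host "vra (VMware Automation)"
            write-host "https://kb.vmware.com/s/article/1025279"
            ''
            ''
            write-host "vrops (VMware Operations Manager)"
            write-host "https://kb.vmware.com/s/article/53289"
            write-host "https://kb.vmware.com/s/article/76154"
            write-host "https://kb.vmware.com/s/article/2145578"
            ''
            ''
            write-host "VMSA"
            write-host "https://www.vmware.com/security/advisories/VMSA-2019-0022.html"
            write-host "https://www.vmware.com/security/advisories/VMSA-2020-0002.html"
            write-host "https://www.vmware.com/security/advisories/VMSA-2020-0015.html"
            write-host "https://www.vmware.com/security/advisories/VMSA-2021-0013.html"
            ''
            ''
            createsource
        } #kblist
        "csv" {
            createsource
            import-csv $CSVFILE | foreach-object {
                # Stringify before Trim so an empty Reference cell does not throw on $null
                $KB = "$($_.Reference)".trim()
                $VCENTER = $_."Source Name"
                $ESX = $_."Object Name"
                switch ( $KB ) {
                    "https://kb.vmware.com/s/article/10252799" {
                        # placeholder case used to exercise the confirmation flow
                        if ((confirmX) -eq 'y') {
                            write-host "...start the fix..."
                        }
                    } #10252799
                    "https://kb.vmware.com/s/article/1025279" {
                        if ((confirmX) -eq 'y') { cleansnapshots }
                    } #1025279
                    "https://kb.vmware.com/s/article/2149237" {
                        if ((confirmX) -eq 'y') { cleansnapshots }
                    } #2149237
                    "https://kb.vmware.com/s/article/76372" {
                        # stop the CIM watchdog and SLP services and keep them off across reboots
                        if ((confirmX) -eq 'y') {
                            connect-viserver -server $VCENTER
                            tagset
                            Get-VMHost -name $ESX | Get-VMHostService | Where {$_.Key -eq "sfcbd-watchdog"} | Stop-VMHostService -Confirm:$false
                            Get-VMHost -name $ESX | Get-VMHostService | Where {$_.Key -eq "slpd"} | Stop-VMHostService -Confirm:$false
                            Get-VMHost -name $ESX | Get-VMHostService | Where {$_.Key -eq "sfcbd-watchdog"} | Set-VMHostService -Policy Off -Confirm:$false
                            Get-VMHost -name $ESX | Get-VMHostService | Where {$_.Key -eq "slpd"} | Set-VMHostService -Policy Off -Confirm:$false
                            disconnect-viserver -confirm:$false
                        }
                    } #76372
                    "https://kb.vmware.com/s/article/50121439" {
                        #NOTE: scp intel-nmve-*.vib into ESX:/tmp
                        # plink is run without -batch/-hostkey here: it will prompt on an unknown host key
                        if ((confirmX) -eq 'y') {
                            plink root@$ESX 'esxcli software vib install -v /tmp/intel-nvme-*.vib'
                        }
                    } #50121439
                    "https://kb.vmware.com/s/article/53289" {
                        #NOTE: ESX = VROPS
                        # Deleting auth.log*/messages* also wipes the appliance's authentication audit
                        # trail; forward or copy them to a log collector first if you may need them.
                        if ((confirmX) -eq 'y') {
                            plink root@$ESX 'service syslog stop'
                            plink root@$ESX 'rm -f /var/log/warn* /var/log/auth.log* /var/log/messages*'
                            plink root@$ESX 'service syslog start'
                            #plink -batch root@$ESX "service syslog stop ; rm -f /var/log/warn* /var/log/auth.log* /var/log/messages* ; service syslog start"
                        }
                    } #53289
                    "https://kb.vmware.com/s/article/76154" {
                        #NOTE: ESX = VROPS
                        if ((confirmX) -eq 'y') {
                            plink root@$ESX 'service rsyslog restart'
                        }
                    } #76154
                    "https://kb.vmware.com/s/article/2145578" {
                        #NOTE: ESX = VROPS
                        # truncates log files older than one day and records their names in /tmp/files_truncated.txt
                        if ((confirmX) -eq 'y') {
                            plink root@$ESX 'find /storage/log/ -mount -type f -mtime +1 -exec echo {} \; -exec truncate -cs 0 {} \; 2>&1 | tee /tmp/files_truncated.txt'
                        }
                    } #2145578
                    "https://kb.vmware.com/s/article/76630" {
                        #NOTE: check to make sure ssh has been enabled on ESX
                        #NOTE: create for loop for multiple ESX server
                        if ((confirmX) -eq 'y') {
                            connect-viserver -server $VCENTER
                            $HOSTX = get-vmhost $ESX
                            switch -wildcard ( $HOSTX.Version ) {
                                # 6.5 and 6.7 share the same QLogic driver fix / workaround
                                { $_ -like "6.5.*" -or $_ -like "6.7.*" } {
                                    if ($FIXWORK -eq 'fix') {
                                        #NOTE: scp QLC_bootbank_q*.vib into ESX:/tmp
                                        plink root@$ESX 'esxcli software vib install -v /tmp/QLC_bootbank_qcnic*.vib'
                                        plink root@$ESX 'esxcli software vib install -v /tmp/QLC_bootbank_qfle3_*.vib'
                                        plink root@$ESX 'esxcli software vib install -v /tmp/QLC_bootbank_qfle3f_*.vib'
                                        plink root@$ESX 'esxcli software vib install -v /tmp/QLC_bootbank_qfle3i_*.vib'
                                    } else {
                                        #NOTE: workaround - disable the affected QLogic modules
                                        plink root@$ESX 'esxcfg-module -d qfle3i'
                                        plink root@$ESX 'esxcfg-module -d qfle3f'
                                        plink root@$ESX 'esxcfg-module -d qcnic'
                                    }
                                } #6.5.* / 6.7.*
                            } #switch-HOSTX
                            #NOTE: does not support v7.0
                            disconnect-viserver -confirm:$false
                        }
                    } #76630
                    "https://kb.vmware.com/s/article/83473" {
                        applyhostpatch -versionmap @{ "7.0.*" = "ESXi70U2c-18426014" }
                    } #83473
                    "https://kb.vmware.com/s/article/81397" {
                        applyhostpatch -versionmap @{ "7.0.*" = "ESXi70U1c-17325551" }
                    } #81397
                    "https://kb.vmware.com/s/article/84209" {
                        applyhostpatch -versionmap @{ "7.0.*" = "ESXi70U2-17630552" }
                    } #84209
                    "https://kb.vmware.com/s/article/79694" {
                        applyhostpatch -versionmap @{ "7.0.*" = "ESXi70b-16324942" }
                    } #79694
                    "https://www.vmware.com/security/advisories/VMSA-2021-0013.html" {
                        applyhostpatch -baseline "TOOLS-17901792"
                    } #vmsa-2021-0013
                    "https://www.vmware.com/security/advisories/VMSA-2020-0002.html" {
                        applyhostpatch -baseline "TOOLS-15948996"
                    } #vmsa-2020-0002
                    "https://kb.vmware.com/s/article/76163" {
                        applyhostpatch -baseline "TOOLS-15948996"
                    } #76163
                    "https://kb.vmware.com/s/article/76733" {
                        applyhostpatch -versionmap @{ "6.7.*" = "ESXi670-202004002" }
                    } #76733
                    "https://kb.vmware.com/s/article/2150794" {
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-201907201-UG"
                            "6.7.*" = "ESXi670-201908201-UG"
                        }
                    } #2150794
                    "https://kb.vmware.com/s/article/76613" {
                        applyhostpatch -versionmap @{
                            "6.0.*" = "ESXi600-201911001"
                            "6.5.*" = "ESXi650-201911001"
                            "6.7.*" = "ESXi670-201911001"
                        }
                    } #76613
                    "https://kb.vmware.com/s/article/1025757" {
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-202107001"
                            "6.7.*" = "ESXi670-202103001"
                            "7.0.*" = "ESXi70U2-17630552"
                        }
                    } #1025757
                    "https://kb.vmware.com/s/article/67129" {
                        #NOTE: INCOMPLETE - need v7.0 (ESXi_7.0.0-1.20.16321839)
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-201907201-UG"
                            "6.7.*" = "ESXi670-201908201-UG"
                        }
                    } #67129
                    "https://kb.vmware.com/s/article/70737" {
                        #NOTE: INCOMPLETE - need v7.0 (ESXi_7.0.0-1.20.16321839)
                        applyhostpatch -versionmap @{ "6.7.*" = "ESXi670-201908201-UG" }
                    } #70737
                    "https://kb.vmware.com/s/article/65207" {
                        #NOTE: INCOMPLETE - need v7.0 (ESXi_7.0.0-1.20.16321839)
                        # (70813 is printed by kblist but has no case here; it falls through to default)
                        applyhostpatch -versionmap @{ "6.7.*" = "ESXi670-201908201-UG" }
                    } #65207
                    "https://kb.vmware.com/s/article/80703" {
                        #NOTE: INCOMPLETE - need v7.0 (ESXi_7.0.0-1.20.16321839)
                        applyhostpatch -versionmap @{
                            "7.0.*" = "ESXi70U1-16850804"
                            "6.7.*" = "ESXi670-202103001"
                        }
                    } #80703
                    "https://www.vmware.com/security/advisories/VMSA-2019-0022.html" {
                        #NOTE: INCOMPLETE - need DAS fix
                        #NOTE: need Workaround
                        applyhostpatch -versionmap @{
                            "6.0.*" = "ESXi600-201912001"
                            "6.5.*" = "ESXi650-201912001"
                            "6.7.*" = "ESXi670-201912001"
                        }
                    } #VMSA-2019-0022
                    "https://www.vmware.com/security/advisories/VMSA-2020-0015.html" {
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-202005401-SG"
                            "6.7.*" = "ESXi670-202004101-SG"
                            "7.0.*" = "ESXi70b-16324942"
                        }
                    } #VMSA-2020-0015
                    "https://www.vmware.com/security/advisories/VMSA-2020-0023.html" {
                        # not listed by kblist yet
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-202011001"
                            "6.7.*" = "ESXi670-202011001"
                            "7.0.*" = "ESXi70U1a-17119627"
                        }
                    } #VMSA-2020-0023
                    "https://kb.vmware.com/s/article/58715" {
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-201810401-BG"
                            "6.7.*" = "ESXi670-201810401-BG"
                        }
                    } #58715
                    "https://kb.vmware.com/s/article/67529" {
                        applyhostpatch -versionmap @{
                            "6.5.*" = "ESXi650-201912002"
                            "6.7.*" = "ESXi670-202103001"
                        }
                    } #67529
                    "https://kb.vmware.com/s/article/81576" {
                        # the 6.7 key was "6.7.0" (matching only that exact build string); every
                        # other case uses the "6.7.*" wildcard, so it is aligned with them here
                        applyhostpatch -versionmap @{
                            "7.0.*" = "ESXi70U1c-17325551"
                            "6.7.*" = "ESXi670-202011002"
                        }
                    } #81576
                    "https://kb.vmware.com/s/article/79520" {
                        #NOTE:config configs exist on vcenter
                        if ((confirmX) -eq 'y') {
                            connect-viserver -server $VCENTER
                            tagset
                            get-advancedsetting -entity $ESX -name "config.task.timeout" | set-advancedsetting -value "7200" -confirm:$false
                            get-advancedsetting -entity $ESX -name "config.vmomi.soapStubAdapter.blockingTimeoutSeconds" | set-advancedsetting -value "18000" -confirm:$false
                            disconnect-viserver -confirm:$false
                        }
                    } #79520
                    "https://kb.vmware.com/s/article/2144475" {
                        #NOTE: ESX is really VM in this context
                        #NOTE: VDI
                        # cmdlet names were misspelled (get-/set-advancesetting) and never resolved
                        if ((confirmX) -eq 'y') {
                            connect-viserver -server $VCENTER
                            get-advancedsetting -entity $ESX -name svga.enableScreenDMA | set-advancedsetting -value TRUE -confirm:$false
                            disconnect-viserver -confirm:$false
                        }
                    } #2144475
                    "https://kb.vmware.com/s/article/2150190" {
                        if ((confirmX) -eq 'y') { vcenterpatch }
                    } #2150190
                    "https://kb.vmware.com/s/article/76745" {
                        if ((confirmX) -eq 'y') { vcenterpatch }
                    } #76745
                    "https://kb.vmware.com/s/article/76755" {
                        if ((confirmX) -eq 'y') { vcenterpatch }
                    } #76755
                    "https://kb.vmware.com/s/article/83829" {
                        #NOTE: NEED REVIEW
                        # this URL used to appear twice, which made switch prompt and patch twice
                        if ((confirmX) -eq 'y') { vcenterpatch }
                    } #83829
                    "https://kb.vmware.com/s/article/82374" {
                        #NOTE: NEED REVIEW 7.x
                        if ((confirmX) -eq 'y') { vcenterpatch }
                    } #82374
                    "https://kb.vmware.com/s/article/1003736" {
                        $file = checkfile
                        . $file
                        if ($null -eq $NTPSERVER) {
                            # seed the config file with a commented placeholder the operator must fill in
                            $SAMPLENTP = select-string -path $file -pattern NTPSERVER
                            if ($SAMPLENTP.Matches.Count -lt 1) {
                                add-content $file '#NTPSERVER = "NEED-NTP-SERVER"'
                            }
                            write-host ''
                            write-host "ERROR - cannot execute, please update NTPSERVER entry in $file"
                            write-host ''
                        } else {
                            if ((confirmX) -eq 'y') {
                                connect-viserver -server $VCENTER
                                tagset
                                add-vmhostntpserver -vmhost $ESX -ntpserver $NTPSERVER
                                get-vmhost -name $ESX | get-vmhostservice | where-object {$_.key -eq "ntpd" } | start-vmhostservice
                                get-vmhost -name $ESX | get-vmhostservice | where-object {$_.key -eq "ntpd" } | set-vmhostservice -policy "automatic"
                                disconnect-viserver -confirm:$false
                            }
                        }
                    } #1003736
                    "https://kb.vmware.com/s/article/2147959" {
                        applyhostpatch -baseline "ESXi600-Update03"
                    } #2147959
                    "https://kb.vmware.com/s/article/58874" {
                        applyhostpatch -baseline "ESXi670-Update02"
                    } #58874
                    "https://kb.vmware.com/s/article/2150353" {
                        applyhostpatch -versionmap @{
                            "6.0.*" = "ESXi600-201711001"
                            "6.5.*" = "ESXi650-201712001"
                        }
                    } #2150353
                    "https://kb.vmware.com/s/article/2136430" {
                        applyhostpatch -versionmap @{
                            "5.5.*" = "ESXi550-201608001"
                            "6.0.*" = "ESXi600-201611401-BG"
                        }
                    } #2136430
                    "https://kb.vmware.com/s/article/55650" {
                        applyhostpatch -versionmap @{
                            "6.7.*" = "ESXi670-201811401-BG"
                            "6.5.*" = "ESXi650-201811401-BG"
                        }
                    } #55650
                    "https://kb.vmware.com/s/article/2003322" {
                        $file = checkfile
                        . $file
                        if ($null -eq $LOGDIR) {
                            $SAMPLELOGDIR = select-string -path $file -pattern LOGDIR
                            if ($SAMPLELOGDIR.Matches.Count -lt 1) {
                                add-content $file '#LOGDIR = "NEED-LOG-DIR"'
                                add-content $file '#LOGHOST = "NEED-LOG-HOST"'
                            }
                            write-host ''
                            write-host "ERROR - cannot execute, please update LOGDIR and LOGHOST entries in $file"
                            write-host ''
                        } else {
                            if ((confirmX) -eq 'y') {
                                connect-viserver -server $VCENTER
                                tagset
                                get-advancedsetting -entity $ESX -name "Syslog.global.logDir" | set-advancedsetting -value "[$LOGDIR] /" -confirm:$false
                                get-advancedsetting -entity $ESX -name "Syslog.global.logDirUnique" | set-advancedsetting -value $true -confirm:$false
                                # ${LOGHOST} is required: "$LOGHOST:514" is parsed as a drive-qualified
                                # variable and expands to nothing, leaving the log host as "udp://".
                                # Syslog over UDP is unauthenticated and unencrypted; the ESXi setting
                                # also accepts a tcp:// or ssl:// target if the collector supports it.
                                get-advancedsetting -entity $ESX -name "Syslog.global.logHost" | set-advancedsetting -value "udp://${LOGHOST}:514" -confirm:$false
                                disconnect-viserver -confirm:$false
                            }
                        }
                    } #2003322
                    default {
                        ''
                        'ERROR - cannot execute, this KB fix has not been implimented yet. Will be added in the near future.'
                        ''
                    } #default-csvfile
                } #switch-CSVFILE
            } #import
        } #csv
        default {
            ''
            'USAGE: skyline-fixer ARG VARIABLE'
            ' kblist'
            ' csv Finding.csv (fix | workaround)'
            ''
            createsource
        } #default
    } #switch-OPTIONX
} #function

# Operator helper: vCenter role/permission setup for the Skyline collector account, SSH
# toggles on ESXi hosts, workstation/appliance preparation and OVA deployment.
# $CHOICE1 selects the action; $CHOICE2..$CHOICE5 are positional arguments whose meaning
# depends on the action (see the usage text in the default case).
function skyline-helper {
    [CmdletBinding()]
    param(
        [string]$CHOICE1,
        [string]$CHOICE2,
        [string]$CHOICE3,
        [string]$CHOICE4,
        [string]$CHOICE5
    )
    switch ( $CHOICE1 ) {
        "create-role" {
            # read-only role with the privileges the Skyline collector needs
            connect-viserver -server $CHOICE2
            tagset
            new-virole -name $CHOICE3 -privilege (get-viprivilege -id global.diagnostics, global.health, global.licenses, global.settings, system.anonymous, system.view, system.read)
            disconnect-viserver -confirm:$false
        }
        "check-role" {
            connect-viserver -server $CHOICE2
            tagset
            get-virole $CHOICE3 | get-viprivilege | select Id
            disconnect-viserver -confirm:$false
        }
        "add-2-role" {
            # grants $CHOICE3 the role $CHOICE4 at the root folder, propagated to everything below
            connect-viserver -server $CHOICE2
            tagset
            new-vipermission -entity (get-folder -norecursion) -principal $CHOICE3 -role $CHOICE4 -propagate:$true
            disconnect-viserver -confirm:$false
        }
        "check-account" {
            connect-viserver -server $CHOICE2
            tagset
            get-vipermission -principal $CHOICE3
            disconnect-viserver -confirm:$false
        }
        "stop-ssh" {
            connect-viserver -server $CHOICE2
            get-vmhost -name $CHOICE3 | get-vmhostservice | Where Key -EQ "TSM-SSH" | stop-vmhostservice -confirm:$false
            disconnect-viserver -confirm:$false
        }
        "start-ssh" {
            # the plink-based fixes need this; stop-ssh it again once they are done
            connect-viserver -server $CHOICE2
            get-vmhost -name $CHOICE3 | get-vmhostservice | Where Key -EQ "TSM-SSH" | start-vmhostservice -confirm:$false
            disconnect-viserver -confirm:$false
        }
        "skyline-prep" {
            # Bootstraps the workstation with Chocolatey, PuTTY (plink/pscp) and curl. install.ps1
            # is downloaded and executed straight from the network with no hash or signature
            # check, and Bypass relaxes the execution policy for this process: on managed hosts,
            # review the script first or install Chocolatey from a vetted package instead.
            Set-ExecutionPolicy Bypass -Scope Process -Force
            iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
            choco install putty
            choco install curl
        }
        "check-update" {
            plink -ssh root@$CHOICE2 -no-antispoof "/opt/vmware/bin/vamicli update --check"
        }
        "install-update" {
            plink -ssh root@$CHOICE2 -no-antispoof "/opt/vmware/bin/vamicli update --install latest --accepteula"
        }
        "check-version" {
            plink -ssh root@$CHOICE2 -no-antispoof "/opt/vmware/bin/vamicli version --appliance"
        }
        "nsx-prep" {
            install-module PowerNSX -force
        }
        "reset-adminpw" {
            # Moves the appliance's generated credentials file aside so the admin password
            # reverts to "default" after a reboot. Change it immediately after logging back in;
            # until then the appliance accepts a publicly known password.
            plink -ssh root@$CHOICE2 -no-antispoof "cp /usr/local/skyline/ccf/config/generated/credentials.json /usr/local/skyline/ccf/config/generated/credentials.old"
            write-host ''
            write-host 'Please reboot skyline appliance now. The admin password is now "default"'
            write-host ''
        }
        "check-nsxaccount" {
            connect-nsxserver -vCenterServer $CHOICE2
            get-nsxuserrole $CHOICE3
            disconnect-nsxserver -confirm:$false
        }
        "vrops-prep" {
            install-module Vmware.VimAutomation.vROps -force
        }
        "check-vropsaccount" {
            connect-omserver $CHOICE2
            get-omuser $CHOICE3
            disconnect-omserver -confirm:$false
        }
        "skyline-vm-check" {
            connect-viserver -server $CHOICE2
            tagset
            get-vm $CHOICE3
            disconnect-viserver -confirm:$false
        }
        "skyline-vm-turnon" {
            connect-viserver -server $CHOICE2
            tagset
            start-vm $CHOICE3
            disconnect-viserver -confirm:$false
        }
        "powercli-prep" {
            install-module vmware.powercli -force
            Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false -confirm:$false
            # InvalidCertificateAction ignore switches off TLS certificate validation for every
            # later Connect-VIServer from this profile, so a spoofed vCenter would be trusted.
            # Prefer installing the vCenter CA on the workstation and leaving this at Fail/Warn.
            Set-PowerCLIConfiguration -InvalidCertificateAction ignore -confirm:$false
        }
        "ova-prep" {
            # writes commented OVA placeholders into the config file for the operator to fill in;
            # OVAPASSWD ends up in that file in plaintext, so restrict its permissions
            $file = checkfile
            . $file
            if ($null -eq $OVAPATH) {
                $SAMPLEOVAPATH = select-string -path $file -pattern OVAPATH
                if ($SAMPLEOVAPATH.Matches.Count -lt 1) {
                    add-content $file '#OVAPATH = "NEED-OVA-PATH"'
                    add-content $file '#OVANAME = "NEED-OVA-NAME"'
                    add-content $file '#OVAIP = "NEED-OVA-IP"'
                    add-content $file '#OVANETMASK = "NEED-OVA-NETMASK"'
                    add-content $file '#OVADNS = "NEED-OVA-DNS"'
                    add-content $file '#OVAGW = "NEED-OVA-GATEWAY"'
                    add-content $file '#OVAPASSWD = "NEED-OVA-PASSWORD"'
                }
            }
        }
        "ova-deploy" {
            # deploys the Skyline appliance OVA ($OVA* from the config) onto host $CHOICE3,
            # datastore $CHOICE4, port group $CHOICE5, then powers it on
            $file = checkfile
            . $file
            if ($null -ne $OVAPATH) {
                connect-viserver -server $CHOICE2
                tagset
                $ovfConfig = Get-OvfConfiguration $OVAPATH
                $ovfConfig.NetworkMapping.Network_1.Value = $CHOICE5
                $ovfConfig.vami.VMware_Skyline_Appliance.gateway.value = $OVAGW
                $ovfConfig.vami.VMware_Skyline_Appliance.DNS.value = $OVADNS
                $ovfConfig.vami.VMware_Skyline_Appliance.ip0.value = $OVAIP
                $ovfConfig.vami.VMware_Skyline_Appliance.netmask0.value = $OVANETMASK
                $ovfConfig.Common.varoot_password.Value = $OVAPASSWD
                Import-VApp -source $OVAPATH -name $OVANAME -OvfConfiguration $ovfConfig -VMHost $CHOICE3 -datastore $CHOICE4 -diskstorageformat thin
                start-vm -vm $OVANAME -confirm:$false
                disconnect-viserver -confirm:$false
            } else {
                write-host ''
                write-host "ERROR - cannot execute, please update OVA entries in $file"
                write-host ''
            }
        }
        "enable-start-docker" {
            plink -ssh root@$CHOICE2 -no-antispoof "systemctl enable docker && systemctl start docker"
        }
        default {
            ''
            'USAGE: skyline-help.ps1 ARG VARIABLE'
            ' (client arg): [powercli-prep]'
            ' (vcenter arg): [create-role | check-role | add-2-role | check-account]'
            ' (esx arg): [start-ssh | stop-ssh]'
            ' (skyline arg1): [ova-prep | ova-deploy | skyline-prep]'
            ' (skyline arg2): [check-update | install-update | check-version]'
            ' (skyline arg3): [skyline-vm-check | skyline-vm-turnon | reset-adminpw]'
            ' (nsx arg): [nsx-prep | check-nsxaccount]'
            ' (vrops arg): [vrops-prep | check-vropsaccount]'
            ' (docker arg): [enable-start-docker]'
            ''
            createsource
        }
    }
} #skyline-helper

# Operator helper for the docker-based collector VM: config placeholders, OVA deployment
# and installation of the helper script over SSH. Argument layout as in skyline-helper.
function skyline-docker {
    [CmdletBinding()]
    param(
        [string]$CHOICE1,
        [string]$CHOICE2,
        [string]$CHOICE3,
        [string]$CHOICE4,
        [string]$CHOICE5
    )
    switch ( $CHOICE1 ) {
        "docker-prep" {
            # placeholder text still says NEED-OVA-*; the variable names are what matters
            $file = checkfile
            . $file
            if ($null -eq $DOCKERPATH) {
                $SAMPLEDOCKERPATH = select-string -path $file -pattern DOCKERPATH
                if ($SAMPLEDOCKERPATH.Matches.Count -lt 1) {
                    add-content $file '#DOCKERPATH = "NEED-OVA-PATH"'
                    add-content $file '#DOCKERNAME = "NEED-OVA-NAME"'
                    add-content $file '#DOCKERIP = "NEED-OVA-IP"'
                    add-content $file '#DOCKERNETMASK = "NEED-OVA-NETMASK"'
                    add-content $file '#DOCKERDNS = "NEED-OVA-DNS"'
                    add-content $file '#DOCKERGW = "NEED-OVA-GATEWAY"'
                    add-content $file '#DOCKERPASSWD = "NEED-OVA-PASSWORD"'
                }
            }
        }
        "docker-deploy" {
            # Two copy-paste slips fixed here: the DNS value read $DOCKDERDNS (always empty)
            # and Import-VApp used $OVAPATH instead of $DOCKERPATH.
            # NOTE(review): the vami.VMware_Skyline_Appliance property names are carried over
            # from ova-deploy - confirm they match this OVA's OVF properties.
            $file = checkfile
            . $file
            if ($null -ne $DOCKERPATH) {
                connect-viserver -server $CHOICE2
                tagset
                $dovfConfig = Get-OvfConfiguration $DOCKERPATH
                $dovfConfig.NetworkMapping.Network_1.Value = $CHOICE5
                $dovfConfig.vami.VMware_Skyline_Appliance.gateway.value = $DOCKERGW
                $dovfConfig.vami.VMware_Skyline_Appliance.DNS.value = $DOCKERDNS
                $dovfConfig.vami.VMware_Skyline_Appliance.ip0.value = $DOCKERIP
                $dovfConfig.vami.VMware_Skyline_Appliance.netmask0.value = $DOCKERNETMASK
                $dovfConfig.Common.varoot_password.Value = $DOCKERPASSWD
                Import-VApp -source $DOCKERPATH -name $DOCKERNAME -OvfConfiguration $dovfConfig -VMHost $CHOICE3 -datastore $CHOICE4 -diskstorageformat thin
                start-vm -vm $DOCKERNAME -confirm:$false
                disconnect-viserver -confirm:$false
            } else {
                write-host ''
                write-host "ERROR - cannot execute, please update DOCKER entries in $file"
                write-host ''
            }
        }
        "docker-install" {
            #NOTE: fix path
            # the local path is pinned to module version 0.2.1 of a differently named module
            plink -ssh root@$CHOICE2 -no-antispoof 'mkdir /skyline'
            pscp "C:\Program Files\WindowsPowerShell\Modules\SkylineUtils\0.2.1\skylineutils-docker2.sh" root@"$CHOICE2":/skyline
            plink -ssh root@$CHOICE2 -no-antispoof 'chmod +x /skyline/skylineutils-docker2.sh'
            plink -ssh root@$CHOICE2 -no-antispoof '/skyline/skylineutils-docker2.sh -install'
        }
        "docker-salt" {
            plink -ssh root@$CHOICE2 -no-antispoof '/skyline/skylineutils-docker2.sh -install-salt'
        }
        "docker-sftp" {
            plink -ssh root@$CHOICE2 -no-antispoof '/skyline/skylineutils-docker2.sh -install-sftp'
        }
        default {
            ''
            'USAGE: skyline-docker ARG VARIABLE'
            ' (arg1): [docker-prep | docker-deploy | docker-install]'
            ' (arg2): [docker-salt | docker-sftp]'
            ''
            createsource
        }
    }
} #skyline-docker

# Skyline API client: writes a GraphQL query into skyline.json in the current directory and
# posts it to $ACCESSSERVER with a bearer token from getaccesstoken2.
# (The body of this function continues below this edit.)
function skyline-comm {
    [CmdletBinding()]
    param(
        [string]$CHOICE1,
        [string]$CHOICE2,
        [string]$CHOICE3,
        [string]$CHOICE4,
        [string]$CHOICE5
    )
    switch ( $CHOICE1 ) {
        prep {
            $file = checkfile
            . $file
            # NOTE(review): this tests $OVAPATH although the placeholders written are the
            # APITOKEN entries - looks like a copy-paste from ova-prep; confirm intent.
            if ($OVAPATH -eq $null) {
                $SAMPLEAPITOKEN = select-string -path $file -pattern APITOKEN
                if ( $SAMPLEAPITOKEN.Matches.Count -lt 1) {
                    $file2 = "skyline.json"
                    add-content $file '#APITOKEN = "NEED-API-TOKEN"'
                    add-content $file '#APITOKENSERVER = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize?grant_type=refresh_token"'
                    add-content $file '#ACCESSSERVER = "https://skyline.vmware.com/public/api/data"'
                    add-content $file2 '{ "query" : "'
                    add-content $file2 '{'
                    add-content $file2 ' activeFindings(limit: 200) {'
                    add-content $file2 ' findings {'
                    add-content $file2 ' findingId'
                    add-content $file2 ' accountId'
                    add-content $file2 ' findingDisplayName'
                    add-content $file2 ' severity'
                    add-content $file2 ' products'
                    add-content $file2 ' findingDescription'
                    add-content $file2 ' findingImpact'
                    add-content $file2 ' recommendations'
                    add-content $file2 ' kbLinkURLs'
                    add-content $file2 ' recommendationsVCF'
                    add-content $file2 ' kbLinkURLsVCF'
                    add-content $file2 ' categoryName'
                    add-content $file2 ' findingTypes'
                    add-content $file2 ' firstObserved'
                    add-content $file2 ' totalAffectedObjectsCount'
                    add-content $file2 ' }'
                    add-content $file2 ' totalRecords'
                    add-content $file2 ' timeTaken'
                    add-content $file2 ' }'
                    add-content $file2 '}'
                    add-content $file2 '"}'
                }
            }
        }
        get-access-token {
            $MYTOKEN2 = getaccesstoken2
            write-output $MYTOKEN2
        }
        get-findings {
            switch ($CHOICE2) {
                list {
                    $file2 = "skyline.json"
                    clear-content $file2
                    add-content $file2 '{ "query" : "'
                    add-content $file2 '{'
                    add-content $file2 ' activeFindings(limit: 200) {'
                    add-content $file2 ' findings {'
                    add-content $file2 ' findingId'
                    add-content $file2 ' 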
products' add-content $file2 ' totalAffectedObjectsCount' add-content $file2 ' }' add-content $file2 ' }' add-content $file2 '}' add-content $file2 '"}' $file = checkfile . $file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } detail { write-output $CHOICE3 write-output $CHOICE4 $file2 = "skyline.json" clear-content $file2 add-content $file2 '{ "query" : "' add-content $file2 '{' add-content $file2 ' activeFindings(' add-content $file2 ' filter: {' add-content $file2 " findingId: `"$CHOICE3`"," add-content $file2 " product: `"$CHOICE4`"" add-content $file2 ' }' add-content $file2 ' limit: 200) {' add-content $file2 ' findings {' add-content $file2 ' findingId' add-content $file2 ' accountId' add-content $file2 ' findingDisplayName' add-content $file2 ' severity' add-content $file2 ' products' add-content $file2 ' findingDescription' add-content $file2 ' findingImpact' add-content $file2 ' recommendations' add-content $file2 ' kbLinkURLs' add-content $file2 ' recommendationsVCF' add-content $file2 ' kbLinkURLsVCF' add-content $file2 ' categoryName' add-content $file2 ' findingTypes' add-content $file2 ' firstObserved' add-content $file2 ' totalAffectedObjectsCount' add-content $file2 ' affectedObjects(start: 0, limit: 200) {' add-content $file2 ' sourceName' add-content $file2 ' objectName' add-content $file2 ' objectType' add-content $file2 ' version' add-content $file2 ' buildNumber' add-content $file2 ' solutionTags {' add-content $file2 ' type' add-content $file2 ' version' add-content $file2 ' }' add-content $file2 ' firstObserved' add-content $file2 ' }' add-content $file2 ' }' add-content $file2 ' totalRecords' add-content $file2 ' timeTaken' add-content $file2 ' }' add-content $file2 '}' add-content $file2 '"}' $file = checkfile . 
$file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } category { $file2 = "skyline.json" clear-content $file2 add-content $file2 '{ "query" : "' add-content $file2 '{' add-content $file2 ' activeFindings(' add-content $file2 ' filter: {' add-content $file2 " categoryName: [$CHOICE3]" add-content $file2 ' }' add-content $file2 ' limit: 200)' add-content $file2 '{' add-content $file2 ' findings {' add-content $file2 ' findingId' add-content $file2 ' products' add-content $file2 ' totalAffectedObjectsCount' add-content $file2 ' }' add-content $file2 ' }' add-content $file2 '}' add-content $file2 '"}' $file = checkfile . $file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } type { $file2 = "skyline.json" clear-content $file2 add-content $file2 '{ "query" : "' add-content $file2 '{' add-content $file2 ' activeFindings(' add-content $file2 ' filter: {' add-content $file2 " findingTypes: [$CHOICE3]" add-content $file2 ' }' add-content $file2 ' limit: 200)' add-content $file2 '{' add-content $file2 ' findings {' add-content $file2 ' findingId' add-content $file2 ' products' add-content $file2 ' totalAffectedObjectsCount' add-content $file2 ' }' add-content $file2 ' }' add-content $file2 '}' add-content $file2 '"}' $file = checkfile . 
$file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } severity { $file2 = "skyline.json" clear-content $file2 add-content $file2 '{ "query" : "' add-content $file2 '{' add-content $file2 ' activeFindings(' add-content $file2 ' filter: {' add-content $file2 " severity: [$CHOICE3]" add-content $file2 ' }' add-content $file2 ' limit: 200)' add-content $file2 '{' add-content $file2 ' findings {' add-content $file2 ' findingId' add-content $file2 ' products' add-content $file2 ' totalAffectedObjectsCount' add-content $file2 ' }' add-content $file2 ' }' add-content $file2 '}' add-content $file2 '"}' $file = checkfile . $file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } custom { $file = checkfile . $file $MYTOKEN2 = getaccesstoken2 $FINDINGS = invoke-restmethod -method post -Uri "$ACCESSSERVER" -Headers @{Authorization = "Bearer $MYTOKEN2"} -infile skyline.json -ContentType "application/json" write-output $FINDINGS.data.activeFindings.findings } } } default { '' 'USAGE: skyline-comm ARG VARIABLE' ' (arg1): [prep]' ' (arg2): [get-access-token]' ' (arg3): [get-findings list]' ' (arg4): [get-findings detail findingid source]' ' (arg5): [get-findings custom]' ' (arg6): [get-findings category SECURITY|NETWORK|COMPUTE|STORAGE]' ' (arg7): [get-findings type CONFIGURATION|UPGRADE]' ' (arg8): [get-findings severity CRITICAL|MODERATE|TRIVIAL]' '' createsource } } } #skyline-comm function skyline-sec { [CmdletBinding()] param( [string]$CHOICE1, [string]$CHOICE2 ) switch ( $CHOICE1 ) { set-ssh { write-output "starting to set SSH settings on $CHOICE2..." 
$SSHmat = plink root@$CHOICE2 -no-antispoof "grep -c 'MaxAuthTries 2' /etc/ssh/sshd_config" if ( $SSHmat -lt 1) { #V-239165 write-output "...set MaxAuthTries..." plink root@$CHOICE2 -no-antispoof "echo 'MaxAuthTries 2' >> /etc/ssh/sshd_config" } else { write-output "...MaxAuthTries has already been set..." } $SSHiukh = plink root@$CHOICE2 -no-antispoof "grep -c 'IgnoreUserKnownHosts yes' /etc/ssh/sshd_config" if ( $SSHiukh -lt 1) { #V-239164 write-output "...set IgnoreUserKnownHosts..." plink root@$CHOICE2 -no-antispoof "echo 'IgnoreUserKnownHosts yes' >> /etc/ssh/sshd_config" } else { write-output "...IgnoreUserKnownHosts has already been set..." } $SSHcomp = plink root@$CHOICE2 -no-antispoof "grep -c 'Compression no' /etc/ssh/sshd_config" if ( $SSHcomp -lt 1) { #V-239161 write-output "...set Compression..." plink root@$CHOICE2 -no-antispoof "echo 'Compression no' >> /etc/ssh/sshd_config" } else { write-output "...Compression has already been set..." } $SSHpep = plink root@$CHOICE2 -no-antispoof "grep -v '#' /etc/ssh/sshd_config | grep -c 'PermitEmptyPasswords no'" if ( $SSHpep -lt 1) { #V-239160 write-output "...set PermitEmptyPasswords..." plink root@$CHOICE2 -no-antispoof "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config" } else { write-output "...PermitEmptyPasswords has already been set..." } write-output "...complete set SSH settings on $CHOICE2" } set-passwd { write-output "starting to set password settings on $CHOICE2..." write-output "...set 90 Days Max Lifetime..." plink root@$CHOICE2 -no-antispoof "sed -i s/'PASS_MAX_DAYS 60'/'PASS_MAX_DAYS 90'/g /etc/login.defs" write-output "...set password history..." 
plink root@$CHOICE2 -no-antispoof "touch /etc/security/opasswd; chown root:root /etc/security/opasswd; chmod 0600 /etc/security/opasswd; echo 'password required pam_pwhistory.so enforce_for_root use_authtok remember=5 retry=3' >> /etc/pam.d/system-password" write-output "...complete set password settings on $CHOICE2" } default { '' 'USAGE: skyline-sec ARG VARIABLE' ' (arg1): [set-ssh]' ' (arg2): [set-passwd]' '' createsource } #set-logging, set-config } } #skyline-sec Export-ModuleMember -Function 'skyline-fixer', 'skyline-helper', 'skyline-docker', 'skyline-comm', 'skyline-sec' |