diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/schedules.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/schedules.ps1
index 024f1ff..0e47f20 100644
--- a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/schedules.ps1
+++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/schedules.ps1
@@ -24,4 +24,7 @@ New-PSUSchedule -Cron "0 11 * * *" -Script "Infra-Certificate-External.Sectigo\I
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareVMMetadataToSql.ps1"
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareHostMetadataToSql.ps1"
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareClusterMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareClusterMetadataToSql.ps1"
-New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Name "Sync-ITDOneViewServerInventoryToSql.ps1"
\ No newline at end of file
+New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDOneViewServerInventoryToSql.ps1"
+New-PSUSchedule -Cron "0 7 * * MON-FRI" -Script "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -TimeZone "America/Chicago" -Name "New-ITDVMwareVMHostLockdownTicket.ps1"
+New-PSUSchedule -Cron "0 8 * * MON-FRI" -Script "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -TimeZone "America/Chicago" -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1"
+New-PSUSchedule -Cron "15 0 1 * *" -Script "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1"
\ No newline at end of file
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/scripts.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/scripts.ps1
index 6a2ea18..384efa3 100644
--- a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/scripts.ps1
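Review bot: The new `Disable-ITDVMwareVMHostLockdownVantisScan.ps1` schedule on the last added line omits `-TimeZone "America/Chicago"`, which every other schedule in the hunk carries and which this same hunk adds to the OneView line; without it the `15 0 1 * *` fire time follows whatever zone the PSU server defaults to, so the monthly disable may not land in the intended window. Suggested line: `New-PSUSchedule -Cron "15 0 1 * *" -Script "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -TimeZone "America/Chicago" -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1"`. Note also that the disable runs on the 1st regardless of weekday while ticket creation (`0 7 * * MON-FRI`) and re-enable (`0 8 * * MON-FRI`) only run on weekdays, so when the 1st falls on a weekend the Vantis hosts would appear to stay out of lockdown until the following Monday; if that is not intended, a weekday-aware re-enable or an explicit note accepting that window belongs here.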
+++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/scripts.ps1 
@@ -40,7 +40,7 @@ New-PSUScript -Name "Test-ZMFile.ps1" -Description "Test-ZMFile.ps1" -Tag @('Inf
 New-PSUScript -Name "Update-ITDVMwareILOSslCertificate.ps1" -Description "Update-ITDVMwareILOSslCertificate.ps1" -TimeOut "300" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Update-ITDVMwareILOSslCertificate.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto"
 New-PSUScript -Name "Test-ZMVariable.ps1" -Description "Test-ZMVariable.ps1 [[-variable1] ] [[-variable2] ]" -Path "ZM-Test\Test-ZMVariable.ps1"
 New-PSUScript -Name "Test-ITDScheduleWithCreds.ps1" -Description "Test-ITDScheduleWithCreds.ps1" -Path "ZM-Test\Test-ITDScheduleWithCreds.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto"
-New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7"
+New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7"
 New-PSUScript -Name "Unregister-CommonName.ps1" -Description "Unregister-CommonName.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Unregister-CommonName.ps1" -Environment "PowerShell 7"
 New-PSUScript -Name "Invoke-CertAutoRenew.ps1" -Description "Invoke-CertAutoRenew.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Invoke-CertAutoRenew.ps1" -Environment "PowerShell 7"
 New-PSUScript -Name "New-SectigoPfxCertificate.ps1" -Description "New-SectigoPfxCertificate.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-SectigoPfxCertificate.ps1" -Environment "PowerShell 7"
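Review bot: Dropping `'Team-Windows_Execute'` from the `-Tag` list narrows which PSU roles may run `New-ITDCertificateRequestSectigo.ps1`, while `Unregister-CommonName.ps1` and `New-SectigoPfxCertificate.ps1` in the same hunk keep both tags. The tightening reads as deliberate least-privilege, but nothing in the diff records the reason or whether the two siblings are meant to follow; a sentence in the commit message (or the matching change for the siblings if only `Infra-Certificate_Modify` holders should touch Sectigo certificate operations) would make the access-control intent reviewable later.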
@@ -53,4 +53,7 @@ New-PSUScript -Name "Invoke-CertificateDeploy.ps1" -Description "Invoke-Certific
 New-PSUScript -Name "Sync-ITDVMwareClusterMetadataToSql.ps1" -Description "Sync-ITDVMwareClusterMetadataToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareClusterMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
 New-PSUScript -Name "Sync-ITDVMwareHostMetadataToSql.ps1" -Description "Daily VMware Host metadata report for PowerBI trending and hardware capacity planning." -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
 New-PSUScript -Name "Sync-ITDVMwareVMMetadataToSql.ps1" -Description "Sync-ITDVMwareVMMetadataToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
-New-PSUScript -Name "Sync-ITDOneViewServerInventoryToSql.ps1" -Description "Sync-ITDOneViewServerInventoryToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmhpe"
\ No newline at end of file
+New-PSUScript -Name "Sync-ITDOneViewServerInventoryToSql.ps1" -Description "Sync-ITDOneViewServerInventoryToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmhpe"
+New-PSUScript -Name "New-ITDVMwareVMHostLockdownTicket.ps1" -Description "New-ITDVMwareVMHostLockdownTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
+New-PSUScript -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Description "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto"
+New-PSUScript -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Description "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto"
\ No newline at end of file
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Disable-ITDVMwareVMHostLockdownVantisScan.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Disable-ITDVMwareVMHostLockdownVantisScan.ps1
new file mode 100644
index 0000000..aa23877
--- /dev/null
+++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Disable-ITDVMwareVMHostLockdownVantisScan.ps1
@@ -0,0 +1,41 @@
+
+[CmdletBinding()]
+param (
+)
+
+begin {
+
+}
+
+process {
+ Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
+
+ $VMHosts = Get-Datacenter -Name "Grand Forks Vantis" | Get-VMHost
+
+ ForEach ($VMHost in $VMHosts) {
+ Write-Verbose -Message ("Start: " + $VMHost.Name) -Verbose
+
+ $VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
+
+ # if accurate, enable lockdown
+ If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
+ Write-Verbose -Message ("Lockdown is already disabled on " + $VMHost.Name + ", no change") -Verbose
+ $NoChange = $true
+ }
+ Else {
+ Write-Verbose -Message ("Lockdown is enabled on " + $VMHost.Name + ", disabling now") -Verbose
+ Disable-ITDVMwareVMHostFeature -Name $VMHost.Name -LockdownMode
+
+ }
+ Start-Sleep -Seconds 5
+
+ # confirm lockdown is enabled
+ $VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
+ }
+
+ Disconnect-ITDvCenter
+}
+
+end {
+
+}
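Review bot: The three new `New-PSUScript` registrations use `-Description` values that merely repeat the file name, whereas the neighbouring `Sync-ITDVMwareHostMetadataToSql.ps1` entry shows the intended style (one sentence saying what the job does and why). That matters most for `Disable-ITDVMwareVMHostLockdownVantisScan.ps1`, which runs under `ndgov_svcitdvmvcauto` and deliberately turns off a CIS hardening control across a datacenter: the PSU console description is the only place an operator sees what this job is for before running or re-scheduling it. Suggested: `-Description "Monthly: disables lockdown mode on every host in the 'Grand Forks Vantis' datacenter (assumed to be required for the Vantis scan); hosts are picked up again by the lockdown ticket workflow."` with similar one-liners for the ticket and enable scripts. The `New-ITDVMwareVMHostLockdownTicket.ps1` line correctly keeps the read-only `ndgov_svcitdvmvcro` account for the detection-only job; keep that split when revising.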
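Review bot: After `Disable-ITDVMwareVMHostFeature -Name $VMHost.Name -LockdownMode` the script fetches `$VMHostStatusCheck` but never inspects it, so a host that stays in lockdown (or an error from the disable call) is neither logged nor surfaced, and `$NoChange = $true` is assigned but never read. The comments `# if accurate, enable lockdown` and `# confirm lockdown is enabled` also appear to be carried over from the enable-side script and state the opposite of what this block does; suggested replacements are `# if lockdown is already disabled, leave the host as is` and `# confirm lockdown is now disabled`. Since this job intentionally removes a hardening control from every host in the datacenter, using the post-check to emit a warning per host that did not change gives the PSU job log a usable record of what actually happened; the rewritten tail of the loop body is below.

```powershell
        # confirm lockdown is now disabled
        $VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
        If ($VMHostStatusCheck.LockdownMode -ne 'lockdowndisabled') {
            Write-Warning -Message ("Lockdown is still enabled on " + $VMHost.Name + " after attempted disable, manual review required")
        }
        # … unchanged: end of ForEach, Disconnect-ITDvCenter …
```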
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Enable-ITDVMwareVMHostLockdownViaTicket.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Enable-ITDVMwareVMHostLockdownViaTicket.ps1
new file mode 100644
index 0000000..e71ea9a
--- /dev/null
+++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Enable-ITDVMwareVMHostLockdownViaTicket.ps1
@@ -0,0 +1,86 @@
+
+[CmdletBinding()]
+param (
+ [switch]
+ $IncludeInProgress
+)
+
+begin {
+
+}
+
+process {
+ New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
+ Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
+
+ If($PSBoundParameters.ContainsKey("IncludeInProgress")){
+ $Filter = 'short_descriptionSTARTSWITHLockdown mode is disabled on VMware host^state=1^ORstate=2'
+ } Else {
+ $Filter = 'state=1^short_descriptionSTARTSWITHLockdown Mode is disabled on VMware host'
+ }
+
+ $Incidents = Get-ITDServiceNowRecord -ItemType Incident -Filter $Filter | Sort-Object {$_.number.value}
+
+ ForEach ($Incident in $Incidents) {
+ # reset variables for each loop
+ $VMHostName = $null
+ $VMHostStatus = $null
+ $VMHostStatusCheck = $null
+ $NoChange = $null
+
+ $VMHostName = $Incident.short_description.display_value.split(' ')[-1]
+
+ Write-Verbose -Message ("Start " + $Incident.number.display_value + " for host " + $VMHostName) -Verbose
+ # confirm ticket is accurate, that host has lockdown mode disabled
+ $VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHostName
+
+ # if accurate, enable lockdown
+ If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
+ Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", enabling lockdown mode") -Verbose
+ Enable-ITDVMwareVMHostFeature -Name $VMHostName -LockdownMode
+ }
+ Else {
+ Write-Verbose -Message ("Lockdown is already enabled on " + $VMHostName + ", no change") -Verbose
+ $NoChange = $true
+ }
+ Start-Sleep -Seconds 5
+
+ # confirm lockdown is enabled
+ $VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHostName
+
+ # update ticket with current status
+ If ($VMHostStatusCheck.LockdownMode -eq 'lockdowndisabled') {
+ # update work notes if disabled
+ Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", update incident work notes") -Verbose
+ $WorkNotesMsg = ("Lockdown is still disabled on " + $VMHostName + " after attempted remediation, manual review required.")
+ Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
+ work_notes = $WorkNotesMsg
+ state = 'On Hold'
+ }
+ }
+ Else {
+ # close if enabled
+ If ($NoChange) {
+ Write-Verbose -Message ("Lockdown was already enabled on " + $VMHostName + ", closing incident") -Verbose
+ $close_notes = ("Lockdown was already enabled on " + $VMHostName + " when checked, closing incident")
+ }
+ Else {
+ Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
+ $close_notes = ("Lockdown successfully auto-enabled on " + $VMHostName);
+ }
+ Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
+ Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
+ close_code = 'Solved (Permanently)'
+ close_notes = $close_notes
+ u_underlying_cause = 'Configuration';
+ state = 'Closed'
+ }
+ }
+ }
+
+ Disconnect-ITDvCenter
+}
+
+end {
+
+}
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/New-ITDVMwareVMHostLockdownTicket.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/New-ITDVMwareVMHostLockdownTicket.ps1
new file mode 100644
index 0000000..834fa1c
--- /dev/null
+++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/New-ITDVMwareVMHostLockdownTicket.ps1
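Review bot: `$VMHostName = $Incident.short_description.display_value.split(' ')[-1]` takes the host to act on from the last word of the ticket's free-text short description, and nothing checks that the name resolves to a real host before `Get-ITDVMwareVMHostStatus` and `Enable-ITDVMwareVMHostFeature` are called with it. If the status lookup returns nothing for an unknown name (the visible code does not rule that out), `$VMHostStatus.LockdownMode -eq 'lockdowndisabled'` is false, `$NoChange` is set, the post-check is likewise not `'lockdowndisabled'`, and the incident is closed as `Solved (Permanently)` with "Lockdown was already enabled" — so a hand-edited or mistyped short description would silently close a genuine finding; guard right after the lookup and skip (or place on hold) tickets whose host cannot be resolved, as below. Two smaller points: the `IncludeInProgress` filter uses `Lockdown mode` (lowercase) where the default branch and the ticket creator use `Lockdown Mode`, which should be aligned unless STARTSWITH is known to be case-insensitive in this instance, and the `Write-Verbose ... "closing incident"` after the inner If/Else repeats what both branches already logged and can be dropped.

```powershell
        $VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHostName
        If (-not $VMHostStatus) {
            Write-Warning -Message ("Host " + $VMHostName + " from " + $Incident.number.display_value + " was not found in vCenter, skipping")
            continue
        }
        # … unchanged: enable lockdown, post-check, incident update …
```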
@@ -0,0 +1,59 @@
+
+<#
+.SYNOPSIS
+ Checks VMware host lockdown mode status and creates incidents for disabled hosts.
+
+.DESCRIPTION
+ Recurring PSU schedule task, ~8am.
+
+ This script connects to the ITD vCenter, retrieves all VMware hosts, and checks their lockdown mode status.
+ If lockdown mode is disabled on any hosts, it creates a ServiceNow incident for review.
+
+.EXAMPLE
+ .\VMware-LockdownTickets.ps1
+
+.NOTES
+ Requires VMware PowerCLI and ITD ServiceNow modules.
+ Service account credentials must be available via $PrvCred and $Secret:ndgov_svcitdvmvcro.
+#>
+[CmdletBinding()]
+param (
+
+)
+
+begin {
+
+}
+
+process {
+ New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
+ Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
+
+ $AllVMHosts = Get-VMHost
+ $CurrentState = Get-ITDVMwareVMHostStatus -Name $AllVMHosts
+ $LockdownDisabled = $CurrentState | where-object lockdownmode -eq lockdowndisabled
+
+ If ($LockdownDisabled) {
+
+ ForEach ($VMHost in $LockdownDisabled) {
+ Write-Verbose -Message "Start $($VMHost.Name) incident creation"
+ $NewIncidentParams = @{
+ CallerUsername = 'svcvmwareadm';
+ ShortDescription = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name);
+ Description = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name + ". Lockdown mode is required for CIS hardening compliance 3.20 (L1)");
+ Impact = 3;
+ Urgency = 1;
+ Category = 'Cloud Platforms'
+ Subcategory = 'Virtualization'
+ AssignmentGroup = 'NDIT-Cloud Platforms'
+ }
+ New-ITDServiceNowIncident @NewIncidentParams
+ }
+ }
+
+ Disconnect-ITDvCenter
+}
+
+end {
+
+}
diff --git a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Sync-ITDVMwareVMMetadataToSql.ps1 b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Sync-ITDVMwareVMMetadataToSql.ps1
index 8c9ba7c..26eaf47 100644
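Review bot: The comment-based help does not match the script it sits in: `.EXAMPLE` shows `.\VMware-LockdownTickets.ps1` rather than this file's name, `.NOTES` says credentials come from `$PrvCred`, which the script never references (it reads `$Secret:snow_vmcred` and `$Secret:ndgov_svcitdvmvcro`), and `.DESCRIPTION` says "~8am" while schedules.ps1 in this commit runs it at `0 7 * * MON-FRI`. Suggested: `.EXAMPLE` → `.\New-ITDVMwareVMHostLockdownTicket.ps1`, `.NOTES` → `Credentials are read from $Secret:snow_vmcred (ServiceNow) and $Secret:ndgov_svcitdvmvcro (vCenter, read-only).`, `.DESCRIPTION` → `Recurring PSU schedule task, weekdays 07:00 America/Chicago.` It is also worth stating in `.DESCRIPTION` that the loop opens an incident for every host currently reporting `lockdowndisabled` without looking for an existing open one, so a host that is still disabled on the next run gets another ticket; that looks like the intended hand-off to Enable-ITDVMwareVMHostLockdownViaTicket.ps1 (which by default only picks up state=1 tickets), but a reader should not have to infer it.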
--- a/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Sync-ITDVMwareVMMetadataToSql.ps1 +++ b/_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Sync-ITDVMwareVMMetadataToSql.ps1 @@ -71,14 +71,14 @@ param( ) -Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro - #region --- Setup --------------------------------------------------------------- [string] $OutputPath = 'C:\temp\VM_Trends\' [string] $ServerInstance = 'itdintsql22p1.nd.gov\INTSQL22P1' [string] $Database = 'ITD-Systems-Automation' [string] $Table = 'VMware_Trends_VM' + [System.Management.Automation.PSCredential] $SqlCredential = $Secret:sql_itdpsu1 +Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro $RunDate = Get-Date $DateStamp = $RunDate.ToString('yyyyMMdd') @@ -126,7 +126,7 @@ $AllVMs = Get-VM | Where-Object { $_.Name -notlike 'vCLS*' } Write-Verbose 'Pre-fetching VM tag assignments...' $TagLookup = @{} Get-TagAssignment -Entity $AllVMs | ForEach-Object { - $VMId = $_.Entity.Id + $VMId = $_.Entity.Uid $Cat = $_.Tag.Category.Name $TagName = $_.Tag.Name if (-not $TagLookup.ContainsKey($VMId)) { $TagLookup[$VMId] = @{} } @@ -140,6 +140,9 @@ Get-TagAssignment -Entity $AllVMs | ForEach-Object { Write-Verbose "Processing $($AllVMs.Count) VMs..." $Results = foreach ($VM in $AllVMs) { + Write-Verbose -Message ("Start " + $VM.Name) -Verbose + $StoragePlatforms = $null + $StoragePlatform = $null $Ext = $VM.ExtensionData # single API object -- reuse for all fields 
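Review bot: In the `@@ -140,6 +140,9 @@` hunk the added `Write-Verbose -Message ("Start " + $VM.Name) -Verbose` forces verbose output for every VM regardless of the caller's verbose preference, so a full-inventory pass emits one line per VM in every scheduled run and buries the surrounding `Write-Verbose 'Pre-fetching VM tag assignments...'` and `"Processing $($AllVMs.Count) VMs..."` messages, which do honour the preference. Drop the explicit switch so the line behaves like its neighbours: `Write-Verbose -Message ("Start " + $VM.Name)`. The `$StoragePlatforms = $null` / `$StoragePlatform = $null` resets are sensible but would benefit from a one-line comment such as `# reset per VM; presumably assigned conditionally further down so a stale value would carry over` — the rest of the foreach body is outside this hunk, so confirm that is the reason.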
@@ -151,7 +154,7 @@ $Results = foreach ($VM in $AllVMs) { $DatacenterName = $HostDatacenterMap[$VM.VMHost.Name] #--- Tag assignments (pre-fetched; null when category not assigned to this VM) - $VMTags = if ($TagLookup.ContainsKey($VM.Id)) { $TagLookup[$VM.Id] } else { @{} } + $VMTags = if ($TagLookup.ContainsKey($VM.Uid)) { $TagLookup[$VM.Uid] } else { @{} } #--- Storage platform parsed from datastore name convention: VMCLUSTER_LUN_PLATFORM_Desc # Segment 2 = storage platform identifier (e.g. FS92, A9K).