update
+4
-1
@@ -24,4 +24,7 @@ New-PSUSchedule -Cron "0 11 * * *" -Script "Infra-Certificate-External.Sectigo\I
|
||||
New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareVMMetadataToSql.ps1"
|
||||
New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareHostMetadataToSql.ps1"
|
||||
New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareClusterMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareClusterMetadataToSql.ps1"
|
||||
New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Name "Sync-ITDOneViewServerInventoryToSql.ps1"
|
||||
New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDOneViewServerInventoryToSql.ps1"
|
||||
New-PSUSchedule -Cron "0 7 * * MON-FRI" -Script "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -TimeZone "America/Chicago" -Name "New-ITDVMwareVMHostLockdownTicket.ps1"
|
||||
New-PSUSchedule -Cron "0 8 * * MON-FRI" -Script "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -TimeZone "America/Chicago" -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1"
|
||||
New-PSUSchedule -Cron "15 0 1 * *" -Script "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1"
|
||||
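Review bot: The schedule for `Disable-ITDVMwareVMHostLockdownVantisScan.ps1` (cron `15 0 1 * *`) is the only new entry without `-TimeZone "America/Chicago"`, although this same hunk adds that parameter to the OneView sync schedule; without it the 00:15 run presumably follows the server's default zone. The line would read `New-PSUSchedule -Cron "15 0 1 * *" -Script "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -TimeZone "America/Chicago" -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1"`. The ticket and enable schedules run MON-FRI only, so as far as this file shows, hosts stay out of lockdown until Monday morning whenever the 1st falls on a weekend. A comment stating the intended window and what restores lockdown would make that exposure explicit.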
+5
-2
@@ -40,7 +40,7 @@ New-PSUScript -Name "Test-ZMFile.ps1" -Description "Test-ZMFile.ps1" -Tag @('Inf
|
||||
New-PSUScript -Name "Update-ITDVMwareILOSslCertificate.ps1" -Description "Update-ITDVMwareILOSslCertificate.ps1" -TimeOut "300" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Update-ITDVMwareILOSslCertificate.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto"
|
||||
New-PSUScript -Name "Test-ZMVariable.ps1" -Description "Test-ZMVariable.ps1 [[-variable1] <string>] [[-variable2] <string>]" -Path "ZM-Test\Test-ZMVariable.ps1"
|
||||
New-PSUScript -Name "Test-ITDScheduleWithCreds.ps1" -Description "Test-ITDScheduleWithCreds.ps1" -Path "ZM-Test\Test-ITDScheduleWithCreds.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto"
|
||||
New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7"
|
||||
New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7"
|
||||
New-PSUScript -Name "Unregister-CommonName.ps1" -Description "Unregister-CommonName.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Unregister-CommonName.ps1" -Environment "PowerShell 7"
|
||||
New-PSUScript -Name "Invoke-CertAutoRenew.ps1" -Description "Invoke-CertAutoRenew.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Invoke-CertAutoRenew.ps1" -Environment "PowerShell 7"
|
||||
New-PSUScript -Name "New-SectigoPfxCertificate.ps1" -Description "New-SectigoPfxCertificate.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-SectigoPfxCertificate.ps1" -Environment "PowerShell 7"
|
||||
@@ -53,4 +53,7 @@ New-PSUScript -Name "Invoke-CertificateDeploy.ps1" -Description "Invoke-Certific
|
||||
New-PSUScript -Name "Sync-ITDVMwareClusterMetadataToSql.ps1" -Description "Sync-ITDVMwareClusterMetadataToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareClusterMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
|
||||
New-PSUScript -Name "Sync-ITDVMwareHostMetadataToSql.ps1" -Description "Daily VMware Host metadata report for PowerBI trending and hardware capacity planning." -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
|
||||
New-PSUScript -Name "Sync-ITDVMwareVMMetadataToSql.ps1" -Description "Sync-ITDVMwareVMMetadataToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
|
||||
New-PSUScript -Name "Sync-ITDOneViewServerInventoryToSql.ps1" -Description "Sync-ITDOneViewServerInventoryToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmhpe"
|
||||
New-PSUScript -Name "Sync-ITDOneViewServerInventoryToSql.ps1" -Description "Sync-ITDOneViewServerInventoryToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmhpe"
|
||||
New-PSUScript -Name "New-ITDVMwareVMHostLockdownTicket.ps1" -Description "New-ITDVMwareVMHostLockdownTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro"
|
||||
New-PSUScript -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Description "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto"
|
||||
New-PSUScript -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Description "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto"
|
||||
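Review bot: The registration of `Disable-ITDVMwareVMHostLockdownVantisScan.ps1` carries the same `Infra-VMware_Modify` tag as the metadata sync scripts in this hunk. If tags decide who may start a script in this instance (not visible here), anyone allowed to run a sync report can also turn lockdown off on demand under `ndgov_svcitdvmvcauto`. A dedicated tag for the two lockdown-changing scripts would keep that ability narrow. The three new `-Description` values only repeat the file name; a sentence of purpose, as on the `Sync-ITDVMwareHostMetadataToSql.ps1` line, would help, e.g. `-Description "Disables lockdown mode on hosts in the Grand Forks Vantis datacenter (scheduled monthly)."`.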
+41
@@ -0,0 +1,41 @@
|
||||
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
)
|
||||
|
||||
begin {
|
||||
|
||||
}
|
||||
|
||||
process {
|
||||
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
|
||||
|
||||
$VMHosts = Get-Datacenter -Name "Grand Forks Vantis" | Get-VMHost
|
||||
|
||||
ForEach ($VMHost in $VMHosts) {
|
||||
Write-Verbose -Message ("Start: " + $VMHost.Name) -Verbose
|
||||
|
||||
$VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
|
||||
|
||||
# if accurate, enable lockdown
|
||||
If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
|
||||
Write-Verbose -Message ("Lockdown is already disabled on " + $VMHost.Name + ", no change") -Verbose
|
||||
$NoChange = $true
|
||||
}
|
||||
Else {
|
||||
Write-Verbose -Message ("Lockdown is enabled on " + $VMHost.Name + ", disabling now") -Verbose
|
||||
Disable-ITDVMwareVMHostFeature -Name $VMHost.Name -LockdownMode
|
||||
|
||||
}
|
||||
Start-Sleep -Seconds 5
|
||||
|
||||
# confirm lockdown is enabled
|
||||
$VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
|
||||
}
|
||||
|
||||
Disconnect-ITDvCenter
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
}
|
||||
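Review bot: The loop never reads `$VMHostStatusCheck`, so a host where `Disable-ITDVMwareVMHostFeature` failed, or where the status lookup returned nothing, passes silently; `$NoChange` is also assigned but unused. Because this job deliberately lowers a hardening control on every host in the datacenter, each result should be checked and logged, e.g. `if ($VMHostStatusCheck.LockdownMode -ne 'lockdowndisabled') { Write-Warning ("Lockdown not disabled on " + $VMHost.Name) }`. The two comments appear to be carried over from the enable script and say the opposite of what the code does; they should read `# disable lockdown unless it is already off` and `# confirm lockdown is disabled`. `Disconnect-ITDvCenter` runs only if nothing in the loop throws, so wrapping the body of `process` in `try { ... } finally { Disconnect-ITDvCenter }` would keep the privileged session from lingering. The file also lacks comment-based help saying why lockdown is turned off, for how long, and what turns it back on.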
+86
@@ -0,0 +1,86 @@
|
||||
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[switch]
|
||||
$IncludeInProgress
|
||||
)
|
||||
|
||||
begin {
|
||||
|
||||
}
|
||||
|
||||
process {
|
||||
New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
|
||||
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
|
||||
|
||||
If($PSBoundParameters.ContainsKey("IncludeInProgress")){
|
||||
$Filter = 'short_descriptionSTARTSWITHLockdown mode is disabled on VMware host^state=1^ORstate=2'
|
||||
} Else {
|
||||
$Filter = 'state=1^short_descriptionSTARTSWITHLockdown Mode is disabled on VMware host'
|
||||
}
|
||||
|
||||
$Incidents = Get-ITDServiceNowRecord -ItemType Incident -Filter $Filter | Sort-Object {$_.number.value}
|
||||
|
||||
ForEach ($Incident in $Incidents) {
|
||||
# reset variables for each loop
|
||||
$VMHostName = $null
|
||||
$VMHostStatus = $null
|
||||
$VMHostStatusCheck = $null
|
||||
$NoChange = $null
|
||||
|
||||
$VMHostName = $Incident.short_description.display_value.split(' ')[-1]
|
||||
|
||||
Write-Verbose -Message ("Start " + $Incident.number.display_value + " for host " + $VMHostName) -Verbose
|
||||
# confirm ticket is accurate, that host has lockdown mode disabled
|
||||
$VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHostName
|
||||
|
||||
# if accurate, enable lockdown
|
||||
If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
|
||||
Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", enabling lockdown mode") -Verbose
|
||||
Enable-ITDVMwareVMHostFeature -Name $VMHostName -LockdownMode
|
||||
}
|
||||
Else {
|
||||
Write-Verbose -Message ("Lockdown is already enabled on " + $VMHostName + ", no change") -Verbose
|
||||
$NoChange = $true
|
||||
}
|
||||
Start-Sleep -Seconds 5
|
||||
|
||||
# confirm lockdown is enabled
|
||||
$VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHostName
|
||||
|
||||
# update ticket with current status
|
||||
If ($VMHostStatusCheck.LockdownMode -eq 'lockdowndisabled') {
|
||||
# update work notes if disabled
|
||||
Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", update incident work notes") -Verbose
|
||||
$WorkNotesMsg = ("Lockdown is still disabled on " + $VMHostName + " after attempted remediation, manual review required.")
|
||||
Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
|
||||
work_notes = $WorkNotesMsg
|
||||
state = 'On Hold'
|
||||
}
|
||||
}
|
||||
Else {
|
||||
# close if enabled
|
||||
If ($NoChange) {
|
||||
Write-Verbose -Message ("Lockdown was already enabled on " + $VMHostName + ", closing incident") -Verbose
|
||||
$close_notes = ("Lockdown was already enabled on " + $VMHostName + " when checked, closing incident")
|
||||
}
|
||||
Else {
|
||||
Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
|
||||
$close_notes = ("Lockdown successfully auto-enabled on " + $VMHostName);
|
||||
}
|
||||
Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
|
||||
Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
|
||||
close_code = 'Solved (Permanently)'
|
||||
close_notes = $close_notes
|
||||
u_underlying_cause = 'Configuration';
|
||||
state = 'Closed'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Disconnect-ITDvCenter
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
}
|
||||
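Review bot: A failed status lookup is treated as compliant. If `Get-ITDVMwareVMHostStatus` returns nothing for `$VMHostName` (host renamed or removed, or the name mis-parsed from the ticket text; whether the helper throws instead is not visible here), both `-eq 'lockdowndisabled'` tests are false, `$NoChange` is set, and the incident is closed as "Lockdown was already enabled" without the host ever being checked. A guard right after the first lookup, `if (-not $VMHostStatus) { Write-Warning ("No status for " + $VMHostName + ", leaving incident open"); continue }`, and the same for `$VMHostStatusCheck`, keeps such tickets open for a person to review. The host name is taken from the last word of an incident's short description, so it is worth confirming it matches a host known to vCenter before acting on it. Smaller points: `$PSBoundParameters.ContainsKey("IncludeInProgress")` is also true for `-IncludeInProgress:$false` (`if ($IncludeInProgress)` is the usual test), the two filters differ in the case of "mode", and the unconditional `Write-Verbose` before the closing update reports "successfully enabled" in the no-change case too.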
+59
@@ -0,0 +1,59 @@
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Checks VMware host lockdown mode status and creates incidents for disabled hosts.
|
||||
|
||||
.DESCRIPTION
|
||||
Recurring PSU schedule task, ~8am.
|
||||
|
||||
This script connects to the ITD vCenter, retrieves all VMware hosts, and checks their lockdown mode status.
|
||||
If lockdown mode is disabled on any hosts, it creates a ServiceNow incident for review.
|
||||
|
||||
.EXAMPLE
|
||||
.\VMware-LockdownTickets.ps1
|
||||
|
||||
.NOTES
|
||||
Requires VMware PowerCLI and ITD ServiceNow modules.
|
||||
Service account credentials must be available via $PrvCred and $Secret:ndgov_svcitdvmvcro.
|
||||
#>
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
|
||||
)
|
||||
|
||||
begin {
|
||||
|
||||
}
|
||||
|
||||
process {
|
||||
New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
|
||||
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
|
||||
|
||||
$AllVMHosts = Get-VMHost
|
||||
$CurrentState = Get-ITDVMwareVMHostStatus -Name $AllVMHosts
|
||||
$LockdownDisabled = $CurrentState | where-object lockdownmode -eq lockdowndisabled
|
||||
|
||||
If ($LockdownDisabled) {
|
||||
|
||||
ForEach ($VMHost in $LockdownDisabled) {
|
||||
Write-Verbose -Message "Start $($VMHost.Name) incident creation"
|
||||
$NewIncidentParams = @{
|
||||
CallerUsername = 'svcvmwareadm';
|
||||
ShortDescription = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name);
|
||||
Description = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name + ". Lockdown mode is required for CIS hardening compliance 3.20 (L1)");
|
||||
Impact = 3;
|
||||
Urgency = 1;
|
||||
Category = 'Cloud Platforms'
|
||||
Subcategory = 'Virtualization'
|
||||
AssignmentGroup = 'NDIT-Cloud Platforms'
|
||||
}
|
||||
New-ITDServiceNowIncident @NewIncidentParams
|
||||
}
|
||||
}
|
||||
|
||||
Disconnect-ITDvCenter
|
||||
}
|
||||
|
||||
end {
|
||||
|
||||
}
|
||||
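Review bot: Nothing in the `ForEach` checks for an existing incident, so a host that stays out of lockdown (for example one the enable script has put 'On Hold') gets a fresh incident on every weekday run. A lookup before `New-ITDServiceNowIncident`, such as `$Open = Get-ITDServiceNowRecord -ItemType Incident -Filter ('active=true^short_description=Lockdown Mode is disabled on VMware host ' + $VMHost.Name)` followed by `if ($Open) { continue }`, would keep one open ticket per host. The help block is also out of step with the rest of the commit, assuming this file is the one registered as `New-ITDVMwareVMHostLockdownTicket.ps1`. It says ~8am while the schedule added for that script is `0 7 * * MON-FRI`, the example names `.\VMware-LockdownTickets.ps1`, and `$PrvCred` is not used anywhere in the file.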
+7
-4
@@ -71,14 +71,14 @@
|
||||
param(
|
||||
)
|
||||
|
||||
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
|
||||
|
||||
#region --- Setup ---------------------------------------------------------------
|
||||
[string] $OutputPath = 'C:\temp\VM_Trends\'
|
||||
[string] $ServerInstance = 'itdintsql22p1.nd.gov\INTSQL22P1'
|
||||
[string] $Database = 'ITD-Systems-Automation'
|
||||
[string] $Table = 'VMware_Trends_VM'
|
||||
|
||||
[System.Management.Automation.PSCredential] $SqlCredential = $Secret:sql_itdpsu1
|
||||
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
|
||||
|
||||
$RunDate = Get-Date
|
||||
$DateStamp = $RunDate.ToString('yyyyMMdd')
|
||||
@@ -126,7 +126,7 @@ $AllVMs = Get-VM | Where-Object { $_.Name -notlike 'vCLS*' }
|
||||
Write-Verbose 'Pre-fetching VM tag assignments...'
|
||||
$TagLookup = @{}
|
||||
Get-TagAssignment -Entity $AllVMs | ForEach-Object {
|
||||
$VMId = $_.Entity.Id
|
||||
$VMId = $_.Entity.Uid
|
||||
$Cat = $_.Tag.Category.Name
|
||||
$TagName = $_.Tag.Name
|
||||
if (-not $TagLookup.ContainsKey($VMId)) { $TagLookup[$VMId] = @{} }
|
||||
@@ -140,6 +140,9 @@ Get-TagAssignment -Entity $AllVMs | ForEach-Object {
|
||||
Write-Verbose "Processing $($AllVMs.Count) VMs..."
|
||||
|
||||
$Results = foreach ($VM in $AllVMs) {
|
||||
Write-Verbose -Message ("Start " + $VM.Name) -Verbose
|
||||
$StoragePlatforms = $null
|
||||
$StoragePlatform = $null
|
||||
|
||||
$Ext = $VM.ExtensionData # single API object -- reuse for all fields
|
||||
|
||||
@@ -151,7 +154,7 @@ $Results = foreach ($VM in $AllVMs) {
|
||||
$DatacenterName = $HostDatacenterMap[$VM.VMHost.Name]
|
||||
|
||||
#--- Tag assignments (pre-fetched; null when category not assigned to this VM)
|
||||
$VMTags = if ($TagLookup.ContainsKey($VM.Id)) { $TagLookup[$VM.Id] } else { @{} }
|
||||
$VMTags = if ($TagLookup.ContainsKey($VM.Uid)) { $TagLookup[$VM.Uid] } else { @{} }
|
||||
|
||||
#--- Storage platform parsed from datastore name convention: VMCLUSTER_LUN_PLATFORM_Desc
|
||||
# Segment 2 = storage platform identifier (e.g. FS92, A9K).
|
||||
|
||||
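Review bot: The `Write-Verbose -Message ("Start " + $VM.Name) -Verbose` line at the top of the `foreach` forces one line per VM into the output whatever the caller's verbose preference is, unlike the plain `Write-Verbose` calls just above it ('Pre-fetching VM tag assignments...' and "Processing ... VMs..."). Dropping the switch, `Write-Verbose -Message ("Start " + $VM.Name)`, keeps the per-VM trace available on request without filling every scheduled job log. The move from `.Id` to `.Uid` is applied on both the fill and the lookup side of `$TagLookup`, which is what matters. A one-line comment on why `Uid` is the key would save the next reader from reverting it; if the reason is that `Id` can repeat across vCenter connections, say so there. The loop body continues outside the hunk.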