Zack Meier
2026-04-30 14:11:17 -05:00
parent d06584bcd0
commit c1179ba11c
6 changed files with 202 additions and 7 deletions
@@ -0,0 +1,41 @@
[CmdletBinding()]
param (
)
begin {
}
process {
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
$VMHosts = Get-Datacenter -Name "Grand Forks Vantis" | Get-VMHost
ForEach ($VMHost in $VMHosts) {
Write-Verbose -Message ("Start: " + $VMHost.Name) -Verbose
$VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
# if accurate, enable lockdown
If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
Write-Verbose -Message ("Lockdown is already disabled on " + $VMHost.Name + ", no change") -Verbose
$NoChange = $true
}
Else {
Write-Verbose -Message ("Lockdown is enabled on " + $VMHost.Name + ", disabling now") -Verbose
Disable-ITDVMwareVMHostFeature -Name $VMHost.Name -LockdownMode
}
Start-Sleep -Seconds 5
# confirm lockdown is enabled
$VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
}
Disconnect-ITDvCenter
}
end {
}
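Review bot: The post-change status read into `$VMHostStatusCheck` at L30 is never evaluated and `$NoChange` at L22 is never read, so the script sleeps five seconds and discards the confirmation it fetched; something like `If ($VMHostStatusCheck.LockdownMode -ne 'lockdowndisabled') { Write-Warning -Message ("Lockdown still enabled on " + $VMHost.Name + " after disable attempt") }` would make the check meaningful. The comments at L19 and L29 read `# if accurate, enable lockdown` and `# confirm lockdown is enabled` while the code does the opposite; they should say `# if lockdown is enabled, disable it` and `# confirm lockdown is now disabled`. The `Else` branch at L24 also fires when `Get-ITDVMwareVMHostStatus` returns nothing (unreachable host), so a disable is attempted on a host whose state was never read; guarding on `$VMHostStatus` first avoids that. Unlike the third file in this commit, this script has no comment-based help block; a `.SYNOPSIS`/`.DESCRIPTION` stating why lockdown is turned off across the "Grand Forks Vantis" datacenter would be worth adding, since the sibling ticketing script opens an incident for every host it finds with lockdown disabled.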
@@ -0,0 +1,86 @@
[CmdletBinding()]
param (
[switch]
$IncludeInProgress
)
begin {
}
process {
New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
If($PSBoundParameters.ContainsKey("IncludeInProgress")){
$Filter = 'short_descriptionSTARTSWITHLockdown mode is disabled on VMware host^state=1^ORstate=2'
} Else {
$Filter = 'state=1^short_descriptionSTARTSWITHLockdown Mode is disabled on VMware host'
}
$Incidents = Get-ITDServiceNowRecord -ItemType Incident -Filter $Filter | Sort-Object {$_.number.value}
ForEach ($Incident in $Incidents) {
# reset variables for each loop
$VMHostName = $null
$VMHostStatus = $null
$VMHostStatusCheck = $null
$NoChange = $null
$VMHostName = $Incident.short_description.display_value.split(' ')[-1]
Write-Verbose -Message ("Start " + $Incident.number.display_value + " for host " + $VMHostName) -Verbose
# confirm ticket is accurate, that host has lockdown mode disabled
$VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHostName
# if accurate, enable lockdown
If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", enabling lockdown mode") -Verbose
Enable-ITDVMwareVMHostFeature -Name $VMHostName -LockdownMode
}
Else {
Write-Verbose -Message ("Lockdown is already enabled on " + $VMHostName + ", no change") -Verbose
$NoChange = $true
}
Start-Sleep -Seconds 5
# confirm lockdown is enabled
$VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHostName
# update ticket with current status
If ($VMHostStatusCheck.LockdownMode -eq 'lockdowndisabled') {
# update work notes if disabled
Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", update incident work notes") -Verbose
$WorkNotesMsg = ("Lockdown is still disabled on " + $VMHostName + " after attempted remediation, manual review required.")
Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
work_notes = $WorkNotesMsg
state = 'On Hold'
}
}
Else {
# close if enabled
If ($NoChange) {
Write-Verbose -Message ("Lockdown was already enabled on " + $VMHostName + ", closing incident") -Verbose
$close_notes = ("Lockdown was already enabled on " + $VMHostName + " when checked, closing incident")
}
Else {
Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
$close_notes = ("Lockdown successfully auto-enabled on " + $VMHostName);
}
Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
close_code = 'Solved (Permanently)'
close_notes = $close_notes
u_underlying_cause = 'Configuration';
state = 'Closed'
}
}
}
Disconnect-ITDvCenter
}
end {
}
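Review bot: The check at L76 treats any value other than `'lockdowndisabled'`, including `$null` when `Get-ITDVMwareVMHostStatus` returns nothing for an unreachable or mis-parsed host name, as "enabled", so the incident is closed as `Solved (Permanently)` at L96-L101 without the control ever being verified; the same happens at L64, where a null status becomes `$NoChange = $true`. Changing L76 to `If (-not $VMHostStatusCheck -or $VMHostStatusCheck.LockdownMode -eq 'lockdowndisabled')` routes an unverifiable host to the On Hold branch with work notes instead. `$VMHostName` comes from the last token of the incident's short description (L59), so any incident matching the STARTSWITH filter, not only those created by the companion script, selects the host that gets reconfigured; checking the parsed name against the connected vCenter's host list before calling `Enable-ITDVMwareVMHostFeature` would make that explicit. L95 logs "Lockdown successfully enabled" even after the `$NoChange` branch, and the two filters at L48 and L50 spell the prefix differently (`mode` vs `Mode`); using one literal for both avoids depending on whether the query is case-sensitive.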
@@ -0,0 +1,59 @@
<#
.SYNOPSIS
Checks VMware host lockdown mode status and creates incidents for disabled hosts.
.DESCRIPTION
Recurring PSU schedule task, ~8am.
This script connects to the ITD vCenter, retrieves all VMware hosts, and checks their lockdown mode status.
If lockdown mode is disabled on any hosts, it creates a ServiceNow incident for review.
.EXAMPLE
.\VMware-LockdownTickets.ps1
.NOTES
Requires VMware PowerCLI and ITD ServiceNow modules.
Service account credentials must be available via $PrvCred and $Secret:ndgov_svcitdvmvcro.
#>
[CmdletBinding()]
param (
)
begin {
}
process {
New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
$AllVMHosts = Get-VMHost
$CurrentState = Get-ITDVMwareVMHostStatus -Name $AllVMHosts
$LockdownDisabled = $CurrentState | where-object lockdownmode -eq lockdowndisabled
If ($LockdownDisabled) {
ForEach ($VMHost in $LockdownDisabled) {
Write-Verbose -Message "Start $($VMHost.Name) incident creation"
$NewIncidentParams = @{
CallerUsername = 'svcvmwareadm';
ShortDescription = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name);
Description = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name + ". Lockdown mode is required for CIS hardening compliance 3.20 (L1)");
Impact = 3;
Urgency = 1;
Category = 'Cloud Platforms'
Subcategory = 'Virtualization'
AssignmentGroup = 'NDIT-Cloud Platforms'
}
New-ITDServiceNowIncident @NewIncidentParams
}
}
Disconnect-ITDvCenter
}
end {
}
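Review bot: The `.NOTES` section at L120 says credentials come from `$PrvCred` and `$Secret:ndgov_svcitdvmvcro`, but the script reads `$Secret:snow_vmcred` at L128 and never references `$PrvCred`; the note should list the two `$Secret:` values actually used. L131 passes the `Get-VMHost` objects to `-Name`, whereas the other scripts in this commit pass the string name (`$VMHost.Name` at L18, `$VMHostName` at L62); if the helper expects strings, `-Name $AllVMHosts.Name` is the consistent form. Nothing checks for an existing open incident before `New-ITDServiceNowIncident` at L146, so a host that stays disabled (for example one placed On Hold after failed remediation) appears to get a new incident on every scheduled run; querying for an open incident with the same short description first would prevent that, though I can't see the helper to confirm it does not already deduplicate.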
@@ -71,14 +71,14 @@
param(
)
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
#region --- Setup ---------------------------------------------------------------
[string] $OutputPath = 'C:\temp\VM_Trends\'
[string] $ServerInstance = 'itdintsql22p1.nd.gov\INTSQL22P1'
[string] $Database = 'ITD-Systems-Automation'
[string] $Table = 'VMware_Trends_VM'
[System.Management.Automation.PSCredential] $SqlCredential = $Secret:sql_itdpsu1
Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
$RunDate = Get-Date
$DateStamp = $RunDate.ToString('yyyyMMdd')
@@ -126,7 +126,7 @@ $AllVMs = Get-VM | Where-Object { $_.Name -notlike 'vCLS*' }
Write-Verbose 'Pre-fetching VM tag assignments...'
$TagLookup = @{}
Get-TagAssignment -Entity $AllVMs | ForEach-Object {
$VMId = $_.Entity.Id
$VMId = $_.Entity.Uid
$Cat = $_.Tag.Category.Name
$TagName = $_.Tag.Name
if (-not $TagLookup.ContainsKey($VMId)) { $TagLookup[$VMId] = @{} }
@@ -140,6 +140,9 @@ Get-TagAssignment -Entity $AllVMs | ForEach-Object {
Write-Verbose "Processing $($AllVMs.Count) VMs..."
$Results = foreach ($VM in $AllVMs) {
Write-Verbose -Message ("Start " + $VM.Name) -Verbose
$StoragePlatforms = $null
$StoragePlatform = $null
$Ext = $VM.ExtensionData # single API object -- reuse for all fields
@@ -151,7 +154,7 @@ $Results = foreach ($VM in $AllVMs) {
$DatacenterName = $HostDatacenterMap[$VM.VMHost.Name]
#--- Tag assignments (pre-fetched; null when category not assigned to this VM)
$VMTags = if ($TagLookup.ContainsKey($VM.Id)) { $TagLookup[$VM.Id] } else { @{} }
$VMTags = if ($TagLookup.ContainsKey($VM.Uid)) { $TagLookup[$VM.Uid] } else { @{} }
#--- Storage platform parsed from datastore name convention: VMCLUSTER_LUN_PLATFORM_Desc
# Segment 2 = storage platform identifier (e.g. FS92, A9K).