08 Aug Health and Security Toolkit Security Assessment: A Complete How-To Guide
Learn how to conduct a Security Assessment with the new VMware Health and Security Toolkit (HST) from Broadcom in this detailed walkthrough. In my last walkthrough, VMware Retires vHA: Introducing The New Health And Security Toolkit (HST), I talked about the new Health and Security Toolkit (HST) from Broadcom. That post covered getting the appliance installed via OVA or running the Java version locally and how to complete a Health Assessment. I mentioned the Security Assessment warranted its own walkthrough so as promised here it is.
Prerequisites
There are a few things that need to be set up before you can run the Security Assessment. First, you'll need accounts with administrator privileges on everything you plan to scan (vCenter, NSX, SDDC Manager, etc.). You'll also need PowerShell 7.4 or higher and the required modules shown below. This walkthrough is written for Windows users; if you are on macOS or Linux, refer to the official HST documentation for the exact steps.
Start by checking your current version of PowerShell. In a Terminal window type:
pwsh
If pwsh is not found, PowerShell 7 is not installed at all (only the built-in Windows PowerShell 5.1 is) and you can skip straight to the winget command below. Otherwise check the version by running:
$PSVersionTable
If you are at v7.4 or higher you're good. If you need to install or update PowerShell, run:
winget install --id Microsoft.PowerShell --source winget
Next we need to install PowerCLI. The official documentation says the required version is 13.3.0.24145081, but I'm running version 13.3.0.24145083 without any issues, so I would assume that is a minimum version. You or your customer may already have this installed, but it's not a bad idea to update it.
To install it for the first time:
Install-Module VMware.PowerCLI -Scope CurrentUser
To upgrade your current version to the latest:
Update-Module VMware.PowerCLI -Scope CurrentUser
Now that PowerCLI is installed or updated, install the SsoAdmin module:
Install-Module -Name VMware.vSphere.SsoAdmin -Scope CurrentUser
If you or your customer want to participate in VMware's Customer Experience Improvement Program (CEIP), run:
Set-PowerCLIConfiguration -ParticipateInCEIP $true -Scope User
If not, run:
Set-PowerCLIConfiguration -ParticipateInCEIP $false -Scope User
The last thing we need to do is tell PowerCLI to ignore invalid certificates. Be aware that this disables TLS certificate validation for every PowerCLI connection made under your user profile, not just the HST scan. It is the usual workaround for vCenter appliances that still use self-signed certificates, but set it back to a stricter action (Warn or Fail) once the assessment is finished.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope User
Setting up the Scan
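The whole prerequisite procedure above, collapsed into one idempotent PowerShell script, as an added example that is not part of the original post or of Broadcom's HST documentation. It assumes the documented PowerCLI build 13.3.0.24145081 is a minimum (as the post does), uses a placeholder vCenter hostname you must replace, and adds a connection test with the administrator account you intend to give HST so that credential or reachability problems surface before you fill in the project forms. The variable names are mine.

```powershell
# Added example (not from the HST docs or the post): check and set up the PowerShell-side
# prerequisites for an HST Security Assessment, then sanity-check the vCenter admin account.
# Assumptions: the documented PowerCLI build is treated as a minimum version, and $VCenter
# is a placeholder you replace with the customer's vCenter FQDN.

$MinPowerCli = [version]'13.3.0.24145081'
$VCenter     = 'vcenter.example.internal'   # placeholder, not a real host

# 1. PowerShell version. Running this under Windows PowerShell 5.1 fails here with a hint.
$Ps = $PSVersionTable.PSVersion
if ($Ps.Major -lt 7 -or ($Ps.Major -eq 7 -and $Ps.Minor -lt 4)) {
    throw "PowerShell $Ps found; 7.4 or newer is required. Run: winget install --id Microsoft.PowerShell --source winget"
}

# 2. Modules: install if absent, update PowerCLI if it is below the documented build.
foreach ($Name in 'VMware.PowerCLI', 'VMware.vSphere.SsoAdmin') {
    $Installed = Get-Module -ListAvailable -Name $Name |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $Installed) {
        Write-Host "Installing $Name"
        Install-Module -Name $Name -Scope CurrentUser -Force
    }
    elseif ($Name -eq 'VMware.PowerCLI' -and $Installed.Version -lt $MinPowerCli) {
        Write-Host "Updating $Name from $($Installed.Version)"
        Update-Module -Name $Name -Scope CurrentUser
    }
    else {
        Write-Host "$Name $($Installed.Version) already present"
    }
}

# 3. PowerCLI configuration: opt out of CEIP (use $true to opt in) and accept untrusted
#    certificates for the duration of the assessment. -Confirm:$false suppresses the prompt.
Set-PowerCLIConfiguration -ParticipateInCEIP $false -Scope User -Confirm:$false | Out-Null
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope User -Confirm:$false | Out-Null
Get-PowerCLIConfiguration -Scope User |
    Format-Table InvalidCertificateAction, ParticipateInCEIP -AutoSize

# 4. Sanity-check the credentials before typing them into HST: connect, read the version,
#    disconnect. A failure here will also fail HST's "Validate All" step.
$Cred = Get-Credential -Message "vCenter administrator account for $VCenter"
$Vi   = Connect-VIServer -Server $VCenter -Credential $Cred -ErrorAction Stop
Write-Host "Connected to $($Vi.Name): vCenter $($Vi.Version) build $($Vi.Build)"
Disconnect-VIServer -Server $Vi -Confirm:$false

# When the engagement is over, put certificate checking back to a stricter action:
# Set-PowerCLIConfiguration -InvalidCertificateAction Warn -Scope User -Confirm:$false
```

Run it from a PowerShell 7 (pwsh) window, not from Windows PowerShell 5.1; the version check at the top exists precisely so the module installs do not silently land in the wrong PowerShell. The commented revert at the end is the step most people forget: InvalidCertificateAction is persisted per user, so leaving it at Ignore weakens every later PowerCLI session on that workstation.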
With the prerequisites all taken care of, we can now log in to HST. If you are a customer or a TAM, you won't have access to the Security Assessment; Broadcom wants a consultant working with the customer to run it. You will need to log in with either SSO or Offline Login.
Once you are logged in, you may need to create a new folder if one hasn't been created yet. If so, click the plus icon next to Project Explorer, then click Create New Folder. Once that's done, click the three vertical dots next to your folder and choose Create New Project.
Give the project a Name, a description if you want, then check the box for Security Assessment (SA).

After you check the SA box, everything under this section becomes active and you can select what you want to scan. First select a version; at this point 8.X is the only option. Then select which controls you want to run and click Next.

On the next page, add the required information for vCenter. If you've done a Health Assessment before, everything up to this point will be familiar. What you'll notice with a Security Assessment is that there are now additional tabs at the top for NSX VIP and SDDC Manager. Click each tab and supply the required information for each one. Then click Validate All to check that HST can reach the required appliances with the credentials you supplied. Once that succeeds, click Next.

The next page is just a summary of the project. Confirm everything looks good and click Submit.
Reviewing the Scans in HST
Once the scan completes you can click on the Security Assessment tab to view the findings. You can change the appliance in the drop-down to view specific details for each scan. You'll see a summary of the scan results on the Summary tab and can switch tabs to view the individual scans and their results.

When you click on the other tabs (VC in this case), you'll see all the controls and the result of the scan for each one.

If you click on a control you'll find three more tabs that give you more information on the test results and on how to fix any issues found.



Exporting the Results
You can also export the results of the SA for your customer. There is an Executive Report and an Administrative Report. From the Summary tab, click the Report drop-down and select the report you want.

The Executive Report is a PDF document with the same information you see on the Summary tab. Not much to it other than a high-level overview.
The Administrative Report is an HTML file with all the same information you see in the HST tool. The customer can expand each section, then expand each control under the section, to see the result and, if the control failed, what the fix is.


Of course, you can also export the project itself if you need to load it into another instance of HST.
If you're familiar with STIGs, this will all look very familiar, as the check and fix information for each SA control is very similar to the information in STIG checks.
Well, that’s about it for the SA. Leave a comment with any questions.