Enterprise-grade PowerShell script for performing comprehensive CIS (Center for Internet Security) compliance assessments on VMware vSphere 8 environments. All operations are read-only and designed for production use.
Technology Stack: PowerShell, VMware PowerCLI, vSphere API
Compliance Framework: CIS Controls v8, VMware Security Hardening Guidelines
Target Platform: VMware vSphere 8.0+
- Comprehensive Security Assessment - 100+ CIS compliance checks across 8 security domains
- Read-Only Operations - No configuration changes, safe for production environments
- Enterprise Ready - Optimized for large-scale VMware infrastructures
- Detailed Reporting - Structured output with remediation guidance
- Automated Execution - CI/CD pipeline integration support
```powershell
# Required PowerShell version
$PSVersionTable.PSVersion # Must be 5.1 or higher

# Install VMware PowerCLI
Install-Module -Name VMware.PowerCLI -Force -AllowClobber -Scope CurrentUser

# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

```shell
git clone https://github.com/uldyssian-sh/vmware-cis-run-checks.git
cd vmware-cis-run-checks
```

```powershell
# Standard CIS compliance check
.\vmware-cis-run-checks.ps1 -vCenter "vcenter.company.com"

# Detailed output with all findings
.\vmware-cis-run-checks.ps1 -vCenter "vcenter.company.com" -ShowDetails
```

| Domain | Checks | Description |
|---|---|---|
| Install | 4 | ESXi host software and patching validation |
| Communication | 9 | Network services and certificate security |
| Logging | 3 | Centralized logging and audit configuration |
| Access | 8 | Authentication and user management controls |
| Console | 11 | Shell access and lockdown mode settings |
| Storage | 3 | iSCSI and SAN security configurations |
| Network | 8 | vSwitch and distributed switch policies |
| Virtual Machines | 50+ | Guest VM security and isolation controls |
- PASS - Configuration meets CIS recommendations
- FAIL - Remediation required for compliance
- INFO - Informational finding, review recommended
- NotImplemented - Manual verification required
```text
Category        Check                                      Object           Status  Details
--------        -----                                      ------           ------  -------
1.Install       Ensure-ESXiIsProperlyPatched               esxi01.lab.com   INFO    Reported: 8.0.2 build 22380479
2.Communication Ensure-NTPTimeSynchronizationIsConfigured  esxi01.lab.com   PASS    Servers=pool.ntp.org; Running=True
5.Console       Ensure-SSHIsDisabled                       esxi01.lab.com   FAIL    Running=True
```
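Rows like the ones above are produced by individual read-only checks. As an added example that is not part of the project's script, the following implements the SSH and NTP checks with standard PowerCLI cmdlets (Get-VMHost, Get-VMHostService, Get-VMHostNtpServer) and emits the same Category/Check/Object/Status/Details shape; it assumes an existing Connect-VIServer session, and the function names are hypothetical.

```powershell
# Added example (not the project's own code): two read-only CIS-style checks
# emitting the report row shape shown above. Assumes Connect-VIServer has
# already established a session. Helper/function names are hypothetical.
Import-Module VMware.PowerCLI -ErrorAction Stop

function New-CisFinding {
    param([string]$Category, [string]$Check, [string]$Object,
          [ValidateSet('PASS', 'FAIL', 'INFO', 'NotImplemented')][string]$Status,
          [string]$Details)
    [pscustomobject]@{ Category = $Category; Check = $Check; Object = $Object
                       Status = $Status; Details = $Details }
}

# 5.Console: the ESXi SSH service (key TSM-SSH) should be stopped and its
# startup policy should not be 'on'. Only reads service state, never changes it.
function Test-SshDisabled {
    param([Parameter(Mandatory)]$VMHost)
    $svc = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM-SSH' }
    $status = if ($svc.Running -or $svc.Policy -eq 'on') { 'FAIL' } else { 'PASS' }
    New-CisFinding -Category '5.Console' -Check 'Ensure-SSHIsDisabled' `
        -Object $VMHost.Name -Status $status `
        -Details "Running=$($svc.Running); Policy=$($svc.Policy)"
}

# 2.Communication: at least one NTP server configured and ntpd running, so
# host log timestamps stay trustworthy for audit and forensics.
function Test-NtpConfigured {
    param([Parameter(Mandatory)]$VMHost)
    $servers = @(Get-VMHostNtpServer -VMHost $VMHost)
    $ntpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
    $status = if ($servers.Count -gt 0 -and $ntpd.Running) { 'PASS' } else { 'FAIL' }
    New-CisFinding -Category '2.Communication' -Check 'Ensure-NTPTimeSynchronizationIsConfigured' `
        -Object $VMHost.Name -Status $status `
        -Details "Servers=$($servers -join ','); Running=$($ntpd.Running)"
}

# Run both checks against every host visible in the connected vCenter.
$findings = foreach ($h in Get-VMHost) {
    Test-SshDisabled -VMHost $h
    Test-NtpConfigured -VMHost $h
}
$findings | Format-Table -AutoSize

# Non-zero exit lets a CI/CD stage fail when any host is non-compliant.
if ($findings.Status -contains 'FAIL') { exit 1 }
```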
```powershell
# Generate timestamped report
$timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
.\vmware-cis-run-checks.ps1 -vCenter "vcenter.company.com" |
    Out-File "CIS-Report_$timestamp.txt"
```

```powershell
# Assess multiple vCenter Servers, one report file per vCenter
$vCenters = @("vc01.company.com", "vc02.company.com")
foreach ($vc in $vCenters) {
    .\vmware-cis-run-checks.ps1 -vCenter $vc -ShowDetails |
        Out-File "CIS-Report_$($vc.Split('.')[0])_$(Get-Date -Format 'yyyy-MM-dd').txt"
}
```

```yaml
# Azure DevOps Pipeline
- task: PowerShell@2
  displayName: 'VMware CIS Compliance Check'
  inputs:
    targetType: 'filePath'
    filePath: 'vmware-cis-run-checks.ps1'
    arguments: '-vCenter $(vCenterFQDN)'
```

- Credentials: Use service accounts with read-only permissions
- Network: Ensure secure connectivity to vCenter Server
- Logging: Review output for sensitive information before sharing
- Compliance: Regular execution recommended (weekly/monthly)
PowerCLI Connection Success

```powershell
# Configure certificate handling
# Note: Ignore disables certificate validation for the session; importing the
# vCenter CA into the trusted store keeps the default validation in place.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
```

Permission Denied

```powershell
# Verify read-only access to vCenter
Get-VIPermission -Principal "domain\serviceaccount"
```

Module Not Found

```powershell
# Install required modules
Install-Module VMware.PowerCLI -Force -AllowClobber
Import-Module VMware.PowerCLI
```

- Fork the repository
- Create feature branch: `git checkout -b feature/enhancement`
- Commit changes: `git commit -m 'Add enhancement'`
- Push branch: `git push origin feature/enhancement`
- Submit Pull Request
This project is licensed under the MIT License. See LICENSE file for details.
- Issues: GitHub Issues
- Documentation: Project Documentation
- Examples: Usage Examples
- Security: Security Policy
- Contributing: Contributing Guidelines
- Contributors: Contributors List
Maintained by: uldyssian-sh
⭐ Star this repository if you find it helpful!
Disclaimer: Use of this code is at your own risk. Author bears no responsibility for any damages caused by the code.