Is your feature request related to a problem? Please describe.
Currently the script only compares the ESXi build number to the esxiLatestBuild parameter and, if they don't match, throws a failed count.
If the ESXi build number is greater than the esxiLatestBuild parameter, the script will still throw a failed count.
May not want to be on the latest build of ESXi host due to bad patches.
Describe the solution you'd like
Change the IF statement from:
```powershell
If($build -ne $stigsettings.esxiLatestBuild){
    Write-ToConsoleRed "...ESXi is not the latest build $($stigsettings.esxiLatestBuild) on $($vmhost.name)...patch the host with the latest updates!!"
    $failedcount++
}Else{
    Write-ToConsoleGreen "...ESXi is the latest build $build on $($vmhost.name)"
    $unchangedcount++
}
```
To:
```powershell
# Fail only when the host build is older than the configured build.
If([int]$build -lt [int]$stigsettings.esxiLatestBuild){
    Write-ToConsoleRed "...ESXi is on older build $build on $($vmhost.name)...patch the host to build $($stigsettings.esxiLatestBuild)!!"
    $failedcount++
}Else{
    Write-ToConsoleGreen "...ESXi is the build $build on $($vmhost.name)"
    $unchangedcount++
}
```
Describe alternatives you've considered
No response
Additional context
No response
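The comparison requested above, written out as an added example (not code from the project's script or from the issue author): the configured build is treated as a minimum, a newer host is reported separately instead of failed, and a blank or non-numeric build value becomes an explicit failed result. The function name, parameter names and build numbers are assumptions made for illustration.

```powershell
# Added example: function name, parameters and build numbers are hypothetical.
function Test-EsxiBuildBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Build,
        [Parameter(Mandatory)][AllowEmptyString()][string]$BaselineBuild
    )

    [long]$hostBuild = 0
    [long]$baseline  = 0

    # TryParse rather than a cast: a blank or non-numeric value on either side
    # becomes an explicit failed result instead of a silent or thrown conversion.
    $parsed = [long]::TryParse($Build, [ref]$hostBuild) -and
              [long]::TryParse($BaselineBuild, [ref]$baseline)
    if (-not $parsed) {
        return [pscustomobject]@{
            Status = 'Unparseable'; Failed = $true
            Build  = $Build;        Baseline = $BaselineBuild
        }
    }

    # Only a host older than the approved baseline counts as a failure.
    # A newer host is reported separately so it can be reviewed, not failed.
    if ($hostBuild -lt $baseline) {
        $status = 'BelowBaseline'
    } elseif ($hostBuild -gt $baseline) {
        $status = 'AboveBaseline'
    } else {
        $status = 'AtBaseline'
    }

    [pscustomobject]@{
        Status = $status;    Failed   = ($status -eq 'BelowBaseline')
        Build  = $hostBuild; Baseline = $baseline
    }
}

# Constructed sample values, not real ESXi build numbers.
$baselineBuild = '20000000'
foreach ($b in '19999999', '20000000', '20000001', '') {
    Test-EsxiBuildBaseline -Build $b -BaselineBuild $baselineBuild
}
```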
rlakey changed the title from "[vsphere][70][ESXI-70-000072]The ESXi host must have all security patches and updates installed" to "[vSphere][7.0][ESXI-70-000072] The ESXi host must have all security patches and updates installed." (Apr 6, 2023)
Controls like this are really only in that script to account for all controls where we would expect patch management and updates to be done separately.
You could also just provide your preferred baseline build in the variable to check against.
@rlakey Question: Can this item be reviewed to downgrade or reword the finding?
The issue is it being a CAT I and not stating within 30 days or such. We have to follow a change control process and it is near impossible to patch all sites.