Note: This article covers material present in Version 1 Revision 3 and below.  Topics found below may be mitigated in the most current version of the ESXi 5 STIG.  Ensure you are using the most current version of the DISA STIG documents.

** Updated 9/9/13 to include distinction on Privilege Separation between v5.0 and 5.1 and above **

Note: All settings within the sshd_config file are case sensitive.  Options are typically all lower case {yes|no} and are all expressed as <settings> <option> within the configuration file.  The easiest way to verify an issue during your configuration is to have a second console open and run 'tail -f /var/log/auth.log' while attempting a connection.

I’m going to start with the SSH daemon findings.  Why?  Because it’s been a topic of conversation internally for the past few days, and it’s just littered with problems to talk about.

So, here’s the format we’re going to follow.  I’m going to divide this into sections calling out the STIG ID and Rule Title.  If the rule causes no issue I’ll call it out, but that will be about it.  By the end of the article you’ll have a list of rules that you comply with, or at the very least you’ll know why you cannot.  Here we go…

The SSH daemon settings in the ESXi 5 STIG pose a bit of a problem for those implementing them.  To make it worse, there’s some confusion and lack of direction to several of the findings, plus one permanent finding that you cannot set on 5.0, but can on 5.1+.  Let’s get started with the SSH daemon settings below.  I’ll cover the SSH client settings in the next post.


Ah the dreaded STIG. For many, a necessity by way of policy, but an implementation headache for all. Sadly the ESXi 5 STIG, released at V1R1 on August 9th 2013, will be no different.

In the spirit of VMFieldTips I will be taking you on a journey over the next few weeks through the ESXi 5 STIG. I will hit the head scratchers, problem points, and the just plain crazy.  Where appropriate, I will also try to loop in the official VMware Security Hardening Guides.  I know @mikefoley will be proud.

What this blog series is not:  It is not an official implementation guide by any means.  It is a compilation of questions and answers from the field on how to address, or in some cases securely work around, the findings in the ESXi 5 STIG.  It is completely open for comment and can be driven by you.  If I have not covered a specific finding yet, ask me for it.  If you have a better way, throw it into a comment on the article.  I will review, discuss, and possibly even add it into the article itself.  Blogs are a way to learn, share, and in this case overcome the intense feelings of insanity as you muscle through the ESXi 5 STIG.

The ESXi 5 STIG is made up of three parts, ESXi Server, vCenter Server, and VM (vmx).  I will start this series off in the ESXi Server portion of the STIG, a few findings at a time to reduce the time between posts.  Already, just from the start, we are going to have our work cut out for us.

Posts that are a part of this series will be linked below.  I will also provide the full STIG ID(s) in each post for easy searching and Google indexing.  Ok, now let’s get to it.

Blog Series Table of Contents:

Blog Series: ESXi 5 STIG – ESXi Server SSH Daemon

Blog Series: ESXi 5 STIG – File and Setting Persistence

Blog Series: ESXi 5 STIG – ESXi Server SSH Client

Blog Series: ESXi 5 STIG – ESXi Server Password Complexity Requirements