Note: This article covers material present in Version 1 Revision 3 and below.  Topics found below may be mitigated in the most current version of the ESXi 5 STIG.  Ensure you are using the most current version of the DISA STIG documents.

Before we move into Part 2 of the ESXi 5 STIG documentation we need to talk about file persistence and how to deal with it.

Note: This is UNSUPPORTED!  Also, changes made to the rc.local and/or local.sh file may not persist after an update or upgrade.  Take good configuration notes of your systems and verify once an update or upgrade is applied.

Those of you that have been using ESXi for a while now realize that files do not persist across reboots unless they are tagged by VisorFS as persistent.  While this may be inconvenient at times the reasons behind it are valid.

So, along the lines of the ESXi 5 STIG, we have a few things that we need to set and persist across reboots.  Findings that have us modify existing files on ESXi are fine.  We can modify those and they will persist, typically.  Always test with a reboot to ensure your settings stick.  What about the findings where the configuration file doesn’t exist?  The SSH client (ssh_config) settings are a prime example of this.  ESXi 5+ does not currently ship an ssh_config file in /etc/ssh, so any attempt to create and populate one with settings will be lost on reboot.  That’s a problem for you SAs out there needing to comply with the STIG.

How do I create configuration files and make them persist, you ask?  Smoke and mirrors, my friend.  Persist by way of recreation at boot.  You could do this with a custom package file too, but that violates another STIG setting, so let’s stick with this method for now.

There are two ways to do this, one for ESXi 5.0 and another for 5.1 and above.  Both can use the same script block seen below, but the actual script will be placed in different locations depending upon the version.  The block below uses /etc/ssh/ssh_config, but the path could be replaced with almost any file and the body with almost any text.

# Recreate /etc/ssh/ssh_config at boot, but only when it is absent
if [ ! -f /etc/ssh/ssh_config ]; then
    # '<<-' strips leading tabs (not spaces) from the body and the terminator
    cat > /etc/ssh/ssh_config <<-__BlockDelimiter
#-------------
<Text, Commands, Settings Go Here!>
#-------------
__BlockDelimiter
fi

Now, if any of you want to know exactly what this script does just leave a comment and ask, but most won’t care, so I’ll skip it for now.

Now that we have our code block, you need to know where to put it.  This changed between ESXi 5 and 5.1+, so there are two sets of instructions, although if you read the rc.local script in each it’s almost as if we intended 5.0 to behave like 5.1, but forgot the rc.local.d directory.

ESXi 5.0

In ESXi 5.0 there is a file in /etc called rc.local.  This script runs at the end of every boot and parses the rc.local.d directory (which doesn’t exist in 5.0) and executes each script in that directory.  That would be really handy, but alas the directory isn’t there in 5.0.

SSH or console into your ESXi 5.0 host and run the following command.  I hope you know how to use the vi editor.

vi /etc/rc.local

Now, the vi editor will open with the contents of the existing /etc/rc.local file displayed.  Arrow down to the empty space below the final (fi) and press the I key to insert.  Type in the code block as written above, only replace the file name and contents as you see fit.  Once done press ESC, the colon (:) and the W and Q keys and hit ENTER.  You can now type (more /etc/rc.local) to verify your file is as you expect.  That’s it.  Whatever you put in for the file and text blocks will be created at each and every boot.  ~magic~

You can use this trick on the ssh_config file, or the /etc/banner file if you really feel the need, although I wish you’d just use the /etc/issue file and tell your IA team to get over it.

ESXi 5.1+

Remember how I said 5.1+ did it a little different?  Well, it’s odd.  Almost as if we left out something in 5.0 and you’re going to see why.  In 5.1 we’re going into the /etc/rc.local.d directory and editing the local.sh script.

vi /etc/rc.local.d/local.sh

The rc.local file could technically be used here too, but there’s no reason to unless you really want to.  We specifically created the local.sh file for just this kind of usage, but for whatever reason we left the directory out of 5.0 even though we parse it in the rc.local file.  Bug?  Perhaps, not sure.

Anyway, within vi arrow down to the last line, hit I, and enter the code block above replacing the file name and command blocks as necessary.  When finished hit ESC, colon (:), then W and Q.  Type more /etc/rc.local.d/local.sh from the command line and ensure it reads as you intended.  Reboot and enjoy.
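The same recreate-at-boot trick, written out as an added example (not from the original post or from VMware) so that it can be dropped into rc.local or local.sh as a function and checked after the reboot.  The ssh_config settings inside the heredoc are constructed sample values, not the STIG’s required ones, and the optional path argument only exists so you can dry-run it outside /etc.

```shell
#!/bin/sh
# Added example: boot-time recreation of a config file ESXi does not persist.
# Call recreate_ssh_config from /etc/rc.local (5.0) or
# /etc/rc.local.d/local.sh (5.1+). The path argument is for testing only.

log_msg() {
    # logger exists on ESXi; fall back to stdout when it is not available
    logger -t rc.local "$1" 2>/dev/null || echo "rc.local: $1"
}

recreate_ssh_config() {
    target="${1:-/etc/ssh/ssh_config}"
    # Same guard as the post: never clobber a file a VIB may have supplied.
    if [ -f "$target" ]; then
        log_msg "$target already present, leaving it alone"
        return 1
    fi
    # '<<-' strips leading TABS only, so the body and the terminator are
    # kept flush-left; a space-indented terminator would never be matched.
    cat > "$target" <<-__SSH_CONFIG
# Recreated at boot by rc.local; edits to this file are lost on reboot.
# Constructed sample settings -- substitute the values your STIG requires.
Host *
    Protocol 2
    ForwardX11 no
__SSH_CONFIG
    log_msg "recreated $target"
    return 0
}

# Post-reboot check: succeeds only when the file exists and carries the
# marker comment above, i.e. the boot hook actually fired.
verify_ssh_config() {
    target="${1:-/etc/ssh/ssh_config}"
    [ -f "$target" ] && grep -q 'Recreated at boot' "$target"
}
```

After the reboot, `verify_ssh_config` (or a plain `more /etc/ssh/ssh_config`) confirms the file came back; a second call to `recreate_ssh_config` returning 1 confirms the guard is protecting an existing copy.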

That’s it, how to create and persist a file and its settings with some smoke and a few mirrors.  Agreed, it’s not persisting, but it works and sometimes you need that, especially with the STIG and unforgiving IA groups.

4 thoughts on “Blog Series: ESXi 5 STIG – File and Setting Persistence”

  1. After configuring the above for ESXi 5.1, and after I reboot the system, shouldn’t I see the settings in the ssh_config file? What exactly is that script doing?

  2. The script is missing an “else” statement.

    if [ ! -f /etc/ssh/ssh_config ]; then
    cat > /etc/ssh/ssh_config <<-__BlockDelimiter
    #-------------

    #-------------
    __BlockDelimiter
    else
    echo "do nothin"
    fi

    • The script is void of an else statement because it doesn’t need one. Since /etc/ssh/ssh_config doesn’t exist as part of the base ESXi installation the evaluation [ ! -f /etc/ssh/ssh_config ] will always return true, and never hit the else statement if included. The only exception to that is if you install a VIB that sticks the ssh_config, which is exactly why I put the if into the configuration in the first place, so the script here doesn’t alter that behavior. Adding an else to echo a statement of nothing in a condition that is always true seems rather superfluous. That being said, perhaps I’m missing your use case.
