Note: This article covers material present in Version 1 Revision 3 and below. Topics found below may be mitigated in the most current version of the ESXi 5 STIG. Ensure you are using the most current version of the DISA STIG documents.
In this article I’m going to cover how you can set up the cron jobs necessary in ESXi 5.x to monitor for setUID, setGID, and device file changes per the ESXi 5 STIG. I will walk you through adding a few scripts to your system that will produce date/time-stamped log files.
Note: The following is unsupported by VMware. The scripts outlined below are for educational purposes only to assist in your compliance efforts. They are in no way meant to be a singular solution nor a replacement for a commercial OS baseline monitoring tool.
GEN002400-ESXI5-10047, GEN002460-ESXI5-20047, GEN002260-ESXI5-000047 – setUID, setGID, and Extraneous Device File Monitoring
First off, as before, the changes we are about to make will not persist across reboots without our help so please reference Blog Series: ESXi 5 STIG – File and Setting Persistence. Keep that handy in the next tab over for reference.
So, we need to add some automated scripts to your ESXi host to parse the file system for setUID, setGID, and device files. The method by which you review the output and determine whether changes have been made is up to you; ESXi provides no mechanism to accomplish this. All we are doing here is setting up the automated process of dumping the data required per the STIG.