Anyone who has tried to apply the ESXi STIG knows the pain it can cause, especially across multiple hosts. Settings don’t stick, special scripts must be created, and local files need to be changed. Doing this once is a pain; doing it across your data center will drive one to drink. How can this be made easier?
The answer could be a custom VIB. Using a VIB can resolve the missing or non-sticky file issue and populate the settings for you, but is that really a viable solution for the Federal data center? Short answer: it depends. Let’s dive into the reasons.
That’s right, revision 4 of the ESXi 5 STIG is right around the corner. You should see it in mid to late January, barring any issues during sign off at DISA.
So, what are the changes, you ask? Well, there are quite a few, and I shouldn’t derail the DISA FSO process by posting them early. However, I can tell you this: the assigned DISA engineer and I sat down for several hours and pretty much rewrote a large majority of the platform portion of the STIG. A special thanks should go out to that engineer, Joe. He absolutely set out to make a much more user-friendly and accurate document, and I believe he did. Well done, and thanks, Joe!
Another thing you will notice is a striking resemblance between this blog and its guidance and the checks and fixes in the next revision! Each and every one of you helped to contribute to that knowledge. So, in a sense, you all had a hand in the rewrite, since a large portion of the content was pulled from this site. Thanks to all of you for correcting and adding to what I provided here. I absolutely consider this not only a community effort, but a success at that.
Kudos and all that aside, this will undoubtedly not make everyone out there happy, nor will it cover each and every use case. The intent in this revision was to provide content that was achievable and possible to implement. You could say I was trying to work myself out of a blog. 🙂 The revision will not address everything for everyone, but it does work! Remember, as always, the STIG is an implementation guide to controls that do not fit into every situation. Work with your IA teams and DAA on a plan that fits within your agency’s goals and security procedures.