Anyone who has tried to apply the ESXi STIG knows the pain it can cause, especially across multiple hosts.  Settings don’t stick, special scripts must be created, and local files need to be changed.  Doing this once is a pain; doing it across your data center will drive one to drink.  How can this be made easier?

The answer could be a custom VIB.  Using a VIB can resolve the missing or non-sticky file issue, and populate the settings for you, but is that really a viable solution for the Federal data center?  Short answer, it depends.  Let’s dive into the reasons.

First of all let me say that this can absolutely be done, but with some caveats that need to be realized.  Caveats that your IA team might not like, so consult with them first before you undertake this journey.  Let’s start with what a VIB is for some back story.

A VIB is described very well by Kyle in What’s in a VIB? on the blogs.vmware.com site.  Additionally you can go take a look at the VIB Author Fling at VMware Labs and William Lam’s article Creating a Custom VIB for ESXi.  Now, there are a couple of very important things to note from these sources.

  1. A VIB can be placed into one of four separate acceptance levels {VMwareCertified | VMwareAccepted | PartnerSupported | CommunitySupported}
  2. All levels must (err should) be digitally signed, except for CommunitySupported
  3. You cannot modify all the directories necessary for the STIG from the VIB at anything below the VMwareCertified and VMwareAccepted levels
  4. The VIB Author tool can create a VIB at any acceptance level, but there’s a big scary warning

So, where does that leave us?  STIG finding SRG-OS-000193-ESXI5 explicitly states that software acceptance will not be set at CommunitySupported, and we cannot write to the directories we need to at that level anyway, so obviously CommunitySupported won’t work here.

Well, now we have to think about the “workaround”.  Yeah, this is where your IA team might start twitching in their chair.  You will have to create a VIB that is at least at the VMwareAccepted level in order to update the necessary system files for the STIG.  However, remember how the articles said that acceptance levels above Community need to be signed?  Well, yours isn’t going to be signed, and even if you pull a DoD Code Signing Certificate the ESXi host won’t trust it, so VUM will not distribute your VIB.  Doesn’t mean you’re dead yet though.

Note: I haven't tested if I can work around the trust issue.  If anyone has, please share!

So what CAN we do?  Well, here’s how it breaks down so far.

  • We can create a custom VIB, and set it to be VMwareAccepted or above
  • It will not be signed, but can be if you want, just doesn’t help you much
  • You CAN install it via the command line using --no-sig-check
  • You CAN integrate the VIB into a custom ISO installation
  • You cannot export that into an offline bundle and distribute via VUM
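As an added example (not code from the post, from VIB Author, or from the v-front tools), here is a small POSIX sh pre-flight check that encodes the rules above before you run the install by hand; it also applies ESXi’s own rule that a VIB’s acceptance level must be at least as strict as the host’s.  The VIB name `stig-files`, its path, and the `esxcli software vib list` table are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the post, VIB Author, or the v-front tools.
# Pre-flight check for hand-installing a custom STIG VIB, encoding the post's
# rules plus ESXi's own rule that a VIB's acceptance level must be at least as
# strict as the host's. All esxcli output below is CONSTRUCTED so this runs
# offline; on a real host you would feed it `esxcli software acceptance get`.

# Rank the four acceptance levels; a higher number is stricter.
level_rank() {
    case "$1" in
        VMwareCertified)    echo 4 ;;
        VMwareAccepted)     echo 3 ;;
        PartnerSupported)   echo 2 ;;
        CommunitySupported) echo 1 ;;
        *)                  echo 0 ;;   # unknown or garbled level
    esac
}

# SRG-OS-000193-ESXI5: the host must not sit at CommunitySupported.
host_level_ok() {
    [ "$(level_rank "$1")" -ge 2 ]
}

# Decide whether the custom VIB is installable and print the esxcli command.
# Returns 1 with a reason when any rule from the post is violated.
plan_install() {
    hlvl=$1; vlvl=$2; vpath=$3
    host_level_ok "$hlvl" || { echo "refuse: host is CommunitySupported (STIG)"; return 1; }
    [ "$(level_rank "$vlvl")" -ge 3 ] \
        || { echo "refuse: $vlvl cannot write the STIG directories"; return 1; }
    [ "$(level_rank "$vlvl")" -ge "$(level_rank "$hlvl")" ] \
        || { echo "refuse: $vlvl is below host level $hlvl"; return 1; }
    # Unsigned (or DoD-signed but untrusted) VIB: only a manual install works.
    echo "esxcli software vib install -v $vpath --no-sig-check"
}

# Constructed sample of `esxcli software vib list` for the post-install check.
VIB_LIST='Name          Version                      Vendor   Acceptance Level  Install Date
------------  ---------------------------  -------  ----------------  ------------
stig-files    1.0.0-1                      Example  VMwareAccepted    2014-01-10
ata-pata-amd  0.3.10-3vmw.550.0.0.1331820  VMware   VMwareCertified   2014-01-10'

# Acceptance level recorded for an installed VIB name; empty if absent.
vib_installed_level() {
    printf '%s\n' "$VIB_LIST" | awk -v n="$1" 'NR > 2 && $1 == n { print $4 }'
}

# Demo with a constructed host level and path.
plan_install PartnerSupported VMwareAccepted /vmfs/volumes/datastore1/stig-files.vib
```

After a real install, `vib_installed_level` run against live `esxcli software vib list` output is the quick way to confirm the VIB landed at the level you claimed for it.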

Still interested?  Perhaps, but it really depends on your IA team and the level of effort you want to put into this.  If they have a problem with the unsigned VIB you can technically sign it with a DoD issued code signing certificate.  However, you will still have to install the VIB with the --no-sig-check switch.  The signature does absolutely nothing for you in this case other than validate the package contents, and only if you were to run that validation manually.  They also might get hung up on the fact that you’ve “faked” an acceptance level of VMwareAccepted on the VIB, and perhaps you can get around that by allowing them to validate the VIB contents in the raw, to ensure no malicious intent.  Regardless, any time you’re having to explain yourself to IA at this level you run the risk of the “I don’t know so I’ll say no” answer.

Final conclusion, hazy.  While it is completely possible to create the custom VIB with the required STIG settings populated it must be done in such a manner that many IA shops may disapprove.  If you’re lucky enough to be allowed to move forward, or just don’t care what IA thinks, then there’s a good resource I want to point you to.  Andreas over at www.v-front.de has a great write up, how to guide, and tool set for this work.  You can find it under the ESXi 5 Community Packaging Tools section.  While the VIB Author Fling will do the same work for you I like Andreas’s tool personally.  The choice is really yours.  I just wanted you to have options.

Additionally, leave a comment and let me know if you’d like to see this work done.  While I don’t really have the time to build the VIB on a whim, I will put the effort in if enough of you in the community see it as valuable.

Note: I'm not scoping this as a VMware project.  It would be a strictly personal project.


9 thoughts on “The Custom ESXi STIG VIB – Is this approach viable for Federal?”

  1. This would be absolutely amazing. I know we spoke about this a couple of weeks ago and I have added the VIB creation to a task of mine in 2014. I think this would be widely sought after as many of us in the realm, who typically require STIG’d OSes and whatnot, don’t have a lot of cycles to do this.

    Having an official STIG VIB from VMware would go a long way around here, I know that much.

    • Cool, but I never said anything about an official STIG VIB from VMware. 🙂 I will go clarify that in the post. This would be a special project I was scoping out to see if there were any interested parties.

  2. Adam, et al. What I think I’ll do here is start a project over on Forge.mil and we can build this out in a collaborative manner on a trusted site.

    If you read this and are interested in assisting, or at the very least downloading and using, please leave a comment or click LIKE on the post so I can see the popularity.

  3. I just went through this process and used the tool from Andreas and included a custom issue file, ssh_config, sshd_config, and passwd. I did run into issues when trying to install it in VIB format and had to install it as an offline bundle (zip). It installed and removed successfully on 5.0 and 5.5, although the removal required a reboot where the install didn’t.

    Once you read through and get the hang of it, it would take a matter of maybe a couple of minutes to edit and create one. The only thing that would make this better would be an official signed VMware one so we could use it through VUM, but I guess for now I will script the install through PowerCLI.

    • One other note…the removal of the package set the files back to their out of the box defaults and not back to what they may have been modified to before the install.

      • Excellent feedback! Would you be willing to participate with us in a Forge.mil project to build this for all?

  4. I have a request in for a new SoftwareForge.mil project on ESXi STIG VIB creation. I’ll post a new article with the information once it is approved.

  5. A custom VIB would be great. I’ll keep my eye out for the project on forge.mil! We would love to help.

    FWIW, I’ve done all of our pre-STIG’ing via a kickstart script. Not the most efficient, but it works.
